AppLocker : Your Solution for True Application Smackdown - PowerPoint PPT Presentation

Presentation Transcript

  1. Required Slide. SESSION CODE: WCL303. AppLocker: Your Solution for True Application Smackdown. Jeremy Moskowitz, Group Policy MVP, Chief Propeller-Head, Founder: PolicyPak Software (

  2. WHAT’S THE POINT? Why do you need “Application Whitelisting” technology?
     • Common arguments “against” the need:
       • “We’re already locked down…”
       • “We’re already running with ‘standard user’ rights.”
     • Good uses for:
       • Prevent users from running “portable” (non-installed) applications
       • Prevent users from installing MSIs.
         • Seriously: try Firefox or Google Chrome as a local non-elevated user
       • Restricting parts of the operating system (sol.exe)
       • Restricting junior admins or “prying eyes” from “big things” (gpmc.msc)
       • Ensuring specific applications of “correct” version numbers are used

  3. IN THE BEGINNING… There was Software Restriction Policy (SRP). And it was good…
     • Built in to Windows XP
     • Has whitelisting and blacklisting ability
     • Four rule types:
       • Hash
       • Path
       • Windows Installer / Network Zone rule
       • Certificate rules

  4. IN THE BEGINNING… There was Software Restriction Policy (SRP)
     • Of course, still available on XP and…
     • Also available in ALL versions of Windows 7
     • No “direct” migration path to AppLocker. Will need to re-create rules during a transition time
     • Huge gotcha!:
       • Once AppLocker is turned on, and the first rules are applied… SRP is no longer enforced!

  5. APPLOCKER 101
     • Good news:
       • Under the hood, referred to as “SRPv2”
       • Active Directory Group Policy or Local Policy
       • Way better for whitelisting
     • Targets can be:
       • Windows 7
       • Windows Server 2008 / R2
     • Only available in the following Windows 7 editions:
       • Enterprise
       • Ultimate

  6. IMMUTABLE APPLOCKER LAWS
     • AppLocker’s “brain” is in a loop, like this:
       • Law #1: Explicit deny: a specific rule which denies an action.
       • Law #2: Explicit allow: a specific rule which allows an action.
       • Law #3: Implicit deny: all files that are not specifically named by an Allow rule are automatically blocked.
     • Not related to Asimov’s “Three Laws of Robotics”

  7. APPLOCKER “RULES”
     • Action:
       • Allow
       • Deny
     • Based upon condition:
       • Path
       • File Hash
       • Publisher
     • Rule types:
       • Executable
       • DLL
       • Windows Installer
       • Script
     • Can make “Exceptions”
     • Mix and match, like this:
       • ALLOW Executable, based upon who PUBLISHED the application (publisher condition), EXCEPT a specific application (or version), which is DENIED
       • Windows Installer rule, based upon a specific build (file hash)
       • DENY Scripts, based upon where it’s executing from (PATH condition), EXCEPT for a certain (known good) directory

  8. APPLOCKER: Four Steps to Success
     • Setting up the default rules (highly recommended, not required)
     • Adding more rules (also highly recommended, not required)
     • Leveraging AUDIT vs. ENFORCE mode
     • Turning on the client’s Application Identity (AppID) service

  9. STEP 1: SETTING UP THE DEFAULT RULES (or… how NOT to blow your foot off)
     • Default rules are NOT set by default.
     • Different default rules for each rule type

  10. EXECUTABLE RULE DEFAULTS (Good ideas to get started with)
     • Allow anything to run that’s already installed in Program Files
     • Allow anything to run if it’s in the Windows folder
     • Allow local administrators to run any file

  11. STEP 2: ADDING YOUR OWN RULES
     • On the rule type, right-click, select “Create New Rule…”
     • Add your rule, with conditions (will see in demonstration)

  12. STEP 3: AUDIT ONLY VS. ENFORCE
     • AppLocker modes:
       • Enforce rules
       • Audit only
     • Logs go to Applications and Services Logs | Microsoft | Windows | AppLocker

  13. STEP 4: TURN ON THE APPID SERVICE ON THE CLIENT
     • Final step to fully engage AppLocker
     • Can be done manually (good for one-off testing)
     • Can be scripted
     • Can be done via Group Policy Preferences (my preferred way!)
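Steps 3 and 4 scripted for a single test client, as an added example that is not from the deck or from PolicyPak: it starts the Application Identity service (service name AppIDSvc) and then summarises the “Audit only” events AppLocker writes so you can see what an Enforce switch would break. The event-log name and the 8003 event ID are the ones AppLocker uses for EXE and DLL audits; the field names under UserData come from the AppLocker event schema, and the sample user and path in the comments are made up.

```powershell
# Step 4: AppLocker rules are not evaluated until the Application Identity
# service is running. Needs an elevated prompt.
function Enable-AppIdService {
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    (Get-Service -Name AppIDSvc).Status      # expect 'Running'
}

# Step 3: in "Audit only" mode AppLocker logs event 8003 ("would have been
# prevented from running") to the EXE and DLL log instead of blocking.
# (MSI and Script audits go to 'Microsoft-Windows-AppLocker/MSI and Script'
# as event 8006.) Group the audit events per file so the review is short.
function Get-AppLockerAuditSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003                      # 8004 = really blocked (Enforce)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AppLocker events keep their details in UserData/RuleAndFileData
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d.TargetUser     # SID of the launching user
                FilePath  = $d.FilePath       # e.g. %OSDRIVE%\USERS\JOE\DESKTOP\TOOL.EXE
                Hash      = $d.FileHash
                Publisher = $d.Fqbn           # '-' when the file is not signed
            }
        } |
        Group-Object FilePath |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
            @{n = 'Signed'; e = { $p = $_.Group[0].Publisher; [bool]$p -and $p -ne '-' } }
}

Enable-AppIdService
Get-AppLockerAuditSummary -Days 7 | Format-Table -AutoSize
```

Unsigned, frequently run files at the top of the list are the ones that need a hash or path rule (or a conversation with the owner) before you move from Audit to Enforce.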

  14. APPLOCKER RESULTS • Default user pop-up as seen here:

  15. AppLocker: Turn it on, making sure it works DEMO

  16. APPLOCKER: Safety Precedence. How safe can you get?
     • Hash rule:
       • Safest, most specific
       • Issue: unmanageable at scale
     • Publisher condition:
       • Next safest
     • Path condition:
       • Next safest
       • Issue: might expose “too much” file system within the whitelist

  17. APPLOCKER: SECURITY AWARENESS. How the bad guys can still get you
     • Path condition: they could figure out where an application isn’t allowed to run, and move it to a place where it is allowed to run. (i.e., move the application to somewhere in Program Files and run it from there; the default rule allows me to do that.)
     • Publisher condition: a publisher certificate gets compromised. A “bad guy” signs malicious code with the (allowed) certificate.
     • Code injection: without .DLL rules, an allowed .EXE can be fooled into loading a DLL it’s not supposed to load.
       • Safe when .DLL rules are enabled
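A review of how much file system the path rules in a policy expose, following the safety order of slide 16 and the path-condition point above. This is an added example, not code from the deck or from Microsoft; the policy XML is a constructed sample in the AppLocker policy schema (the same schema that Get-AppLockerPolicy -Effective -Xml returns), and the Fabrikam publisher string is made up.

```powershell
# Constructed sample policy: two Allow path rules and one publisher rule.
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a" Name="(Default) All files in Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="b" Name="Contractor tools" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Tools\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="c" Name="Signed by Fabrikam" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=FABRIKAM, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-AppLockerPathExposure {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$PolicyXml)
    process {
        $policy = [xml]$PolicyXml
        foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
            foreach ($rule in $rc.FilePathRule) {
                if ($rule.Action -ne 'Allow') { continue }
                $path = $rule.Conditions.FilePathCondition.Path
                # A path condition only vets *where* a file sits. Program Files
                # and Windows are fine while standard users cannot write there;
                # a wildcard under a user profile means anything copied there runs.
                $userWritable = ($path -match '^(%OSDRIVE%\\Users|%USERPROFILE%|%TEMP%)') -or
                                ($path -match '\\Users\\')
                [pscustomobject]@{
                    Collection   = $rc.Type
                    Rule         = $rule.Name
                    Path         = $path
                    Exceptions   = if ($rule.Exceptions) { $rule.Exceptions.ChildNodes.Count } else { 0 }
                    UserWritable = $userWritable
                }
            }
        }
    }
}

Get-AppLockerPathExposure -PolicyXml $samplePolicy | Format-Table -AutoSize
# On a real client: (Get-AppLockerPolicy -Effective -Xml) | Get-AppLockerPathExposure
```

Rows flagged UserWritable are candidates for replacement with a publisher or hash rule, or for a Deny exception.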

  18. APPLOCKER: SECURITY AWARENESS (Part II). How the bad guys can still get you
     • EXE rules: .EXE, .COM – and that’s it.
     • DLL rules: .DLL, .OCX – and that’s it.
     • Script rules: .PS1, .BAT, .CMD, .VBS, .JS – and that’s it.
       • AppLocker is extensible by 3rd-party script hosts
     • Windows Installer rules: .MSI and .MSP – and that’s it.

  19. APPLOCKER: MORE INFO FOR USERS. Default vs. “more info” dialog
     • Optional result
     • Computer | Policies | Administrative Templates | Windows Components | Windows Explorer | Set a Support Web Page Link

  20. AUTOMATICALLY GENERATING RULES
     • Get a “representative machine”
     • Automatically Generate Rules
     • Export Rules / Import Rules

  21. AppLocker: Manual Rule Creation, Automatically Generating Rules, Export and Import DEMO

  22. AppLocker + AppV – GOTCHA
     • AppV has a “virtual drive” it uses
       • Usually the Q: drive
     • Must Allow the Q: drive, or AppLocker keeps blocking

  23. AppLocker: AppV ‘Gotcha’ Remediation DEMO

  24. APPLOCKER + POWERSHELL AUTOMATION
     • Get them via PowerShell on Windows 7 using:
       • Import-Module AppLocker
     • PowerShell cmdlets:
       • Get-AppLockerFileInformation
       • Get-AppLockerPolicy
       • Set-AppLockerPolicy
         • Apply a specific “fully formed” AppLocker XML policy
       • New-AppLockerPolicy
       • Test-AppLockerPolicy
     • Check out:

  25. APPLOCKER POWERSHELL EXAMPLES
     Get AppLocker file info (for .EXEs):
       Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType exe
     Create an AppLocker policy XML rule set:
       (Get-AppLockerFileInformation… line above) | New-AppLockerPolicy -RuleType publisher, hash -User everyone -Xml
     Create a new AppLocker local GPO with that rule set:
       Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType exe | New-AppLockerPolicy -RuleType publisher, hash -User everyone | Set-AppLockerPolicy -Merge

  26. APPLOCKER POWERSHELL EXAMPLES – PART 2
     Create a new GPO AppLocker policy:
       Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType exe | New-AppLockerPolicy -RuleType publisher, hash -User everyone | Set-AppLockerPolicy -LDAP "LDAP://{4391FF66-197D-4BBE-B83E-4B536A09B543},CN=Policies,CN=System,DC=Fabrikam,DC=com"
     Dump a domain-based GPO’s AppLocker rules:
       Get-AppLockerPolicy -Domain -LDAP "LDAP://{4391FF66-197D-4BBE-B83E-4B536A09B543},CN=Policies,CN=System,DC=Fabrikam,DC=com" -Xml > output.xml
     The applications for which a user is blocked:
       Step 1: Get-AppLockerPolicy -Effective -Xml > output2.xml
       Step 2: Get-ChildItem -Path "C:\Program Files" -Recurse -Filter *.exe | Convert-Path | Test-AppLockerPolicy -XmlPolicy .\output2.xml

  27. AppLocker + PowerShell DEMO

  28. Some Tips and Best Practices (PART 1 of 2). Things to think about before / during / after your rollout
     • ALLOW rules with DENY exceptions: likely your best bet
     • DLL rules: turn on if you have the horsepower and can monitor it
       • Subtip: note, not all DLLs from a package are necessarily digitally signed!
     • Try to get your “internal Devs” on board with digitally signed apps (.EXEs and .DLLs)

  29. Some Tips and Best Practices (PART 2 of 2). Things to think about before / during / after your rollout
     • When ready, use Group Policy Preferences to turn on the AppID service en masse
       • Don’t turn on the WRONG service, like “Application Experience” (oops!)
     • Start with Executable rules, and move onward toward Installer, Script, and possibly DLL rules
     • Emergency troubleshooting:
       • Use Group Policy Preferences to DISABLE the AppID service

  30. MORE INFORMATION
     • Microsoft AppLocker Documentation:
       • as Beta)
     • Microsoft AppLocker PowerShell Reference
     • Understanding why users can install MSI apps as regular users (Darwin Sanoy)
     • Hands-on examples (live training, and in book form)

  31. Required Slide. Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session.
     Related Content
     • SIA12-HOL – Windows 7 AppLocker Hands-On Lab

  32. What is the Springboard Series? The Springboard Series IT pro experience offers dynamic content and structured guidance across the adoption lifecycle
     • Inside of Microsoft we are
       • A turnkey IT pro engagement platform for depth and breadth
       • The program to mobilize MS marketing and field to focus on desktop OS IT pros
     • To the IT pro, our goal is
       • Be the definitive resource for Desktop IT pros
       • Open, honest; show, don’t tell
       • Information at the right time, right level across the Adoption Lifecycle
     Adoption lifecycle: DISCOVER (Is it worth the pain?), EXPLORE (Is our environment ready?), PILOT (Is the organization ready?), DEPLOY (How does it change my work?), MANAGE (How do I maintain and optimize?)
     • Weekly, Monthly and Quarterly Rhythm of Topical Content
     • Springboard Technical Experts Panel
     • Event Support and Resources
     • Straight-talk Monthly Feature Articles and Overview Guides
     • one-Windows TechCenter in 10 languages
     • TalkingAboutWindows Video Blogs
     • Virtual Roundtable Events
     Visit the Springboard Series on TechNet at

  33. Required Slide. Resources
     Learning
     • Sessions On-Demand & Community
     • Microsoft Certification & Training Resources
     • Resources for IT Professionals
     • Resources for Developers

  34. Required Slide Complete an evaluation on CommNet and enter to win!

  35. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year

  36. Do MORE with Group Policy. Extend Group Policy for AWESOME control
     • Group Policy Tips
     • Live Training
     • Online Training
     Free Software: Group Policy “To Go”

  37. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  38. Required Slide