AppLocker : Your Solution for True Application Smackdown

Presentation Transcript

Required Slide

SESSION CODE: WCL303

AppLocker: Your Solution for True Application Smackdown

Jeremy Moskowitz, Group Policy MVP

Chief Propeller-Head: GPanswers.com

Founder: PolicyPak Software (policypak.com)

WHAT’S THE POINT? Why do you need “Application Whitelisting” technology?
  • Common arguments “against” the need:
    • “We’re already locked down…”
    • “We’re already running with ‘standard user’ rights.”
  • Good uses for:
    • Prevent users from running “portable” (non-installed) applications
    • Prevent users from installing MSIs.
      • Seriously: Try Firefox or Google Chrome as a local non-elevated user
    • Restricting parts of the operating system (sol.exe)
    • Restricting Junior admins or “prying eyes” from “big things” (gpmc.msc)
    • Ensuring specific applications of “correct” version numbers are used
IN THE BEGINNING… There was Software Restriction Policy (SRP)

And it was good…

  • Built-in to Windows XP
  • Has whitelisting and blacklisting ability
  • Four rule types:
    • Hash
    • Path
    • Windows Installer / Network Zone Rule
    • Certificate rules
IN THE BEGINNING… There was Software Restriction Policy (SRP)
  • Of course, still available on XP and…
  • Also available in ALL versions of Windows 7
  • No “direct” migration path to AppLocker. Will need to re-create rules during a transition time
  • Huge gotcha!:
    • Once AppLocker is turned on and the first rules are applied, SRP is no longer enforced!
APPLOCKER 101
  • Good news:
    • Under the hood, referred to as “SRPv2”
    • Active Directory Group Policy or Local Policy
    • Way better for whitelisting
  • Targets can be:
    • Windows 7
    • Windows Server 2008 / R2
  • Only available in the following Windows 7 editions:
    • Enterprise
    • Ultimate
IMMUTABLE APPLOCKER LAWS
  • AppLocker’s “brain” evaluates every file in this order:
    • Law #1: Explicit deny: A specific rule which denies an action.
    • Law #2: Explicit allow: A specific rule which allows an action.
    • Law #3: Implicit deny: All files that are not specifically named by an Allow rule are automatically blocked.
  • Not related to Asimov’s “Three Laws of Robotics”
    • http://en.wikipedia.org/wiki/Three_Laws_of_Robotics
APPLOCKER “RULES”
  • Action:
    • Allow
    • Deny
  • Based upon condition:
    • Path
    • File Hash
    • Publisher
  • Rule types:
    • Executable
    • DLL
    • Windows Installer
    • Script
  • Can make “Exceptions”
  • Mix and Match, like this:
    • ALLOW Executable, based upon who PUBLISHED the application (publisher condition) EXCEPT a specific application (or version), which is DENIED
    • Windows Installer Rule, based upon a specific build (file hash)
    • DENY Scripts, based upon where they’re executing from (PATH condition), EXCEPT for a certain (known good) directory
APPLOCKER: Four Steps to Success
  • Setting up the default rules (highly recommended, not required)
  • Adding more rules (also, highly recommended, not required)
  • Leveraging AUDIT vs. ENFORCE mode
  • Turning on the client’s Application Identity (AppID) service
STEP 1: SETTING UP THE DEFAULT RULES (or… how NOT to blow your foot off)
  • Default rules are NOT set by default.
  • Different default rules for each rule type
EXECUTABLE RULE DEFAULTS (Good ideas to get started with)
  • Allow anything to run that’s already installed in Program Files
  • Allow anything to run if it’s in the Windows folder
  • Allow local administrators to run any file
STEP 2: ADDING YOUR OWN RULES
  • On rule type, right-click, select “Create New Rule…”
  • Add your rule, with conditions (will see in demonstration)
STEP 3: AUDIT ONLY VS. ENFORCE
  • AppLocker Modes:
    • Enforce rules
    • Audit Only
      • Logs go to Applications and Services Logs | Microsoft | Windows | AppLocker
STEP 4: TURN ON APPID SERVICE ON CLIENT
  • Final step to fully engage AppLocker
  • Can be done manually (good for one-off testing)
  • Can be scripted
  • Can be done via Group Policy Preferences (my preferred way!)
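The four steps above, plus the “mix and match” ALLOW-publisher-EXCEPT-one-product rule from the APPLOCKER “RULES” slide, carried out from PowerShell as an added example that is not part of the deck. It assumes Windows 7 with the AppLocker module available; the publisher and product names are placeholders, and the rule GUIDs are generated on the fly.

```powershell
# Added example (not from the deck). Builds an "Exe" rule collection containing the
# three default executable rules plus one "mix and match" publisher rule with an
# exception, applies it in AuditOnly mode, and starts the AppID service (Windows 7).
# Publisher/product names are placeholders; get real ones from Get-AppLockerFileInformation.
Import-Module AppLocker

$policyPath = Join-Path $env:TEMP 'AppLocker-Exe-Audit.xml'
# Every rule needs a unique GUID Id. SIDs: S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- ALLOW everything signed by one publisher EXCEPT one product (placeholder names) -->
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow EXAMPLE PUBLISHER except EXAMPLE TOOL" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=ANYTOWN, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=ANYTOWN, S=WASHINGTON, C=US" ProductName="EXAMPLE TOOL" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Step 3: load it in audit mode first; -Merge keeps rules already in the local policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Step 4: nothing is evaluated until the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Check: the Exe collection should now report AuditOnly.
(Get-AppLockerPolicy -Local).RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode
```

Once the audit log shows nothing you care about being flagged, change EnforcementMode to "Enabled" in the XML and re-apply.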
APPLOCKER RESULTS
  • Default user pop-up as seen here:
APPLOCKER: Safety Precedence. How safe can you get?
  • Hash rule:
    • Safest, most specific
    • Issue: Unmanageable at scale
  • Publisher Condition
    • Next safest
  • Path Condition
    • Next safest
    • Issue: Might expose “too much” file system within whitelist
APPLOCKER: SECURITY AWARENESS. How the bad guys can still get you
  • Path Condition: They could figure out where an application isn’t allowed to run, and move it to a place that is allowed to run (i.e., move the application to somewhere in Program Files and run from there; the default rule allows me to do that).
  • Publisher Condition: A publisher certificate gets compromised. A “bad guy” signs malicious code with the (allowed) certificate.
  • Code Injection: an allowed .EXE is tricked into loading a .DLL it’s not supposed to load.
    • Mitigated when .DLL rules are enabled
APPLOCKER: SECURITY AWARENESS (Part II). How the bad guys can still get you
  • EXE Rules: .EXE, .COM – and that’s it.
  • DLL Rules: .DLL, .OCX – and that’s it.
  • Script Rules: .PS1, .BAT, .CMD, .VBS, .JS – and that’s it.
    • AppLocker is extensible by 3rd party script hosts
  • Windows Installer Rules: .MSI and .MSP – and that’s it.
APPLOCKER: MORE INFO FOR USERS. Default vs. “more info” dialog
  • Optional result
  • Computer | Policies | Administrative Templates | Windows Components | Windows Explorer | Set a Support Web Page Link
AUTOMATICALLY GENERATING RULES
  • Get “representative machine”
  • Automatically Generate Rules
  • Export Rules / Import Rules
AppLocker + AppV - GOTCHA
  • AppV has a “virtual drive” it uses
  • Usually Q: drive
  • Must allow the Q: drive, or AppLocker keeps blocking the virtualized applications
APPLOCKER + POWERSHELL AUTOMATION
  • Get the cmdlets via PowerShell on Windows 7 using:
    • Import-Module AppLocker
  • PowerShell Cmdlets
    • Get-AppLockerFileInformation
    • Get-AppLockerPolicy
    • Set-AppLockerPolicy
      • Apply specific “fully formed” AppLocker XML policy
    • New-AppLockerPolicy
    • Test-AppLockerPolicy
  • Check out:
    • go.microsoft.com/fwlink/?linkid=144111
APPLOCKER POWERSHELL EXAMPLES

Get AppLocker File Info (for .EXEs):

Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

Create AppLocker Policy XML rule set (the Get-AppLockerFileInformation line above, piped on):

Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml

Create a new AppLocker Local GPO with that rule set:

Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone | Set-AppLockerPolicy -Merge

APPLOCKER POWERSHELL EXAMPLES – PART 2

Create a new GPO AppLocker Policy:

Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone | Set-AppLockerPolicy -Ldap "LDAP://DC.fabrikam.com/CN={4391FF66-197D-4BBE-B83E-4B536A09B543},CN=Policies,CN=System,DC=Fabrikam,DC=com"

Dump a domain-based GPO’s AppLocker rules:

Get-AppLockerPolicy -Domain -Ldap "LDAP://DC.fabrikam.com/CN={4391FF66-197D-4BBE-B83E-4B536A09B543},CN=Policies,CN=System,DC=Fabrikam,DC=com" -Xml > output.xml

The applications for which a user is blocked:

Step 1: Get-AppLockerPolicy -Effective -Xml > output2.xml

Step 2: Get-ChildItem -Path "C:\Program Files" -Recurse -Filter *.exe | Convert-Path | Test-AppLockerPolicy -XmlPolicy .\output2.xml
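Test-AppLockerPolicy above tells you what the policy says; the Audit Only log from Step 3 tells you what users actually tried to run. Reading that log back is an added example, not part of the deck; it assumes the “EXE and DLL” AppLocker log exists on the machine, and the sample message shown in the comment is constructed.

```powershell
# Added example (not from the deck): triage what AuditOnly mode would have blocked
# before switching to Enforce. In the "EXE and DLL" log, event 8003 = allowed but
# would be blocked under enforcement, 8004 = actually blocked (MSI and Script log: 8006/8007).
# Written for PowerShell 2.0 on Windows 7 (no [pscustomobject] cast, no member enumeration).
$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 8003, 8004 } -ErrorAction SilentlyContinue

# The message opens with the file path, e.g. (constructed sample)
# "%OSDRIVE%\USERS\ALICE\DOWNLOADS\TOOL.EXE was allowed to run but would have been prevented from running ..."
$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time = $e.TimeCreated
        Mode = if ($e.Id -eq 8003) { 'AuditOnly' } else { 'Enforced' }
        User = $e.UserId                        # SID of the account that launched the file
        Path = ($e.Message -split ' was ', 2)[0]
    }
}

# Roll up by path: each line is a decision to make (add an Allow rule, or keep it blocked).
$rows | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Modes'; e = { ($_.Group | ForEach-Object { $_.Mode } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Paths under user-writable locations (Downloads, %TEMP%) are the ones to leave blocked; paths under Program Files that still show up usually mean the default rules were never created.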

Some Tips and Best Practices (PART 1 of 2). Things to think about before / during / after your rollout
  • ALLOW rules with DENY exceptions, likely your best bet
  • DLL rules – turn on if you have the horsepower and can monitor it
    • Subtip: Note, not all DLLs from a package are necessarily digitally signed!
  • Try to get your “internal Devs” on board with digitally signed apps (.EXEs and .DLLs)
Some Tips and Best Practices (PART 2 of 2). Things to think about before / during / after your rollout
  • When ready, use Group Policy Preferences to turn on the AppID service en masse
  • Don’t turn on the WRONG service, like “Application Experience” (oops!)
  • Start with Executable Rules, and move onward toward Install, Script, and possibly DLL rules
  • Emergency Troubleshooting:
    • Use Group Policy Preferences to DISABLE AppID service
MORE INFORMATION
  • Microsoft AppLocker Documentation:
    • http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx
    • http://tinyurl.com/AppLocker1 (noted as Beta)
  • Microsoft AppLocker PowerShell Reference
    • go.microsoft.com/fwlink/?linkid=144111
    • http://blogs.msdn.com/powershell/archive/2009/06/02/getting-started-with-applocker-management-using-powershell.aspx
  • Understanding why users can install MSI apps as regular users (Darwin Sanoy)
    • http://csi-windows.com/blog/videos
  • GPanswers.com/training and GPanswers.com/book
    • Hands on examples (live training, and in book form)

Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session.

Related Content
  • SIA12-HOL – Windows 7 AppLocker Hands-On Lab
What is the Springboard Series?

The Springboard Series IT pro experience offers dynamic content

and structured guidance across the adoption lifecycle

  • Inside of Microsoft we are:
    • A turnkey IT pro engagement platform for depth and breadth
    • The program to mobilize MS marketing and field to focus on desktop OS IT pros
  • To the IT pro, our goal is:
    • Be the definitive resource for Desktop IT pros
      • Open, honest; show don’t tell
      • Information at right time, right level across Adoption Lifecycle

Adoption lifecycle stages: DISCOVER, EXPLORE, PILOT, DEPLOY, MANAGE

Questions along the lifecycle: How does it change my work? How do I maintain and optimize? Is it worth the pain? Is our environment ready? Is the organization ready?

Weekly, Monthly and Quarterly Rhythm of Topical Content:
  • Springboard Technical Experts Panel Event Support and Resources
  • Straight-talk Monthly Feature Articles and Overview Guides
  • One Windows TechCenter in 10 languages
  • TalkingAboutWindows Video Blogs
  • Virtual Roundtable Events

Visit the Springboard Series on TechNet at www.microsoft.com/springboard


Resources

Learning

  • Sessions On-Demand & Community
  • Microsoft Certification & Training Resources

www.microsoft.com/teched

www.microsoft.com/learning

  • Resources for IT Professionals
  • Resources for Developers
  • http://microsoft.com/technet
  • http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!


Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

Do MORE with Group Policy

Extend Group Policy for AWESOME control

  • Group Policy Tips
  • Live Training
  • Online Training

Free Software: www.policypak.com

Group Policy “To Go”


© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.