Thursday, October 8, 2015

How to: Software Restriction policies with AppLocker

We have already seen how to restrict software on Windows Server 2012 / R2 with Software Restriction Policies in a GPO. There is another mechanism, AppLocker, which has been available since Windows Server 2008 R2 and Windows 7 (on the client side only the Enterprise editions, plus Windows 7 Ultimate, actually enforce it).
We still use GPOs, since AppLocker is configured through Group Policy, to enforce software restriction, but it is easier to manage and more powerful: rules can be tied to a publisher's signature, generated automatically from an existing installation, and run in an audit-only mode before they block anything.
AppLocker can manage execution permissions of:
  • Executables: files with .exe and .com extensions
  • Windows installers: Windows Installer packages with .msi, .msp and (from Windows 8 / Server 2012) .mst extensions
  • Scripts: files with .ps1, .bat, .cmd, .vbs and .js extensions
  • Packaged apps: Windows Store (.appx) apps and their installers
A fifth collection, DLL rules, exists but stays hidden until it is enabled on the Advanced tab of the AppLocker properties, because checking every loaded library is expensive and needs Allow rules for every DLL a permitted program loads.
Open Server Manager and, from the Tools menu, launch Group Policy Management:
Create a new GPO:
Edit the policy:
You will find the AppLocker settings inside the path Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker. Click Configure rule enforcement:
For each rule collection, tick Configured and choose Enforce rules or Audit only. Be aware of how the blocking works: a collection with no rules at all leaves that file type unrestricted, but as soon as a collection contains at least one rule and is enforced, every file of that type not covered by an Allow rule is blocked. Two consequences for a first deployment: create the default rules (right-click the collection, Create Default Rules), which for executables and scripts allow everything under %WINDIR% and %PROGRAMFILES% and everything for BUILTIN\Administrators, or Windows itself stops working; and start with Audit only, reviewing the AppLocker event log (Applications and Services Logs > Microsoft > Windows > AppLocker; event 8003 means "would have been blocked", 8004 "blocked") before switching to Enforce rules. Rules are only enforced on computers where the Application Identity service (AppIDSvc) is running, so set it to start automatically on the targets:
AppLocker differs from Software Restriction Policies in two ways that matter here: it ships with default rules and it can generate rules automatically from an existing installation. Right-click the rule collection (for example Executable Rules) and select Automatically Generate Rules; a wizard will appear:
Specify the user or group the rules will apply to and select the folder that will be scanned to automatically create Allow rules:
The wizard then asks how to identify the files. The usual choice is publisher rules for signed files, with a fallback of file hash or path for unsigned ones; alternatively every file gets a hash rule. Prefer publisher rules for signed files, because they survive updates, and hash rules for unsigned ones: a hash rule pins the exact bytes, so nothing can be swapped in under the same name, but it has to be regenerated whenever the file is updated. Path rules are the weakest option and are only safe for folders that the affected users cannot write to:
Click Create:
The new rules will appear:
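The console steps above, from creating the GPO to generating the Allow rules and storing them in the GPO, as an added PowerShell example that is not part of the original post. It uses the GroupPolicy and AppLocker modules (RSAT); the GPO name, DC host name, scanned folder and target OU are assumptions for a lab, not values from the page.

```powershell
# Added example, not from the original post: the console walkthrough done
# from PowerShell on a management host with the GroupPolicy and AppLocker
# modules. The GPO name, DC host name, scanned folder and target OU are
# assumptions for a lab.
Import-Module GroupPolicy
Import-Module AppLocker

$gpoName  = 'AppLocker - Workstations'           # assumed
$dc       = 'dc01.lab.local'                      # assumed DC FQDN
$targetOU = 'OU=Workstations,DC=lab,DC=local'     # assumed link target
$scanDir  = 'C:\Program Files\ContosoApp'         # assumed folder to inventory

# 1. Create the GPO (reuse it if it already exists).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# 2. "Automatically Generate Rules": inventory the folder, then build Allow
#    rules for Everyone. Publisher rules are tried first (they survive
#    updates); unsigned files fall back to a hash rule. -Optimize folds files
#    that share a publisher into one rule instead of one rule per file.
$files  = Get-AppLockerFileInformation -Directory $scanDir -Recurse `
              -FileType Exe, Script, WindowsInstaller
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
              -User Everyone -RuleNamePrefix ContosoApp -Optimize

# 3. Start every collection in audit mode. Once a collection holds at least
#    one rule and is enforced, anything without an Allow rule is blocked, so
#    switch to Enabled only after the audit events (ID 8003 in the AppLocker
#    log) have been reviewed.
foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }

# 4. Dry run against a file the scan never saw. With only the ContosoApp
#    rules present, Windows' own binaries have no Allow rule; the
#    PolicyDecision column shows why the default rules (or a scan of
#    %WINDIR% and %PROGRAMFILES%) must be merged in before enforcing.
Test-AppLockerPolicy -PolicyObject $policy -Path "$env:windir\System32\cmd.exe" -User Everyone

# 5. Write the policy into the GPO. -Merge keeps rules already stored there
#    (e.g. default rules created in the console); without it they are replaced.
Set-AppLockerPolicy -PolicyObject $policy -Ldap "LDAP://$dc/$($gpo.Path)" -Merge

# 6. Link the GPO to the OU holding the computers to restrict.
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# 7. Nothing is enforced on a client until the Application Identity service
#    runs. On Windows 10 and later it is a protected process, so the Services
#    snap-in cannot change its startup type; use sc.exe on each client or the
#    GPO's System Services setting instead:
#    sc.exe config appidsvc start= auto
#    sc.exe start appidsvc
```

Step 4 is the check worth keeping in any deployment script: a policy built only from an application folder looks complete in the console but denies the operating system's own executables the moment it is switched from AuditOnly to Enabled.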
We can also create rules manually. Right-click the rule collection and choose Create New Rule:
Click Next:
Specify the users who will be affected by the rule and the rule type (Allow or Deny execution):
There are three ways to specify which applications the rule applies to:
  • Publisher: applications signed by a specific publisher; the condition can be as broad as "any file from this publisher" or as narrow as one product, file name and minimum version, and it keeps working across updates;
  • Path: specific files or folders, written with AppLocker path variables such as %WINDIR% and %PROGRAMFILES%; only as strong as the folder's ACL, since a user who can write to an allowed folder can run anything from it;
  • File hash: the SHA-256 fingerprint of the file; tamper-proof, but it must be replaced whenever the file changes.
In our example we chose Path:
Specify the Path:
You can add exceptions if you need them; an exception is itself a publisher, path or hash condition, so an Allow rule for a folder can exclude a subfolder or a particular program:
Name your new rule and click Create:
The rule will appear:
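Because a path rule is only as strong as the folder's permissions, the check a practitioner wants after creating one is whether any allowed folder is writable by ordinary users. The following audit script is an added example, not part of the original post: it reads the effective AppLocker policy of the local machine (an assumption; read the GPO's policy instead to audit the domain) and, for every Allow path rule, reports subfolders where one of an assumed list of low-privilege principals holds write access.

```powershell
# Added example, not from the original post: flag Allow path rules in the
# effective AppLocker policy that cover folders ordinary users can write to.
# Reading the local effective policy and the list of "ordinary user"
# principals are assumptions for a lab.
Import-Module AppLocker

# AppLocker path variables as they appear in FilePathCondition/@Path.
# %REMOVABLE% and %HOT% have no fixed location and are skipped below.
function Expand-AppLockerPath {
    param([string]$Path)
    $map = [ordered]@{
        '%SYSTEM32%'     = Join-Path $env:windir 'System32'
        '%WINDIR%'       = $env:windir
        '%PROGRAMFILES%' = $env:ProgramFiles
        '%OSDRIVE%'      = $env:SystemDrive
    }
    foreach ($name in $map.Keys) {
        $Path = $Path -replace [regex]::Escape($name), $map[$name]
    }
    return $Path
}

# Principals that stand for "any logged-on user" (assumed list; extend it for
# your domain). Rights that let a user drop a file or folder into the path.
$lowPriv   = 'Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

function Get-WritableAllowedPath {
    param([xml]$Policy)
    foreach ($rule in $Policy.SelectNodes('//RuleCollection/FilePathRule[@Action="Allow"]')) {
        $raw  = $rule.SelectSingleNode('Conditions/FilePathCondition').GetAttribute('Path')
        $root = (Expand-AppLockerPath $raw).TrimEnd('*')
        # A wildcard in the middle of the path or an unresolvable variable:
        # review that rule by hand.
        if ($root -match '\*' -or -not (Test-Path -LiteralPath $root)) { continue }

        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $hit = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $_.IdentityReference.Value -and
                ([int]$_.FileSystemRights -band [int]$writeMask) -ne 0
            } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Collection  = $rule.ParentNode.GetAttribute('Type')
                    Rule        = $rule.GetAttribute('Name')
                    AllowedPath = $raw
                    Writable    = $dir.FullName
                    Principal   = $hit.IdentityReference.Value
                }
            }
        }
    }
}

[xml]$effective = Get-AppLockerPolicy -Effective -Xml
Get-WritableAllowedPath -Policy $effective | Format-Table -AutoSize
```

On a stock installation the default %WINDIR%\* rule already produces several hits; each reported folder is a place where a standard user can put a file that the Exe rule then allows, so it needs an exception in the rule or a narrower rule. The script only looks at Allow ACEs and ignores the rule's own Exceptions, so a reported folder that is already excluded is a false positive to strike off by hand.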
