Friday, September 18, 2009

Windows 7 AppLocker

AppLocker is the new version of Software Restriction Policies, introduced for the first time in Windows 7. Software Restriction Policies can still be used against Windows 7, as you may have a mixed environment of XP, Vista and Windows 7 machines and want to use SRPs so you don't have to create the rules twice, once for AppLocker and once for SRP.

AppLocker can be used to prevent users from accessing:
- Executable (.exe) files
- Windows Installer (.msi) files and Windows Installer Patch (.msp) files
- Script files including PowerShell (.ps1), batch (.bat), command prompt (.cmd), VBScript (.vbs), and JavaScript (.js) files
- Dynamic link library (DLL) files (optional)

To use AppLocker you must be running Windows Server 2008 R2 with Windows 7.

Below is a table comparing AppLocker to Software Restriction Policies:

AppLocker is located in group policy under Application Control Policies directly under Software Restriction Policies:

You can also set whether AppLocker enforces the rules, only audits them, or allows users to bypass the rule, for each respective category:

A new built-in enhancement of AppLocker is that it allows administrators to apply the rules on a user or group basis instead of just at organisational unit level. Here is a screenshot of the new rule wizard showing what I mean:

You could get around this in SRPs by simply creating a GPO and changing the security permissions on the group policy object so it would only apply to the users and groups you wanted the policies to target. However, this meant you could not configure any other policies under the same GPO, because the other policies would also be filtered by the GPO security settings. With AppLocker you can configure the AppLocker policies on something such as the Default Domain Policy and still apply them to particular users and groups.

One thing that is really good about AppLocker is its ability to scan a PC to find out which applications are installed and allow them. This means you do not have to manually add applications to the allow list. You can do this by right-clicking on the category you want and selecting Automatically Generate Rules:
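The same inventory-and-allow step can be scripted with the AppLocker PowerShell module that ships with Windows 7 and Server 2008 R2. The block below is an added example, not code from the original post: it builds an allow list from a reference machine, switches the rule collection to audit mode (the "audit" enforcement setting discussed above) so nothing is blocked before the list has been checked, dry-runs the policy against sample files, and then applies it. The directory, group name, output path and test file paths are assumptions for illustration.

```powershell
# Added example (not from the original post): build an AppLocker allow list from a
# reference PC, the scripted equivalent of "Automatically Generate Rules", and deploy
# it in AuditOnly mode first. Assumes the AppLocker module that ships with Windows 7 /
# Server 2008 R2, run from an elevated PowerShell prompt.
Import-Module AppLocker

$referenceDir = 'C:\Program Files'               # directory to inventory (assumed)
$group        = 'Everyone'                       # user or group the rules apply to (assumed)
$policyFile   = 'C:\Temp\applocker-audit.xml'    # output path (assumed)

# 1. Inventory every .exe under the reference directory. Signed files get publisher
#    rules; unsigned ones fall back to hash rules. -Optimize merges files from the same
#    publisher/product into one rule instead of one rule per file.
$policy = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $group -Optimize -Xml

# 2. Switch every rule collection to AuditOnly so nothing is blocked yet; AppLocker
#    logs a "would have been blocked" event for each file that matches no rule.
[xml]$xml = $policy
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyFile)

# 3. Dry-run the policy before deploying. PolicyDecision is Allowed, Denied or
#    DeniedByDefault (no rule matched) for each path; the files must exist locally.
$testFiles = @('C:\Program Files\Windows NT\Accessories\wordpad.exe',   # sample paths (assumed)
               'C:\Users\Public\Downloads\unknown-tool.exe')
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $testFiles -User $group |
    Format-Table -Property FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply to the local policy. Use -LDAP with a GPO path to write to a domain GPO instead.
Set-AppLockerPolicy -XmlPolicy $policyFile
```

Two things to check before flipping EnforcementMode from AuditOnly to Enabled: the Application Identity service (AppIDSvc) must be running on the clients or no rule is evaluated at all, and the audit events under Applications and Services Logs\Microsoft\Windows\AppLocker should be reviewed for a few days, because once a collection is enforced every file without a matching allow rule is DeniedByDefault, including anything under the Windows directory that the scan above did not cover.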

Another feature that I think is really important to highlight about AppLocker is its ability to use files as reference files when creating Publisher rules. For example, I can set wordpad.exe as a reference file:

It enters all the attributes for wordpad. You can even specify custom attributes that are not in the list by default. If I slide the bar up, I have now configured it so that any application developed by Microsoft is allowed to run.
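What the wizard does when the bar is slid up can be seen in the policy XML. The block below is an added example, not from the original post: it reads the signature attributes from wordpad.exe as the reference file, generates the narrow publisher rule, then wildcards the product, binary name and version so the rule matches everything signed by the same publisher, which is the Publisher level of the slider. It assumes the AppLocker module on Windows 7 / Server 2008 R2, the Windows 7 location of wordpad.exe, and placeholder group and output paths.

```powershell
# Added example (not from the original post): create a publisher rule from wordpad.exe
# as the reference file, then widen it to "anything signed by this publisher", which is
# what sliding the wizard's bar up to the Publisher level does. Assumes the AppLocker
# module on Windows 7 / Server 2008 R2 and the Windows 7 path of wordpad.exe.
Import-Module AppLocker

$referenceFile = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'  # assumed path
$group         = 'Everyone'                                              # assumed
$ruleFile      = 'C:\Temp\applocker-publisher.xml'                       # assumed

# 1. Read the signature attributes (publisher, product, binary name, version) from the file;
#    these are the values the wizard fills in from the reference file.
$info = Get-AppLockerFileInformation -Path $referenceFile
$info.Publisher

# 2. Generate the narrow rule. By default it matches this publisher, product and binary
#    at this file version or newer (LowSection = file version, HighSection = *).
[xml]$xml = $info | New-AppLockerPolicy -RuleType Publisher -User $group -Xml

# 3. Widen to publisher level: wildcard product, binary name and version range so every
#    file whose signing certificate has the same subject matches the rule.
foreach ($cond in $xml.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName',  '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection',  '*')
    $range.SetAttribute('HighSection', '*')
    # FilePublisherCondition -> Conditions -> FilePublisherRule: rename the rule to match its scope
    $rule = $cond.ParentNode.ParentNode
    $rule.SetAttribute('Name', "Allow all files signed by $($cond.PublisherName)")
}
$xml.Save($ruleFile)

# 4. Merge into the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $ruleFile -Merge
```

The publisher level is deliberately broad: it allows every binary the vendor has signed with that certificate subject, not only the application the reference file came from, so leave the rule at the product or binary-name level for vendors whose full catalogue you do not want to trust.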

This can be done just as easily for other vendors. AppLocker is a more effective solution than having anti-virus. Anti-virus has signature files that contain MD5 or SHA-1 hashes of files that are known to be viral. It can also scan within files for common hash strings to determine if a file has been infected. However, anti-virus products only contain information for most of the viruses out on the internet; there are many that anti-virus products do not know about, or they get their definitions out too late! If you lock down your network to only allow application files, scripts and patches that you know are clean to run on workstations, then files that contain viral code will not be allowed to run, as AppLocker will stop them. Think about it: which is easier? Making a list of the millions of pieces of viral code out there on the internet and scanning files to see whether they match any of these signatures, or making a list of all the known-good pieces of code on a network and blocking the rest?

1 comment:

  1. Great article, this is what I was looking for.

    Tushar Jadhav