Thursday, 20 May 2021

Getting started with Windows AppLocker

AppLocker is a great way to limit the applications a user has access to within Windows 10 or Remote Desk Host systems.

Its quick and easy to get going and once its up and running you can add and change as needed.  Ideally you wan to start it in audit mode only as this way you will get to see what is happening on the Remote Desktop Hosts or the local workstation.

At first you are going to need to make a GPO and give it a name.  it runs at the computer level and not the user so you can disable the user part of the GPO if you do that sort of thing.

The settings are located in Computer Configuration > Polices > Windows Settings > Security Settings > Application Control Polices > AppLocker

Once you are there right click on the "AppLocker" and select "Properties" and mark the polices wish to enforce.

I would suggest at first you set it audit only, so you can monitor what would of happened if it was used.

Once you have set it to audit click "Ok" which will bring you back to the GPO and the AppLocker polices.

Right click on each policy you have enabled and select "Create Default Rules"

This will give a base line of how it just look.

From here you can adjust and add as needed,  just be carful with how many rules you make as each time an application runs the AppLocker will run the rule set until it finds a match and if not kept lean could appear to slow down applications and GPO processing.

Some system variables can be used in path rule condition and some can not,  I found that %USERPROFILE% was not accepted but you can replace it with a wildcard as such "C:\Users\*\APPDATA\LOCAL\MICROSOFT\TEAMS\" say if you wish Microsoft Teams to still work.

Once the policy is set up the only thing left is that you need is to start the Application Identity service other wise the AppLocker will not be enabled on the RDH / local workstation.  you can do this in the GPO under the "System Services" part not the "Services" part but I also like to stick a start for it in "Services" too.

Now its up and running you can check the devices event logs to see what is happening,  the AppLocker logs can be found in.

Applications and Services Log > Microsoft > Windows > AppLocker

Each policy has its own log and Event ID:8003 shows what would of been blocked if the policy was enforced.

Monitor this log for sometime and adjust the AppLocker rules until you are happy then switch to enforce on the GPO.

AppLocker (Windows 10) - Windows security | Microsoft Docs

Requirements to use AppLocker (Windows 10) - Windows security | Microsoft Docs

Optimize AppLocker performance (Windows 10) - Windows security | Microsoft Docs

Understanding the path rule condition in AppLocker (Windows 10) - Windows security | Microsoft Docs

Using Event Viewer with AppLocker (Windows 10) - Windows security | Microsoft Docs

Configure the Application Identity Service | Microsoft Docs

No comments:

Post a Comment