Locking Down a Workstation with AppLocker

Introduction

AppLocker is a powerful component of the Windows operating system that allows an administrator to dictate whether a user is permitted to run a file. Several types of files can be controlled by AppLocker, including executable files (.exe), DLL files (.dll), Windows Installer files (.msi), PowerShell scripts (.ps1), and packaged applications (these include graphical programs such as Settings and the GUI for Defender).

This post will examine how a workstation can be locked down with AppLocker in order to mitigate the risk of a user running a malicious piece of software, and to limit what an attacker is capable of doing on a machine.

The main goal of this post is to demonstrate the procedure of setting up and configuring AppLocker. Every environment is different, which means that the steps shown here must be altered to meet the requirements of your own environment. Furthermore, only executable files will be targeted in these examples.

Outline

This post will start off by demonstrating how to create an AppLocker group policy object and enforce it on a workstation. Default AppLocker rules will be applied as a start. Next, cmd.exe will be blacklisted with AppLocker to prevent a user from running it. Lastly, the procedure of whitelisting applications with AppLocker will be shown based on a set of requirements.

Prerequisites

This section will introduce the environment on which AppLocker will be used.

A user named Tim, located in the Test Users OU, will be the domain user that logs on to a system to test AppLocker policies.

The endpoint system that will be configured is a Windows 10 LTSC client computer that is part of a domain. This computer account was placed in the User Workstations OU.

Before we can begin creating AppLocker policies, a group policy object must be created in which all these policies will be specified. Run gpmc.msc in order to edit the group policies. Continue by creating a new GPO as seen below.

Default Rules

This section will demonstrate how to create default executable rules for AppLocker and how to apply them to a specific workstation.

Every rule section in AppLocker has a set of default rules. The default executable rules allow all executables located in the Program Files and Windows folders to be run. Furthermore, the built-in Administrators group is allowed to run any executable.

This is a pretty useful rule set: when it is enforced it prevents a user from running any executable located outside of the Program Files and Windows folders.

Creating Default Rules

In order to create the default rules, edit the AppLocker Rules GPO that was created earlier in gpmc.msc.

Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker.

Right-click on Executable Rules and select the Create Default Rules option. This can be seen below.

Next, the Executable rules must be set to Enforce in order for these policies to take effect.

Lastly, the Application Identity service must be set to start automatically on the workstation. This service is what applies AppLocker policies: if it is not running, no AppLocker policies will be applied to the system.

Linking GPO

Now that the GPO is set up it must be linked to a specific OU. In this example the user's workstation is located in the User Workstations OU, so the GPO will be linked there.

Testing Default Rules

In order for the GPO rules to come into effect you can choose to wait until group policy is refreshed by the system. As an alternative you may run gpupdate in cmd.exe in order to update group policy immediately.

As can be seen below, when running an executable from the Downloads folder AppLocker prevents it. This means that the policies were successfully applied and enforced.
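The same check can be done without launching anything, by asking AppLocker how it would decide for a given file and user. This is an added example, not part of the original post; the domain name and user (EXAMPLE\Tim) are assumptions, and the "unapproved" executable is a constructed copy of notepad.exe placed in Downloads.

```powershell
# Added example (not from the original post): verify that AppLocker is active on
# the workstation after gpupdate, then test paths against the effective policy.

# 1. No Application Identity service, no AppLocker enforcement.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc: status={0} startup={1}" -f $svc.Status, $svc.StartType

# 2. Export the effective policy (local policy merged with every linked GPO).
$policyFile = "$env:TEMP\effective-applocker.xml"
Get-AppLockerPolicy -Effective -Xml | Out-File $policyFile -Encoding UTF8

# 3. Constructed test file: a signed Windows binary copied outside the folders
#    that the default rules allow. Test-AppLockerPolicy needs real files.
$outside = "$env:USERPROFILE\Downloads\applocker-test.exe"
Copy-Item "$env:SystemRoot\System32\notepad.exe" $outside -Force

$targets = @(
    $outside,                               # expect: Denied (no matching rule)
    "$env:SystemRoot\System32\notepad.exe"  # expect: Allowed (default Windows rule)
)

# 4. Evaluate as the test user. The -User value is an assumption for this example.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $targets -User 'EXAMPLE\Tim' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Remove-Item $outside -Force
```

The PolicyDecision column shows Allowed, Denied or DeniedByDefault, and MatchingRule names the rule that produced it, which makes it easy to see why a path was blocked before a user reports it.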


Start Menu Not Working

NOTE: You may notice that the start menu no longer works, along with programs such as Settings and Defender. Setting the executable policy to Enforce interferes with these applications. These applications are called Packaged Apps.

In order to solve this, perform the following steps:

Set Packaged App Rules to enforce.

Create the default rules under Packaged App Rules.

Afterwards, either wait for the GPOs to refresh on the system, or run gpupdate to force an update.


Blacklisting

This section will demonstrate how to add to the default rules and blacklist an executable. For this example cmd.exe will be blacklisted.

Begin by creating a new rule in Executable Rules.

Set the action to Deny. In this example the target group has been set to Domain Users.

Select Path as the condition.

Input the path in which the executable is located.

The end result will appear as follows.

Upon attempting to run cmd.exe, the user will now be blocked.
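The same Deny rule expressed as an AppLocker policy fragment that can be reviewed in source control and merged into the GPO from PowerShell. This is an added example, not from the original post; the domain (EXAMPLE), the test user and the GPO LDAP path are assumptions. %SYSTEM32% and %WINDIR% are AppLocker path variables, so the rule does not depend on the drive letter.

```powershell
# Added example (not from the original post): build the cmd.exe Deny rule as
# AppLocker policy XML, test it, then (commented out) merge it into the GPO.

# Domain Users SID; the domain name is an assumption for this example.
$sid = (New-Object System.Security.Principal.NTAccount('EXAMPLE', 'Domain Users')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Deny rules take precedence over Allow rules, so this holds even though the
# default rule allows everything under the Windows folder. A 64-bit Windows
# also ships a 32-bit cmd.exe under SysWOW64; one FilePathCondition per rule.
$paths = '%SYSTEM32%\cmd.exe', '%WINDIR%\SysWOW64\cmd.exe'
$rules = foreach ($p in $paths) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny cmd.exe ($p)" Description="" UserOrGroupSid="$sid" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
}
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$file = "$env:TEMP\deny-cmd.xml"
$policy | Out-File $file -Encoding UTF8

# Check the decision before touching the GPO (Test-AppLockerPolicy wants real files).
Test-AppLockerPolicy -XmlPolicy $file -Path "$env:SystemRoot\System32\cmd.exe" -User 'EXAMPLE\Tim' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the AppLocker Rules GPO once reviewed (placeholder GPO GUID and domain):
# Set-AppLockerPolicy -XmlPolicy $file -Merge `
#     -Ldap 'LDAP://DC=example,DC=com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'
```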

Whitelisting

This section will whitelist a set of applications on the user workstation based on the following requirements:

  • A Domain User should be able to log in to the desktop.
  • A Domain User should be able to open and use Firefox.

The requirements are extremely simple; the end result will be a desktop on which only Firefox is usable. Of course, a different environment will have different requirements. This is why the most important thing to take away is the steps taken to achieve this.

We will begin by setting the Executable rules to Audit only. AppLocker keeps evaluating the rules, but instead of blocking an application it generates a log message warning of the event. This allows us to see what AppLocker would have allowed and what it would have blocked.

In order to have a fallback mechanism, and a user that can run programs such as Event Viewer, Domain Admins will be allowed to run anything they want. This sort of rule may be useful during testing: if a mistake is made, a Domain Admin account can still run gpupdate to update the rules. Furthermore, running programs such as gpupdate and Event Viewer as a Domain Admin will not show up as warnings in the logs.

Run Event Viewer on the client workstation; the program name is eventvwr.msc. Navigate to Applications and Services Logs -> Microsoft -> Windows -> AppLocker. This is where the AppLocker logs are stored. If there are any logs, clear them, then reboot the computer.

When the client workstation reboots, log in as a regular domain user and open the AppLocker logs in Event Viewer once again. You will see many Warning messages; these appear because many programs are run at startup when the user logs in. Whitelisting these is critical for a user to be able to log in. You will notice that the binary's file path is shown under General details, and the user that attempted to run it is shown under User.

The idea here is to perform the tasks a regular user would, such as logging in and opening Firefox. Logs will be generated of which binaries are used, and these binaries must be whitelisted later on. Repeat this step as many times as necessary; the rule set is adequate when you are able to perform the same workload as a user without any Warning messages showing up in Event Viewer.

In the case of this example, the following rules are what is required for a user to log in and open Firefox. Feel free to remove the rule that allows all Domain Admins to run anything; that depends on the requirements of the environment.

Note that in this example, any binary whose audit event ran as SYSTEM was allowed for Everyone in the rule set.

When you are satisfied with the rules you have created, set the Executable rules back to Enforce.
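The audit-and-whitelist loop above can be driven from PowerShell: read the audit events, summarise them per account and binary, and turn them into draft allow rules, with SYSTEM-run binaries assigned to Everyone as the post does. This is an added example, not from the original post; the domain name (EXAMPLE), the GPO LDAP path and the Expand-AppLockerPath helper are assumptions, and the helper approximates AppLocker's path variables.

```powershell
# Added example (not from the original post): turn the audit-mode Warnings in
# the "EXE and DLL" log into draft allow rules for review.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Event 8003 = "allowed to run but would have been prevented if the policy were
# enforced". The user is logged as a SID; the path uses AppLocker variables.
$audited = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Sid = $d.TargetUser; Path = $d.FilePath }
    }

# What would have been blocked, per account and binary (what Event Viewer shows).
$audited | Group-Object Sid, Path | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Get-AppLockerFileInformation needs real paths, so expand the log's variables.
# Assumed helper; approximation, %PROGRAMFILES% also covers the x86 folder in rules.
function Expand-AppLockerPath([string]$p) {
    $p -replace '%SYSTEM32%', "$env:SystemRoot\System32" -replace '%WINDIR%', $env:SystemRoot `
       -replace '%PROGRAMFILES%', $env:ProgramFiles -replace '%OSDRIVE%', $env:SystemDrive
}

# Post's convention: binaries that ran as SYSTEM (S-1-5-18) go to Everyone, the
# rest to Domain Users. Publisher rules survive updates; unsigned files fall
# back to a Hash rule rather than a broad Path rule.
$sets = @{
    'Everyone'             = $audited | Where-Object Sid -eq 'S-1-5-18'
    'EXAMPLE\Domain Users' = $audited | Where-Object Sid -ne 'S-1-5-18'
}
foreach ($group in $sets.Keys) {
    $paths = $sets[$group] | Select-Object -ExpandProperty Path -Unique |
        ForEach-Object { Expand-AppLockerPath $_ }
    if (-not $paths) { continue }
    $info = Get-AppLockerFileInformation -Path $paths -ErrorAction SilentlyContinue
    if (-not $info) { continue }
    $draft = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
        -User $group -RuleNamePrefix 'Audit' -Optimize -Xml
    $file = "$env:TEMP\allow-$($group -replace '[\\ ]', '_').xml"
    $draft | Out-File $file -Encoding UTF8
    "Draft rules for $group written to $file; review before importing"
    # Merge into the AppLocker GPO once reviewed (placeholder GPO GUID and domain):
    # Set-AppLockerPolicy -XmlPolicy $file -Merge `
    #     -Ldap 'LDAP://DC=example,DC=com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'
}
```

Re-run the user's workload after each merge and repeat until the 8003 summary is empty, then switch the Executable rules back to Enforce.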