Applocker

strawgate edited this page May 28, 2016 · 12 revisions

Applocker is the Application Whitelisting technology developed by Microsoft and embedded in every recent enterprise release of the Windows Operating System.

To implement Applocker using C3 Protect you should follow these steps (Outlined in detail below):

  1. Enable the Applocker Analyses
  2. Select Applocker Policies to include
  3. Deploy Applocker in Audit Mode (Log but don't Enforce)
  4. Adjust policies as necessary
  5. Deploy Applocker in Enforcement Mode (Log and Enforce)

Implementation Steps

Enable the Applocker Analyses

The following analyses in the C3 Protect site should be enabled:

  • Whitelisting - Applocker - Windows
  • Whitelisting - Applocker - Logs - Windows
  • Whitelisting - Applocker - Configuration - Windows

Decide which Applocker Policies to include as default

Recommended usage of the policies is to create a baseline with the following sections and Fixlets

  1. Service Enablement
  2. Config - Applocker Application Identity Service - Automatic Start - Windows
  3. Enforcement
  4. Config - Cache Applocker Method - Audit All - Windows
  5. Rules
  6. Config - Cache Applocker Rules - Allow Everyone to run Installed Executables - Windows
  7. Config - Cache Applocker Rules - Allow Everyone to run Signed Executables - Windows
  8. Config - Cache Applocker Rules - Allow Everyone to run Installed Scripts - Windows
  9. Config - Cache Applocker Rules - Allow Everyone to run Signed Installers - Windows
  10. Config - Cache Applocker Rules - Allow Everyone to run Cached Installers - Windows
  11. Config - Cache Applocker Rules - Allow Everyone to run Signed AppX - Windows
  12. Invocation
  13. Invoke - Commit Cached Applocker Rules - Windows
  14. Logs
  15. Config - Applocker Log - AppX Deployment Max Size - 20mb - Windows
  16. Config - Applocker Log - AppX Execution Max Size - 20mb - Windows
  17. Config - Applocker Log - EXE/DLL Max Size - 20mb - Windows
  18. Config - Applocker Log - MSI/Script Max Size - 20mb - Windows

Deploy Applocker in Audit Mode

Assuming your baseline contains, "Config - Cache Applocker Method - Audit All - Windows" then the baseline will enable Applocker in Audit Mode. Action your new baseline against the devices you wish to enable Applocker on.

Adjust policies as necessary

Review the results of the Analysis, "Whitelisting - Applocker - Logs - Windows" to identify executables that are not being allowed but should be and create new rule sets to allow them. Add those rules to your baseline and start this process again.

You can easily make rules in your local group policy and then use a script in this repository under Helpers: https://github.com/strawgate/C3-Protect/blob/master/Helpers/Applocker/Generate%20Applocker%20Cache%20Rules.ps1 to turn those local rules into Fixlets you can use in BigFix!

Removing Rules

Because we are building a local cache of rules, to remove a rule you must delete the cached rule. You can do this dynamically by GUID or by file name. To force a refresh of the policy simply include a delete of the "Effective.xml" file in "__Global\Applocker". This will cause the "Invoke - Commit Cached Applocker Rules - Windows" fixlet to be relevant again and will cause an update of Applocker Rules.

Deploy Applocker in Enforcement Mode

Once you feel comfortable with the rule set and what the warnings being thrown on the endpoints you can swap the audit fixlet for the, "Config - Cache Applocker Method - Enforce All - Windows" and re-deploy the baseline. This will reset the ruleset on all of the endpoints with the new enforced ruleset.

Notes

The rules fixlets themselves do not enable enforcement, only when combined with an Applocker Method fixlet is an enforcement mechanism defined. When you make your own fixlets for deploying rules you should make sure to delete the enforcement key from the XML used. If you do not you will see undefined behavior when merging applocker rules.

Implementation Caveats

Applocker policy can generally be bypassed by a malicious administrator. Applocker policies are not intended to completely prevent users or administrators from launching applications. In general, a purposeful administrator can do whatever they would like to a system. Applocker helps prevent accidental application/installation launch by administrators and regular unapproved application launches by users.

Once example of a way an administrator can bypass Applocker is to move the executable in question into the Windows or Program Files directory.

Warnings

A small number of warning fixlets are available in the C3-Protect site for potential configuration issues. If you see these relevant in your environment please carefully consider the description of the fixlet and take appropriate action.

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.