Join GitHub today
Applocker is the Application Whitelisting technology developed by Microsoft and embedded in every recent enterprise release of the Windows Operating System.
To implement Applocker using C3 Protect you should follow these steps (Outlined in detail below):
- Enable the Applocker Analyses
- Select Applocker Policies to include
- Deploy Applocker in Audit Mode (Log but don't Enforce)
- Adjust policies as necessary
- Deploy Applocker in Enforcement Mode (Log and Enforce)
Enable the Applocker Analyses
The following analyses in the C3 Protect site should be enabled:
- Whitelisting - Applocker - Windows
- Whitelisting - Applocker - Logs - Windows
- Whitelisting - Applocker - Configuration - Windows
Decide which Applocker Policies to include as default
Recommended usage of the policies is to create a baseline with the following sections and Fixlets
- Service Enablement
- Config - Applocker Application Identity Service - Automatic Start - Windows
- Config - Cache Applocker Method - Audit All - Windows
- Config - Cache Applocker Rules - Allow Everyone to run Installed Executables - Windows
- Config - Cache Applocker Rules - Allow Everyone to run Signed Executables - Windows
- Config - Cache Applocker Rules - Allow Everyone to run Installed Scripts - Windows
- Config - Cache Applocker Rules - Allow Everyone to run Signed Installers - Windows
- Config - Cache Applocker Rules - Allow Everyone to run Cached Installers - Windows
- Config - Cache Applocker Rules - Allow Everyone to run Signed AppX - Windows
- Invoke - Commit Cached Applocker Rules - Windows
- Config - Applocker Log - AppX Deployment Max Size - 20mb - Windows
- Config - Applocker Log - AppX Execution Max Size - 20mb - Windows
- Config - Applocker Log - EXE/DLL Max Size - 20mb - Windows
- Config - Applocker Log - MSI/Script Max Size - 20mb - Windows
Deploy Applocker in Audit Mode
Assuming your baseline contains, "Config - Cache Applocker Method - Audit All - Windows" then the baseline will enable Applocker in Audit Mode. Action your new baseline against the devices you wish to enable Applocker on.
Adjust policies as necessary
Review the results of the Analysis, "Whitelisting - Applocker - Logs - Windows" to identify executables that are not being allowed but should be and create new rule sets to allow them. Add those rules to your baseline and start this process again.
You can easily make rules in your local group policy and then use a script in this repository under Helpers: https://github.com/strawgate/C3-Protect/blob/master/Helpers/Applocker/Generate%20Applocker%20Cache%20Rules.ps1 to turn those local rules into Fixlets you can use in BigFix!
Because we are building a local cache of rules, to remove a rule you must delete the cached rule. You can do this dynamically by GUID or by file name. To force a refresh of the policy simply include a delete of the "Effective.xml" file in "__Global\Applocker". This will cause the "Invoke - Commit Cached Applocker Rules - Windows" fixlet to be relevant again and will cause an update of Applocker Rules.
Deploy Applocker in Enforcement Mode
Once you feel comfortable with the rule set and what the warnings being thrown on the endpoints you can swap the audit fixlet for the, "Config - Cache Applocker Method - Enforce All - Windows" and re-deploy the baseline. This will reset the ruleset on all of the endpoints with the new enforced ruleset.
The rules fixlets themselves do not enable enforcement, only when combined with an Applocker Method fixlet is an enforcement mechanism defined. When you make your own fixlets for deploying rules you should make sure to delete the enforcement key from the XML used. If you do not you will see undefined behavior when merging applocker rules.
Applocker policy can generally be bypassed by a malicious administrator. Applocker policies are not intended to completely prevent users or administrators from launching applications. In general, a purposeful administrator can do whatever they would like to a system. Applocker helps prevent accidental application/installation launch by administrators and regular unapproved application launches by users.
Once example of a way an administrator can bypass Applocker is to move the executable in question into the Windows or Program Files directory.
A small number of warning fixlets are available in the C3-Protect site for potential configuration issues. If you see these relevant in your environment please carefully consider the description of the fixlet and take appropriate action.