Windows 7 AppLocker: Understanding its Capabilities and Limitations
© 2011 Monterey Technology Group Inc.

Brought to you by Lumension
Speakers: Chris Chevalier, Senior Product Manager; Chris Merritt, Director of Solution Marketing
http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx

Preview of Key Points
  AppLocker: how it works, its capabilities and its limitations
  Scenarios where it is the right choice, and where it is the wrong one

Open-Ended Survey Question
  If you could build your ideal endpoint security agent, what would you include? AntiVirus, application whitelisting, patching, firewall, disk encryption, DLP, device control... what else? Please respond via chat.

AppLocker
  Starts from a deny-all point of view
  Can be applied to:
    EXEs
    DLLs (.dll and .ocx)
    Scripts (.bat, .cmd, .js, .ps1 and .vbs)
    Windows Installer files (.msi and .msp)

AppLocker Rules
  Each rule has:
    a user or group it applies to
    a file criterion: publisher, path or file hash
    an action: allow or deny
    optional exceptions, again by publisher, path or file hash

AppLocker Rules: how they are evaluated
  All deny rules are processed before allow rules; otherwise the sequence is not important
  The default is deny: you add allow rules for selected users and programs
  Deny rules override allow rules, so they are only needed to override an allow rule
  An exception simply causes the next rule to be evaluated
  Multiple GPOs? Rules are additive (including local policy); for the enforcement mode, the last GPO wins
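To see the evaluation order above in action, here is an added example that is not part of the deck: a constructed two-rule policy, written to a temp file and evaluated with Test-AppLockerPolicy, which only reads the XML and never applies it to the machine. It assumes the AppLocker PowerShell module is available and that calc.exe, notepad.exe and cmd.exe exist under %WINDIR%\System32.

```powershell
Import-Module AppLocker

# Constructed policy: one allow rule with an exception, one deny rule. The rule
# IDs are made-up GUIDs; the file is only used as input to Test-AppLockerPolicy.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Allow rule with an exception: cmd.exe is carved out, so for cmd.exe this
         rule simply does not match and evaluation moves on to the next rule. -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111"
                  Name="Allow Windows folder (except cmd.exe)"
                  Description="Constructed example rule"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\System32\cmd.exe" />
      </Exceptions>
    </FilePathRule>
    <!-- Deny rule: processed before any allow rule, so it wins for notepad.exe
         even though notepad.exe also matches the %WINDIR% allow rule above. -->
    <FilePathRule Id="22222222-2222-2222-2222-222222222222"
                  Name="Deny notepad.exe"
                  Description="Constructed example rule"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\System32\notepad.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyFile = Join-Path $env:TEMP 'applocker-eval-demo.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

$files = @(
    "$env:WINDIR\System32\calc.exe",     # matches the allow rule            -> Allowed
    "$env:WINDIR\System32\notepad.exe",  # deny rule overrides the allow     -> Denied
    "$env:WINDIR\System32\cmd.exe"       # excepted, no other rule matches   -> DeniedByDefault
)

# Evaluates the XML against the real files on disk for the current user
# (add -User DOMAIN\name to evaluate for somebody else). Nothing is applied.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $files |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

The third result is the "default rule is deny" point: once the exception removes the only matching allow rule, no rule matches and the file is denied by default.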
Implementation
  Create default rules
  Automatically generate rules
  Enforcement mode: Audit Only or Enforce

Implementation: Audit Only
  Events are logged to Application and Services Logs\Microsoft\Windows\AppLocker
  Use event forwarding to get a centralized log; not trivial

Implementation: PowerShell
  You can't do AppLocker without PowerShell scripting
  Get-AppLockerFileInformation: reads the event log to report broken files
  New-AppLockerPolicy: can build a new policy from Get-AppLockerFileInformation output
  Set-AppLockerPolicy: plugs the policy into a GPO
  Test-AppLockerPolicy: tests whether a specified list of files would be allowed to run on the local computer for a specified user
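As an added example (not the deck's own script), the following ties the Audit Only log from the previous slide to the four cmdlets above: summarise the "would have been blocked" events, build publisher-first rules from them, re-test the audited files against the candidate policy, and merge it into a GPO. The domain, server and GPO path are placeholders; the path-token expansion helper and the example.local names are assumptions.

```powershell
Import-Module AppLocker

# --- 1. Triage the Audit Only log ------------------------------------------
# 8003 (EXE and DLL) and 8006 (MSI and Script) are the "allowed, but would have
# been blocked if enforced" events; 8004/8007 are real blocks once enforcing.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
$wouldBlock = Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003, 8006 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Computer  = $_.MachineName
            User      = $d.TargetUser
            File      = $d.FilePath      # AppLocker form, e.g. %OSDRIVE%\USERS\...\TOOL.EXE
            Publisher = $d.Fqbn          # '-' when the file is unsigned
        }
    }

# Which binaries would break, and for whom: the list to review with the help desk.
$wouldBlock | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# --- 2. Build candidate rules from the same events -------------------------
# Publisher rules first (they survive version updates); hash rules only as the
# fallback for unsigned files. -Optimize collapses redundant rules.
$fileInfo = Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
if (-not $fileInfo) { throw 'No audited EXE/DLL events found; run in Audit Only mode first.' }
$candidate = Join-Path $env:TEMP 'applocker-candidate.xml'
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone `
                    -RuleNamePrefix 'FromAudit' -Optimize -Xml |
    Set-Content -Path $candidate -Encoding UTF8

# --- 3. Test before deploying -------------------------------------------------
# Hypothetical helper: expand AppLocker's path tokens back to local paths so the
# audited files can be re-evaluated with Test-AppLockerPolicy.
function Expand-AppLockerPath([string]$p) {
    $p -replace '^%SYSTEM32%',      "$env:WINDIR\System32" `
       -replace '^%WINDIR%',        $env:WINDIR `
       -replace '^%PROGRAMFILES%',  $env:ProgramFiles `
       -replace '^%OSDRIVE%',       $env:SystemDrive
}
$targets = $wouldBlock | ForEach-Object { Expand-AppLockerPath $_.File } | Sort-Object -Unique |
           Where-Object { Test-Path -LiteralPath $_ }
if ($targets) {
    $results = Test-AppLockerPolicy -XmlPolicy $candidate -Path $targets
    $results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    $gaps = @($results | Where-Object { $_.PolicyDecision -ne 'Allowed' })
    if ($gaps.Count -gt 0) {
        throw "$($gaps.Count) audited file(s) still not covered by the candidate; review before deploying."
    }
}

# --- 4. Merge into the GPO -------------------------------------------------------
# -Merge adds the candidate rules to the rules already in the GPO; without it the
# existing policy in the GPO is overwritten.
$gpo = 'LDAP://dc01.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'
Set-AppLockerPolicy -XmlPolicy $candidate -Ldap $gpo -Merge
```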
Caveats
  Windows 7 Enterprise and Ultimate only; no support for Windows 7 Pro, Vista, XP...
  Based on the computer's OU, not the user's OU: users are locked out of some applications on some computers but not others
  Default rules: allow any local admin to run everything; allow Everyone to run everything under %Program Files%
  64-bit editions

Caveats (continued)
  Only intended for least-privilege environments
  Default rules: local admins can stop the AppID service, and local admins can add allow rules
  User Account Control can be a gotcha
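An added check (not from the deck) that reads the effective policy with Get-AppLockerPolicy and flags the default-rule and service weaknesses listed on the two Caveats slides: rule collections not set to enforce, allow rules on a bare path wildcard, path-based Everyone rules over %PROGRAMFILES%, and the state of the Application Identity service. It assumes a policy is already applied to the machine and that the AppLocker module is loadable.

```powershell
Import-Module AppLocker

# Effective policy = merge of local policy and every applied GPO (rules are additive).
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

$everyone = 'S-1-1-0'     # well-known SID: Everyone
$findings = @()

foreach ($coll in @($policy.AppLockerPolicy.RuleCollection | Where-Object { $_ })) {
    # A collection in AuditOnly or NotConfigured blocks nothing.
    if ($coll.EnforcementMode -ne 'Enabled') {
        $findings += "$($coll.Type): collection is $($coll.EnforcementMode); nothing is being blocked"
    }
    foreach ($rule in @($coll.FilePathRule | Where-Object { $_ -and $_.Action -eq 'Allow' })) {
        foreach ($cond in @($rule.Conditions.FilePathCondition | Where-Object { $_ })) {
            if ($cond.Path -eq '*') {
                # The default "all files" rule for local admins (S-1-5-32-544),
                # or a broader grant if it has been assigned to another SID.
                $findings += "$($coll.Type): '$($rule.Name)' allows every file for SID $($rule.UserOrGroupSid)"
            } elseif ($rule.UserOrGroupSid -eq $everyone -and $cond.Path -like '%PROGRAMFILES%*') {
                # Path rule, not publisher or hash: anything that lands under this tree runs.
                $findings += "$($coll.Type): '$($rule.Name)' lets Everyone run anything under $($cond.Path)"
            }
        }
    }
}

# The Application Identity service does the evaluation; a local admin can stop it.
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $state = if ($svc) { $svc.Status } else { 'not installed' }
    $findings += "AppIDSvc is $state; AppLocker is not evaluating anything right now"
}
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'").StartMode
if ($startMode -ne 'Auto') {
    $findings += "AppIDSvc start mode is '$startMode'; set it to Automatic so enforcement survives a reboot"
}

if ($findings.Count -gt 0) { $findings } else { 'No default-rule or service weaknesses found' }
```

Run it as part of the same audit pass as the event-log review; a clean policy with a stopped AppIDSvc enforces nothing.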
Big Caveat: Back Doors?
  LOAD_IGNORE_CODE_AUTHZ_LEVEL on LoadLibraryEx
  SANDBOX_INERT on CreateRestrictedToken
  Links:
    http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/
    http://www.wilderssecurity.com/showthread.php?p=1818199
    http://www.wilderssecurity.com/showthread.php?p=1818225

When Does AppLocker Work? In Microsoft's own words:
  Business groups that typically use a finite set of applications
  Not suited for business groups that must be able to install applications as needed and without approval from the IT department
  The number of applications in your organization is known and manageable
  You have the resources to test policies against the organization's requirements, and to involve the help desk or build a self-help process for end-user application access issues

Bottom Line
  Still designed for a homogeneous environment based on a golden image; not practical for diverse PC/user environments
  Unless you can depend on publisher rules, updates break AppLocker, or security is weakened by path rules
  Not effective against end users with local admin authority
  On-demand exceptions are cumbersome
  Reporting is there, but cumbersome
  Script intensive

Bottom Line: The Need
  Centralized control and reporting
  Ability to phase in whitelisting on existing PCs with unique configurations and software
  Ability to completely automate support for updates
  Support for more than Win 7 Ultimate and Enterprise
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Windows 7 AppLocker: Understanding its Capabilities and Limitations

  • 1.
  • 2. Brought to you by. Speakers: Chris Chevalier, Senior Product Manager; Chris Merritt, Director of Solution Marketing. http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx
  • 3. Preview of Key Points. AppLocker: how it works, capabilities, limitations; scenarios where it's right or wrong. © 2011 Monterey Technology Group Inc.
  • 4. Open Ended Survey Question: If you could build your ideal endpoint security agent, what would you include? AntiVirus, application whitelisting, patching, firewall, disk encryption, DLP, device control. What else? Please respond via chat.
  • 5. AppLocker starts from a deny-all point of view. It can be applied to EXEs; DLLs (.dll and .ocx); scripts (.bat, .cmd, .js, .ps1, and .vbs); and Windows Installer files (.msi and .msp).
  • 6. AppLocker Rules. Each rule has: a user or group; file criteria (publisher, path, or file hash); an action (allow or deny); and exceptions (publisher, path, or file hash).
  • 8. AppLocker Rules. All deny rules are processed before allow rules; otherwise sequence is not important. The default rule is deny: add allow rules for selected users and programs. Deny rules override allow rules, and are only needed to override allow rules. Exceptions simply cause the next rule to be evaluated. Multiple GPOs? Rules are additive (including local policy); for enforcement mode, the last GPO wins.
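The precedence rules on slide 8 can be checked empirically with Test-AppLockerPolicy, which evaluates a policy file without applying it. The following is an added example, not code from the webcast or from Microsoft: it hand-builds a small Exe rule collection (one allow rule for the Windows folder with an exception, one deny rule) and asks AppLocker how it would decide for three standard System32 files. It assumes a Windows host with the AppLocker PowerShell module and the usual notepad.exe, cmd.exe and calc.exe under %WINDIR%\System32; the rule names and the temp file path are the example's own choices.

```powershell
# Added example (not from the webcast): exercise AppLocker rule precedence with
# Test-AppLockerPolicy against a hand-built policy. Assumes a Windows host with
# the AppLocker module and the standard files under %WINDIR%\System32.
# Nothing here is applied to the machine; the policy only lives in a temp file.
Import-Module AppLocker

# Rule IDs must be GUIDs; generate fresh ones rather than reusing built-in IDs.
$allowId = [guid]::NewGuid()
$denyId  = [guid]::NewGuid()

# S-1-1-0 is the Everyone SID. EnforcementMode="AuditOnly" mirrors the
# recommended first deployment step; Test-AppLockerPolicy ignores it anyway.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$allowId" Name="Allow Windows folder, except calc.exe"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%SYSTEM32%\calc.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$denyId" Name="Deny cmd.exe for Everyone"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\cmd.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-precedence-demo.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

$system32 = Join-Path $env:WINDIR 'System32'
$samples = @(
    (Join-Path $system32 'notepad.exe'),   # matches the allow rule only   -> Allowed
    (Join-Path $system32 'cmd.exe'),       # allow AND deny both match     -> Denied (deny wins)
    (Join-Path $system32 'calc.exe')       # carved out of the allow rule  -> DeniedByDefault
)

# PolicyDecision is one of Allowed, Denied, DeniedByDefault, AllowedByDefault;
# MatchingRule names the rule that produced an explicit decision.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

The three outcomes are the slide in miniature: cmd.exe is covered by an allow rule yet comes back Denied because the deny rule is evaluated first, and calc.exe comes back DeniedByDefault rather than Denied because an exception does not block anything by itself; it only removes the file from that allow rule, leaving the default deny to apply.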
  • 9. Implementation. Create Default Rules; Automatically Generate Rules; enforcement mode: Audit Only or Enforce.
  • 10. Implementation, Audit Only. Events are logged to Application and Services Logs\Microsoft\Windows\AppLocker; use event forwarding to get a centralized log (not trivial).
  • 11. Implementation. Can't do AppLocker without PowerShell scripting. Get-AppLockerFileInformation: reads the event log to report broken files. New-AppLockerPolicy: can build a new policy from Get-AppLockerFileInformation output. Set-AppLockerPolicy: plugs a policy into a GPO. Test-AppLockerPolicy: tests whether a specified list of files is allowed to run on the local computer for a specified user.
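Slides 9 to 11 describe one procedure: generate rules from a reference machine, roll them out in Audit Only mode, read the AppLocker event log to see what would have been blocked, and feed that back into the policy. The script below is an added example of that loop using the four cmdlets the slide names; it is not the webcast's own code. It assumes a Windows host with the AppLocker module and a clean reference install under %ProgramFiles%; the GPO LDAP path is a placeholder you must fill in, and the working directory, rule-name prefix and the 8003/8006 event IDs in the comments are the example's own additions.

```powershell
# Added example (not from the webcast): the audit-first rollout of slides 9-11,
# driven by the AppLocker cmdlets. Assumes a Windows host with the AppLocker
# module and a clean reference install under %ProgramFiles%. $gpoLdap is a
# placeholder; nothing is written to a GPO until you set it.
Import-Module AppLocker

$workDir    = Join-Path $env:TEMP 'applocker-rollout'
$policyPath = Join-Path $workDir 'reference-policy-audit.xml'
$gpoLdap    = ''   # placeholder, e.g. 'LDAP://dc1.corp.example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Inventory the reference machine. Publisher rules survive vendor updates;
#    hashes are the fallback for unsigned files. Path rules are deliberately
#    not requested: they are the weak option the Bottom Line slide warns about.
$fileInfo = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse `
    -FileType Exe, Dll, Script, WindowsInstaller

# 2. Turn the inventory into allow rules for Everyone. -Optimize folds per-file
#    rules into one rule per publisher where it can; -IgnoreMissingFileInformation
#    skips files for which neither a publisher nor a hash could be read.
$policyXmlText = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -RuleNamePrefix 'Ref' `
    -IgnoreMissingFileInformation -Xml

# Force every rule collection into AuditOnly before it reaches any endpoint.
[xml]$policyDoc = $policyXmlText
foreach ($collection in $policyDoc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyDoc.Save($policyPath)

# 3. Dry-run the policy against the same tree before deploying. Anything the
#    generated rules would not allow shows up here, where it is cheap to fix.
$notAllowed = Get-ChildItem -Path $env:ProgramFiles -Recurse -File -Include *.exe, *.dll |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault
$notAllowed | Select-Object FilePath, PolicyDecision | Format-Table -AutoSize

# 4. Enforcement depends on the Application Identity service. The slides'
#    caveat is that a local admin can stop it, so report its state rather than
#    assuming it (StartType needs PowerShell 5 or later).
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 5. Push to the GPO in audit mode. -Merge keeps the default rules already in
#    the GPO (the ones that let Windows itself run); without them a later
#    switch to Enforce locks the machine.
if ($gpoLdap) {
    Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $gpoLdap -Merge
}

# 6. After the audit period: what would have been blocked? Audited events
#    (8003 in the EXE and DLL log, 8006 in the MSI and Script log) record files
#    that ran but would have been stopped under Enforce.
$auditLogs = 'Microsoft-Windows-AppLocker/EXE and DLL',
             'Microsoft-Windows-AppLocker/MSI and Script'
$wouldBlock = foreach ($log in $auditLogs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited
}
$wouldBlock | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Files you decide are legitimate feed straight back into a policy revision;
# review the list first, since audit events also record whatever users ran.
#   Get-AppLockerFileInformation -EventLog -LogPath $auditLogs[0] -EventType Audited |
#       New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
```

Step 6 is also where the slide's centralization problem bites: Get-AppLockerFileInformation reads the local event log only, so on a fleet it has to run against a collector that receives the AppLocker channels through event forwarding, or be run per machine and the results gathered.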
  • 12. Caveats. Windows 7 Enterprise & Ultimate only; no support for Windows 7 Pro, Vista, XP… Based on the computer's OU, not the user's OU: users are locked out of some applications on some computers, but not others. Default rules: allow any local admin to run everything; allow Everyone to run everything under %Program Files%; 64-bit editions.
  • 13. Caveats. Only intended for least-privilege environments. Default rules: local admins can stop the AppId service; local admins can add allow rules. User Account Control can be a gotcha.
  • 14. Big Caveat. Back doors? LOAD_IGNORE_CODE_AUTHZ_LEVEL on LoadLibraryEx; SANDBOX_INERT on CreateRestrictedToken. Links: http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/ http://www.wilderssecurity.com/showthread.php?p=1818199 http://www.wilderssecurity.com/showthread.php?p=1818225
  • 15. When Does AppLocker Work? In Microsoft's own words: business groups that typically use a finite set of applications; not suited for business groups that must be able to install applications as needed and without approval from the IT department; the number of applications in your organization is known and manageable; you have resources to test policies against the organization's requirements, involve the help desk, or build a self-help process for end-user application access issues.
  • 16. Bottom Line. Still designed for a homogeneous environment based on a golden image; not practical for diverse PC/user environments. Unless you can depend on publisher rules, updates break AppLocker, or security is weakened by path rules. Not effective against end users with local admin authority. On-demand exceptions are cumbersome. Reporting is there but cumbersome. Script intensive. © 2011 Monterey Technology Group Inc.
  • 17. Bottom Line, The Need. Centralized control and reporting; ability to phase in whitelisting on existing PCs with unique configurations and software; ability to completely automate support for updates; support for more than Win 7 Ultimate and Enterprise. © 2011 Monterey Technology Group Inc.
  • 18. Brought to you by. Speakers: Chris Chevalier, Senior Product Manager; Chris Merritt, Director of Solution Marketing. http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx