Windows 7 AppLocker is a great leap forward compared to its predecessor, Software Restrictions, which is good because the risks of uncontrolled software on desktops and laptops have never been greater. In this presentation, Randy Franklin Smith of UltimateWindowsSecurity highlights what AppLocker can do: how to deny all executables, scripts and Windows Installer files other than those that you specifically allow on a user, group or organizational unit basis. Randy also highlights the limitations of AppLocker, including how this native functionality stacks up against the realities of today’s desktop/laptop environments where:
•there are many exceptions to the rule;
•many users have unique needs;
•you have multiple configurations, multiple OS versions and applications;
•and, where change is a constant.
Depending on your environment these limitations can be significant, adding up to broken workstations and extra care and feeding. For instance, AppLocker is designed for fairly homogeneous environments, but in many real-world environments each PC is really unique, which stretches the exception capabilities of AppLocker. AppLocker’s limitations carry over to handling system and application updates: endpoint change is constant, and you don’t want user productivity to screech to a halt because an application was updated without updating the AppLocker policy. Then there’s the issue of reporting and visibility into what your software restriction policies are actually doing and what impact they have on your end users.
The presentation highlights other caveats and includes a demonstration of Lumension Intelligent Whitelisting and how this innovative solution takes you beyond AppLocker and addresses the gaps and risks identified in Randy's presentation.
Windows 7 AppLocker: Understanding its Capabilities and Limitations
2. Brought to you by
Speakers:
•Chris Chevalier, Senior Product Manager
•Chris Merritt, Director of Solution Marketing
http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx
4. Open Ended Survey Question
If you could build your ideal endpoint security agent, what would you include?
•AntiVirus
•Application Whitelisting
•Patching
•Firewall
•Disk encryption
•DLP
•Device Control
•What else? Please respond via Chat
5. AppLocker
•Starts from a deny all point of view
•Can be applied to:
  •EXEs
  •DLLs (.dll and .ocx)
  •Scripts (.bat, .cmd, .js, .ps1, and .vbs)
  •Windows Installer (.msi and .msp)
6. AppLocker Rules
•Rules
  •User or group
  •File criteria: Publisher, Path, File Hash
  •Action: Allow or Deny
  •Exceptions: Publisher, Path, File Hash
8. AppLocker Rules
•All deny rules processed before allow rules
  •Otherwise sequence not important
•Default rule is deny
  •Add allow rules for selected users and programs
•Deny rules override allow rules
  •Only needed to override allow rules
•Exceptions simply cause next rule to be evaluated
•Multiple GPOs?
  •Rules additive (including local policy)
  •Enforcement mode (last GPO wins)
10. Implementation
•Audit Only
•Events logged to Applications and Services Logs\Microsoft\Windows\AppLocker
•Use event forwarding to get centralized log
  •Not trivial
11. Implementation
•Can’t do AppLocker without PowerShell scripting
•Get-AppLockerFileInformation
  •Reads event log to report broken files
•New-AppLockerPolicy
  •Can build new policy from Get-AppLockerFileInformation
•Set-AppLockerPolicy
  •Plug policy into a GPO
•Test-AppLockerPolicy
  •Test whether a specified list of files are allowed to run on the local computer for a specified user
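As an added example that is not part of the presentation, here is the audit-first workflow slides 8, 10 and 11 describe (default-deny allow rules, AuditOnly enforcement, the AppLocker event log, and the four cmdlets) written out in PowerShell; the output path, the user name and the LDAP path in the comments are placeholders.

```powershell
# Added example, not from the slide deck. Assumes an elevated PowerShell session on
# Windows 7 Enterprise/Ultimate (or later) with the AppLocker module available.
Import-Module AppLocker

$policyPath = 'C:\Temp\AppLocker-Audit.xml'   # placeholder output path

# 1. Inventory a reference machine and generate allow rules for Everyone.
#    Publisher rules are preferred (they survive updates of signed apps),
#    Hash is the fallback for unsigned files, and -Optimize merges rules.
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
    -FileType Exe, Script, WindowsInstaller
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File -FilePath $policyPath -Encoding utf8

# 2. Switch every rule collection to AuditOnly so that "would have been blocked"
#    is logged (slide 10) rather than enforced, before any workstation breaks.
[xml]$xml = Get-Content -Path $policyPath
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyPath)

# 3. Apply it. -Merge keeps the default rules already in the local policy;
#    use -Ldap 'LDAP://CN={GUID},CN=Policies,...' (placeholder) to target a GPO.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 4. After the audit period, summarise what the policy would have blocked from
#    the event log slide 10 points at (EXE/DLL channel shown; the
#    'Microsoft-Windows-AppLocker/MSI and Script' channel is read the same way).
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics

# 5. Before changing the collections to Enabled, test a directory of files
#    against the XML policy for one (placeholder) user and list only denials.
Get-ChildItem -Path 'C:\Program Files' -Filter '*.exe' -Recurse |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User 'CONTOSO\jdoe' `
        -Filter Denied, DeniedByDefault
```

Step 4 is where the slide's "not trivial" centralisation comes in: without event forwarding, this only reports the local machine's audit events.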
12. Caveats
•Windows 7 Enterprise & Ultimate only
  •No support for Windows 7 Pro, Vista, XP…
•Based on Computer’s OU not User’s OU
  •Users are locked out of some applications on some computers, but not others
•Default rules
  •Allow any local admin to run everything
  •Allow Everyone to run everything under %Program Files%
•64 bit editions
13. Caveats
•Only intended for least privilege environments
  •Default rules
  •Local admins can stop AppId service
  •Local admins can add allow rules
•User Account Control can be a gotcha
14. Big Caveat
•Back doors?
  •LOAD_IGNORE_CODE_AUTHZ_LEVEL on LoadLibraryEx
  •SANDBOX_INERT on CreateRestrictedToken
•Links
  •http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/
  •http://www.wilderssecurity.com/showthread.php?p=1818199
  •http://www.wilderssecurity.com/showthread.php?p=1818225
15. When Does AppLocker Work?
•In Microsoft’s own words:
  •Business groups that typically use a finite set of applications
  •Not suited for business groups that must be able to install applications as needed and without approval from the IT department
  •Number of applications in your organization is known and manageable
  •You have resources to test policies against the organization's requirements
  •Involve help desk or build a self-help process for end-user application access issues