AppLocker – Part 1

Introduction:
AppLocker has been around for a few years and whilst the concept is very simple, the implementation can get very complex. In this series of blogs, I will look at AppLocker rules and the implementation of these rules .

Blacklisting vs Whitelisting
The first decision you face to decide if your organization can benefit from deploying AppLocker is whether to go “whitelisting” or “blacklisting”.
Before you start, let’s look at the definition of the two.

Blacklist
A list of applications that are regarded as unacceptable or untrustworthy and should be excluded or avoided. These applications would be explicitly specified in an AppLocker rule to block these applications from running. Therefore, anything can be executed provided it hasn’t been “Blacklisted”.

Whitelist
A list of applications considered to be acceptable or trustworthy. These applications would be explicitly specified in an AppLocker rule and only these applications would be allowed to run and therefore implicitly deny anything other than the whitelist applications.

Now you have a clear idea of what these options mean and probably know what route you would like to take, but there are more considerations to look at.
Below is a small comparison between the two:

Conclusion
In very large organizations where applications are not all known, you would require enough time to gather and analyse the AppLocker event logs. Although implementing blacklisting could be easier and a “quick” win, the efforts put into whitelisting ensures a more secure environment.
Keep in mind that AppLocker is not a replacement for your anti-virus software, but rather compliments it by assisting to prevent the execution of unwanted applications.

In the next blog I will look at AppLocker Rules, Rule Conditions and how to enforce them.

AppLocker Part 2
AppLocker Part 3
AppLocker Part 4