In the previous blog we looked at the two paths, “whitelisting” and “blacklisting”, you could follow implementing AppLocker. In this blog I will look at the AppLocker Rules, Rule Conditions and how to enforce them.
NB. The Application Identity service is required to run for AppLocker to function. This can be configured in a GPO to automatically start the service.
AppLocker Group Policy
AppLocker is configured via GPO by creating various rules to either allow or deny applications. The AppLocker GPO setting can be found under Computer Configuration – Policies – Windows Settings – Security Settings – Application Control Policies – AppLocker
AppLocker is organized into four areas called rule collections. The four rule collections are executable files, scripts, Windows Installer files and Packaged app. The following table lists the file formats included in each rule collection.
|Rule collection||Associated file formats|
|Scripts||.ps1 .bat .cmd .vbs .js|
|Windows Installer||.msi .msp .mst|
|Packaged Apps||Packaged apps and packaged app installers: .appx|
AppLocker Rule Conditions
Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are:
- File Hash
- This condition identifies an application based on its digital signature and extended attributes. The digital signature contains information about the company that created the application (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the application is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization.
- Publisher conditions can be created to allow applications to continue to function even if the location of the application changes or if the application is updated.
- When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider down or by using a wildcard character (*) in the product, file name, or version number fields.
- The Path condition identifies an application by its location in the file system of the computer or on the network.
- AppLocker uses its own path variables for directories in Windows. (See the table below)
- AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.
|Windows directory or drive||AppLocker path variable||Windows environment variable|
|Windows installation directory||%OSDRIVE%||%SystemDrive%|
|Program Files||%PROGRAMFILES%||%ProgramFiles% and %ProgramFiles(x86)%|
|Removable media (for example, CD or DVD)||%REMOVABLE%|
|Removable storage device (for example, USB flash drive)||%HOT%|
- When the file hash condition is chosen, the system computes a unique cryptographic hash of the identified file that is based on the SHA256 algorithm that Windows uses. The hash condition type is unique. Therefore, each time a publisher updates a file, you must create a new rule.
- For files that are not digitally signed, file hash rules are more secure than path rules. •Allows applications, which may not be signed by their publishers, to be managed under AppLocker.
- The advantage is that, because each file has a unique hash, a file hash rule condition applies to only one file.
- The disadvantage is that each time the file is updated (such as a security update or upgrade) the file’s hash will change, thus making it immune to the current AppLocker policy, requiring a new rule to be created.
AppLocker rule enforcement can be configured in the GPO by navigating to Computer Configuration – Policies – Windows Settings – Security Settings – Application Control Policies – AppLocker and clicking on the Configure rule enforcement
The rule enforcement option are as follow:
- Not configured (If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the Not configured value.)
- Enforce rules (Rules are enforced for the rule collection, and all rule events are audited.)
- Audit only (Rule events are audited only. Use this value when planning and testing AppLocker rules.)
IMPORTANT: By default, AppLocker blocks all Packaged Apps if an EXE ruleset exists without a Packaged App ruleset
In this blog we looked at the rules and rule conditions for AppLocker. It is important to understand each rule condition to ensure you apply the rules effectively.
In the next blog we will look at AppLocker in Audit mode.