Our next step is to configure our default (white list rules). If this was a production environment and if you were unsure if any applications are used outside the default rule locations, you would want to change this to Audit Only or do a phased rollout.Ĭonfiguring AppLocker Enforcement Properties Because this is a test environment, we are going to leave Enforce Rules as the default method. We are going to select the enforcement options for Executables and Scripts. Select the main AppLocker node and then choose Configure Rule Enforcement. Our first step is to configure how AppLocker will run. For right now, we are only concerned with executables and scripts as they comprise the bulk of threats. vbs) DLLs files (optional) Modern Apps (.appx) and MSIs (or MSPs). With AppLocker, we can control five types of files: executables (.exe. As a best practice, you should always use the latest GPMC (and RSAT tools) available. If possible, edit this GPO from a Windows 8/Server 2012 machine in order to get the most out of AppLocker. The OS you edit the GPO from will determine what AppLocker can control. If you are not on a Server OS (2008 R2+) or an Enterprise Client OS, you won’t see this service.Įnabling the Application Identity (AppLocker) ServiceĪfter enabling the service, navigate down to the Application Control Policies node and expand AppLocker. Select the Application Identity service and set it to Automatic. Edit the GPO and navigate to Computer Configuration/Windows Settings/Security Settings/System Services. Be sure that this GPO is not linked to an OU at this time. We will store our domain’s general AppLocker settings in this GPO. Create a new GPO named AppLocker Configuration. Once again, we are going to turn to Group Policy. Suddenly, you no longer have to worry about updating definitions or the latest threat! If it wasn’t trusted before, it won’t run now.
![configure executable rules enforcement for applocker. configure executable rules enforcement for applocker.](https://www.howtogeek.com/wp-content/uploads/2009/11/3applock.png)
![configure executable rules enforcement for applocker. configure executable rules enforcement for applocker.](https://www.rootusers.com/wp-content/uploads/2017/03/gpme-applocker-1024x679.png)
Anything not on the whitelist is not allowed to run. A whitelist comprises of known trusted software. In terms of security, the real power of AppLocker rests in the ability to create a whitelist. Blacklists are always limited because malware constantly changes. Malicious software is caught when it is known or when it behaves a certain way. What is so important about a Whitelist? With a traditional antivirus, malware is detected through definition files. AppLocker, available in Windows 7/8 Enterprise, addressed these limitations and added some essential features. Further, these policies lack flexibility in who they applied to or how they were deployed. While it was easy to block or allow specific applications, creating global whitelists or global blacklists was nearly impossible. If you have ever used Software Restriction Policies, you fully understand the inherit limitations. With the release of Windows 7, Microsoft essentially replaced Software Restriction Policies with the introduction of AppLocker. The biggest change though was the implementation of AppLocker with whitelisting. We were given the go ahead to do whatever was necessary to prevent a future breakout. We removed all administrative rights for users, tightened file security and the Windows firewall, and increased the level of protection provided by UAC.
![configure executable rules enforcement for applocker. configure executable rules enforcement for applocker.](https://www.anoopcnair.com/wp-content/uploads/2020/03/image-185.png)
![configure executable rules enforcement for applocker. configure executable rules enforcement for applocker.](https://www.compspice.com/wp-content/uploads/2019/01/applocker.png)
Administration was finally convinced that something had to be done with security. This caused a paradigm shift for our organization. Eventually, we took the entire site offline and imaged every machine. We couldn’t wipe machines faster than the malware could spread. A few years ago, we had a horrible conficker infection. The total infected count climbed to just under 1000 machines.