I would like to know the main differences, advantages and disadvantages between applocker (win 10) and a commercial HIPS in an enterprise environment. I can imagine a few of them but I would appreciate your input if you have experience with applocker because I have never touched it. What enterprise HIPS do you know? McAfee, Comodo...
In a "nutshell:" AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls. Ref.: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview AppLocker is used primarily to restrict user access based on privileges. Whereas, a classical HIPS is used to restrict access for processes, files, and registry areas absolutely. Additionally, some of the older HIPS's did provide a capability to lower access privileges along the lines of AppLocker for select processes like the browser.
If I'm correct, AppLocker is meant to block process execution, so it doesn't monitor process behavior, like HIPS do. So they are not really comparable.
I will also add that there are hybrid HIPS's like AppGuard that can be used in enterprise environments that combine the privilege restrictions of AppLocker and also provide HIPS like rule capability to restrict process, file, and registry modification. AppGuard provides Windows ring 0 and 1 security restrictions in the form of user and system mode restrictions. Also many endpoint solutions such as Eset use built-in default rules in their HIPS's to restrict activities from 0-day malware.
Example which itman's nutshell explanation of AppLocker. AppLocker has the option to allow specific signers to run. For instance on my wife's laptop Windows 7 ultimate laptop only Intel (Chip), Realtek (sound), Broadcom (Wireless), Lenovo (laptop), Microsoft (OS+Office), MalwareBytes, Google and Albelli (photobook) are allowed to run. Chrome puts its flash updates in and Albelli has all its executables in (AppData) user folders. It is real easy to set a explicit deny for a folder (e.g. AppData\Chrome) with an exception rule on signer and product (Google signer and Chrome Flash). So you can make this much more granular than Software Restriction Policies. AppLocker checks the validity of the signature, so I don't worry about signed malware (booooohhhhhhhh). I have set UAC to elevate silently, combined with the option to allow only signed signature to elevate. Despite trojoan's and ransomware being delivered via mail she has not been infected since upgrading from XP. Using only Windows internal mechanisms, makes a PC snappy and responsive. Her 2010 laptop (Dual Core Pentium) with a 1 TB Hybrid runs faster than her work laptop protected by Checkpoint (with HIPS) using encrypted HD with i5. After a few months using Windows 10, she asked me to degraded her laptop to Windows 7 again, because her work laptop also runs Windows 7. To be honest on Windows 10 (I had Pro), I was struggling with SRP to allow Albelli to update and with Flash updating in AppData. AppLocker is really an improvement over SRP in terms of useability.
@Windows_Security Do you utilize AppLocker's DLL filtering option on your wife's laptop? If so, have you noticed any performance hit with that option?
@WildByDesign Yes I do guard DLL's, but despite the warning and the low spec CPU I did not notice a performance drop. I use it like this Default allow all on Windows and Program Files folders Deny all on User\AppData\Temp folder except for signed DLL'svof Intel, Realtek, Broadcom, Microsoft (Windows and Office) and MalwareBytes Deny all on User\AppData\Albelli folder except for signed DLL's of Albelli Deny all on User\AppData\Chrome\User Data\PepperFlash except for sgned DLL's of Google\FLash Chrome installs in Program Files, so you don't need to exclude them in Temp Folder (default folder where most programs install). I have MalwareBytes Premium (thanks to Pedro) which also guards Albelli photobook (set as other with as many advanced options enables as possible).
Due to comments in another thread, I looked at the laptop and discovered that for daily use my wife is running as basic user. I allow to elevate to another user with admin rights. The basic user is not allowed to run cmd.exe, mshta.exe, regsrvr32, rundll32, regini, etcetera (plus 16 bits disabled).
