Anyone running AppLocker?

Discussion in 'other security issues & news' started by acr1965, May 16, 2010.

Thread Status:
Not open for further replies.
  1. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    I have Win. 7 x64 Ultimate. Is there a starting point or something basic for someone wanting to learn how to use AppLocker?

    So far I've come up with configure the rule enforcement, create a set of default rules, automatically generate the rules or create your own set of rules but to do this I think one would have to fully understand AppLocker.

    I'm just looking for a starting point with the rules, then eventually work from there, but all these other different scenarios of rule making make it somewhat confusing. I've got SRP down; now I'm ready to give AppLocker a try. Believe me, I've been reading about it, but when you read 5 or 6 different posts from people here at Wilders and the rules they make, it does start to get a bit confusing.

    Also what about the UAC? What difference will it make if it's on, off or set to high? Would this create any problems with the rules set?
    I'm reading some of this here in this thread but not fully understanding what is being said.

    Last thing, what if you want to download and install a program AFTER you have Applocker set up, what do you do to get the program installed? Do you also need to create a rule for installing programs?
     
    Last edited: May 17, 2010
  2. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    @ wat0114
    And for the Windows folders? What rules do you use?
    Here, when I tried it, I used the auto-generate wizard to create publisher/hash rules for all content in the Program Files and Windows folders, and the default ones for DLLs and Windows Installers. When an update/installation needed new rules, before performing it I used CTM to restore to a "known good" snapshot, performed the updates/installations, took a new snapshot and used synchronize on the needed folders. Tried with Returnil free too, virtualizing the system.
     
    Last edited: May 17, 2010
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Honestly, I have no idea why anyone would auto-generate rules for some random programs, particularly in folders that would allow limited users write access. But, MrBrian's caveat about auto-generating rules to accidentally allow some previously downloaded trojan seemed to require doing that sort of thing, unless I misunderstood something. And it was that scenario that I tried to address in my previous posts. It would make sense to auto-generate rules for a folder like Program Files where only admins have write access. I don't see why anyone would auto-generate rules for some limited user's profile folder or something like that.

    That's exactly the way I see it, too. Some downloaded malware would only ever get allowed by AppLocker if we actually went and for some reason auto-generated rules for a folder where LUA has write access - which is something that would have obvious consequences - without checking what the files in said folder are. I can see auto-generating rules for the user's Chrome installation folder - but some folder containing unknown executables? :D
     
    Last edited: May 17, 2010
  4. wat0114

    wat0114 Guest

    Create your defaults first as a starting policy. This way you won't inadvertently block something necessary with Applocker.

    I've found the below MS Technet link to be the best, imo, for learning about Applocker. Don't miss the step-by-step guide.

    http://technet.microsoft.com/en-us/library/dd723686(WS.10).aspx
     
    Last edited by a moderator: May 17, 2010
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah, I cross-posted with you. :D
     
  6. wat0114

    wat0114 Guest

    I also went with auto-generate for the Windows directory, but if you go with at least auto-generate on the Program files directory, then I believe it's fine to go with the default path rules for the Windows directory. I'd say your approach is solid. MrBrian's is fine too. I'm only debating this because MS states the following on default rules:

    Quoted from: http://technet.microsoft.com/en-us/library/ee460941(WS.10).aspx

    Now MrBrian does elaborate on the defaults by adding exceptions for all the directories an lua user could write to, so nothing wrong with that and certainly bolsters those rules considerably with those exceptions. However, I do not see anything wrong with using the Auto-generate option especially when used with some common sense. After all, I may not have the technical wherewithal of a MrBrian or Windchild to name a few, but I'm not so stupid as to allow malicious programs onto my machine, then create Applocker rules for them, Auto-generated or not.

    As for the Auto-generate feature, the basic premise for using it is when the Admin has installed all the programs they want on their machine; it's set up exactly to their liking, so they might have a program profile something like:

    MS Office suite
    Firefox browser
    Disk burning suite
    Music player
    Screen capture program
    GPS update program
    Adobe Photoshop
    VM Program

    In addition, there is all the MS defaults programs such as Paint, Games, Notepad/Wordpad and etc.

    Administrator Auto-generates the %ProgramFiles% directory (including Program Files (x86) in 64 bit OS'), and whitelists all these safe programs and might even use exceptions on some selected lua account(s) or simply limit certain programs like I did with nVidia cp to the Admin account only, or to selected user(s).

    Simply put, this means any other executable somehow written to the machine is going to be default denied if it attempts to execute.
     
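    The auto-generate step wat0114 describes can also be done from the AppLocker PowerShell module that ships with Windows 7/Server 2008 R2, which makes it easier to review what the wizard would produce before anything is applied. The following is an added example, not code from the thread or from Microsoft's documentation; the output file path is an assumption, and the final Set-AppLockerPolicy line is left commented out so the generated rules are reviewed first.

```powershell
# Added example (not from the thread): build the equivalent of the
# "Automatically Generate Rules" wizard for %ProgramFiles% with the AppLocker
# module, but write the policy to XML for review instead of applying it.
Import-Module AppLocker

# Both Program Files trees exist on x64 (the thread's case); on x86 the
# second entry is empty and is filtered out.
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

# Collect publisher/hash information for executables and DLLs, which is
# what the wizard does behind the scenes.
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Dll
}

# Prefer publisher rules and fall back to hash rules for unsigned files.
# -Optimize collapses many files from one publisher into a single rule.
# -Xml returns the policy as text rather than as a policy object.
$xml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

$out = "$env:USERPROFILE\Desktop\applocker-programfiles.xml"   # assumed path
$xml | Out-File -FilePath $out -Encoding UTF8

# Review aid: files that are unsigned end up covered only by a hash rule,
# and those are the rules that break on every program update.
Write-Host "Unsigned files that will get hash rules:"
$fileInfo | Where-Object { -not $_.Publisher } |
    Select-Object -ExpandProperty Path

# Only after reviewing $out, merge it into the local policy (uncomment):
# Set-AppLockerPolicy -XmlPolicy $out -Merge
```

    Running this against %ProgramFiles% only, as the post recommends, keeps the generated rules confined to folders where limited users have no write access; pointing it at a user-writable folder would whitelist whatever happens to be sitting there, which is the concern raised earlier in the thread.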
  7. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Thanks wat0114 for the link, more to read and learn.
    I remember having a ton of questions about using SRP, so this is no different; it just seems like there is so much more to using Applocker.
     
  8. wat0114

    wat0114 Guest

    Ahh, sorry about that. I took out the superfluous info ;) Good to see you're checking out Applocker. I'm thinking a combination approach of Auto-generating rules with MrBrian's path exceptions could be the strongest way to set up Applocker, but I just don't see it necessary as of yet with Auto-generated rules to create those path exceptions. Maybe soon I'll experiment.

    You're welcome. Applocker really does not involve too much more, if anything significantly more at all, than SRP. There is a features change chart from SRP at the following link:

    http://technet.microsoft.com/en-us/library/ee424367(WS.10).aspx

    Just scroll down a bit to see it.. I find the info on Applocker in these Technet links to be the best. Keep in mind, too, that the "Audit only" enforcement mode can be an absolute sanity saver when you are in the early stages of setting up your rules, or if you find a program isn't working right after you've enforced the ruleset. You simply go to Computer management->Event viewer->Application and services logs->Microsoft->Windows->Applocker, then check for "Error" level entries to see what was blocked. If it was a safe file that you need to run, then you simply custom-create a rule for it based on the path information given in the log details, as seen in the ss. ps, i don't use holdemindicator.exe. Someone in this forum earlier sent it to me to test with the Win 7 fw.
     

    Attached Files:

    Last edited by a moderator: May 17, 2010
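    The log walk wat0114 describes (Event Viewer, Applications and Services Logs, Microsoft, Windows, AppLocker) can be scripted so that a run in "Audit only" mode produces a per-file summary of what would have been blocked. This is an added example, not code from the thread; it reads the AppLocker "EXE and DLL" log, where event ID 8003 is the audit-mode "would have been blocked" entry and 8004 is the enforce-mode "blocked" entry, and pulls the file path, hash and publisher out of the event payload, which is the information a custom rule needs.

```powershell
# Added example (not from the thread): summarise audited (8003) and blocked
# (8004) executions from the AppLocker EXE and DLL log, one row per file.
$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Get-WinEvent raises an error rather than returning nothing when the log
# has no matching entries, so silence it and test the result instead.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 8003, 8004 } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No audited or blocked executions recorded.'
    return
}

$rows = $events | ForEach-Object {
    # The interesting fields live in the event's UserData section.
    $x = [xml]$_.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Action    = if ($_.Id -eq 8004) { 'Blocked' } else { 'Audit: would block' }
        File      = $d.FilePath
        Hash      = $d.FileHash
        Publisher = $d.Fqbn          # fully qualified binary name; '-' if unsigned
        User      = $d.TargetUser
    }
}

# One row per file, most frequent first, so a program that is failing
# repeatedly after enforcement shows up at the top.
$rows |
    Group-Object File |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        New-Object PSObject -Property @{
            Count     = $_.Count
            Action    = $first.Action
            File      = $_.Name
            Publisher = $first.Publisher
            Hash      = $first.Hash
        }
    } |
    Select-Object Count, Action, File, Publisher, Hash |
    Format-Table -AutoSize
```

    The same pattern applies to the other AppLocker logs ("MSI and Script" uses the same event IDs); whether the file in the output deserves a publisher, hash or path rule is still a judgement call, but the Fqbn column tells you immediately whether a publisher rule is even possible.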
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Oops, I made a mistake in my list.

    The line that formerly was

    "Allow Everyone to run all Windows Installer files in Windows folder"

    should have been (and has been changed to)

    "Allow Everyone to run all Windows Installer files in %systemdrive%\Windows\Installer folder"

    In the future, if I find that I need to change this rule to "Allow Everyone to run all Windows Installer files in Windows folder," I will indeed add those same exceptions.
     
    Last edited: May 17, 2010
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    As you've since stated that you're careful about which folders you're auto generating rules for, you should be fine :). I couldn't tell from what had been posted prior whether you'd meant you're auto generating rules for all folders. Be careful though of auto generating rules for anything located in those folders within the Windows folder that I listed as exceptions, because limited users (and malware running as limited user) can write to and execute at least some parts of each of those folders.

    Out of curiosity, is there any specific scenario in which there is a security advantage to auto generating AppLocker rules vs. using my ruleset, given the following assumptions?
    a) UAC is on highest setting
    b) I'm careful and have common sense about what's allowed to elevate
    c) I audit permissions on Program Files and Windows folders after every program installation (or batch of programs), and adjust any improper permissions found
     
    Last edited: May 18, 2010
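    Assumption c) above, auditing permissions on the Program Files and Windows folders after each installation, is the part that keeps a path-based ruleset honest, because a path allow rule is only as safe as the write permissions on the path it covers. As an added example (not code from the thread), the following script walks those trees and reports any sub-folder where a low-privilege principal holds create-file or create-directory rights; each hit is a candidate for a path-rule exception of the kind MrBrian describes.

```powershell
# Added example (not from the thread): list sub-folders of the Windows and
# Program Files trees that a limited user could write to. Such folders must
# not be covered by a plain path allow rule without an exception.
$roots = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

# Principals that a limited user (or malware running as one) belongs to.
$lowPriv = @('BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users',
             'Everyone',
             'NT AUTHORITY\INTERACTIVE')

# Rights that let a principal place a new file or folder inside a folder.
# Modify and FullControl include these bits, so they are caught as well.
$writeMask = [System.Security.AccessControl.FileSystemRights] 'CreateFiles, CreateDirectories'

function Test-UserWritable {
    # Returns the first Allow ACE granting write rights to a low-privilege
    # principal, or $null. This inspects Allow ACEs only; a matching Deny ACE
    # could override a hit, so treat output as a list to verify, not a verdict.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
    return $null
}

$roots | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $hit = Test-UserWritable $_.FullName
            if ($hit) {
                New-Object PSObject -Property @{
                    Folder    = $_.FullName
                    Principal = $hit.IdentityReference.Value
                    Rights    = $hit.FileSystemRights
                }
            }
        }
} | Select-Object Folder, Principal, Rights | Format-Table -AutoSize
```

    Run it elevated so that every folder can be read. Each folder it prints is one that a default-style "allow everything under %WINDIR%" path rule would also allow, which is exactly why the earlier posts pair the default rules with exceptions for those locations.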
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Scenario: after the auto-generate whitelists the malware that formerly couldn't execute, the user performs the same operation which caused the buffer overflow the first time, which causes the same file to be downloaded again, but this time is executed because it's now whitelisted.
     
    Last edited: May 18, 2010
  12. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    From what I see in your setup, no. From what I read, the weak point in using path rules for the Windows folder is that some folders in it are writable by standard users... so a way to bypass AppLocker. Since you audit your folders and create exclusions, no problems.
     
  13. wat0114

    wat0114 Guest

    MrBrian, I think your approach is rock solid, as long as no user accessible folders are missed in the exceptions list.

    One question about UAC on highest level, besides bothering the Administrator with frequent consent prompts, does it offer better security than the default setting? It looks as though with the default level running as administrator, it prompts for consent on non-Windows binaries, but prompts exactly the same as the highest setting for users as:
    *EDIT*

    Hmm, seems there're differences between an Enterprise environment or Group Policy Settings? As far as a single computer goes, maybe all that applies is what's explained in the link:

    http://support.microsoft.com/kb/975787

    It looks like the highest setting will warn of programs attempting to make both changes and install software on the machine, whereas Default level warns only of programs attempting to make changes to the computer, so it does seem more secure. It seems possible, however, to setup different UAC configurations through the GPO (MS Technet shows 10 different settings through Group Policy Editor).

    Okay, found a link here that seems to describe it best, so I think I will try running with UAC at highest for a while to see if I can live with the Administrator consent nags :)
     
    Last edited by a moderator: May 17, 2010
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    My concern on the default UAC level is that malware could execute the Windows binaries (or whatever else the default level can do without a UAC prompt) in ways that result in undesirable consequences, without triggering a UAC prompt.
     
  15. wat0114

    wat0114 Guest

    Yes, according to MS, somewhere I read, you are right. BTW, all the extra UAC settings I found under the secpol.msc hood in the ss :)
     

    Attached Files:

  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Good find :).

    Regarding default UAC level (from that same link):
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you're using UAC and you're admin and not elevated, then rules for Administrators group will not trigger. If you're using UAC and you're admin and you're elevated, then rules for Administrators group will trigger. If you've disabled UAC and you're admin, then rules for Administrators will trigger. Since I have rules that allow Administrators to run anything, there would be a huge impact if I disabled UAC and ran as admin.
     
  18. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Yes, nice. You and I understand each other well! By the way, why don't you use SuRun? It's beta for Win 7 but works nicely. Have you tried it?
     
  19. arjunned

    arjunned Registered Member

    Joined:
    Apr 1, 2008
    Posts:
    191
    Hey,
    I've just started using AppLocker recently.

    My rules are (running an Admin acc with UAC enabled):

    1. Default rules for Executables, Windows Installers & Scripts.
    2. Deny execution from any Downloads folder (for all 3).
    3. Have a folder called My Safe Folder, from which I allow execution of only .exe's using Path rules. This folder is also forced sandboxed in Sandboxie, just in case.
    4. Deny execution from My Data partition (M:\).
    5. Have set File Hash for a few programs that don't have Publisher rules.
    6. Rules for my games using either Publisher/File Hash, whichever is possible.

    I've tried to keep as few rules as possible, so that pretty much any new exe or script introduced to the system will be Denied. Tried to use only Publisher and File Hash rules (as I think this would be more secure?).

    Any comments are greatly appreciated.

    Ned.
     
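    A ruleset like the one above is easiest to sanity-check against real files before switching from "Audit only" to "Enforce rules". The following is an added example, not code from the thread: it takes the effective AppLocker policy and asks Test-AppLockerPolicy what decision it would reach for each executable or script found under the folders the rules are meant to control. The folder names are assumptions taken from the post; substitute the ones your own rules reference.

```powershell
# Added example (not from the thread): evaluate the effective AppLocker
# policy against files in the folders a ruleset is supposed to control.
Import-Module AppLocker

# Folders from the ruleset above and the decision each is expected to yield.
$checks = @(
    "$env:USERPROFILE\Downloads",        # rule 2: expect Denied
    "$env:USERPROFILE\My Safe Folder",   # rule 3: expect Allowed for .exe only
    'M:\'                                # rule 4: expect Denied
) | Where-Object { Test-Path $_ }

# Gather the file types AppLocker's Exe, Windows Installer and Script
# collections cover. -Include needs -Recurse to apply to the directory itself.
$files = foreach ($dir in $checks) {
    Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue `
        -Include *.exe, *.msi, *.ps1, *.bat, *.cmd, *.vbs, *.js |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object -ExpandProperty FullName
}

if (-not $files) {
    Write-Host 'No test files found under the listed folders.'
    return
}

# -Effective merges local and any domain policy. -User is the account the
# rules are meant to constrain; here the current (non-elevated) user.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $files -User "$env:USERDOMAIN\$env:USERNAME" |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Sort-Object PolicyDecision, FilePath |
    Format-Table -AutoSize
```

    A PolicyDecision of DeniedByDefault means no rule matched at all, which is the outcome the post is aiming for with new executables; an Allowed result whose MatchingRule is one of the default path rules is worth a second look, since it usually means a file is sitting in a location the default rules cover more broadly than intended.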
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks for the suggestion :). Of what benefit is it though?
     
  21. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Many benefits. One benefit is that some programs need to run as admin, like Shadow Defender. SuRun makes this easy by adding a program to run automatically as admin. Fewer pop-ups. Ok?
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    No UAC prompt?
     
  23. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    No UAC prompt. SuRun has its own one if you want it. Very nice. As I say, very nice if you want to run automatically with no prompt and easy to configure like this. Maybe if you play games or use Shadow Defender or other programs that need admin rights and you run in a limited user account, then SuRun is better than UAC. But it is beta only on Win 7, though it seems to work well.

    Sorry, by the way, if you can tell me how to always run a program as admin without a prompt in Win 7, then I don't need SuRun. Thank you.
     
    Last edited: May 18, 2010
  24. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Thank you MrBrian. I'm also taking a close look at your ruleset, combined with the information wat0114 has given me I'm starting to get an understanding of using AppLocker. This thread is exactly what I needed.
     
  25. Jav

    Jav Guest
