Applocker configuration

Can anyone help me (or guide me) on setting up Applocker on my PC.

I understand general idea, and willing to learn.
I want to know general rules to set up.
Or if there is already some usefull reading on setting up Applocker can anybody link it to me?

And I noticed something, Is it true that Deny has more priority then Allow?
As I have put Deny all executables for standard user. And put Allow everyone to execute from Windows and Program Files folders.
I bet you already know what happened. I Denys to Log into User account.
So First attempt on white-listing was fail
Now will do the same but put Program Files and Windows into exceptions.
Thank you.

EDIT: I can login and run some programs. I think I should put User/Appdate into exception aswell to run one user installed programs (like google Chrome), Am I right?

 

Ok, first of all I suggest you use publisher rules if possible. In cases where apps don't have a signature, then use hash rules.

To start, open the AppLocker configuration screen (go to the start menu and enter "secpol.msc" in order to start the policy configuration tool. You will need admin access to do this). Once you open it, it will look like this:



As you can see there are 3 possible file types to set rules for: .exe's, windows installer files, and various scripts. Start with executables. First, right click on "executable rules." You will see an option for "Create Default Rules." This will create a baseline of your system and allow everything that needs to run to be able to run. Do the same for Windows Installer Rules and Script Rules. (NOTE: I recommend doing this with a fresh Windows install, or else questionable files already on the system might get whitelisted here).

Next, you need to create a whitelist for applications not included in this baseline. To do this, right click on "executable rules" if the file is an executable (or "Windows Installer File" if it's a windows installer file, or "Scripts" if the file is a script). Then click "Create New Rule." You will see an initial screen that is only a nag screen. Just click next.


Then you will come to the second screen:



You will want to click allow, which is the default. (Remember, AppLocker is useful for creating whitelists, so allow should be what you use most of the time). Below you can pick for whom this rule will apply. I prefer to pick "everyone," especially if I am setting this up to protect myself. If you have other people using your machine, you can specify for the rule to only apply to their user account. Now, click next.

You will see this screen:



You will want to click "Publisher" if the app in question is signed. Most every app from the major publishers will be signed (MS, Google, Sun, Apple, Mozilla, etc.) Some independent developers also sign their apps (if they are reputable they should already be doing this). Now click next.

You will now come to this screen:



This screen essentially allows you to enter the reference file that contains the digital signature. So, for instance, if you downloaded Google Chrome, you would find the installer file you just downloaded and enter it here. AppLocker should automatically import the signature.

Once you import the reference file, you will see this screen:



In the above example, I imported a "TomTom" executable that is used to install the software for my TomTom car GPS software. As you can see, the file is digitally signed and this particular screen is asking what type of rule I want to make. So, for instance, if you want to allow all programs signed by "TomTom International" to be installed on the machine, then you want to go up to "Publisher." If you only want to allow this particular piece of software from TomTom, you click "Product Name." If you only want to allow this particular version of the software (2.2.7) and no future versions, then click on "File Version." As you can see, this gives quite a bit of granularity over what exactly can get installed -- that is, if allowing everything from a publisher is too much for you, then you can limit it to a specific app or an app version. The nice thing about the "publisher rule" at the top is that all Google apps from now on will automatically be allowed without having to add more rules. The same goes for any other publisher. At any rate, once you make your selection click next.

Now you will see the exceptions screen. You will only need this if there are files you want to exclude from the rule you are making. Since this is an "allow" rule and it entails allowing a publisher, I see no reason to use exceptions here. I am not sure why this screen is even here when making an allow rule, quite frankly. Just click next.

You will come to the final screen. This screen just verifies what you've done and gives you the option to give a "description" to the rule. Enter a description (optional) and click "create." (I would include a screenshot, but I am over my 5 per post limit).

That's it. You should now see this rule appear in the main AppLocker screen. Rinse and repeat for every publisher.

 

Thank you very much!
It was very useful.

1. So everything except what I put in allow is denied by default, am I right?
So there was actually no point for me creating Deny rule to deny everything and then creating allow rules (how stupid from my side )

2. And what I do for portable programs? Just allow their main executable by publisher rule if possible? and otherwise by hash key?


Thank you again.

 

Yes, after you create the "default rules," the only apps that will be allowed to execute are those apps specifically allowed through the Applocker policies you create (assuming AppLocker is in enforce mode). This is the white listing approach and it's very effective. You can throw out your AV software if you run your machine this way (assuming you only white list apps from trusted publishers and individuals).

If you trust the publisher and think all of his/her/their software is legit, then I prefer to just allow everything signed by that publisher. Again, that is unless they release a specific program that you don't like for other reasons (not related to maliciousness). Creating the rules works the same for executables, windows installers, and scripts.

If the software is not signed, then you can use a hash or a path rule. This would be the same as the old SRP, of which there are many threads here describing.

 

Jav,

if an application isn't working/opening after you've created your rules, you can easily troubleshoot the reason as follows.

The logs will display exactly the path that is affected.

 

@chronomatic thank you for clarifying.

@wat0114 Thank you, I read your post before and remember it.
I did run applocker in audit mode after first fail.


Now look guys:
I created rule To allow google Chrome in publisher rule by product name, and same to google update. And some portable games by hash key only their main executable.
Allowed all installer from Downloads folder.
(note I did put to Everyone, as I only use to accounts anyway (Administrator and LUA)

I run all of those programs on my limited user account.
Google chrome opened bookmarks, history, watched flash, divx video and so on..
On games loaded and tried online mode.

The I went to event viewer Applocker log:
There were only Warnings from Google chrome
ok, it might be something I did wrong.
But no, I skip to informations and see that google chrome was allowed to run without problems 20 seconds ago then warning

look at pics:

EDIT:
Clearing logs and rules.
Creating new rules and will test again.

Got the same results: it was allowed some times but denied other requests.
Will try allow everything by publisher (google) (which i wouldn't like to do much)

EDIT 2:
Allowed all aplications to execute by google publisher.
Got the same results. Sometimes allowed some times denied

 

ok, now new experiment.

Will enforce rules and try.

And I will see when is google Chrome denied.
Every time I tried quick links, bookmarks, Watch flash video, Divx video. post in forums (it wasn't intended to test, just happened )

P.S. btw I found Why I wasn't able even to login first time, As I had enforced DLL rules as-well. (which are I see turned off by default, and on your example you haven't showed them so, I turned off them too)

EDIT:
ok, this experiment was productive.

It actually allowed me to load Google Chrome.
BUT I was unable to o anything in it.
It was just blank page, (even quick page didn't load)

when I wrote anything to address bar and press enter.
It hasn't done anything, just returned address bar to "blank page"
Now, I am confused

 

Those APPDATA rules can be troublesome. I just used a wildcard for the couple I created,

 

I allowed whole google folder got the same result.

Starting to hate Google chrome for that, why they couldn't make it like other browsers did. (For example Opera works fine under those policies)

 

Never used Chrome for long but maybe you need to adjust the slider on the Publisher rule to make things a bit more liberal. It could be for some reason chrome.exe file version is changing, although I can't imagine why. Either that or go with a path rule, even though they are weaker tha publisher or hash rules.

 

I tried all of them.
I put publisher rule to accept all applications by google. (same result)
I put whole google folder into allowed path rule (same result)

 

I did extreme.

I allowed executables publisher rule signed by * (anybody)

No improvements

 

Is AppLocker still showing in the logs to be the culprit? I didn't have this problem with Chrome -- it works fine on my end.

 

Yeah, it still says that it would have been blocked if policy were enforced.
And sometimes it says it was allowed.

But actaully when I enforce rules and try.
It allows me to load Chrome but not it's components so I just see browser but can't do anything.

I left all rules on audit mode and used my PC as normal for a day, in event viewer I can see only warnings from Chrome. So it seems it's the only problem.

 

Could be something to do with the Chrome Sandbox.

 

I will try some more tweaking after New Year and will post back if helps.

Anyway,
Thank you and Happy New Year

 

http://code.google.com/p/chromium/i... Type Status Summary Modified Owner Mstone OS

Issue was reported on Google code.


So seems noway to use google chrome and applocker together.

actually only way is to disable google chrome sandbox, but it's pointless. and will kill whole security purpose of google chrome.

 

UPDATE:

I am getting really confused now.
I disabled Applocker rules.
And created sipmle default-deny SRP rules:

Enforcement rules:
1. Enforce to all users.
2. Enforce all files including DLLs (note in AppLocker I had disabled DLL rule collection)
3. Ignore Certificate rules
Default Security level set to Disallow.
Unrestricted:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
C:\Users\My User\AppData\Local\Google\Chrome\Application
C:\Users\My User\AppData\Local\Google\Update
And some other portable game and program directories.

And thing is it's dosen't block Google Chrome.
So, SRP even with DLL block enabled dosen't block google Chrome as long as I exclude whole Google Application and Update folders.
But if I do the same with Applocker. Both with/without DLL rules enabled, exluding whole Google folder (not just application and update folder like with SRP) it will block it.

With Applocker I do it even more independent excluding whole google folder with all files signed by google and DLL rule collection disabled. But it still blocked.

So, I conclude from this, That:
1. It's a bug with Applocker.
or
2. AppLocker has stronger and tighter rules then SRP. (which will explain google Chrome internal sanbox being blocked by Applocker but not SRP under the same conditions and rules)

So either it's bug with Applocker not Google Chrome as I thought according to last post (in this case it should be reported to Microsoft) or AppLocker isn't just SRP with ease of use but it implements more tighter rules which makes it more stronger and secure then SRP.

Your thoughts?

EDIT 1: Forgot to mention that under Applocker I also tried installing google Chrome with Google Pack so it was installed on Program Files folder like all programs. But still it was blocked, even though default rules enable all files in Program Files folder.
So The theory that there was problems because google Chrome wasn't installed like all programms in Programm Files is unfortunately false.

EDIT 2: I got a suggestion from Kees to Applocker with Iron which is the open source browser created by independent developer from Chromium project (which is the core of google Chrome)
But untill now (while discussing with Kees) we have seen iron's most advantage over Chome as it's installation path which is Program files.
But according to my experiment on "Edit 1". Installing Google Chrome in Programm Files willn't change results, so I am not waiting much results from Iron aswell.
Will post back when I try it.
But I think if it works with Iron it means that Iron dosen't implement google chrome's internal sandbox which is the main security aspect of google chrome and so makes Iron vulnerable. (note: I started with "I think" and "If", so it's not actuall facts yet)

 

Big Update:

Guys, I have happy news:
http://code.google.com/p/chromium/issues/detail?id=10576

On the newest build of Chromuim problem with AppLocker has been fixed!

But I wonder how long it will take the fix to come to the Google Chrome

What's the risk of using just Chromium build which is not yet implemented to Google Chrome? http://build.chromium.org/buildbot/continuous/LATEST/