Applocker problem :(

Hello everyone,

I've setup default Applocker settings from this thread by Lucy https://www.wilderssecurity.com/showthread.php?t=262703

After configuring the default settings, I cannot run any exe files
outside Program Files and Windows folder even as Administrator!!

Am getting the following error when I try to click an exe outside
Program Files and Windows folders:

"This program is blocked by group policy. For more information,
contact your system administrator"

Please help

 

Try replicating the default rules for built-in administrators, then rename the user to the actual name of your administator account.

Example: my administrator account is called "Admin" so I have all the defaults for "MadisionB\Admin" (since my computer name is MadisonB),as well as the defaults for "BUILTIN\Administrators".

 

Hi wat,

I dint understand that part exactly. Do you mean I should right
click on Applocker and select export policy?? Sorry I dint get
you. Right now my Win 7 system has only 1 Administrator account
called soho alongwith the default "Administrator" account and
Guest account thats it.

Please help

 

No worries, just create duplicate rules of the rules you already have, then change the user on those copies to your soho name. This way you will have two sets of rules: the ones you already have, plus the new ones with "soho" as the user. Hope this helps.

 

Hello Wat,

That method did not work for me. I even deleted all the default rules
and created new rules giving only Administrators group access to all
files still I got the same error when I tried to run an executable outside
program files and windows folders. I've followed the exact same method
as described in this link by Lucy https://www.wilderssecurity.com/showthread.php?t=262703 also I've not made any changes to the
local group policy.

Please help

 

If you have UAC on you have to right click and run as administrator to run programs outside windows and program files even if you are an administrator user.

 

Hi exus,

don't delete the default rules. You just have to manually create new path rules the same aas the default except that you change the user to you administrator account name, which you said is "soho". Please see the screenshot as an example of where I created a path rule with the name of my administrative account name. So the new user for mine was "admin".

 

Okay, here is a complete run-down on how to create the rule you need...

 

The final step...

 

Applocker problem solved

Hello tcarrbrion,

After implementing Applocker I dont get any UAC prompt running as Administrator for executing exe files outside Windows and Program Files folders.
Thanks for your time buddy

Hello wat,

You have been extremely helpful. Thanks to your untiring efforts my problem
is finally solved

Cheers....

 

Re: Applocker problem solved

You're welcome exus. Being the AppLocker troll that I am it's satisfying for me to help out in this area

 

Re: Applocker problem solved

That's why you have to right click as use "run as administrator".

Adding rules for your own user is an alternative. It is slightly more convenient but gives you less security.

 

Re: Applocker problem solved

True and good point you bring up. Right-click run as administrator will work, but the additional rule is still governed by UAC, so consent still has to be given. More convenience but I'm not sure about less secure. You may be right this but either way no password is needed.

You've got me interested in trying some experiments out

 

With applocker and UAC if I am in my administrator account and I run firefox without doing "run as administrator" and if it downloads an executable it cannot run it because of applocker and I have more of the defence a limited user would. If you have a rule to allow your administrator to run any program then firefox can download and run programs and so it is less secure.

I don't mind the inconvenience of selecting "run as administrator" each time I install new software.

 

I see your point, definitely. I do all my normal activities such as surfing in a standard account, some admin tasks from the same standard account elevating with SuRun (convenience) and the rest of the admin tasks from the admin account., so I've prefered not to have to elevate from my admin account, although now you have me thinking of going your route. It would add another layer of security with only a minor incovenience for an admin account, although how it would it be more secure than that of a limited user?

BTW, thanks for your feedback, tcarrbrion

 

I meant I have a greater part of of the defence a limited user would have, but not all.

 

Another look and I realize my misinterpretation Anyway, after some careful consideration, I'm going to go with your approach, because I have to admit it's only a minor inconvenience to gain a better level of secuirty, and if
exus or anyone else is viewing this thread, I'd suggest they at least try the same. Thanks again tcarrbrion for your feedback

 

Hey wat I got a question for you. I noticed you have DLL rules enabled? How are you rules setup for this? Did you auto-generate the rules similar to how you setup executable rules, etc. or did you do something different?

 

No a little bit different than the way executable rules were set up; I'm not home now but I'll clarify later in the way basically what I did.

 

Thanks wat, appreciate it.

 

Here you go 1chaoticadult.

You can see the defaults I left in place for %WINDIR%\* and %PROGRAMFILES%\*, as well as allowing builtin\administrators allowing all "*". It gets tricky, as you can see, when you have to control what's happening in user space. My son plays these games that put files within the users\user_name\appdata... directories. Sometimes the handy Publisher rules can't be applied to many of these, so instead of using the high maintenance Hash rules (because Hash values have to be updated every time the file changes) I simply used a fully qualified path rule with wildcards to make things easier on myself, otherwise it's too much maintenance.

The %HOT%\keepass rule restricts a USB stick to that file only.

 

So basically you left default rules in place and created wildcard rules for dll files outside the %WINDIR% and %PROGRAMFILES%, correct? Does that %PROGRAMFILES% default rule cover both program files and program files (x86)? From doing a quick check on my system, only chrome being in appdata would need a dll rule for it. Seeing how the dlls in Chrome appdata directory are signed, I could just use a publisher, can I not? Yes I can see how games cause you to create those rules. Luckily I don't have to worry about that for now

 

Basically, yes.

Yes.

If they are signed, the yes I highly recommend you use Publisher rules. They are maintenance free, as opposed to hash rules.

BTW, i just posted an AppLocker-related thread here that may interest you

 

Yes the publisher rules are very well liked by me. Thanks for this. I think that I've gone full circle with security setups, I wanted to give applocker another try. Maybe I will become an applocker troll like you as well

 

I hope it goes well for you.