Share your ApplOcker settings

Finally surrended to AppLocker and said goodbye to good old SRP.

Curious about settings of members using AppLocker.

So here are my AppLocker settings, basically a more granular with default deny user space, Programs Files allowing only signed programs and allowing Admin to install/elevate from User Space (Desktop is also the name of the user).

Note last DLL rule is only allowed in Windows dir

Regards Kees

 

Using rules very much similar to MrBrian as shown in this post- https://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7 , also have created a few exceptions in the Executable and Dll rules to disable Powershell.

 

I checked a few of those extra folders, but they all had Access Contol List (right click, security tab) for Users without "Traverse Folder/Execute File". This is good enough for me.

 

My applocker policy is similar to MrBrian with a few minor differences

 

Never tried Applocker, have always used SRP.
I'll take a look at the guide.

 

I've never tried SRP, always used Applocker

 

I am using MrBrian ruleset with some additional rules for Applocker.I can't get Google Chrome to work with Sandboxie & Applocker combination but works fine with Applocker alone.If anyone uses Sandboxie & Applocker Combination successfully with Google Chrome, please post the Applocker rules for that. I have also installed the fix Applocker bypass flaw.

 

This shouldn't be too hard to do. Did you setup applocker instant event alerts, like in this thread?: https://www.wilderssecurity.com/showthread.php?t=306861. That might help you narrow down whats being blocked and give you a good idea what rules you need to create.

 

I have enforced Audit only mode.I have whitelisted all the Dlls Located in Program Files folder yet some dlls of Google Chrome located in Program files folder are blocked for no apparent reason.Similarly I have whitelisted the whole Appdata folder of my user account for scripts,dll,exe ,yet Google chrome fails to run.I have whitelisted All Microsoft dlls yet some of them are blocked.

Edit:

I Whitelisted the whole windows partition in all the Applocker rules,enforced the rules,rebooted,restarted app identity service but chrome failed to work.

@1chaoticadult, What browser are you using?May be any browser other than chrome or its other variants.Either i have to give up Chrome or Applocker because Sandboxie works great.

 

If you look at my sig, I use applocker, chrome & sandboxie without issues. What Chrome dlls are you talking about in Program Files, I have none there. Again did you setup those alerts I mentioned? An alert would popup when a file is blocked and you could check event viewer to find out what the blocked files are. Do you mind posting some screenshots of your applocker policy?

 

I have installed Chrome in Program Files folder.I had setup those alerts.It only showed that Chrome.exe was blocked when rules were enforced(not showed a particular dll or exe or script file), when in audit mode,some Microsoft Dlls, Chrome Dlls (though whitelisted) were shown that they would have been blocked.I have installed the following extensions in Chrome: Lastpass, Downloaders plugin, Adblock and Do Not Track Plus.I have whitelisted the whole Appdata folder in Applocker settings, yet chrome seems to be blocked for no apparent reasons.Do you have any special rules for Chrome and Sandboxie in Applocker?. I have a doubt whether Applocker bypass hotfix may be the reason for Chrome being blocked.Have you installed Applocker bypass hotfix?

 

I don't have Chrome installed in Program Files. I have Chrome installed in AppData. Yes I had the hotfix installed and it should have nothing to do with the issue you are having. I have no special rules for Sandboxie as I have the default rule to run all exes, dlls, scripts from program files. As far as Chrome goes I have rules for Chrome's appdata directory in exe, dll & script.

 

I have Chromium installed in Program Files and the AppLocker fix installed, no problems. I have the flash (gcswf32.dll) and pdf dll''s moved to the Program Files directory of Chromium. No problems, with Chrome (disabled the adobe plug-in in Chrome settings).

 

My Applocker rules screenshots:

 

After some testing I found this combo of UAC, SRP, ACL and AppLocker the fastest and most secure. For some odd reason setting the UAC to deny elevation of unsigned programs, sometimes gives a irritating delay when starting programs with admin rights (e.g. sysinternals autoruns). With these settings I do not have the delay, but I have not found out what causes it (the set Applocker rules previously posted delayed signed programs elevation)

1. UAC
- Deny elevation of unsigned programs
- Disable installer detection
- Run all admins in admin approval mode
- Admin approval mode for the built in Admin Account

2. SRP
- Enforcement: All files (including DLL's), except Administrator [so applies only on standard users]
- Security level: default level is Basic User [effectively is deny execute outside Safe Places
- Only default rules (Windows and Program Files, rights are determined on user rights, not SRP)
- Registry hack of Symantec, to run MSI as admin

3. AppLocker
- Executable Rules (replaced default rules with)
a) User (Kees) is allowed to run all signed executables (publisher rule) from drive C (path exceptions on data drives)
b) Builtin Admins are allowed to execute from path Windows
c) Builtin Admins are allowed to execute from path Program Files
d) User (Kees) is allowed to run (hash rule for unsigned program) 7-zip
e) User (Kees) is allowed to tun (hash rule for unsigned program) Chrome

4. Access Control List
a) On all download/internet/e-mail/media receiving folders set a deny execute/traverse folder for everyone.
b) Same on Public User Folder.

5. GPO Hardening
a) Deny execute access on removable drives
b) Disabled Autoplay of removable drives

So back to partly SRP again, less granular control (on DLL's) but more speed in synthetic benchmarks, leaving MSI over to SRP and UAC (all MSI elevate with symantec registry hack, so only signed MSI install with UAC).

 

I wouldn't whitelist the whole appdata directory, just the specific directories under appdata you need.

 

@Kees1958:May be you aren't using Sandboxie that is why you have no problem in running Chromium with Applocker.

@1chaoticadult: Please post the Applocker rules for Chrome.

 

Nope I am not using SBIE

 

@Kees1958: Do you think your Safe Admin setup can be as good as Sandboxie in malware prevention?

 

Reading your signature, it looks like your are not happy with AppLocker. As mentioned I have a combo of UAC, SRP, Applocker and ACL to establish basically a deny execute in user space, deny elevate of unsigned and allow user only to execute signed programs. The same can be achieved with a HIPS or deny execute program more easily.

All these denies imply that I do not install a lot of software. My surfing habits won't take me to the outskirts of the web and my ISP checks my mail on virusses. So taking these considerations in mind (combined with Chromium sandbox), I would say Yes.

 

Considering security as priority,which is better among these three combinations?

1) Sandboxie + Chrome

2) Applocker + Chrome

3) Sandboxie + Applocker + Opera

 

Honestly I like option 3 but replacing Opera with Chrome.

Executable Rules: C:\Users\Nero\AppData\Local\Google\Chrome\Application\*
Script Rules: Same as above
DLL Rules: Same as above

 

I have made an interesting observation here about MSI packages.Using the Symantec registry hack to to add run as administrator to the context menu, MSI packages are still blocked if MSI packages are controlled by SRP but are elevated as it should have been when MSI is controlled by Applocker

 

@Gobbler,

You are right, on the other hand I tried an MSI and found that it asked for elevation by itself. With the SRP/AppLocker combo.

 

Either you know something Microsoft doesn't... or SRP isn't working, at all. SRP gets disabled once AppLocker gets enabled.

So... is it really working?