Applocker problem :(

Discussion in 'other security issues & news' started by exus69, Aug 13, 2011.

Thread Status:
Not open for further replies.
  1. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hello everyone,

    I've setup default Applocker settings from this thread by Lucy https://www.wilderssecurity.com/showthread.php?t=262703

    After configuring the default settings, I cannot run any exe files
    outside Program Files and Windows folder even as Administrator!!

    Am getting the following error when I try to click an exe outside
    Program Files and Windows folders:

    "This program is blocked by group policy. For more information,
    contact your system administrator"

    Please help
     
  2. wat0114

    wat0114 Guest

    Try replicating the default rules for built-in administrators, then rename the user to the actual name of your administrator account.

    Example: my administrator account is called "Admin" so I have all the defaults for "MadisonB\Admin" (since my computer name is MadisonB), as well as the defaults for "BUILTIN\Administrators".
     
  3. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hi wat,

    I didn't understand that part exactly. Do you mean I should right
    click on Applocker and select export policy?? Sorry I didn't get
    you. Right now my Win 7 system has only 1 Administrator account
    called soho along with the default "Administrator" account and
    Guest account, that's it.

    Please help
     
  4. wat0114

    wat0114 Guest

    No worries, just create duplicate rules of the rules you already have, then change the user on those copies to your soho name. This way you will have two sets of rules: the ones you already have, plus the new ones with "soho" as the user. Hope this helps.
     
  5. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hello Wat,

    That method did not work for me. I even deleted all the default rules
    and created new rules giving only the Administrators group access to all
    files, but I still got the same error when I tried to run an executable outside
    the Program Files and Windows folders. I've followed the exact same method
    as described in this link by Lucy https://www.wilderssecurity.com/showthread.php?t=262703 and I've not made any changes to the
    local group policy.

    Please help
     
  6. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    If you have UAC on, you have to right click and "run as administrator" to run programs outside Windows and Program Files, even if you are an administrator user.
     
  7. wat0114

    wat0114 Guest

    Hi exus,

    don't delete the default rules. You just have to manually create new path rules the same as the default, except that you change the user to your administrator account name, which you said is "soho". Please see the screenshot as an example of where I created a path rule with the name of my administrative account. So the new user for mine was "admin".
     


  8. wat0114

    wat0114 Guest

    Okay, here is a complete run-down on how to create the rule you need...
     


    Last edited by a moderator: Aug 14, 2011
  9. wat0114

    wat0114 Guest

    The final step...
     


  10. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Applocker problem solved :)

    Hello tcarrbrion,

    After implementing Applocker I don't get any UAC prompt running as Administrator for executing exe files outside the Windows and Program Files folders.
    Thanks for your time buddy :)

    Hello wat,

    You have been extremely helpful. Thanks to your untiring efforts my problem
    is finally solved :)

    Cheers....
     
  11. wat0114

    wat0114 Guest

    Re: Applocker problem solved :)

    You're welcome exus. Being the AppLocker troll that I am :D it's satisfying for me to help out in this area ;)
     
  12. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    Re: Applocker problem solved :)

    That's why you have to right click and use "run as administrator".

    Adding rules for your own user is an alternative. It is slightly more convenient but gives you less security.
     
  13. wat0114

    wat0114 Guest

    Re: Applocker problem solved :)

    True, and a good point you bring up. Right-click "run as administrator" will work, but the additional rule is still governed by UAC, so consent still has to be given. More convenience, but I'm not sure about less secure. You may be right about this, but either way no password is needed.

    You've got me interested in trying some experiments out :)
     
  14. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    With AppLocker and UAC, if I am in my administrator account and I run Firefox without doing "run as administrator", and if it downloads an executable, it cannot run it because of AppLocker, and I have more of the defence a limited user would. If you have a rule to allow your administrator to run any program, then Firefox can download and run programs, and so it is less secure.

    I don't mind the inconvenience of selecting "run as administrator" each time I install new software.
     
  15. wat0114

    wat0114 Guest


    I see your point, definitely. I do all my normal activities such as surfing in a standard account, some admin tasks from the same standard account elevating with SuRun (convenience), and the rest of the admin tasks from the admin account, so I've preferred not to have to elevate from my admin account, although now you have me thinking of going your route. It would add another layer of security with only a minor inconvenience for an admin account, although how would it be more secure than that of a limited user?

    BTW, thanks for your feedback, tcarrbrion :thumb:
     
  16. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    I meant I have a greater part of the defence a limited user would have, but not all.
     
  17. wat0114

    wat0114 Guest


    Another look and I realize my misinterpretation :ouch: Anyway, after some careful consideration, I'm going to go with your approach, because I have to admit it's only a minor inconvenience to gain a better level of security, and if exus or anyone else is viewing this thread, I'd suggest they at least try the same. Thanks again tcarrbrion for your feedback :)
     
  18. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Hey wat, I got a question for you. I noticed you have DLL rules enabled? How are your rules set up for this? Did you auto-generate the rules similar to how you set up executable rules, etc., or did you do something different?
     
  19. wat0114

    wat0114 Guest

    No, a little bit different than the way executable rules were set up; I'm not home now, but I'll clarify basically what I did later.
     
  20. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Thanks wat, appreciate it.
     
  21. wat0114

    wat0114 Guest

    Here you go 1chaoticadult.

    You can see the defaults I left in place for %WINDIR%\* and %PROGRAMFILES%\*, as well as allowing builtin\administrators all "*". It gets tricky, as you can see, when you have to control what's happening in user space. My son plays these games that put files within the users\user_name\appdata... directories. Sometimes the handy Publisher rules can't be applied to many of these, so instead of using the high-maintenance Hash rules (because Hash values have to be updated every time the file changes), I simply used a fully qualified path rule with wildcards to make things easier on myself; otherwise it's too much maintenance.

    The %HOT%\keepass rule restricts a USB stick to that file only.
     


  22. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    So basically you left default rules in place and created wildcard rules for dll files outside the %WINDIR% and %PROGRAMFILES%, correct? Does that %PROGRAMFILES% default rule cover both program files and program files (x86)? From doing a quick check on my system, only chrome being in appdata would need a dll rule for it. Seeing how the dlls in Chrome appdata directory are signed, I could just use a publisher, can I not? Yes I can see how games cause you to create those rules. Luckily I don't have to worry about that for now :D
     
    Last edited: Sep 4, 2011
  23. wat0114

    wat0114 Guest

    Basically, yes.

    Yes.

    If they are signed, then yes, I highly recommend you use Publisher rules. They are maintenance free, as opposed to hash rules.

    BTW, I just posted an AppLocker-related thread here that may interest you :)
     
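    As an added example (not code from the thread or from any of its posters) covering the rule types wat0114 describes above and tcarrbrion's earlier point about a "*" rule for the admin account: PowerShell from the AppLocker module that builds Publisher-first DLL rules for an application under AppData, with Path rules as the fallback, and dry-runs them without touching the live policy. The account name "soho" and the Chrome directory under %LOCALAPPDATA% are assumed placeholders.

```powershell
# Added example, not from the thread: Publisher-first DLL rules for an AppData
# application, dry-run with Test-AppLockerPolicy. Nothing changes the live policy.
# Assumptions (constructed): the account is "soho" as in the thread and the
# application is Chrome under %LOCALAPPDATA%; adjust $User and $AppDir to taste.
$User   = 'soho'
$AppDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application'
$Xml    = Join-Path $env:TEMP 'appdata-dll-rules.xml'

# Gather publisher/hash/path information for the DLLs only. DLL rules are a
# separate collection from executable rules and have to be enforced explicitly.
$files = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Dll

# RuleType order is the preference order: signed files get a Publisher rule
# (survives updates, no hash to maintain), unsigned ones fall back to a Path rule.
$new = $files | New-AppLockerPolicy -RuleType Publisher, Path -User $User -Optimize
$new.ToXml() | Out-File -FilePath $Xml -Encoding utf8

# Dry run 1: the new collection should allow one of the application's DLLs.
$sample = Get-ChildItem -Path $AppDir -Filter *.dll -Recurse | Select-Object -First 1
Test-AppLockerPolicy -PolicyObject $new -Path $sample.FullName -User $User |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Dry run 2 (tcarrbrion's point): under the currently effective policy, a copy of
# a legitimate executable dropped into Downloads should still be Denied for the
# account, because the defaults only allow %WINDIR%\* and %PROGRAMFILES%\*.
# A "*" path rule for the user's own account would turn this result into Allowed.
$dropped = Join-Path $env:USERPROFILE 'Downloads\dropped-notepad.exe'
Copy-Item -Path (Join-Path $env:WINDIR 'System32\notepad.exe') -Destination $dropped
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $dropped -User $User |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $dropped

# Only after reviewing both dry runs: merge the new collection into the local
# policy (left commented out on purpose).
# Set-AppLockerPolicy -XmlPolicy $Xml -Merge
```

    Run it from an elevated PowerShell session on the machine whose effective policy you want to check; the second dry run is the quick way to see what a per-account "*" rule costs you.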
  24. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Yes the publisher rules are very well liked by me. Thanks for this. I think that I've gone full circle with security setups, I wanted to give applocker another try. Maybe I will become an applocker troll :D like you as well :p
     
    Last edited: Sep 4, 2011
  25. wat0114

    wat0114 Guest

    I hope it goes well for you.
     