Is there any reason not to go with SRP on Windows 10 in 2020? I like the ability to use a Path rule to block an .exe file anywhere on the drive just by naming it. I did not find AppLocker to have the same flexibility. Are any of you still using it, or is there a better way to go these days?
I use SRP on Windows 10 Pro, although nowadays I almost never use Windows, opting for Linux instead. The Path rules work great, and more so if you use wildcards for the more critical directories in userspace. I'm surprised you didn't find the same flexibility with AppLocker. It should also give you the added bonus of utilizing Publisher rules, unless something has changed in Win 10. EDIT: You're also probably better off just using a default-deny approach, rather than blacklisting executables, but that's just my opinion.
Thanks for the response. It seems on further investigation (I had not tried to use AppLocker in the past due to the extensive rules we already had set up in SRP) that it does not function on Windows 10 Pro, despite being available to set up with no warning that it is useless. As SRP still seems to function, it gives me a clear direction forward. Now for the tedious job of setting up the rules I want to roll out.
If you plan on enforcing DLLs as well as executables, you will want to set up advanced logging in the registry, which is easily done as explained in the link: https://www.itprotoday.com/security/q-how-can-we-verify-software-restriction-policy-srp-rule-we-defined-one-our-applications This will log any disallowed DLLs. It is a tedious job to properly allow only what's required in a default-deny policy, though it will give you far better security than a blacklisting approach. Some examples of "tedious" path rules I have for unrestricted DLLs:

Code:
C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\DismCorePS.dll
C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\dismhost.exe
C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\Dismprov.dll
C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{*}\*.dll
C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.dll
C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.exe
C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\*.dll
C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\*.exe
C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\X86\*.dll
C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin
C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin.*
C:\ProgramData\Microsoft\Windows Defender\Scans\*.exe
C:\ProgramData\Microsoft\Windows Defender\Scans\MsMpEngSvc.dll
C:\ProgramData\Microsoft\Windows Defender\Support\*.bin
C:\ProgramData\Synaptics\Intel(R)_SGX_Windows_x64_PSW_*.exe
C:\Users\username\AppData\Local\*\Engine\HostAppServiceUpdater.exe

I replaced my actual user name with "username". There are several more than these, especially for OneDrive. For better granularity, I started using the "?" instead of the "*" in some of my more recent rules. It's a work in progress.
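An added PowerShell example, not part of the thread and not written by any of the posters, that makes the "?" versus "*" granularity point concrete. It checks a few constructed sample paths against a handful of the path rules quoted above, plus one deliberately looser variant, and reads back whether SRP advanced logging is configured. Assumptions: the wildcard matching uses PowerShell's `-like` operator as a stand-in for SRP's own path matching (`*` any run of characters, `?` exactly one character), and the registry key and value name in `Get-SrpLogFileName` are taken from Microsoft's SRP troubleshooting documentation as I recall it; confirm both against the linked article before relying on them.

```powershell
# Added example, not code from the thread. Evaluates sample paths against
# SRP-style path rules and reads the SRP advanced-logging setting.

# Assumption: PowerShell's -like operator ('*' = any run of characters,
# '?' = exactly one character, case-insensitive) approximates SRP path-rule
# wildcard matching closely enough to illustrate the point.

# Rules taken from the post above (account name replaced by "username").
$UnrestrictedRules = @(
    'C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\dismhost.exe'
    'C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\DismCorePS.dll'
    'C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\*.dll'
    'C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\X86\*.dll'
    'C:\Users\username\AppData\Local\*\Engine\HostAppServiceUpdater.exe'
)

# A constructed looser variant of the Temp rule: '*' in place of the GUID-shaped
# '????????-????-????-????-????????????' pattern. Used only for comparison.
$LooseTempRule = 'C:\Users\username\AppData\Local\Temp\*\dismhost.exe'

function Get-MatchingSrpRule {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Rules
    )
    # Emit every rule whose wildcard pattern matches the full path.
    foreach ($rule in $Rules) {
        if ($Path -like $rule) { $rule }
    }
}

function Get-SrpLogFileName {
    # Read-only check of the SRP advanced-logging value. Key and value name are
    # an assumption based on Microsoft's SRP troubleshooting guidance; verify
    # against the article linked in the post. Returns $null when not configured,
    # meaning disallowed DLL/EXE loads are not being written to a log file.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    try {
        (Get-ItemProperty -Path $key -Name 'LogFileName' -ErrorAction Stop).LogFileName
    } catch {
        $null
    }
}

# Constructed sample paths: a GUID-shaped Temp folder, a Temp folder whose
# name is not GUID-shaped, and a Defender platform version folder.
$Samples = @(
    'C:\Users\username\AppData\Local\Temp\3f2504e0-4f89-11d3-9a0c-0305e82c3301\dismhost.exe'
    'C:\Users\username\AppData\Local\Temp\anything-goes\dismhost.exe'
    'C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2003.8-0\MpClient.dll'
)

foreach ($p in $Samples) {
    $strict = @(Get-MatchingSrpRule -Path $p -Rules $UnrestrictedRules)
    $loose  = @(Get-MatchingSrpRule -Path $p -Rules @($LooseTempRule))
    [pscustomobject]@{
        Path          = $p
        StrictMatches = $strict.Count   # rules from the post that allow this path
        LooseMatches  = $loose.Count    # the '*' variant, for comparison
    }
}

"SRP advanced log file: $(Get-SrpLogFileName)"
```

Running it shows why the poster moved to "?": the GUID-shaped Temp path is allowed by both the strict rule and the loose variant, the non-GUID Temp path is allowed only by the loose `*` variant, and the Defender platform path is allowed by the `*.*.*.*\*.dll` rule but not by the `X86` one. The final line prints the configured log file path, or nothing if the advanced-logging value is absent, which is the case to fix before attempting a DLL-enforcing default-deny rollout.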