Windows 10 AppLocker Rules

Discussion in 'other anti-malware software' started by ParaXY, Mar 12, 2017.

  1. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Hi All

    It's been awhile since I was last on this forum so I'm a bit rusty :)

    I've been lucky enough to receive a copy of Windows 10 Enterprise LTSB and this version includes AppLocker which I am keen on trying out.

    I was hoping someone that knows AppLocker/whitelisting could have a look at my setup to see if I have missed anything.

    First a bit of info:

    1. I have two user accounts that I will use: one will be a standard non-admin account while the other one will be a full administrator. I will use the non-admin account for day to day tasks and only use the admin account when I have to/need to
    2. I have two drives, system (C:\) and data (D:\) - I keep all my data on the D:\ drive but all programs run from C:\
    3. I'll be using the built in Defender for AV
    4. My firewall rules are hyper locked down - pretty much everything is blocked incoming and I only allow certain apps outbound (all default rules have been deleted)
    5. I'm considering using SuRun so I don't need to enter the admin password every time I need escalated privileges
    6. I want to lock down my system (C:\) drive with AppLocker to prevent ransomware/malware and any other nasties :cool:

    Anyways, onto the Executable AppLocker rules:

    1. Allow Everyone to run everything in C:\Program Files and C:\Program Files (x86)
    2. Allow Everyone to run everything in C:\Windows EXCEPT:
      • %WINDIR%\debug\*
      • %WINDIR%\Registration\CRMLog\*
      • %SYSTEM32%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*
      • %SYSTEM32%\Com\dmp\*
      • %SYSTEM32%\FxsTmp\*
      • %SYSTEM32%\spool\PRINTERS\*
      • %SYSTEM32%\spool\drivers\color\*
      • %SYSTEM32%\Tasks\*
      • %WINDIR%\Tasks\*
      • %WINDIR%\Temp\*
      • %WINDIR%\tracing\*
      • %WINDIR%\Fonts\*
      • %WINDIR%\Offline Web Pages\*
      • %WINDIR%\servicing\*
    3. Allow Admin to run all files
    4. Allow non-admin account to install programs from D:\SafeInstalls (will still be prompted by UAC to continue install)
    I haven't installed many applications yet (just Office) so I'm sure some more exceptions/rules will be needed especially considering C:\Users\* is blocked with the above rules. Do I need any further folder/file exceptions?

    But as a starting point, is this a good secure/locked down setup to start with? I know there are other options like hash rules and publisher but not sure if I should be using these yet (or at all). Maybe I could use a hash rule for all the software I keep on my D:\ drive?

    I'm new to AppLocker so only started looking at it today but the goal is to lock the machine down and not have to run any 3rd party AV or anti-malware.

    Thank you.

    PS: I haven't even started looking at the Windows Installer Files, Script, DLL or Packaged Apps rules yet.
     
    Last edited: Mar 12, 2017
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    For starters, malware can run from either of those two directories. So you only want to allow specific apps to run and block everything else. You might also want to block any app execution from C:\ProgramData since malware has been known to install there also.
     
  3. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thanks for the reply!

    So are you saying I should be more granular with what I allow to run in the Program Files folders? I thought by running as a non-admin user malware wouldn't be able to run/install in these folders?

    I think ProgramData is blocked by default as I don't have any rule(s) allowing executables to run from there for the non-admin account. Yes, the admin account is allowed to run/install anything but on a day to day basis I'll be using a non-admin account.

    The one exception I have just added is to block Flash in the DLL Rules:

    • C:\Windows\SysWOW64\Macromed
    • C:\Windows\System32\Macromed\*

    I also added a Publisher Rule to block it:

    • Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
    • Product Name: SHOCKWAVE FLASH
     
    Last edited: Mar 12, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    No comment, at the risk of sparking another virulent Wilders SUA never-ending dialog :rolleyes:
     
  6. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Great link, thanks.

    That's a different approach to what I have done. So what I did was delete the Program Files/Program Files (x86) rules and used the "Automatically Generate Rules" wizard and pointed it to both Program Files folders. The wizard automatically created 27 Publisher rules and 6 hash based rules.

    For the Default Rules I now have:

    • Admins can run all files
    • Everyone can run everything in C:\Windows (except for the exceptions I mentioned in my first post)

    Is this a good approach?
     
  7. guest

    guest Guest

    +1
    For info, SUA mitigates certain risks; it does not block all of them.
    :argh:

    If you set up AppLocker right after clean-installing the OS, yes; if not, no.

    I would block PowerShell's executables (the most abused exe) for everybody (admins included); no one needs it except for very rare tasks.
     
  8. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Yes, this will be a clean fresh install using the official ISO media from Microsoft (I have verified the hash of the file).

    So I've been experimenting a bit with the AppLocker rules and this is what I have so far on a freshly installed Windows 10 VM with Office 2016 (both fully patched):

    1. Everyone can run anything in Program Files/Program Files (x86) that has a VMware and Microsoft certificate (Publisher Rule) (this actually helped cut down on the number of rules quite a bit!)
    2. Everyone can run anything in C:\Windows that has a Microsoft certificate (Publisher Rule)
    3. For the files that *aren't* digitally signed in the C:\Windows folder I have path rules set up for those specific exes that allow Everyone to run them
    4. There are a handful of VMware files that weren't digitally signed so I have used File Hash rules
    5. Admin can run all files everywhere
    So far this is 11 executable rules in AppLocker.

    Thoughts? Comments?

    I was also thinking of adding the following exceptions to block the following in the Windows folder:

    • aspnet_compiler.exe
    • attrib.exe
    • auditpol.exe
    • bcdboot.exe
    • bcdedit.exe
    • bitsadmin
    • bootcfg.exe
    • bootim.exe
    • bootsect.exe
    • ByteCodeGenerator.exe
    • cacls.exe
    • csc.exe
    • debug.exe
    • DFsvc.exe
    • diskpart.exe
    • eventvwr.exe
    • hh.exe
    • IEExec.exe
    • iexplore.exe
    • iexpress.exe
    • ilasm.exe
    • InstallUtil
    • InstallUtil.exe
    • journal.exe
    • jsc.exe
    • mmc.exe
    • mrsa.exe
    • MSBuild.exe
    • mshta.exe
    • netsh.exe
    • netstat.exe
    • powershell.exe
    • powershell_ise.exe
    • PresentationHost.exe
    • quser.exe
    • reg.exe
    • RegAsm
    • regini.exe
    • Regsvcs
    • regsvr32.exe
    • RunLegacyCPLElevated.exe
    • runonce.exe
    • script.exe
    • set.exe
    • setx.exe
    • Stash
    • systemreset.exe
    • takeown.exe
    • taskkill.exe
    • UserAccountControlSettings.exe
    • vbc.exe
    • vssadmin.exe
    • wmic.exe
    • xcacls.exe
    • syskey.exe
    • utilman.exe
    How does this look? Am I missing anything? Since I have a rule that allows all Microsoft signed software to run on my machine, should I exclude all of Sysinternals software for non-admin users? What about blocking cmd.exe for non-admin users?

    I know I'll have to add more rules for when I install more software later on but I'll cross that bridge when I get to it. This is just the start and laying a good, hopefully secure, foundation!
     
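As an added example (not code from the thread), here is the PowerShell equivalent of the "Automatically Generate Rules" wizard described above, deployed in audit mode so the rule set can be checked against the AppLocker event log before anything is enforced; it assumes an elevated prompt on the test VM, that C:\Temp exists, and uses the folder names from the thread.

```powershell
# Folders from the thread; C:\Temp and an elevated prompt are assumed.
$exeDirs    = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$policyPath = 'C:\Temp\applocker-base.xml'

# AppLocker evaluates nothing unless the Application Identity service is running.
Start-Service -Name AppIDSvc

# Publisher, hash and path information for every .exe under the three folders.
$fileInfo = foreach ($dir in $exeDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# Publisher rules for signed files, hash rules for the rest (the unsigned VMware
# files mentioned above become hash rules). -Optimize collapses one-rule-per-file
# into one rule per publisher/product, which is why the rule count drops so much.
$policyXml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Base' -Optimize -Xml

# New-AppLockerPolicy writes EnforcementMode="NotConfigured"; switch the Exe
# collection to audit mode so nothing is blocked while the rules are reviewed.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyXml | Out-File -FilePath $policyPath -Encoding UTF8

# Dry run against the XML before applying it: which executables on disk get no allow
# rule for a standard user? DeniedByDefault means no rule matched at all.
Get-ChildItem -Path $exeDirs -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy (a GPO is the equivalent on a domain machine).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# After some days of normal use in audit mode, event 8003 lists every executable that
# ran but would have been blocked under enforcement; 8004 is a real block once the
# collection is switched to Enforce rules.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```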
  9. guest

    guest Guest

    Seems good to me. :thumb:

    Seems a complete list.

    Non-admin users usually don't need any Sysinternals software. They are mostly for admin tasks/monitoring.

    Seems a good idea; however, I remember some software needing to run scripts via cmd to function properly. So I advise you to make a backup of your system, then apply the list above and test the system for some days to see whether AppLocker blocks stuff you need.
     
    Last edited by a moderator: Mar 13, 2017
  10. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thanks for the feedback.

    Re Sysinternals. What I meant was, couldn't malware use some of the Sysinternals tools to cause the machine to become infected/etc if these tools could run as a non-admin user? In other words, should Sysinternals tools be restricted for non-admin users considering I have whitelisted Microsoft's certificate in my Publisher rules?

    I'll try blocking cmd.exe and see what happens.

    I've got a good feeling about running AppLocker :cool:
     
  11. guest

    guest Guest

    You can use Group Policy or the Registry to disable the Command Prompt (or access to the Registry Editor) for non-admin users:
     
  12. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    That's helpful, thank you!

    Bit of an update. My Win10 Start Menu stopped working after enabling Executable based rules. Luckily it's a known issue. If/when you enable Executable based rules AppLocker locks down ALL packaged apps. Luckily just adding the default rules (for a quick fix) resolved that one but it was confusing when it happened.

    I also changed the block exception for powershell from a path based rule to a publisher rule. When I blocked powershell in C:\Windows it didn't work but blocking the powershell executable with a Publisher rule and changing the slider bar so that it ONLY blocks powershell worked well.

    So I have 4 Executable rules now:

    • Allow admin to run everything
    • Allow Everyone to run Microsoft and VMware signed executables
    • Included the following path exceptions in the Microsoft Publisher rule:
        • aspnet_compiler.exe
        • attrib.exe
        • auditpol.exe
        • bcdboot.exe
        • bcdedit.exe
        • bitsadmin
        • bootcfg.exe
        • bootim.exe
        • bootsect.exe
        • ByteCodeGenerator.exe
        • cacls.exe
        • csc.exe
        • debug.exe
        • DFsvc.exe
        • diskpart.exe
        • eventvwr.exe
        • hh.exe
        • IEExec.exe
        • iexplore.exe
        • iexpress.exe
        • ilasm.exe
        • InstallUtil
        • InstallUtil.exe
        • journal.exe
        • jsc.exe
        • mmc.exe
        • mrsa.exe
        • MSBuild.exe
        • mshta.exe
        • netsh.exe
        • netstat.exe
        • powershell.exe (uses a Publisher exception)
        • powershell_ise.exe (uses a Publisher exception)
        • PresentationHost.exe
        • quser.exe
        • reg.exe
        • RegAsm
        • regini.exe
        • Regsvcs
        • regsvr32.exe
        • RunLegacyCPLElevated.exe
        • runonce.exe
        • script.exe
        • set.exe
        • setx.exe
        • Stash
        • systemreset.exe
        • takeown.exe
        • taskkill.exe
        • UserAccountControlSettings.exe
        • vbc.exe
        • vssadmin.exe
        • wmic.exe
        • xcacls.exe
        • syskey.exe
        • utilman.exe
    On top of all this, I have:

    1. Blocked cmd.exe for the non-admin user
    2. Disabled the execution of unsigned executables (saw this in guest's sig so thanks)

    So I got thinking, can you successfully run a Windows 10 machine with NO third party protection? So for AV use Defender, for malware use AppLocker and non-admin account. Possible or just plain crazy?

    I'm gonna give the Executable rules a bit more thought and then start tackling the other rules (Script/Packages/Installers/DLLs).

    Edit: Does anyone know how I can block "set"? I can't seem to find the executable for this file even after doing a search for it?
     
    Last edited: Mar 13, 2017
  13. guest

    guest Guest

    It is not crazy; it is the basis of security. You use (and tweak to your needs) what the OS offers, then if you still feel insecure add whatever you want.
    You have the possibility to use AppLocker, which is great (I can't anymore on Win10, I'm using the Home version); when you master it and tighten it to the core, you will see that you won't need anything else than safe habits. However, if the users are careless and run every unknown file they get... nothing much can be done.

    I know computer noobs that have never been infected once (even without using any 3rd-party security apps) because they don't do stupid things.
     
  14. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Luckily I am the only person using the machine that will have AppLocker enabled on it. I'm just curious to see how secure/locked down (yet still practical/usable) I can make the machine without installing expensive 3rd party solutions that are loaded with bloatware and slow a machine down.

    I haven't run AV for 2 years now and have been fine and this is WITHOUT using AppLocker or any other whitelisting product. I am careful with what I do and always do high risk stuff in a throw away VM.

    Two more questions:

    1) Is there a "pretend" or fake bit of malware I could run on a test VM with AppLocker enabled to see if it stops it running?

    2) When using the "ValidateAdminCodeSignatures" to prevent unsigned exe's from running, does this just stop them from installing? So could I disable "ValidateAdminCodeSignatures" by setting it to 0, install (say) 7Zip, change "ValidateAdminCodeSignatures" to 1 again and 7Zip will run?

    AppLocker has taught me so much. I had no idea how vulnerable a machine was from powershell alone! About the only negative I can think of for AppLocker is that if you use Publisher rules (like I have) you are putting your faith in the company that signs the executable that they protect their private key/certificate but I guess trust has to start somewhere...
     
  15. guest

    guest Guest

    Exactly my opinion. All my machines just use the native security of Win10 + eventually AppGuard (because, as an SRP software, it replicates the AppLocker model); only my main machine uses some other 3rd-party software.

    Indeed, no need to be an expert to stay safe. People seem to forget that safe habits and some logic will prevent most risks; then eventually adding one or two security apps will back up the user if he worries.

    I moderate a forum where you can get fresh real malware; however, there are some requirements (not too difficult to meet) to access them.
    https://malwaretips.com/
    You also have some old HIPS-testing tools you may want to use, like Comodo Leak Test or the one from SpyShelter to test keylogging protection.

    Yes, for ease of use, I created 2 reg files (one "Block", one "Allow") and created shortcuts to them, so I have a kind of "switch". ;)

    Yes Applocker is a great tool if properly handled, and you learn a lot about "vulnerable" processes/directories from it.

    Indeed, another "negative" point is its learning curve, it takes time to handle it.
     
  16. guest

    guest Guest

    If you don't trust specific publishers, you can whitelist the hash, instead of using a Publisher rule.
    But after each update of the files you have to add new hashes.

    Or you can restrict the publisher rules.
    Instead of allowing *all* signed files from a publisher, you can allow only a specific "Productname" from a publisher.
    Publisher: Google Inc, Productname: Google Chrome
    Now Google Chrome is allowed to execute, all other Google-products (different Productname) are blocked.
    You can also set a file-version, so that older and vulnerable versions of Chrome cannot be executed.
     
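An added example (not from the thread) showing both techniques discussed in this thread as one AppLocker policy: the Microsoft publisher rule with powershell.exe and powershell_ise.exe carved out by publisher exceptions (as in post 12), and a publisher rule narrowed to one product name and a minimum file version (as described just above). The Google publisher string and the 57.0.0.0 floor are constructed for illustration; real values must be read from the actual binary with Get-AppLockerFileInformation, and C:\Temp plus an elevated prompt are assumed.

```powershell
$ms = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
# Constructed publisher string and version floor: read the real ones with
# Get-AppLockerFileInformation -Path <chrome.exe> before using this.
$google = 'O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US'

$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Allow everything Microsoft signs, then carve PowerShell back out. An exception
         does not deny; the file simply has no allow rule left, so it is DeniedByDefault. -->
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Microsoft-signed executables"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$ms" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$ms" ProductName="*" BinaryName="POWERSHELL.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="$ms" ProductName="*" BinaryName="POWERSHELL_ISE.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
    <!-- One product from the publisher, and only builds at or above the version floor. -->
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Google Chrome 57.0.0.0 and newer"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$google" ProductName="GOOGLE CHROME" BinaryName="*">
          <BinaryVersionRange LowSection="57.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators run everything"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$path = 'C:\Temp\applocker-publisher.xml'   # assumes C:\Temp exists
$policy | Out-File -FilePath $path -Encoding UTF8

# Dry run before applying: notepad.exe should come back Allowed, and both copies of
# powershell.exe DeniedByDefault for Everyone, because the path rule only covers admins.
$samples = "$env:SystemRoot\System32\notepad.exe",
           "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
           "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Test-AppLockerPolicy -XmlPolicy $path -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Apply it with Set-AppLockerPolicy -XmlPolicy $path -Merge once the decisions look right.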
  17. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    What are the requirements for getting the test Malware from the website you mentioned? Thanks for mentioning this!

    Can I just clarify: so you *can* install UNsigned executables IF you have ValidateAdminCodeSignatures set to 0, but even after changing this back to 1, an UNsigned executable will still run? Just trying to understand the details!
     
  18. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Yes, it's quite useful, this. I have allowed the MS certificate for ALL their products as I figured, if their private key got hacked/stolen/leaked, we'd have more to worry about than our AppLocker rules!

    I did do a useful exception with PowerShell using this method where I excluded the MS certificate but ONLY for the PowerShell executable (I left the version as *). So this blocks PowerShell anywhere and everywhere for a non-admin user, as I found out that the PowerShell executable seems to be all over the place in the filesystem, so a path rule would have been a pain.
     
  19. guest

    guest Guest

    100 "useful" posts

    Nope, that is why I made the "switch"; you need to disable it every time you want to run/install an unsigned file.
     
  20. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Well I had better get posting then! ;-)

    Aaaah ok, then I will leave that option disabled. I use 7Zip all the time (and I am sure there are others that are not signed) so this would drive me nuts. Considering how locked down Windows is with the firewall and AppLocker I don't think this will be an issue.
     
  21. guest

    guest Guest

    Unsigned executables can still be executed, but they can't elevate:
    "Run as administrator" on unsigned executables is denied, and unsigned installer/applications can't request administrator rights.
     
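As an added example (not the thread's own registry files), a PowerShell version of the "switch" described earlier, paired with a check that lists which executables in a folder have no valid Authenticode signature and would therefore be refused elevation while the setting is on; it assumes an elevated prompt and uses the D:\SafeInstalls folder from the first post.

```powershell
# ValidateAdminCodeSignatures=1 makes Windows refuse UAC elevation for any executable
# whose Authenticode signature is missing or invalid; the file still runs unelevated.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-UnsignedElevationBlock {
    # $true = the "Block" reg file, $false = the "Allow" reg file. Run elevated.
    param([Parameter(Mandatory)][bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $policyKey -Name ValidateAdminCodeSignatures -Value $value -Type DWord
    # Return the value actually stored so the caller can confirm the flip took effect.
    (Get-ItemProperty -Path $policyKey -Name ValidateAdminCodeSignatures).ValidateAdminCodeSignatures
}

function Get-UnsignedExecutable {
    # Lists .exe/.msi files whose signature is not Valid: these are the ones that will
    # fail "Run as administrator" (and installers that will fail to elevate) while the
    # block is enabled, so you know which to install before turning it back on.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.msi -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status    # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Usage: audit the installers folder from the first post, then turn the block on.
Get-UnsignedExecutable -Folder 'D:\SafeInstalls' | Format-Table -AutoSize
Set-UnsignedElevationBlock -Enabled $true
```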
  22. guest

    guest Guest

    I use 7zip portable; the elevation is denied, not running the apps. I think we misunderstood each other ;)
     
  23. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I just did a test with 7Zip that was already installed on my machine. If ValidateAdminCodeSignatures is set to 1, I can launch 7Zip just fine and use it as normal. If I try to run 7Zip by right clicking it and selecting "Run as administrator" then I get the (useless) message "A referral was returned from the server". I also couldn't (re)install the newer version of 7Zip that I downloaded until setting the value of ValidateAdminCodeSignatures to 0 again.

    So I think I can use this feature so long as I can run the unsigned executables I need to without doing a "Run as administrator".
     
  24. guest

    guest Guest

    That was the point; the message is proof that this tweak is working.

    Yes, it is just about unwanted elevation. Most malware needs it and is unsigned, so this tweak blocks 90% of them. Then AppLocker (in your case) and security solutions (in my case) will deal with the rest.
     