Setting up software restrictions with only built-in applocker (ACP)


Post by jna90 on 18/4/2012, 02:55

Hi SSJ100 and other people reading this,

I've yet to understand quite a few bits about computer security, but I'm beginning to get the hang of it a bit. (I hope).
I have set up a standard user account or LUA and I'm quite happy with this and so far everything is going ok.
But I was wondering if it is possible or viable, in your opinion, to only set rules in the AppLocker part of gpedit.msc.
So let's say I won't touch any settings or rules within the SRP folder of gpedit but do all of my settings in Application Control Policies (AppLocker) within the local computer policy.
Would that be enough to tighten security, or do I absolutely need to set anything in the Software Restriction Policy folder of gpedit?

As you can see, I'm not entirely up to par with knowledge about security, but I do try to fully understand.
Thank you very much for reading and sorry if this is a bit of a silly question, I certainly hope not.

I forgot to mention I am running Windows 7 64-bit which is fully updated.
And I do use sandboxie within LUA account I've setup. Also I blocked the execution of scripts as you have suggested in your "Security Setup" thread at the top.

Greetings,
Jan.


Last edited by jna90 on 18/4/2012, 02:59; edited 1 time in total (Reason for editing : Forgot to include some info about OS)


Post by Guest on 18/4/2012, 05:45

Windows 7 Ultimate has both SRP and AppLocker. AppLocker is what we could call SRPv2. It's a better SRP. SRP works at the user level, while AppLocker works at the kernel level. Things that, by nature, can bypass SRP, cannot bypass AppLocker, for instance.

You didn't mention the exact version of your Windows 7, but be aware that Windows 7 Pro can be used to create AppLocker rules, but you cannot enforce the rules on a Windows 7 Pro machine. Don't ask; it's a Microsoft thing.

So, my advice would be to opt for AppLocker and not SRP. I mean, AppLocker is just better. Not to say that you've paid for it, you may as well just use it. Sure, you also paid for SRP, it's there, but AppLocker is better.

That said, I suppose you want to create a default-deny. The first thing to do is to start the Application Identity service. This service needs to be running for AppLocker to work.

Then, I'd create rules for all file type profiles, including *.dlls. Don't enforce the rules. Run it in Audit mode for a while. Run your daily applications; things you'd normally do. Then, check with Event Viewer if AppLocker blocked* anything.

* It doesn't actually block; but it will report what would have happened had the rules been enforced.

You can find a lot more about AppLocker by going to Microsoft's TechNet library. Just search for "applocker + technet" in your search engine. You'll get there.

Read all the info you can before actually starting to work with AppLocker.


Post by jna90 on 18/4/2012, 06:04

Hello M00nbl00d,

Thank you very much for the extra explanation about SRP and AppLocker (SRP v2).
My Windows version is the Ultimate version (totally forgot to mention this).
As you can see, minor things just slip by, if only in my thinking or train of thought about security.

I'm just beginning to explore the potential of AppLocker in general and indeed, one must be careful with those policies, and your advice to run it in audit mode is a very good idea, especially when I'm still beginning to understand the workings of it all.

In my own opinion things can go wrong when editing both SRP and AppLocker at the same time. I think it is best to leave the SRP part alone and only change or create rules within AppLocker (SRP v2).
As I found out the hard way: I just didn't understand why certain rules just didn't entirely work in AppLocker.

I found out that when the "Disallowed (for all users except Admins)" option is default in SRP then the rules in Applocker can clash with the rules in SRP.

Maybe, since I'm still novice at this, I just wasn't careful enough and the two are working great together, but still I think its better for me to completely focus on the Applocker.

Thanks so much for the pointers and I do see some interesting info with Applocker + Technet as you have suggested to search for.


Post by Guest on 18/4/2012, 07:50

What exactly do you mean by clash with the rules in SRP?

If you had SRP rules in place, when enabling AppLocker, the latter should take the lead, and SRP rules would be useless.

Thinking better, what you're reporting makes sense. You had SRP set to "Disallowed", which meant everything else is blocked. But, as soon as you enabled AppLocker, and perhaps considering no rules were being enforced, then execution is allowed. Is this what you meant? That you were able to execute something that shouldn't have been allowed execution? That would be the expected result, because as I mentioned above, AppLocker takes precedence; SRP becomes inactive.


Post by Guest on 18/4/2012, 07:57

By the way, I didn't mention it before, but my advice is to create the Default rules. Just make sure you also create the default rules for *.dlls, because it won't be enabled by default when you create the rules for the first time.

To enable DLL rules, right-click AppLocker, then click Properties. Where it says DLL rules, make sure you enable it - Configured.

But, like before, only in Audit mode.

This link should provide enough info to know how to create the default rules: http://technet.microsoft.com/en-us/library/ee791911(v=WS.10).aspx

Understanding AppLocker Default Rules: http://technet.microsoft.com/en-us/library/ee460941(WS.10).aspx


Post by jna90 on 18/4/2012, 09:09

Indeed I'm sorry if I was somewhat confusing here. I honestly thought that SRP blocked what Applocker allowed or vice versa.
But like you said, I'm going to dig deeper into more information gathering about the possibilities of Applocker and I leave the settings inside the SRP as default, just to be sure. No blocking or allowing rules in SRP and doing everything in Applocker.
I also deleted any script blocking rules in SRP and edited or created new script/exe/com blocking rules in Applocker.

Thanks for the various links you provided and additional info about DLL rules and where to look for. Very much appreciated.

I will keep an eye on this forum and keep checking.


Post by wat0114 on 22/4/2012, 08:51

You'll want to make sure you have "No software restriction policies defined" if you use AppLocker. Also, a nice way to test your AppLocker policy is to configure your rule enforcement to "Audit only". After a considerable time using your computer normally, you would then check the Event Viewer logs under: Applications and services logs\Microsoft\Windows\AppLocker.... and look for any entries where blocks would have happened. This will aid in correcting the ruleset where necessary to prevent these when the rules are "enforced". Hope this makes sense.

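The audit-mode procedure the two replies above describe (Application Identity service running, no SRP policy defined, every rule collection including DLL configured, then read back what AppLocker would have blocked) can be driven from PowerShell instead of clicking through gpedit and Event Viewer. The script below is an added example written for this thread; it is not code from either poster. It assumes an elevated PowerShell on Windows 7 with the built-in AppLocker module, that SRP keeps its policy under the Safer\CodeIdentifiers registry key, and that AppLocker events carry their details in the UserData/RuleAndFileData element of the event XML.

```powershell
# Added example for this thread (not code from any poster). Run in an elevated
# PowerShell on Windows 7; the AppLocker module ships with the OS.
# Assumptions: SRP keeps its policy under the Safer\CodeIdentifiers key, and
# AppLocker events carry their details in UserData/RuleAndFileData.
Import-Module AppLocker

function Test-SrpDefined {
    # "No software restriction policies defined" means this key (or its
    # DefaultLevel value) is absent.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return $false }
    $lvl = Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue
    return ($lvl -ne $null)
}

function Get-AppIdSvcState {
    # Win32_Service exposes StartMode, which Get-Service on Windows 7 does not.
    $svc = Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'"
    New-Object PSObject -Property @{ State = $svc.State; StartMode = $svc.StartMode }
}

function Get-AppLockerEnforcement {
    # Effective policy = local policy merged with any domain policy.
    [xml]$pol = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $pol.AppLockerPolicy.RuleCollection) {
        New-Object PSObject -Property @{
            Collection = $rc.Type              # Exe, Dll, Msi, Script
            Mode       = $rc.EnforcementMode   # Enabled, AuditOnly, NotConfigured
            Rules      = @($rc.ChildNodes).Count
        }
    }
}

function Get-AppLockerAuditHits {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # EXE and DLL log: 8003 = would have been blocked (audit), 8004 = blocked.
    # MSI and Script log: 8006 = would have been blocked (audit), 8007 = blocked.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003, 8004; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007; StartTime = $since }
    )
    foreach ($f in $filters) {
        # -ErrorAction SilentlyContinue: Get-WinEvent errors when a log has no matching events.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            New-Object PSObject -Property @{
                Time = $_.TimeCreated
                Id   = $_.Id
                Path = $d.FilePath      # uses %OSDRIVE%, %PROGRAMFILES% style variables
                Fqbn = $d.Fqbn          # publisher\product\binary\version for signed files
                User = $d.TargetUser
            }
        }
    }
}

"SRP policy defined : $(Test-SrpDefined)   (should be False when relying on AppLocker)"
Get-AppIdSvcState | Format-List
Get-AppLockerEnforcement | Format-Table Collection, Mode, Rules -AutoSize

# What would have been blocked in the last week, most frequent first. A path
# that shows up here with a real Fqbn is a candidate for a publisher rule; an
# unsigned one needs a path or hash rule, or is something to leave blocked.
Get-AppLockerAuditHits -Days 7 |
    Group-Object Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Fqbn'; e = { $_.Group[0].Fqbn } } |
    Format-Table -AutoSize
```

A collection missing from the enforcement table, or shown as NotConfigured, is the DLL-rules trap the earlier reply warns about: those loads are simply not evaluated and produce no 8003 events, so an empty audit log for DLLs proves nothing until the collection is configured. Event IDs 8003 and 8006 only appear while the collection is in AuditOnly mode; once enforced, the same decisions log as 8004 and 8007.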

Post by jna90 on 24/4/2012, 05:58

Thanks wat0114 for your comment.
Indeed you are right, I should be very careful with creating new rules and knowing when to run in audit mode and when in full enforcement mode.
I agree with you completely and I could keep running the Application Identity service as manual so that if things go wrong then I can reboot and the rules won't apply anymore.
Although this would weaken the security if you forget about it! Anyway, same goes for if you forget to get out of audit mode.

Thanks for the pointers to where to look for logs and you make perfect sense.

Come to think of it, it would be nice if you start Windows and you're in the login screen, there would be a message below the password box that states "warning, Application Identity service running in manual mode" or "warning, AppLocker currently running in audit mode or disabled!". Or something to this extent.
Technically it would be possible I guess, script loading messages can also be made visible during boot up or in the welcome screen.


Last edited by jna90 on 24/4/2012, 06:11; edited 1 time in total (Reason for editing : wishlist for notification about applocker status during login or boot up)


Post by wat0114 on 24/4/2012, 08:18

jna90 wrote: Thanks wat0114 for your comment.

You're welcome.

jna90 wrote: Come to think of it, it would be nice if you start Windows and you're in the login screen, there would be a message below the password box that states "warning, Application Identity service running in manual mode" or "warning, AppLocker currently running in audit mode or disabled!". Or something to this extent.
Technically it would be possible I guess, script loading messages can also be made visible during boot up or in the welcome screen.

You gave me an idea - thanks! It is at least possible to create a task using Task Scheduler to warn with a pop-up message when AppLocker detects a file execution (.exe or .DLL) that "would have been blocked" when in Audit only mode. Below is an exported task I created to do just that. It is triggered on event ID 8003. Please note the entry "<Author>MadisonB\Admin</Author>" that would have to be changed to your computername\administrator account name before you import the task into Task Scheduler. Hope it works for you.

Code:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2011-12-11T15:12:15.5751953</Date>
    <Author>MadisonB\Admin</Author>
    <Description>Displays a warning message when AppLocker detects an audited executable file type.</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription><QueryList><Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL"><Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and EventID=8003]]</Select></Query></QueryList></Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT5M</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <ShowMessage>
      <Title>WARNING!</Title>
      <Body>AppLocker has detected an audited execution attempt of an executable or DLL file type. Check the Event Viewer for details.</Body>
    </ShowMessage>
  </Actions>
</Task>

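wat0114's task fires once per audited execution; the other half of jna90's wish list is a warning when AppLocker is not actually enforcing at all (service stopped or left on Manual, a collection still in audit mode, DLL rules never configured). The script below is an added example for this thread, not wat0114's task and not from any poster. The path C:\Tools\Check-AppLocker.ps1 and the task names are hypothetical, and it assumes the effective AppLocker policy is readable by the account that logs on.

```powershell
# Added example (not wat0114's task, not from the thread): a logon-time check
# in the spirit of jna90's wish list. Save it as C:\Tools\Check-AppLocker.ps1
# (hypothetical path) and register it with the schtasks line at the bottom.
# Assumes the effective AppLocker policy is readable by the account that logs on.
Import-Module AppLocker

function Get-AppLockerStatusProblems {
    $problems = @()

    # 1. Application Identity service: must be running, and Automatic so a
    #    reboot cannot silently drop the policy.
    $svc = Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'"
    if ($svc -eq $null) {
        $problems += 'Application Identity service (AppIDSvc) not found'
    } else {
        if ($svc.State -ne 'Running')  { $problems += "Application Identity service is $($svc.State)" }
        if ($svc.StartMode -ne 'Auto') { $problems += "Application Identity start mode is $($svc.StartMode), not Automatic" }
    }

    # 2. Every rule collection must be in Enabled (enforce) mode, and the DLL
    #    collection must exist at all; an absent collection is not evaluated.
    [xml]$pol = Get-AppLockerPolicy -Effective -Xml
    $seen = @{}
    foreach ($rc in $pol.AppLockerPolicy.RuleCollection) {
        $seen[$rc.Type] = $rc.EnforcementMode
        if ($rc.EnforcementMode -ne 'Enabled') {
            $problems += "$($rc.Type) rules are in $($rc.EnforcementMode) mode"
        }
    }
    foreach ($c in 'Exe', 'Dll', 'Msi', 'Script') {
        if (-not $seen.ContainsKey($c)) { $problems += "$c rule collection is not configured" }
    }
    return ,$problems
}

$problems = Get-AppLockerStatusProblems
if ($problems.Count -gt 0) {
    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.MessageBox]::Show(
        ($problems -join "`n"),
        'WARNING: AppLocker is not fully enforced',
        [System.Windows.Forms.MessageBoxButtons]::OK,
        [System.Windows.Forms.MessageBoxIcon]::Warning) | Out-Null
}

# Register it from the account that should see the warning; a per-user logon
# task runs as that user and needs no elevation:
#   schtasks.exe /Create /TN "AppLocker status check" /SC ONLOGON /RL LIMITED ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Tools\Check-AppLocker.ps1"
# wat0114's exported task above is imported the same way, after editing <Author>:
#   schtasks.exe /Create /TN "AppLocker audit warning" /XML applocker-audit.xml
```

Two caveats a practitioner would want. First, the warning appears after logon, not on the logon screen jna90 describes; nothing runs in the user's session before that. Second, wat0114's XML subscribes only to the "Microsoft-Windows-AppLocker/EXE and DLL" log, so audited script and installer executions (which land in "Microsoft-Windows-AppLocker/MSI and Script" as event ID 8006) will not trigger it unless a second EventTrigger with that log path is added to the task.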

Post by jna90 on 25/4/2012, 12:27

Great! Thanks for looking into this!
I will have to test it and implement this within Task Scheduler / manager.

I think this would help, I mean getting a message before you're actually completely logged in is very helpful to me anyway. I guess some peace of mind or perhaps a reminder even, like "whoops, I forgot to enforce the rules and I'm still in audit mode". Not that it would happen a lot, but we're human after all, it could happen if we 'forget' some things accidentally.

Thank you !
