Join Pete Zerger for an in-depth discussion in this video Working with Windows AppLocker, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
I like to deploy my AppLocker policies through Active Directory Group Policy because that gives me central control and also the ability to roll this out in a phased manner. So, I'm going to right-click the Group Policy Objects folder in the Group Policy Management snap-in here and I'll create a policy called AppLocker demo. And so, you'll notice that I'm creating the policy. I'm not linking it to anything. So, this isn't actually applying. It's just allowing me to walk through and make my configurations. So, I'll right-click that policy and select Edit and we'll find the AppLocker settings under the Computer Configuration node, under Policies, Windows Settings, Security Settings, Application Control Policies, and here, we'll find the AppLocker node.
Now, when we create these policies and then apply that Group Policy Object to an OU or a domain, these policies are going to be enforced unless we opt for the audit mode. And, I want to show you audit mode because this is a nice way to simply log when the AppLocker policy would take effect without actually allowing it to take effect. So, we can use this as a way to track usage of an application and gauge what the impact is going to be. You know, certainly we can use Group Policy to roll this out right away, but if we do it without appropriate testing ahead of time, we might wind up with some unhappy users because they're suddenly no longer able to use applications that they're accustomed to using.
So, I'm going to right-click that AppLocker node and select Properties, and I just want to show you where the audit option is available. So, you'll notice here by default Enforce rules is set, and we can set the audit option instead. I'm going to leave this alone for now and I'm going to create a policy that would be enforceable. So, we're going to create an executable policy here to block the Firefox browser. So, I'll actually right-click Executable Rules and I'll create a new rule.
And, on the Permissions page here, I'm going to deny users the right to run this policy. Now, you'll notice that Everyone is the default. I could scope this and scope it to a specific group of users in my environment if I wish. I'm going to leave it global for purposes of our discussion. And, I have some options for the types of AppLocker policies I can create. You see how I can create policies based on the publisher. I can use a file hash option, which might be handy if I have custom applications that we've written internally that are inside.
Now, I'm going to use the path option. I simply want to block Firefox, the browser, at this point. So, I will browse to the Firefox app under Program Files, Mozilla Firefox, and you'll notice that the wizard there dropped me right into the Program Files directory. The wizard is expecting that the executable I'm browsing to is available on the local machine. So, it's a good idea for me to try to create this on a system where that app is installed, or it will complain. I can add some exceptions here based on publisher, path, et cetera.
No exceptions here. I want to block this app and, really, that's all there is to it. So, now I have created a policy to block Firefox. And you'll notice I'm prompted here that some default rules don't exist. Now, we're always going to go ahead and hit the Yes button here because this creates some default rules that ensure that important Windows system files are allowed to run. So, here's my deny policy. Here are some system rules that ensure that our policy doesn't affect anything on Windows.
So, although I didn't link that Group Policy to any OU and apply that policy, I wanted you to see the after of this situation. So, I've actually created a carbon copy of that policy, called AppLocker, and I applied it to my Kineteco Desktops OU. So, I've actually applied this to my Windows 10 systems. And, we're going to just pop over to our Windows 10 client here and have a look at what the user experience is when we've applied an AppLocker policy.
So, when I double-click Mozilla Firefox, you'll see the user is simply prompted that the app has been blocked by their system administrator. Now, should you create a policy, as I did, apply it to your desktops, to your test systems, and find that you're able to launch Firefox in this case, nine times out of ten there's one problem, and that is the Application Identity service that I'm looking at in Computer Management under Services here. This Application Identity service may not be running. This has to be running to process those AppLocker policies.
You'll notice that its start type is Manual by default. So, you might need to address this through a separate Group Policy to ensure that your clients are enforcing those AppLocker policies. But, AppLocker is a great complement to the other components of the Microsoft Cybersecurity Stack in implementing a layered defense.
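The whole procedure from the video (a Path deny rule for Firefox, the default Exe rules the wizard offers to create, audit mode, and the Application Identity service check) can also be carried out with the AppLocker PowerShell module instead of the Group Policy editor. The script below is an added example and is not code from the course or from the video's own demo. It assumes Firefox is installed in its default location on the machine where it runs (the wizard has the same requirement, as the video notes) and uses a placeholder, `$gpoLdap`, for the LDAP path of your own GPO.

```powershell
# Added example (not from the course): build the same AppLocker policy the video
# creates in the GPO editor, publish it in AuditOnly mode, test the decision locally,
# read audit events back, and check the Application Identity service.
# Assumptions: $gpoLdap is a placeholder you must replace; Firefox is installed at
# the default path on this machine.
Import-Module AppLocker

$gpoLdap     = 'LDAP://<dc-fqdn>/CN={<gpo-guid>},CN=Policies,CN=System,DC=<domain>,DC=<tld>'  # placeholder
$firefoxPath = Join-Path $env:ProgramFiles 'Mozilla Firefox\firefox.exe'
$policyFile  = Join-Path $env:TEMP 'AppLocker-demo.xml'

# Policy XML in the shape the GPO editor stores it: one Exe rule collection holding
# the Firefox deny rule plus the three default allow rules (Program Files, Windows
# folder, local Administrators). EnforcementMode="AuditOnly" is the audit setting
# from the AppLocker node's Properties dialog; change it to "Enabled" once the audit
# log shows nothing unexpected. %PROGRAMFILES% is how the wizard rewrites a browsed
# path. SIDs: S-1-1-0 = Everyone, S-1-5-32-544 = local Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Block Firefox" Description="Demo deny rule"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Mozilla Firefox\firefox.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files located in the Program Files folder"
                  Description="Allows Everyone to run applications in Program Files"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files located in the Windows folder"
                  Description="Allows Everyone to run applications in the Windows folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files"
                  Description="Allows local Administrators to run all applications"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# 1. Dry run before touching any GPO: what would the policy decide for Firefox and
#    for a Windows binary? An explicit Deny wins over Allow, so Firefox comes back
#    Denied even though it lives under Program Files; notepad.exe comes back Allowed.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $firefoxPath, "$env:WINDIR\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 2. Publish the policy into the GPO. As in the video, nothing applies until the
#    GPO is linked to an OU such as the desktops OU.
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $gpoLdap

# 3. Once clients have refreshed, audit mode logs event 8003 ("would have been
#    blocked") instead of 8004 ("blocked"). Pull the audited executables from the
#    local EXE and DLL log to gauge the impact before switching to enforcement.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Select-Object -ExpandProperty Path | Sort-Object -Unique

# 4. The usual reason a rule "does not work": the Application Identity service is
#    not running. Its start type is Manual by default; set it to Automatic through
#    the System Services setting in a separate GPO, as the video recommends, rather
#    than per machine. Starting it here only helps on this test client.
$appId = Get-Service -Name AppIDSvc
"AppIDSvc status: $($appId.Status), start type: $($appId.StartType)"
if ($appId.Status -ne 'Running') { Start-Service -Name AppIDSvc }
```

Run it from an elevated PowerShell session on a domain-joined test client with the Group Policy Management tools installed. The `Test-AppLockerPolicy` step is the part worth keeping in any deployment script: it evaluates the XML against real files without the policy being applied anywhere, which is the same "measure before you enforce" idea as audit mode, only faster.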