Windows 7 AppLocker: Understanding its Capabilities and Limitations
TRANSCRIPT
Made possible by:
© 2011 Monterey Technology Group Inc.
Brought to you by
Speakers
• Chris Chevalier, Senior Product Manager
• Chris Merritt, Director of Solution Marketing
http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx
Preview of Key Points
• AppLocker
• How it works
• Capabilities
• Limitations
• Scenarios where it’s:
  • Right
  • Wrong
Open Ended Survey Question
If you could build your ideal endpoint security agent, what would you include?
• AntiVirus
• Application Whitelisting
• Patching
• Firewall
• Disk encryption
• DLP
• Device Control
• What else?
Please respond via Chat
AppLocker
• Starts from a deny all point of view
• Can be applied to:
  • EXEs
  • DLLs (.dll and .ocx)
  • Scripts (.bat, .cmd, .js, .ps1, and .vbs)
  • Windows Installer (.msi and .msp)
AppLocker Rules
• Rules: user or group
• File criteria:
  • Publisher
  • Path
  • File Hash
• Action: Allow or Deny
• Exceptions:
  • Publisher
  • Path
  • File Hash
AppLocker Rules (rule evaluation flow)
• User tries to run program.
• Check user and program against the next deny rule.
  • Not a match: if there are any more deny rules, check the next one; if not, move on to the allow rules.
  • Matches: does the file match the rule’s exception list? If it matches, the rule is skipped and the remaining deny rules are evaluated; if not, the file is blocked.
• Check user and program against the next allow rule.
  • Not a match: if there are any more allow rules, check the next one; if not, the file is blocked (the default is deny).
  • Matches: does the file match the rule’s exception list? If it matches, the rule is skipped and the remaining allow rules are evaluated; if not, the file is allowed.
AppLocker Rules
• All deny rules are processed before allow rules; otherwise the sequence is not important
• Default rule is deny
• Add allow rules for selected users and programs
• Deny rules override allow rules; they are only needed to override allow rules
• Exceptions simply cause the next rule to be evaluated
• Multiple GPOs?
  • Rules are additive (including local policy)
  • Enforcement mode: last GPO wins
Implementation
• Create Default Rules
• Automatically Generate Rules
• Enforcement mode:
  • Audit Only
  • Enforce
Implementation
• Audit Only: events logged to Application and Services Logs\Microsoft\Windows\AppLocker
• Use event forwarding to get a centralized log
  • Not trivial

Event ID  Level        Log                  Message
8002      Information  EXE or DLL           <File name> was allowed to run.
8003      Warning      EXE or DLL           <File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
8004      Error        EXE or DLL           <File name> was not allowed to run.
8005      Information  Script or Installer  <File name> was allowed to run.
8006      Warning      Script or Installer  <File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
8007      Error        Script or Installer  <File name> was not allowed to run.
Implementation
• Can’t do AppLocker without PowerShell scripting
• Get-AppLockerFileInformation
  • Reads event log to report broken files
• New-AppLockerPolicy
  • Can build new policy from Get-AppLockerFileInformation
• Set-AppLockerPolicy
  • Plug policy into a GPO
• Test-AppLockerPolicy
  • Test whether a specified list of files are allowed to run on local computer for specified user
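The audit-to-policy workflow these four cmdlets support, written out as an added example (not from the webinar or from Lumension). It assumes the AppLocker module is available, that the computer has run in Audit Only mode long enough to log 8003/8006 events, and that $gpoLdap and $appDir are placeholders you replace with your own GPO path and application directory.

```powershell
# Added example, not from the webinar: turn Audit Only events into rules and
# dry-run them before they reach a GPO. Placeholders: $gpoLdap and $appDir.
Import-Module AppLocker

$gpoLdap   = 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'
$appDir    = 'C:\LOB\SomeApp'            # where the line-of-business app lives
$policyXml = Join-Path $env:TEMP 'applocker-from-audit.xml'

# 1. Collect files that ran but WOULD have been blocked (events 8003 and 8006).
#    Both AppLocker logs are read so scripts and installers are not missed.
$audited = foreach ($log in 'Microsoft-Windows-AppLocker/EXE and DLL',
                             'Microsoft-Windows-AppLocker/MSI and Script') {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited
}

# 2. Build rules from them. Publisher rules are preferred because they survive
#    version updates; a hash rule is only the fallback for unsigned files and
#    will break on the next patch (the "updates break AppLocker" caveat).
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'FromAudit' -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Dry-run the candidate policy against the application's own files.
#    -Filter keeps only the misses, so an empty result means full coverage.
$misses = Get-ChildItem -Path $appDir -Recurse -Include *.exe, *.dll, *.msi, *.ps1 |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone -Filter Denied, DeniedByDefault
$misses | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge (not replace) into the GPO, keeping the existing default rules.
#    Leave the GPO's enforcement mode at Audit Only until step 3 comes back empty.
if (-not $misses) {
    Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoLdap -Merge
}
```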
Caveats
• Windows 7 Enterprise & Ultimate only: no support for Windows 7 Pro, Vista, XP…
• Based on the computer’s OU, not the user’s OU: users are locked out of some applications on some computers, but not others
• Default rules:
  • Allow any local admin to run everything
  • Allow Everyone to run everything under %Program Files%
• 64 bit editions
Caveats
• Only intended for least privilege environments
• Default rules
• Local admins can stop the AppId service
• Local admins can add allow rules
• User Account Control can be a gotcha
Big Caveat
• Back doors?
  • LOAD_IGNORE_CODE_AUTHZ_LEVEL on LoadLibraryEx
  • SANDBOX_INERT on CreateRestrictedToken
• Links
  • http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/
  • http://www.wilderssecurity.com/showthread.php?p=1818199
  • http://www.wilderssecurity.com/showthread.php?p=1818225
When Does AppLocker Work?
• In Microsoft’s own words:
  • Business groups that typically use a finite set of applications
  • Not suited for business groups that must be able to install applications as needed and without approval from the IT department
• Number of applications in your organization is known and manageable
• You have resources to:
  • test policies against the organization's requirements
  • involve help desk or build a self-help process for end-user application access issues
Bottom Line
• Still designed for a homogenous environment based on a golden image; not practical for diverse PC/user environments
• Unless you can depend on Publisher rules, updates break AppLocker, or security is weakened by path rules
• Not effective against end-users with local admin authority
• On-demand exceptions are cumbersome
• Reporting is there but cumbersome
• Script intensive
Bottom Line
• The need:
  • Centralized control and reporting
  • Ability to phase in whitelisting on existing PCs with unique configurations and software
  • Ability to completely automate support for updates
  • Support for more than Win 7 Ultimate and Enterprise