Advanced Group Policy for Security – AppLocker

This post will be the first of a series on using Group Policy for Windows Server, Windows Client, and Active Directory Security. Today, we’ll focus on implementation, configuration, and monitoring of AppLocker.

 

So, what’s AppLocker?

AppLocker is Microsoft’s native application whitelisting/blacklisting feature. You can think of AppLocker as a counterpart of the Windows Firewall, but instead of filtering network traffic, it filters the execution of applications, installers, scripts, Windows Store apps, and even DLLs. For those of you familiar with Software Restriction Policies, AppLocker is the more advanced, easier to manage, and overall more mature solution.

While there are 3rd party solutions in this space, AppLocker is compelling for a couple of reasons:

  1. Deployment: Non-issue because AppLocker is built into enterprise versions of Windows 7 and above.
  2. Cost: As a built-in component, there is no added cost.
  3. Configuration: Management is done through Group Policy, also built-in.

Unfortunately, there are some shortcomings that we need to overcome, namely:

  1. Monitoring: AppLocker does not include centralized monitoring. All events are written to local event logs on the client.
  2. Rule creation: To be truly effective, customized rules need to be developed. Since there is no native centralized monitoring, it can be difficult to enumerate all of the possible application/script/installer locations that were missed during testing.

 

All right, let’s do this

Now that we’ve covered what AppLocker is, let’s make it work for your organization.

Create a Pilot computer group

As a first step, create a new Group in Active Directory. This group will include Computers to pilot AppLocker deployment. We’ll use this group in a couple of different places to scope roll out.

1. Open Active Directory Users & Computers

2. In an appropriate OU, create a new Active Directory group matching your naming convention (with mention of the group’s purpose as an AppLocker pilot).

3. Add 1 or more computers to this group.

 

Create GPO:  Configure AppLocker settings in “Audit Only” mode

For the client/server endpoints that will have AppLocker enabled, there are 2 required configuration steps and 1 recommended.

1. Application Identity service: By default, the Application Identity service is disabled. Without it enabled, AppLocker will not function.

You can enable the Application Identity service by GPO:

  • In a new GPO, navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  • Right-click the Application Identity service and select Properties
  • Choose ‘Define this policy setting’ and select the ‘Automatic’ radio button.

2. Configure the AppLocker categories to Audit only. Importantly, rules will default to Enforce if you do not specifically choose to audit the category they are in. So, regardless of the rules you configure, you should start with setting rules to Audit Only mode.

  • Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker
  • Right-click the AppLocker node and select Properties
  • On the Enforcement tab, check all of the ‘Configured’ boxes and select ‘Audit Only’.
  • On the Advanced tab, do NOT check the ‘Enable the DLL rule collection’ box. This should ONLY be enabled with extreme caution.

3. Configure AppLocker Rules: Out of the box, no rules are configured. A good starting point is adding the Default Rules (assuming Audit Only mode has been configured, of course). An even better place to start is an example workstation. I’ll cover both below.

  • Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker
  • For the Default Rules approach:
    • Select the ‘Executable Rules’ node.
    • Right-click ‘Executable Rules’ and choose ‘Create Default Rules’.
    • Note the rules and their functions. These default rules effectively allow all normally installed applications in the Program Files (and Program Files x86) and Windows folders to run properly. Administrators are able to run any application anywhere.
    • Do the same process for Windows Installers, Script Rules, and Packaged app Rules.
    • Important: The Default Rules add the Administrators group with rights to run any application/script/etc. If your organization has a problem with users being local Administrators, this approach will not work well as AppLocker will be effectively useless. However, you can choose to change the group that is allowed to execute anything to a different Active Directory group. You might consider creating a custom AD Group that allows only specific users the rights to execute anything on computers or use an existing Desktop Support / Server Support group.
  • For the baseline workstation approach:
    • Log on to a newly built, baseline workstation
    • Open gpedit.msc
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
    • Right-click AppLocker and select Properties
    • Ensure all of the 4 (or 3 on Windows 7) categories are enabled in “Audit Only” mode.
    • Under each of the sub-categories, right-click and choose ‘Automatically Generate Rules…’
    • Choose the location to start (“C:\Program Files” is default). Note that you can do this multiple times with multiple top-level folders (like “Program Files” and “Windows”)
    • Choose whether you would like to use File Hash (much more work to maintain) or Paths (less secure) for unsigned files.
    • Ensure “Reduce the number of rules created by grouping similar files” is selected (default).
    • Finish creating rules (which may take several rounds of automatic generation and manual additions).
    • Export the AppLocker policy: Right-Click AppLocker and select “Export Policy…”.
    • Return to the GPO created in this section and edit.
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
    • Right-click AppLocker and select “Import Policy”
    • IMPORTANT: This process does not create any group with the ability to execute all scripts/exes/installers/etc. Normally, the Administrators group is granted this right as part of the Default Rules, but this can be customized to any group. Just be certain you define some group that is allowed to bypass the rules in case it is required.

4. Support URL: An optional, though very useful, configuration option is setting a Support URL. This will allow users to be referred to a website for more information, to request an exception, or whatever is needed.

  • Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer
  • Right-click the ‘Set a support web page link’ option and choose ‘Edit’
  • Enter a URL. A test website is ok for this round, but you’ll want to change this to an informational site later.

5. Security Filter: Finally, change the Security Filtering section of this GPO (in the GPMC) to the group created in the step ‘Create a Pilot computer group‘.
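As an added example (not code from the original post), the baseline workstation approach in step 3 can be scripted end to end on the workstation itself: inventory the machine, generate publisher rules for signed files and hash rules for unsigned ones, make sure every rule collection is explicitly Audit Only (the trap step 2 warns about), add the bypass rule that automatic generation does not create, and write the XML that the Import Policy… step expects. The bypass group name, the scanned folders and the output path are placeholders.

```powershell
# Added example, not code from the original post. Run elevated on the baseline workstation.
# Placeholders: the bypass group name, the folders scanned and the output file path.

function New-AuditOnlyBaselinePolicy {
    param(
        [string[]]$ScanFolders = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot),
        [string]$BypassGroup   = 'CONTOSO\AppLocker-Bypass',         # placeholder AD group
        [string]$OutFile       = 'C:\Temp\AppLocker-AuditOnly.xml'   # placeholder output path
    )

    # 1. Inventory the workstation. Signed files get publisher rules; unsigned files fall back to
    #    hash rules (more maintenance than path rules, but not bypassable by dropping a file in the
    #    right folder). -Optimize collapses similar files into one rule, as the GUI checkbox does.
    $fileInfo = foreach ($folder in ($ScanFolders | Where-Object { $_ -and (Test-Path $_) })) {
        Get-AppLockerFileInformation -Directory $folder -Recurse -FileType Exe, WindowsInstaller, Script
    }
    [xml]$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    $root = $policy.AppLockerPolicy

    # 2. Every collection must exist and carry EnforcementMode="AuditOnly". A collection that is
    #    NotConfigured but contains rules is enforced. The DLL collection is deliberately left out.
    foreach ($type in 'Exe', 'Msi', 'Script', 'Appx') {
        $rc = $root.SelectSingleNode("RuleCollection[@Type='$type']")
        if (-not $rc) {
            $rc = $policy.CreateElement('RuleCollection')
            $rc.SetAttribute('Type', $type)
            [void]$root.AppendChild($rc)
        }
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }

    # 3. Add a "run anything" rule for the bypass group so support staff are never locked out.
    #    The Appx collection only accepts publisher rules, so it gets a wildcard publisher rule.
    $account = New-Object System.Security.Principal.NTAccount($BypassGroup)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    foreach ($type in 'Exe', 'Msi', 'Script', 'Appx') {
        $rc = $root.SelectSingleNode("RuleCollection[@Type='$type']")
        if ($type -eq 'Appx') {
            $rule = $policy.CreateElement('FilePublisherRule')
            $cond = $policy.CreateElement('FilePublisherCondition')
            $cond.SetAttribute('PublisherName', '*')
            $cond.SetAttribute('ProductName', '*')
            $cond.SetAttribute('BinaryName', '*')
            $range = $policy.CreateElement('BinaryVersionRange')
            $range.SetAttribute('LowSection', '0.0.0.0')
            $range.SetAttribute('HighSection', '*')
            [void]$cond.AppendChild($range)
        } else {
            $rule = $policy.CreateElement('FilePathRule')
            $cond = $policy.CreateElement('FilePathCondition')
            $cond.SetAttribute('Path', '*')
        }
        $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
        $rule.SetAttribute('Name', "(Bypass) All files - $BypassGroup")
        $rule.SetAttribute('Description', 'Emergency bypass group; keep its membership small')
        $rule.SetAttribute('UserOrGroupSid', $sid)
        $rule.SetAttribute('Action', 'Allow')
        $conditions = $policy.CreateElement('Conditions')
        [void]$conditions.AppendChild($cond)
        [void]$rule.AppendChild($conditions)
        [void]$rc.AppendChild($rule)
    }

    $policy.Save($OutFile)
    return $OutFile
}

# Build the policy, then ask AppLocker what it would decide for a known system binary and for
# anything sitting on the current user's Desktop (the post's test case) before the XML is imported.
$xmlFile = New-AuditOnlyBaselinePolicy
$samples = @("$env:SystemRoot\System32\notepad.exe")
$desktop = Get-ChildItem "$env:USERPROFILE\Desktop" -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($desktop) { $samples += $desktop }
Test-AppLockerPolicy -XmlPolicy $xmlFile -Path $samples -User Everyone
```

The resulting file is what “Import Policy…” consumes in the GPO; the same file can also be applied locally for a quick check with `Set-AppLockerPolicy -XmlPolicy`. Test-AppLockerPolicy reports the decision the rules would make, so a Desktop executable should show up as denied by default even though, in Audit Only mode, it will still run.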

 

Install an Event Log collector

Now that the GPO to configure AppLocker has been created, we still have the problem of centralized reporting. If you’ve read other posts, you’ll know that I’m a big proponent of using built-in tools when they are available. This is no different. A built-in solution is using the Event Viewer subscription service to collect this data for you, or rather, to receive this data from your endpoints. Note that my preference is to create separate collector rules for the 4 Event Logs related to AppLocker (Exe and DLL, MSI and Script, Packaged app-Deployment, and Packaged app-Execution) and configure each to send logs to the corresponding AppLocker log on the event collection server.

1. Open Event Viewer

2. Select the Subscriptions node

3. At the Event Viewer prompt, click Yes. This will start the Windows Event Collector service.

4. Right-click the Subscriptions node and select Create Subscription

5. Enter the name ‘AppLocker – Exe and Dll’

6. Under Destination Log, select the log ‘Microsoft-Windows-AppLocker/EXE and DLL’

7. Select the ‘Source computer initiated’ radio button

8. Click the ‘Select Computer Groups’ button

9. Click ‘Add Domain Computers’ and enter ‘Domain Computers’. This will allow every client/server in the environment to use this event collector. Important: This does not cause clients/servers to use this server, simply allows it. This is why we do not need to filter this to only the Pilot group created earlier.

10. Click ‘Select Events…’

11. At the ‘Query Filter’ pop-up:

  • Check the Critical, Error, and Warning levels.
  • Select the drop-down arrow next to the Event logs field and navigate to: Event Logs > Applications and Services Logs > Microsoft > AppLocker
  • Check the box next to ‘EXE and DLL’ and click OK

12. (Optional) Click the Advanced button and choose the appropriate delivery optimization setting. In a large environment during full-scale deployment, Minimize Bandwidth may be the best option. During an initial Pilot deployment, Minimize Latency may be the best bet to ensure logs are quickly sent across.

13. Click OK to close the subscription.

14. Repeat steps 5 through 13 for ‘MSI and Script’, ‘Packaged app-Deployment’, and ‘Packaged app-Execution’.

15. In the event viewer, navigate to: Applications and Services Logs > Microsoft > Windows > AppLocker

16. For each of the AppLocker event logs, right-click > Properties. Increase the maximum size of the event log to an appropriate size depending on the number of pilot computers. I’d begin with at least 10-100 times the default size (10-100 MB) and increase as needed. That will give you room for roughly 1,000-10,000 Error events.
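The same collector configuration (steps 1 to 16) as an added, scripted example that is not part of the original post: one source-initiated subscription per AppLocker log, each delivering into the matching AppLocker log on the collector, followed by the log size increase. It assumes it runs elevated on the collector and that the collector already has a WinRM listener (`winrm quickconfig`); the log size is a placeholder.

```powershell
# Added example, not code from the original post. Run elevated on the event collector.
# Assumptions: a WinRM listener already exists on this host; the log size below is a placeholder.

$AppLockerLogs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)

function New-AppLockerSubscriptionXml {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [ValidateSet('Normal', 'MinLatency', 'MinBandwidth')][string]$Mode = 'MinLatency'
    )
    $id = 'AppLocker - ' + $LogName.Split('/')[1]
    # Levels 1-3 only (Critical/Error/Warning), as in step 11: the "would have been blocked" audit
    # events are Warning and the blocked events are Error; Information-level "allowed" events would
    # swamp the collector. Domain Computers (the SDDL below) may forward, which allows rather than
    # forces forwarding, exactly as step 9 explains. RenderedText keeps the Message text on the
    # collector, which the PowerShell summary later in this post relies on.
    $select = '*[System[(Level=1 or Level=2 or Level=3)]]'
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$id</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forwards $LogName to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>$Mode</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="$LogName"><Select Path="$LogName">$select</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>$LogName</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
}

function Install-AppLockerCollector {
    param(
        [string]$Mode     = 'MinLatency',   # pilot: see events quickly; MinBandwidth once at scale
        [int]$MaxLogBytes = 100MB           # placeholder; grow with the number of forwarding hosts
    )
    wecutil qc /q                           # enable and start the Windows Event Collector service (step 3)
    foreach ($log in $AppLockerLogs) {
        $tmp = Join-Path $env:TEMP ('wec-' + [guid]::NewGuid().ToString() + '.xml')
        New-AppLockerSubscriptionXml -LogName $log -Mode $Mode | Set-Content -Path $tmp -Encoding ASCII
        wecutil cs $tmp                     # create the subscription from the XML (steps 4-13)
        Remove-Item $tmp
        wevtutil sl $log "/ms:$MaxLogBytes" # raise the destination log's maximum size (step 16)
    }
    wecutil es                              # list the subscriptions that now exist
}

Install-AppLockerCollector
```

`wecutil gr "<SubscriptionId>"` afterwards shows which source computers have checked in and their last heartbeat, which is the quickest way to see whether the client GPO in the next section has taken effect.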

 

Create GPO:  Configure clients to use the Event Log collector

With the Event Collector ready, we still have to tell clients and/or servers to use the Event Log collector. To do this, we’ll create a GPO that tells computers to connect to the collector and receive instructions. Shortly thereafter, events will be sent to the collector based upon the configuration of the subscriptions.

1. Create a new GPO and name it something like ‘EventLog – Event Collector – Enable’

2. Select the GPO

3. Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding

4. Edit the setting ‘Configure target Subscription Manager’

5. Enable this setting and click ‘Show…’

6. In the Show Contents list, add the following:

  • server=<Event Collector Server FQDN>:5985
  • Note: Replace <Event Collector Server FQDN> with the fully qualified domain name of the event collector server.

7. Finally, change the Security Filtering section of this GPO (in the GPMC) to the group created in the step ‘Create a Pilot computer group‘.
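The same GPO built with the GroupPolicy module, as an added example that is not from the original post. It writes the registry value behind ‘Configure target Subscription Manager’ (in the full form Microsoft documents, with a refresh interval) and sets the security filtering to the pilot group. One caveat a practitioner will want: since MS16-072 the computer account must still be able to read every GPO it processes, so Authenticated Users is reduced from Apply to Read rather than removed. GPO name, collector FQDN and pilot group name are placeholders.

```powershell
# Added example, not code from the original post. Needs the GroupPolicy RSAT module and rights to
# create GPOs. Placeholders: GPO name, collector FQDN, pilot group name.
Import-Module GroupPolicy

function New-EventCollectorClientGpo {
    param(
        [string]$GpoName       = 'EventLog - Event Collector - Enable',
        [string]$CollectorFqdn = 'wec01.contoso.com',            # placeholder
        [string]$PilotGroup    = 'AppLocker-Pilot-Computers'     # placeholder; group from the first section
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Points clients at the WEF collector' }

    # 'Configure target Subscription Manager' is this registry value. Refresh is how often (seconds)
    # the client contacts the collector to re-read the subscriptions it should honour.
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' `
        -ValueName '1' -Type String `
        -Value "Server=http://$($CollectorFqdn):5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null

    # Security filtering: only the pilot group applies the GPO. Authenticated Users keeps Read
    # (-Replace lowers it from Apply); a GPO the computer account cannot read is silently skipped.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $PilotGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Show the resulting ACL so the filter can be verified before the GPO is linked anywhere.
    Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
}

New-EventCollectorClientGpo
```

The same two Set-GPPermission calls apply to the AppLocker “Audit Only” GPO from the previous section; the output should list the pilot group with GpoApply and nothing broader than GpoRead for Authenticated Users or Domain Computers.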

 

“Audit Only” Pilot Deployment

Now that you’ve created the Audit Only GPO, the event collector GPO, and created a valid Event Collector server, you can begin the pilot roll out.

1. Link the AppLocker “Audit Only” and Event Collector configuration GPOs to an OU with the Pilot computers. Note that with a Security Filtered GPO, you can link the GPO at a higher level OU; just don’t link it to the top of the domain, and be absolutely certain the security filter on both GPOs does not include Authenticated Users or Domain Computers.

2. Test the AppLocker rules:

  • Log on to one of the pilot computers with a non-Administrator account
  • Run gpupdate /force
  • Run an executable from the user’s Desktop. An easy test: Download one or more of the Sysinternals tools to the desktop.

3. Verify log creation:

  • Open Event Viewer
  • Navigate to: Applications and Services Logs > Microsoft > Windows > AppLocker
  • Select the “EXE and DLL” event log
  • Check for Event ID
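The verification in steps 2 and 3 as an added PowerShell check to run on the pilot computer (not code from the original post). It confirms the three things that must be true before the Event Viewer check means anything: the Application Identity service is running, the effective policy has every collection in AuditOnly, and audit events are appearing. The event IDs used are AppLocker’s own for the EXE and DLL log: 8003 is “allowed to run but would have been prevented” (the Audit Only event), 8004 is an actual block. The time window is an assumption.

```powershell
# Added example, not code from the original post. Run on a pilot computer after gpupdate /force.
# 8003 = allowed but would have been blocked (Audit Only); 8004 = blocked (must stay 0 in the audit pilot).
function Test-AppLockerPilotClient {
    param([int]$Minutes = 60)   # look-back window; assumption

    $svc = Get-Service -Name AppIDSvc

    # The effective policy is the merge of local and domain policy; its XML carries EnforcementMode
    # per collection, which is what the Enforcement tab in the GPO sets.
    [xml]$effective = Get-AppLockerPolicy -Effective -Xml
    $modes = foreach ($rc in $effective.AppLockerPolicy.RuleCollection) {
        '{0}={1}' -f $rc.Type, $rc.EnforcementMode
    }

    $hits = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AppIdService    = $svc.Status                 # must be Running, otherwise AppLocker does nothing
        EnforcementMode = $modes -join ', '           # every configured collection should read AuditOnly
        AuditEvents     = @($hits | Where-Object Id -eq 8003).Count
        BlockedEvents   = @($hits | Where-Object Id -eq 8004).Count
        LastAuditEvent  = ($hits | Where-Object Id -eq 8003 | Select-Object -First 1).Message
    }
}

Test-AppLockerPilotClient
```

If AuditEvents is 0 after running a Desktop executable, check the service first, then the EnforcementMode column: a collection that reads NotConfigured while rules exist means the GPO did not apply or the Configured box was not ticked.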

 

Review Collected Event Logs

Without a central event collector, the next step would involve reading the local log files on each host with AppLocker enabled. Because we’ve configured log shipping to the event log collector, we’ll do all of the analysis there.

You can, of course, manually review the event logs on the Collector. That would take substantial time if you have many clients in the pilot or if you’re hoping to aggregate data for later updates to rules after production deployment. My preference is PowerShell with some good scripting.

A simple example script:

# Reporting window: set these to the period you want to summarize
$EventStartDate = (Get-Date).AddDays(-7)
$EventEndDate   = Get-Date

# Level 3 = Warning, which is what Audit Only events are logged as.
# Note: the original one-liner used .Split("was"), which PowerShell treats as a character array
# and so splits on every 'w', 'a' and 's' in the path; -split ' was ' splits on the word.
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; Level=3; StartTime=$EventStartDate; EndTime=$EventEndDate} |
    Select-Object Message, Id, Level, LogName, MachineName, UserId, TimeCreated |
    Group-Object Message |
    Select-Object @{Name="Name"; Expression={ ($_.Name -split ' was ')[0] }}, Count

This simple command gives you all of the Warning (Audit Only mode) events in the EXE and DLL log in summary form (count and EXE/DLL path).

If you want a more sophisticated approach, check out my AppLocker Auditing script on TechNet (linked at the end of this post).
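An added example that is neither the command above nor the TechNet script: instead of splitting the rendered message, it reads the structured fields AppLocker puts in each event’s UserData (file path, hash, publisher, target user) and summarizes per file path across all forwarded machines, which is the information a rule update needs. It covers both the EXE and DLL and the MSI and Script logs; the IDs are AppLocker’s own (8003/8006 audit, 8004/8007 block). The sample event at the end is constructed so the parser can be exercised without a collector.

```powershell
# Added example, not code from the original post and not the linked TechNet script. Run on the
# collector. Event IDs: 8003/8006 = audit ("would have been blocked"), 8004/8007 = blocked, for
# the EXE and DLL and MSI and Script logs respectively. The sample event below is constructed.

function ConvertFrom-AppLockerEvent {
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    # Select elements by local name so the parser does not depend on the exact namespace URIs.
    $get = { param($name) $x.SelectSingleNode("//*[local-name()='$name']").InnerText }
    [pscustomobject]@{
        TimeCreated = [datetime]$x.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
        Computer    = & $get 'Computer'
        EventId     = [int](& $get 'EventID')
        Policy      = & $get 'PolicyName'    # EXE, DLL, MSI, SCRIPT or APPX
        FilePath    = & $get 'FilePath'      # AppLocker path variables, e.g. %OSDRIVE%, %PROGRAMFILES%
        FileHash    = & $get 'FileHash'
        Publisher   = & $get 'Fqbn'          # empty for unsigned files
        UserSid     = & $get 'TargetUser'
    }
}

function Get-AppLockerAuditSummary {
    param(
        [datetime]$Start   = (Get-Date).AddDays(-7),
        [datetime]$End     = (Get-Date),
        [string[]]$LogName = @('Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script')
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Id = 8003, 8004, 8006, 8007; StartTime = $Start; EndTime = $End
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object { ConvertFrom-AppLockerEvent -EventXml $_.ToXml() } |
        Group-Object FilePath | ForEach-Object {
            [pscustomobject]@{
                FilePath  = $_.Name
                Events    = $_.Count
                Machines  = @($_.Group.Computer | Sort-Object -Unique).Count   # how widespread the miss is
                Users     = @($_.Group.UserSid  | Sort-Object -Unique).Count
                Publisher = ($_.Group.Publisher | Where-Object { $_ } | Select-Object -First 1)
                Blocked   = @($_.Group | Where-Object { $_.EventId -in 8004, 8007 }).Count
            }
        } | Sort-Object Machines, Events -Descending
}

# Constructed sample (shape of an AppLocker 8003 event; every value is made up) to exercise the parser offline.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8003</EventID><Level>3</Level>
    <TimeCreated SystemTime="2015-06-01T14:02:33.000Z" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>PILOT-WS01.contoso.com</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName><RuleName>-</RuleName>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1105</TargetUser>
      <FilePath>%OSDRIVE%\USERS\JDOE\DESKTOP\TOOL.EXE</FilePath>
      <FileHash>0xDEADBEEF00000000000000000000000000000000000000000000000000000000</FileHash>
      <Fqbn>O=EXAMPLE PUBLISHER, C=US\EXAMPLE PRODUCT\TOOL.EXE\1.0.0.0</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
'@

ConvertFrom-AppLockerEvent -EventXml $SampleEvent
Get-AppLockerAuditSummary | Format-Table -AutoSize
```

A row with many Machines and a non-empty Publisher is a candidate for one publisher rule; a row with an empty Publisher needs a hash rule (or a decision not to allow it at all). Rows with Blocked greater than 0 only appear once enforcement is on and are the ones users will be calling about.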

 

Reconfigure AppLocker: Update rules

After reviewing the Event Log data from the Collector, you’ll need to make edits to the Pilot “Audit Only” GPO. You can do this in a couple of ways:

1. By hand: Simply edit the GPO and add rules. If you edit the GPO from a computer with the missing software/script/app, you can choose to Automatically Generate rules and target the missing item specifically. Alternatively, you can always manually create the rule.

2. Merge automatically generated rules with the GPO. If you need to import the rule updates into the GPO and don’t want to do this by hand, you can create a local rule file on a computer with the offending application/script/etc, then import the XML rules into the GPO. Just be absolutely certain you have a good backup of the Pilot GPO before you merge in settings (and really, a good backup of all GPOs just in case).

Example:

# -Recurse includes the application's subfolders; -Merge adds the new rules to the GPO's existing
# AppLocker policy (without -Merge, Set-AppLockerPolicy replaces the whole policy with these rules).
Get-AppLockerFileInformation -Directory C:\MyCustomAppDirectory -Recurse |
    New-AppLockerPolicy -RuleType Hash -User Everyone -Optimize |
    Set-AppLockerPolicy -Merge -Ldap "LDAP://DC1.contoso.com/CN={6ECC7639-69D1-494A-85D4-591FCBC71E9F},CN=Policies,CN=System,DC=contoso,DC=com"

This PowerShell pipeline will create Hash rules based upon what it finds in the directory MyCustomAppDirectory, then merge them directly into the GPO with GUID {6ECC7639-69D1-494A-85D4-591FCBC71E9F} by connecting to the DC listed (DC1.contoso.com). You’ll need the GUID of your AppLocker Pilot GPO to use this method.

An easy way to identify the GPO’s GUID and get the DistinguishedName for the PS cmdlets:

  1. Open the GPMC
  2. Select the Pilot AppLocker GPO
  3. Select the Details tab
  4. Note the Unique ID (the GPO GUID)
  5. Open Active Directory Users & Computers
  6. Ensure Advanced Features is enabled (View drop-down > Advanced Features)
  7. Navigate to the System container, then Policies
  8. Find the Container under Policies with the GUID you saw in step 4.
  9. Right-click the GUID-named container and select Properties
  10. Copy the data in the distinguishedName field. That’s the DN you’ll use in the cmdlets above.
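As an added example (not code from the original post), the GUID and DistinguishedName lookup above and the merge itself can be done from the GroupPolicy module: Get-GPO returns both the GUID (Id) and the policy container DN (Path), so the LDAP string can be assembled without opening ADUC, and the GPO is backed up first as the text insists. It needs the GroupPolicy and ActiveDirectory RSAT modules; the GPO name, directory and backup folder are placeholders.

```powershell
# Added example, not code from the original post. Needs the GroupPolicy and ActiveDirectory RSAT
# modules. Placeholders: GPO name, the directory of the missed application, the backup folder.
Import-Module GroupPolicy, ActiveDirectory

function Merge-AppLockerRulesIntoGpo {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Directory,
        [ValidateSet('Publisher', 'Hash', 'Path')][string[]]$RuleType = @('Publisher', 'Hash'),
        [string]$User       = 'Everyone',
        [string]$BackupPath = 'C:\GPO-Backups'   # placeholder
    )
    # 1. Back up the GPO before touching it; Restore-GPO -BackupId <id> undoes a bad merge.
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    $backup = Backup-GPO -Name $GpoName -Path $BackupPath -Comment "Before AppLocker merge from $Directory"

    # 2. Get-GPO exposes the GUID (Id) and the container DN (Path); writes go to the PDC emulator,
    #    which is where GPMC edits land as well.
    $gpo  = Get-GPO -Name $GpoName
    $pdc  = (Get-ADDomain).PDCEmulator
    $ldap = "LDAP://$pdc/$($gpo.Path)"

    # 3. Generate rules for the missed application and MERGE them into the existing policy.
    #    Without -Merge the GPO's whole AppLocker policy would be replaced by these rules alone.
    Get-AppLockerFileInformation -Directory $Directory -Recurse |
        New-AppLockerPolicy -RuleType $RuleType -User $User -Optimize |
        Set-AppLockerPolicy -Ldap $ldap -Merge

    # 4. Read the policy back and count rules (every rule element carries UserOrGroupSid).
    [xml]$after = Get-AppLockerPolicy -Domain -Ldap $ldap -Xml
    [pscustomobject]@{
        Gpo       = $gpo.DisplayName
        GpoId     = $gpo.Id
        Ldap      = $ldap
        BackupId  = $backup.Id
        RuleCount = @($after.SelectNodes('//*[@UserOrGroupSid]')).Count
    }
}

Merge-AppLockerRulesIntoGpo -GpoName 'AppLocker - Pilot - Audit Only' -Directory 'C:\MyCustomAppDirectory'
```

Publisher rules are tried first and hash rules only generated for unsigned files; a merge never changes the enforcement mode of the collections, so the GPO stays in Audit Only.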

 

Create GPO:  Configure AppLocker settings in “Enforce rules” mode

Now, you will create a new GPO to begin phase two with actual enforcement. This GPO will be a copy of the updated version of the “Audit Only” AppLocker GPO, but changed to “Enforce Rules”.

1. Application Identity service: Automatic start (previously configured)

2. Configure AppLocker Rules: The rules in the GPO will depend on the steps taken during the Audit Only pilot phase. If the Audit Only rules are changed after this GPO has been created, you can import the new rules.

  • Edit the “Audit Only” AppLocker GPO
  • Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker
  • Right-Click the AppLocker node > Select Export Policy…
  • Save the XML policy file (e.g. AppLockerRules.xml).
  • Edit the “Enforce rules” AppLocker GPO
  • Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker
  • Right-Click the AppLocker node > Select Import Policy…
  • Select the XML policy file created in the previous steps.
  • Note: The exported policy carries the Audit Only enforcement mode along with the rules, so whenever you use this process to update rules you will need to set the rule categories back to “Enforce rules”.

3. Support URL: Previously configured in the Pilot GPO. Change if necessary or leave as is.

4. Security Filter: Previously configured in the Pilot GPO.
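The export/import round trip above, as an added scripted example that is not code from the original post: read the rules straight out of the Audit Only GPO, flip every AuditOnly collection to Enabled (“Enforce rules”) in the XML, and write the result into the Enforce GPO, creating that GPO as a copy of the Audit Only one if it does not exist yet. One caveat: Copy-GPO only carries the security filtering across with -CopyAcl; without it the copy gets the default ACL, which means Authenticated Users would apply an enforcing policy wherever it is linked. GPO names are placeholders.

```powershell
# Added example, not code from the original post. Needs the GroupPolicy and ActiveDirectory modules.
# Placeholders: the two GPO names.
Import-Module GroupPolicy, ActiveDirectory

function New-EnforceGpoFromAuditGpo {
    param(
        [string]$AuditGpoName   = 'AppLocker - Pilot - Audit Only',     # placeholder
        [string]$EnforceGpoName = 'AppLocker - Pilot - Enforce Rules'   # placeholder
    )
    $pdc = (Get-ADDomain).PDCEmulator

    # 1. Create the Enforce GPO as a copy of the Audit Only GPO if needed. -CopyAcl keeps the
    #    security filtering (pilot group only); without it the copy gets the default ACL.
    $enforce = Get-GPO -Name $EnforceGpoName -ErrorAction SilentlyContinue
    if (-not $enforce) {
        $enforce = Copy-GPO -SourceName $AuditGpoName -TargetName $EnforceGpoName -CopyAcl
    }

    # 2. "Export Policy..." equivalent: read the current rules from the Audit Only GPO.
    $auditLdap = "LDAP://$pdc/$((Get-GPO -Name $AuditGpoName).Path)"
    [xml]$policy = Get-AppLockerPolicy -Domain -Ldap $auditLdap -Xml

    # 3. The XML carries EnforcementMode per collection, which is why a plain import leaves the
    #    target in Audit Only. Flip AuditOnly to Enabled; NotConfigured collections (DLL) stay as is.
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        if ($rc.EnforcementMode -eq 'AuditOnly') { $rc.SetAttribute('EnforcementMode', 'Enabled') }
    }

    # 4. "Import Policy..." equivalent: write the modified policy into the Enforce GPO. This is a
    #    replace, not a merge, so the Enforce GPO mirrors the Audit Only rules exactly.
    $enforceLdap = "LDAP://$pdc/$($enforce.Path)"
    $tmp = Join-Path $env:TEMP 'AppLocker-Enforce.xml'
    $policy.Save($tmp)
    Set-AppLockerPolicy -XmlPolicy $tmp -Ldap $enforceLdap
    Remove-Item $tmp

    # Report the resulting mode per collection so it can be checked before the GPO is linked.
    [xml]$result = Get-AppLockerPolicy -Domain -Ldap $enforceLdap -Xml
    $result.AppLockerPolicy.RuleCollection | Select-Object Type, EnforcementMode
}

New-EnforceGpoFromAuditGpo
```

Run it again after every rule update to the Audit Only GPO and the Enforce GPO is refreshed in one step, with the enforcement mode already set, which removes the manual “reconfigure the Rule Categories” step from the note above.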

 

“Enforce Rules” Pilot Deployment

Now that the “Enforce Rules” GPO is ready, we’ve updated the rules to account for as much as possible, and we’ve tested the Event Log collector, it’s time to move to Enforcement.

This step is simple:

1. Link the “Enforce Rules” AppLocker GPO to the same location as the other. Be absolutely certain the Security Filter is correct and only includes the Pilot Computer group.

2. Remove the Pilot Computer Group from the “Audit Only” AppLocker GPO.

3. Log on to one of the pilot computers, and perform the same rule tests as in the step “Audit Only” Pilot Deployment.

 

“Audit Only” Production Deployment

Now that we’ve finished initial Pilot deployment, it’s time to think about the remainder of production.

My preference is to roll out in waves so that new computer systems are configured with AppLocker (and subsequently upload Event Logs to the Event Collector server) a group at a time.

  1. Prepare the “Audit Only” Production GPO:
    • Create a new GPO. This should be similar in name to the “Audit Only” Pilot GPO, but this will be for the remaining Production systems.
    • Select the GPO in the GPMC and click the Delegation tab.
    • Click the Advanced button from the Delegation tab.
    • Choose ‘Add’ and enter the name of the Pilot AppLocker group that you created at the very beginning of this process.
    • Uncheck the ‘Allow Read’ permission, and instead check ‘Deny Apply group policy’
    • Note: These steps ensure that systems in the Pilot group will continue to use the Pilot GPOs.
  2. Once the GPO has been prepared, follow the steps in “Create GPO:  Configure AppLocker settings in “Enforce rules” mode” to import the settings from the “Audit Only” Pilot GPO.
  3. Unlike the step “Create GPO:  Configure AppLocker settings in “Enforce rules” mode”, do not change the rule categories to Enforce. Leave this as Audit Only. This GPO is your “Audit Only” Production GPO.
  4. Prepare the “Enforce Rules” Production GPO:
    • Create a new GPO. This should be similar in name to the “Enforce Rules” Pilot GPO, but this will be for the remaining Production systems.
    • Select the GPO in the GPMC and click the Delegation tab.
    • Click the Advanced button from the Delegation tab.
    • Choose ‘Add’ and enter the name of the Pilot AppLocker group that you created at the very beginning of this process.
    • Uncheck the ‘Allow Read’ permission, and instead check ‘Deny Apply group policy’
    • Note: These steps ensure that systems in the Pilot group will continue to use the Pilot GPOs.
  5. Once the GPO has been prepared, follow the steps in “Create GPO:  Configure AppLocker settings in “Enforce rules” mode” to import the settings from the “Audit Only” Pilot GPO and update the rule categories to “Enforce Rules”. This GPO is your “Enforce Rules” Production GPO.
  6. Deploy the “Audit Only” Production GPO to a subset of computers in the environment. This could be done through:
    • Security Filter: Either create an AppLocker group and slowly add computers, or add all department, region, etc. computers to groups. Add these one at a time over the course of weeks to slowly roll out AppLocker Audit Only.
    • Link the GPO to specific OUs with subsets of computers: If your organization has an OU structure that is quite granular (like region/office/department specific OUs), you may be able to leave the Security Filter on the Production GPO as Authenticated Users and roll out settings by linking to OUs over the course of weeks.
  7. Once deployed, review the AppLocker Logs on the Event Log Collector for any missed Applications, Scripts, Installers, etc.
  8. After the “Audit Only” phase of Production roll out is complete (or at least in progress), you can then begin the “Enforce Rules” Production GPO deployment.
    • Follow the same filtering strategy as used in roll out of the “Audit Only Production GPO”.
    • If using GPO links, unlink the “Audit Only” GPO and link the “Enforce Rules” GPO.
    • If using security filtering, remove the group from the “Audit Only” GPO and add to the “Enforce Rules” GPO.
  9. Throughout this process, ensure that the Event Collector is reviewed and update GPOs as needed to account for missing rules.

 

That’s it. This covers the lifecycle of AppLocker deployment, from scoping, testing, updating, to full production deployment and management.

Lastly: Please forgive any typos in this. I’ll definitely get to them…this just ended up being a longer post than I originally envisioned 😉

 

Links:

AppLocker Event Log Auditing
https://gallery.technet.microsoft.com/AppLocker-Event-Log-b376e941

 

 

Posted in Group Policy, Security
One comment on “Advanced Group Policy for Security – AppLocker”
  1. John says:

    Didn't even know you could do that with logs! Thanks for the write up.
