Windows 7 AppLocker: Configuration and Deployment
Paul Cooke, CISSP, Director, Microsoft
Session Code: CLI322
Protecting Your Digital Assets
Traditional ways:
- Standard user, strong authentication, …
- Anti-virus, firewall, IDS, …
- Data access control policies
- Access Control Policies (ACLs)
- DRM, encryption, …
However… Any software running on the user’s behalf has the same access to data as the user running it
Application Control - Situation Today
Users can install and run non-standard applications
Even standard users can install some types of software
Unauthorized applications may:
- Introduce malware
- Increase helpdesk calls
- Reduce user productivity
- Undermine compliance efforts
Windows 7 AppLocker™
- Eliminate unwanted/unknown applications in your network
- Enforce application standardization within your organization
- Easily create and manage flexible rules using Group Policy
Simple Rule Structure
- Allow: limit execution to “known good” and block everything else
- Deny: deny “known bad” and allow execution of everything else
- Exception: exclude files from an allow/deny rule that would normally be included
“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft EXCEPT Microsoft Access.”
Publisher Rules
- Rules based upon application digital signatures
- Can specify application attributes
- Allow for rules that survive application updates
“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft.”
Rule Targeting
- Rules can be associated with any user or group
- Provides granular control of specific applications
- Supports compliance by enforcing who can run specific applications
“Allow users in the Finance Department to run…”
Multiple Rule Sets
Rule Types: Executable, Installer, Script, DLL
Allows construction of rules beyond executable only solutions
Provides greater flexibility and enhanced protection
“Allow users to install updates for Office as long as it is signed by Microsoft and is for version 12.*”
Rule Creation Wizards
- Step-by-step approach
- Fully integrated help
- Rule creation modes: Manual, Automatically generated, Import / Export
Intuitive so that rules are easy to create and maintain
Audit Only Mode
- Test rules before enforcement
- Events written to the local audit log: Applications and Services Logs | Microsoft | Windows | AppLocker
- PowerShell cmdlets turn audit events into rules
PowerShell Cmdlets
- Core needs scriptable through PowerShell
- Building blocks for a more streamlined end-to-end experience
- Inbox cmdlets: Get-AppLockerFileInformation, Get-AppLockerPolicy, Set-AppLockerPolicy, New-AppLockerPolicy, Test-AppLockerPolicy
PowerShell Example Scenario
1. Get-AppLockerFileInformation: retrieve file information from the event log
2. New-AppLockerPolicy: create a new policy
3. Test-AppLockerPolicy: test the new policy
4. Set-AppLockerPolicy: set the policy
Help Desk (Local or GPO Admin)
Bob calls Help Desk because AppLocker has blocked a finance application that he really needs to run for his job. Help Desk agrees to temporarily add a rule to the local GPO to allow the program.
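The Help Desk scenario above, scripted with the inbox AppLocker cmdlets the deck lists (added example, not the presentation's own script). The event log name and the cmdlet parameters are real; the finance application's install folder, the group name and Bob's account name are assumed values.

```powershell
# Added example: build an AppLocker rule for one blocked application from the
# audit log, test it for the user who needs it, then merge it into the local
# policy. Install folder, group and user names are assumed for illustration.
$appDir  = 'C:\Program Files\FinanceApp'      # assumed install folder
$group   = 'CONTOSO\Finance-Users'            # assumed group that may run it
$user    = 'CONTOSO\bob'                      # assumed account from the ticket

# 1. Retrieve file information from the AppLocker event log.
#    -EventType Audited selects audit-only events (the app would have been
#    blocked); use -EventType Denied on a machine already in enforce mode.
$logPath  = 'Microsoft-Windows-AppLocker/EXE and DLL'
$fileInfo = Get-AppLockerFileInformation -EventLog -LogPath $logPath -EventType Audited |
    Where-Object { "$($_.Path)" -like '*\FinanceApp\*' }   # keep only this app's files

if (-not $fileInfo) {
    throw "No AppLocker events found for the finance application; check the log path."
}

# 2. Create a new policy from that file information. Publisher rules come first
#    because they survive application updates; Hash is the fallback for any
#    unsigned file. Scope the rule to the group that needs the app, not Everyone.
$newPolicy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User $group -Optimize

# 3. Test before enforcing. Test-AppLockerPolicy evaluates each file against the
#    policy object for the given user and reports Allowed, Denied or
#    DeniedByDefault per file. Stop if anything the application needs is denied.
$paths   = Get-ChildItem -Path $appDir -Recurse -Include *.exe, *.dll |
    Select-Object -ExpandProperty FullName
$results = Test-AppLockerPolicy -PolicyObject $newPolicy -Path $paths -User $user
$results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

if ($results | Where-Object { $_.PolicyDecision -ne 'Allowed' }) {
    throw "The new rule does not allow every file the application needs; review it first."
}

# 4. Set the policy. -Merge adds the new rules to the existing local policy
#    instead of replacing it. Save the XML as a record of the temporary change.
$newPolicy.ToXml() | Out-File -FilePath "$env:TEMP\FinanceApp-AppLocker-rule.xml"
Set-AppLockerPolicy -PolicyObject $newPolicy -Merge
```

Run it in an elevated PowerShell session on Bob's machine (or against a GPO with the -Ldap parameter of Set-AppLockerPolicy instead of the local policy); the saved XML is what you remove again when the temporary allowance expires.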
Custom Error Messages
Configurable in Group Policy
Computer Configuration | Administrative Templates | Windows Components | Windows Explorer | Set a support web page link
Sets URL for Support Web page that is displayed to the user
Architectural Overview (diagram)
- Kernel: Appid.sys, AppID/SRP, ntoskrnl
- User mode: AppID/SRP Service, SRP UM, ntdll
- Processes shown: Process 1, Process 2, Process 3
- Calls shown: CreateProcess, CreateProcessNotification, LoadLibrary, SaferIdentityLevel, QueryPolicy
AppLocker demo
Deployment Best Practices
- Create a desktop lockdown strategy
- Inventory your applications
- Select and test rule types (allow / deny) in a lab
- Define GPO strategy and structure
- Build a process for managing rules
- Document your AppLocker design
- Build reference computers
- Test and update the policy using audit-only
- Enable rule enforcement
- Maintain the policy
Key Takeaways
- AppLocker helps the enterprise protect its digital assets by preventing unwanted software from running
- AppLocker provides an improved management experience, making it easier to maintain a list of approved applications
- AppLocker helps reduce support and license related costs by standardizing execution environments
Call To Action
Everyone – Adopt Signed Applications
- Signed code comes with a higher assurance of authenticity and integrity
- If you are developing applications – sign them
- If you are using applications – ask for them to be signed
Call To Action
Enterprise Customers
- Review your defense in depth strategy
- Consider allow-listing applications
ISVs
- Leverage this opportunity by building solutions
- Develop solutions for enterprises as they adopt application allow-listing
Question & Answer
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.