
Page 1: Windows 7 AppLocker: Configuration and Deployment

Paul Cooke, CISSP, Director, Microsoft
Session Code: CLI322

Page 3: Protecting Your Digital Assets

Traditional ways:

Standard user, strong authentication, …

Anti-virus, firewall, IDS, …

Data access control policies: access control lists (ACLs), DRM, encryption, …

However… any software running on the user’s behalf has the same access to data as the user running it. Access controls bound what a user can reach, not which code acts as that user; that gap is what application control addresses.

Page 4: Application Control - Situation Today

Users can install and run non-standard applications

Even standard users can install some types of software (per-user installs into their own profile need no administrator rights)

Unauthorized applications may:

Introduce malware

Increase helpdesk calls

Reduce user productivity

Undermine compliance efforts

Page 5: Windows 7 AppLocker™

Eliminate unwanted/unknown applications in your network

Enforce application standardization within your organization

Easily create and manage flexible rules using Group Policy

Page 6: Simple Rule Structure

Allow: limit execution to “known good” and block everything else

Deny: deny “known bad” and allow execution of everything else

Exception: exclude files from an allow or deny rule that would normally be included

“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft EXCEPT Microsoft Access.”

Two consequences to keep in mind: as soon as a rule collection contains any rule, everything in that collection that no rule allows is blocked, so an allow list must cover the operating system’s own binaries before it is enforced; and an explicit deny takes precedence over an allow that matches the same file.

Page 7: Publisher Rules

Rules based upon application digital signatures

Can specify application attributes (publisher, product name, file name, version)

Allow for rules that survive application updates

“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft.”

Page 8: Rule Targeting

Rules can be associated with any user or group

Provides granular control of specific applications

Supports compliance by enforcing who can run specific applications

“Allow users in the Finance Department to run…”

Page 9: Multiple Rule Sets

Rule types:

Executable

Installer

Script

DLL

Allows construction of rules beyond executable-only solutions

Provides greater flexibility and enhanced protection

“Allow users to install updates for Office as long as it is signed by Microsoft and is for version 12.*”

The DLL collection is not enabled by default: every library a process loads is checked against it, which needs its own testing pass and a larger rule set than the executable collection.
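Pages 6 through 9 describe the rule grammar in prose. What follows is an added example, not code from the deck, that writes the same policy out as AppLocker XML from PowerShell and dry-runs it with Test-AppLockerPolicy: an Exe collection that allows Office 12 and later signed by Microsoft for a Finance group, with MSACCESS.EXE excepted, and an Msi collection that allows Office 12.* installers. The group name, the file paths and the PublisherName/ProductName/BinaryName strings are assumptions; the real strings have to be read from the binaries with Get-AppLockerFileInformation before the policy is used, because a publisher condition matches the signing certificate subject and the file’s version resource exactly.

```powershell
# Added example: build and dry-run the Office allow policy described on the
# preceding slides. Group name, paths and product strings are assumptions.
# Run in an elevated PowerShell on Windows 7 / Server 2008 R2 or later.
Import-Module AppLocker

# Rules are stored by SID, not by name, so resolve the group first.
$financeGroup = 'CONTOSO\Finance'                                     # assumed group name
$financeSid   = (New-Object System.Security.Principal.NTAccount($financeGroup)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value

# Publisher strings must match the signed binary exactly. Read them from a
# reference copy instead of typing them from memory, e.g.:
#   Get-AppLockerFileInformation -Path 'C:\Program Files\Microsoft Office\Office12\WINWORD.EXE'
$publisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'   # assumed
$product   = 'MICROSOFT OFFICE 2007'                                    # assumed

$policyXml = @"
<AppLockerPolicy Version="1">
  <!-- Executables: allow Office 12 and above signed by Microsoft, except Access,
       only for members of the Finance group. EnforcementMode starts at
       AuditOnly so the rule can be watched before it blocks anything. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Finance: Office 12+ (no Access)"
        Description="Allow rule with exception" UserOrGroupSid="$financeSid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="$product" BinaryName="*">
          <BinaryVersionRange LowSection="12.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="$product" BinaryName="MSACCESS.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
  </RuleCollection>
  <!-- Windows Installer packages: allow Office updates signed by Microsoft
       for version 12.* only; the upper bound pins the major version. -->
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Everyone: Office 12.x installers"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="$product" BinaryName="*">
          <BinaryVersionRange LowSection="12.0.0.0" HighSection="12.65535.65535.65535" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'office-allow.xml'                    # assumed location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would this policy decide for these files and this group?
# Paths are assumptions; Test-AppLockerPolicy reads the real files.
$samples = 'C:\Program Files\Microsoft Office\Office12\WINWORD.EXE',
           'C:\Program Files\Microsoft Office\Office12\MSACCESS.EXE'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User $financeGroup |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

When the strings match the binaries, the dry run reports WINWORD.EXE as Allowed and MSACCESS.EXE as DeniedByDefault: the exception removes Access from the allow rule, and an Exe collection with at least one rule denies whatever no rule allows. For the same reason this fragment must be merged into a baseline (Set-AppLockerPolicy -Merge) rather than applied on its own, or everything else on the machine, Windows included, would be blocked once enforcement is enabled.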

Page 10: Rule Creation Wizards

Step-by-step approach

Fully integrated help

Rule creation modes: manual, automatically generated, import / export

Intuitive so that rules are easy to create and maintain

Page 11: Audit Only Mode

Test rules before enforcement

Events written to local audit log:

Applications and Services Logs | Microsoft | Windows | AppLocker

In audit-only mode an execution that would have been blocked is logged as event 8003 in the EXE and DLL log (8006 in MSI and Script); once enforcement is on, actual blocks are logged as 8004 (8007).

PowerShell cmdlets turn audit events into rules

Page 12: PowerShell Cmdlets

Core needs scriptable through PowerShell

Building blocks for a more streamlined end-to-end experience

Inbox cmdlets (shipped with Windows 7, in the AppLocker module):

Get-AppLockerFileInformation

Get-AppLockerPolicy

Set-AppLockerPolicy

New-AppLockerPolicy

Test-AppLockerPolicy

Page 13: PowerShell Example Scenario

Bob calls Help Desk because AppLocker has blocked a finance application that he really needs to run for his job. Help Desk agrees to temporarily add a rule to the local GPO to allow the program.

[Diagram: Help Desk and the local or GPO admin walk the cmdlets in order]

Get-AppLockerFileInformation: retrieve file information from the event log

New-AppLockerPolicy: create a new policy

Test-AppLockerPolicy: test the new policy

Set-AppLockerPolicy: set the policy
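The scenario on this slide and the cmdlets on the previous two, scripted end to end as an added example rather than code from the deck. The log name and event types are AppLocker’s; the user name, the application path and the output file are assumptions.

```powershell
# Added example: the Help Desk scenario on the slide, scripted end to end.
# The log name and event types are AppLocker's; the user, the application
# path and the output file are assumptions. Run elevated.
Import-Module AppLocker

if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Write-Warning 'Application Identity service is not running: AppLocker neither enforces nor logs.'
}

$log     = 'Microsoft-Windows-AppLocker/EXE and DLL'           # Applications and Services Logs | Microsoft | Windows | AppLocker
$user    = 'CONTOSO\bob'                                       # assumed
$appPath = 'C:\Program Files\FinanceApp\FinanceApp.exe'       # assumed: what Bob tried to run
$outXml  = Join-Path $env:TEMP 'helpdesk-bob-financeapp.xml'  # assumed

# 1. Retrieve file information from the event log. Blocked executions are
#    Denied (event 8004); in audit-only mode use -EventType Audited (8003).
$denied = Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Denied
$denied | Format-Table Path, Publisher, Hash -AutoSize

# Keep only Bob's application. The log records paths with variables such as
# %PROGRAMFILES%, so match on the file name rather than the full path.
$leaf   = Split-Path -Path $appPath -Leaf
$target = $denied | Where-Object { "$($_.Path)" -like "*\$leaf" }
if (-not $target) {
    # No event for it (log rolled over, or the block happened elsewhere):
    # read the file information straight from the binary instead.
    $target = Get-AppLockerFileInformation -Path $appPath
}

# 2. Create a new policy: a publisher rule if the file is signed, a hash rule
#    if it is not, scoped to Bob alone so the exception is as narrow as the request.
$target | New-AppLockerPolicy -RuleType Publisher, Hash -User $user `
    -RuleNamePrefix 'HelpDesk-Bob' -Optimize -Xml |
    Set-Content -Path $outXml -Encoding UTF8

# 3. Test the new policy against the file before it goes anywhere near a GPO.
$decision = Test-AppLockerPolicy -XmlPolicy $outXml -Path $appPath -User $user
$decision | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
if ($decision.PolicyDecision -ne 'Allowed') {
    throw "New policy does not allow $appPath for $user; not applying it."
}

# 4. Set the policy. -Merge adds the rule to the existing local policy instead
#    of replacing it; omit -Ldap for the local GPO, or pass the domain GPO's
#    LDAP path to change the domain policy instead.
Set-AppLockerPolicy -XmlPolicy $outXml -Merge

# Re-test against the effective (local + domain) policy: a deny rule that
# arrives from a domain GPO still wins over the allow just added.
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $appPath -User $user |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Keep a copy of the resulting local policy so the temporary rule can be
# found and removed later.
Get-AppLockerPolicy -Local -Xml |
    Set-Content -Path (Join-Path $env:TEMP 'local-policy-after.xml') -Encoding UTF8
```

Two details matter in practice: the rule is scoped to Bob, not Everyone, so a temporary exception does not silently widen the organization’s allow list; and the final Test-AppLockerPolicy runs against the effective policy, because testing the new XML on its own only proves the new rule matches, not that nothing else denies the file.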

Page 14: Custom Error Messages

Configurable in Group Policy:

Computer Configuration | Administrative Templates | Windows Components | Windows Explorer | Set a support web page link

Sets the URL of the support web page that is displayed to the user when AppLocker blocks a file

Page 15: Architectural Overview

[Diagram: kernel side shows ntoskrnl and Appid.sys (AppID/SRP) with a CreateProcessNotification; user side shows the AppID/SRP service, the user-mode SRP library (SRP UM), ntdll and three processes; the calls drawn are CreateProcess, LoadLibrary, SaferIdentityLevel and QueryPolicy.]

Executable and DLL decisions are made in the kernel driver on process creation and image load; scripts and installers are checked by their hosts (the script engines and Windows Installer) through the user-mode SRP path. Either way the Application Identity service (AppIDSvc) must be running, or no rule is enforced or logged.

Page 16: AppLocker demo

Page 17: Deployment Best Practices

Create a desktop lockdown strategy

Inventory your applications

Select and test rule types (allow / deny) in a lab

Define GPO strategy and structure

Build a process for managing rules

Document your AppLocker design

Build reference computers

Test and update the policy using audit-only

Enable rule enforcement

Maintain the policy
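The deployment steps above, scripted for a single reference computer as an added example (not from the deck): inventory it, generate an allow policy, apply it in audit-only mode, summarize what audit-only would have blocked, and only then switch the collections to enforcement. The directory list, file types and output path are assumptions.

```powershell
# Added example: the deployment steps on the preceding slide, scripted for a
# reference computer. Directories, file types and paths are assumptions.
# Run elevated; AppLocker logs and enforces only while the Application
# Identity service (AppIDSvc) is running.
Import-Module AppLocker

$refDirs   = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'  # assumed inventory roots
$fileTypes = 'Exe', 'WindowsInstaller', 'Script'  # DLL rules left out: they need their own test pass
$baseline  = Join-Path $env:TEMP 'applocker-baseline.xml'               # assumed output path

# Inventory the reference computer and generate an allow policy for Everyone.
# Publisher rules survive updates; unsigned files fall back to hash rules.
# -Optimize merges rules that share a publisher; -IgnoreMissingFileInformation
# skips files that have neither a signature nor a readable hash.
$inventory = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType $fileTypes
}
$inventory | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation -Xml |
    Set-Content -Path $baseline -Encoding UTF8

# Switch every rule collection in a policy file between audit-only and
# enforcement. The attribute lives on each <RuleCollection>, not on the policy.
function Set-EnforcementMode {
    param(
        [Parameter(Mandatory = $true)][string]$PolicyPath,
        [Parameter(Mandatory = $true)][ValidateSet('AuditOnly', 'Enabled', 'NotConfigured')][string]$Mode
    )
    [xml]$doc = Get-Content -Path $PolicyPath
    foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', $Mode)
    }
    $doc.Save($PolicyPath)
}

# Apply in audit-only first: nothing is blocked, but every decision is logged.
Set-EnforcementMode -PolicyPath $baseline -Mode AuditOnly
Set-AppLockerPolicy -XmlPolicy $baseline      # local policy; add -Ldap "<GPO path>" for a domain GPO

# After the test period, list what audit-only would have blocked, most frequent
# first. These are the candidates for new rules (or for removal from the
# standard image) before enforcement is switched on.
function Get-AuditSummary {
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    $audited = foreach ($log in $logs) {
        Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited
    }
    $audited | Group-Object { "$($_.Path)" } | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Path'; Expression = { $_.Name } }
}
Get-AuditSummary | Format-Table -AutoSize

# Enable enforcement only once the audit summary contains nothing legitimate.
# Set-EnforcementMode -PolicyPath $baseline -Mode Enabled
# Set-AppLockerPolicy -XmlPolicy $baseline
```

New-AppLockerPolicy does not produce the default rules the AppLocker snap-in offers (allow %WINDIR% and %PROGRAMFILES% for Everyone, allow everything for Administrators), so a generated baseline has to cover the operating system itself; that is why C:\Windows is in the inventory. The two Enabled lines stay commented out until the audit summary has been reviewed.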

Page 18: Key Takeaways

AppLocker helps the enterprise protect its digital assets by preventing unwanted software from running

AppLocker provides an improved management experience, making it easier to maintain a list of approved applications

AppLocker helps reduce support and license-related costs by standardizing execution environments

Page 19: Call To Action

Everyone: adopt signed applications

Signed code comes with a higher assurance of authenticity and integrity

If you are developing applications, sign them

If you are using applications, ask for them to be signed

Page 20: Call To Action

Enterprise customers: review your defense-in-depth strategy; consider allow-listing applications

ISVs: leverage this opportunity by building solutions; develop solutions for enterprises as they adopt application allow-listing

Page 21: Question & Answer

Page 22: Resources

www.microsoft.com/teched - Sessions On-Demand & Community

http://microsoft.com/technet - Resources for IT Professionals

http://microsoft.com/msdn - Resources for Developers

www.microsoft.com/learning - Microsoft Certification & Training Resources


Page 24: Legal

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.