An Introduction to AppLocker (Part 4)

Published on 17 Nov. 2009 / Last Updated on 17 Nov. 2009

An introduction to AppLocker, showing you how to create a set of default rules which can help prevent AppLocker from locking you out of Windows.

Before I Begin

So far in this series, I have talked about how AppLocker works, and about the various types of AppLocker rules that are available to you. In this article, I want to continue the series by showing you how to create an AppLocker rule.

Before I get started, there are a couple of key points that I need to emphasize. Firstly, it is extremely important for you to remember that once you begin creating rules, any application that is not explicitly addressed by those rules is prohibited from running. If you create AppLocker rules incorrectly, you can actually lock yourself out of your computer. I therefore strongly recommend making a backup of your computer before experimenting with AppLocker rules.

Secondly, you must keep in mind that rules are enforced even if you have not explicitly enabled enforcement. AppLocker supports three different enforcement modes: Not Configured, Enforce Rules, and Audit Only. If rules exist, they will be enforced if the enforcement mode is set to Enforce Rules or Not Configured. I therefore recommend that you start out by setting the enforcement mode to Audit Only. Part 3 of this series contains instructions for setting the enforcement mode.
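The following PowerShell is an added example and is not part of the original article. It shows the Audit Only recommendation above done from the AppLocker PowerShell module rather than the Group Policy editor: the policy XML that sets each rule collection's EnforcementMode, a backup of the existing local policy before anything is applied, and a helper that reads back the audit events (8003 in the EXE and DLL log, 8006 in the MSI and Script log) that record files which would have been blocked had enforcement been on. The file paths and the 24-hour window are assumptions; it assumes Windows 7 / Server 2008 R2 or later with the Application Identity service running.

```powershell
# Added example (not from the original article): switch every AppLocker rule
# collection to Audit Only, then list the "would have been blocked" events.
Import-Module AppLocker

# Always keep a copy of the current local policy before replacing it, so a
# mistake here cannot lock you out without a way back.
$backupPath = Join-Path $env:TEMP 'applocker-local-backup.xml'   # hypothetical path
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $backupPath -Encoding UTF8

# Constructed policy: no rules yet, only the enforcement mode per collection.
# "AuditOnly" logs decisions without blocking; "Enabled" enforces;
# "NotConfigured" defers to whatever other policies say (and, as the article
# notes, still enforces any rules that exist).
$auditPolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe"    EnforcementMode="AuditOnly" />
  <RuleCollection Type="Msi"    EnforcementMode="AuditOnly" />
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'   # hypothetical path
Set-Content -Path $policyPath -Value $auditPolicy -Encoding UTF8

# Without -Merge this replaces the local AppLocker policy, which is what you
# want at the "no rules created yet" stage the article describes.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Read the effective policy back and confirm every collection is AuditOnly.
([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode

# In Audit Only mode AppLocker writes an event per decision instead of
# blocking. 8003 (EXE and DLL log) and 8006 (MSI and Script log) are the
# "would have been blocked" events; review them before switching to Enforce.
function Get-AppLockerAuditHits {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $logs = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
        'Microsoft-Windows-AppLocker/MSI and Script' = 8006
    }
    foreach ($log in $logs.Keys) {
        # The logs only exist once the Application Identity service has run,
        # so tolerate a missing log rather than aborting.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log]; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Time = $_.TimeCreated; Log = $log; Message = $_.Message }
            }
    }
}

Get-AppLockerAuditHits -Hours 24 | Format-Table -AutoSize
```

Run this in an elevated PowerShell session; leave the policy in Audit Only until the 8003/8006 events have been empty for a representative period of normal use, which is the signal that your rule set covers what users actually run.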

Default Rules

Once you are ready to begin creating AppLocker rules, I recommend that you get started by creating a set of default rules. Earlier, I mentioned that you could accidentally lock yourself out of Windows if you applied AppLocker rules incorrectly. Default rules are designed to keep that from happening. They create a set of rules that is designed to allow Windows to run.

Ironically enough, Default Rules are not created by default. To create the default rules, open the Group Policy Object Editor and navigate through the console tree to Computer Configuration | Windows Settings | Security Settings | Application Control Policies | AppLocker | Executable Rules. Now, right click on the Executable Rules container and choose the Create Default Rules command from the resulting shortcut menu.

When the default rules have been created, right click on the Windows Installer Rules container and select the Create Default Rules command from the shortcut menu. Finally, right click on the Script Rules container, and select the Create Default Rules command. At the time that this article was written, there were no default script rules, but that may eventually change, so it is a good idea to go ahead and at least try to create the default script rules.

Reviewing the Default Rules

Although the default rules are designed to protect Windows, there is a chance that the default rules may conflict with your corporate security policy. You can fine tune the default rules to make them more restrictive, but you must be very careful in doing so.

If you look at Figure A, you can see that Windows creates three default executable rules. The first rule allows everyone to run all files located in the Program Files folder. The second rule allows everyone to run all files that are located in the Windows folder. The third rule allows the BUILTIN\Administrator account to run any file on the system.


Figure A: There are three default Executable rules

Let me start by saying that you should not attempt to alter the third rule. The BUILTIN\Administrator account needs full access to the system. Beyond that though, you can modify the first two rules to make them more restrictive. For example, you may want to create a set of rules that allow individual applications that are located in the Program Files directory to run, rather than granting blanket permissions to the entire folder.

As you decide how the rules should be applied, it is important to keep in mind that the default rules are only giving users permission to run applications. Creating an AppLocker rule does not give users the ability to install new applications to these locations. If a user wants to install an application, they must have the appropriate NTFS permissions. There is a loophole that you should be aware of though.

By default, users have full read / write / create rights to the C:\Windows\Temp directory. When the default executable rules are created, the user is automatically granted permission to execute applications residing in the C:\Windows\Temp directory, because it falls beneath the C:\Windows directory. This means that a user could potentially install an application to the Temp directory and run it.
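As an added example (not code from the original article), the PowerShell below expresses the three default executable rules from Figure A in AppLocker's own policy XML, builds a hardened copy in which the Windows-folder rule carries an exception for %WINDIR%\Temp, and runs Test-AppLockerPolicy over two sample files to show the effect of closing the Temp loophole described above. The rule Ids are constructed GUIDs (any GUID is acceptable to AppLocker), the well-known SIDs S-1-1-0 (Everyone) and S-1-5-32-544 (BUILTIN\Administrators) stand in for the names the GUI displays, and the sample file under %WINDIR%\Temp is a constructed copy of notepad.exe that the script creates and removes.

```powershell
# Added example (not from the original article): default executable rules as
# XML, a hardened variant with a Temp exception, and a side-by-side test.
Import-Module AppLocker

# The three default executable rules, AuditOnly so nothing is blocked while
# experimenting. Ids are constructed GUIDs.
$defaultExeRules = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-0000-4000-8000-000000000001" Name="All files in Program Files"
                  Description="Default rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-4000-8000-000000000002" Name="All files in Windows"
                  Description="Default rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-4000-8000-000000000003" Name="All files for administrators"
                  Description="Default rule (leave as is)" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$defaultPath  = Join-Path $env:TEMP 'exe-default.xml'    # hypothetical paths
$hardenedPath = Join-Path $env:TEMP 'exe-hardened.xml'
Set-Content -Path $defaultPath -Value $defaultExeRules -Encoding UTF8

# Hardened variant: keep the Windows-folder rule but add an Exceptions block
# carving out the user-writable Temp directory. A file under %WINDIR%\Temp then
# no longer matches this Allow rule for Everyone (administrators still match
# the third rule).
$xml = [xml]$defaultExeRules
$winRule = $xml.AppLockerPolicy.RuleCollection.FilePathRule |
    Where-Object { $_.Conditions.FilePathCondition.Path -eq '%WINDIR%\*' }
$exceptions = $xml.CreateElement('Exceptions')
$tempCond   = $xml.CreateElement('FilePathCondition')
$tempCond.SetAttribute('Path', '%WINDIR%\Temp\*')
[void]$exceptions.AppendChild($tempCond)
[void]$winRule.AppendChild($exceptions)
$xml.Save($hardenedPath)

# Constructed samples: notepad.exe stands in for a legitimate Windows binary;
# a copy of it dropped into %WINDIR%\Temp stands in for something a user
# placed there. Test-AppLockerPolicy needs real files, so the copy is created.
$samples = @("$env:WINDIR\System32\notepad.exe", "$env:WINDIR\Temp\dropped-sample.exe")
Copy-Item -Path $samples[0] -Destination $samples[1] -Force

# Evaluate both policies as the Everyone group, not as the (administrator) caller.
foreach ($policy in @($defaultPath, $hardenedPath)) {
    "== $(Split-Path $policy -Leaf) =="
    Test-AppLockerPolicy -XmlPolicy $policy -Path $samples -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

Remove-Item -Path $samples[1] -ErrorAction SilentlyContinue
```

With the default policy both files are allowed by the "All files in Windows" rule; with the hardened policy the copy under Temp no longer matches any Allow rule for Everyone, while notepad.exe is still allowed. The same exception technique applies to any other user-writable subfolder you find under %WINDIR%, and it is a smaller change than replacing the folder rule with a per-application list.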

Before I show you how to modify the default rules, I want to take a moment and show you the default Windows Installer rules. As was the case with the default executable rules, Windows created three default Windows Installer rules, which you can see in Figure B.


Figure B: There are three default Windows Installer rules

The first of the default Windows Installer rules allows all users to run any Windows Installer file, so long as it has been digitally signed. It does not matter who signed the Windows Installer file, or where the file came from. If the file has been digitally signed, users can run it.

The second of the default Windows Installer rules allows all users to run any Windows Installer file that is located in the %systemdrive%\Windows\Installer folder. In this case, the Windows Installer files do not even have to be signed. As long as the Windows Installer file is in the designated folder, users are allowed to run it.

The last of the Windows Installer rules allows the BUILTIN\Administrator account to run all Windows Installer files. As was the case before, you should leave this particular rule alone, because the BUILTIN\Administrator account needs these permissions.

Getting Ready to Modify the Default Rules

I realize that there are some of you who were absolutely cringing when you read some of the permissions given by the default rules. Rest assured that I am going to show you how to change those permissions. Before I get into that in the next article, there are a few more concepts that I need to address.

I have explained that Executable Rules pertain to executable files, but believe it or not, AppLocker has a very specific definition of executable files. AppLocker defines executable files as .EXE or .COM files. Even though .BAT, .PIF, and a few other formats are technically executable, they are not covered by the default executable file rules.

Just as AppLocker has a specific definition for executable files, it also has a specific definition for Windows Installer files. Windows Installer files are defined as .MSI and .MSP files.
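Because AppLocker's file-type definitions are narrower than the everyday meaning of "executable", it is worth checking what a given directory actually contains from AppLocker's point of view. The PowerShell below is an added example, not from the original article: it asks Get-AppLockerFileInformation for each of the Exe, WindowsInstaller and Script collections and summarises the extensions found, so that a .bat or .pif in a user-writable folder shows up under a collection other than Exe (or under none). The directory to inventory is an assumption.

```powershell
# Added example (not from the original article): inventory a directory by
# AppLocker file type to see which collection each file would fall under.
Import-Module AppLocker

function Get-AppLockerTypeInventory {
    param([string]$Directory = "$env:WINDIR\Temp")   # assumed starting point
    foreach ($type in 'Exe', 'WindowsInstaller', 'Script') {
        # -FileType makes AppLocker apply its own definition of each type:
        # Exe is .exe/.com, WindowsInstaller is .msi/.msp, Script is the
        # script formats handled by the Script Rules collection.
        $files = @(Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType $type `
                                               -ErrorAction SilentlyContinue)
        # Path is reported in AppLocker variable form (e.g. %WINDIR%\Temp\x.exe);
        # the extension is all we need here.
        $extensions = $files |
            ForEach-Object { [System.IO.Path]::GetExtension("$($_.Path)").ToLower() } |
            Sort-Object -Unique
        [pscustomobject]@{
            FileType   = $type
            Count      = $files.Count
            Extensions = ($extensions -join ', ')
        }
    }
}

Get-AppLockerTypeInventory | Format-Table -AutoSize
```

Any file Windows will run that appears in none of the three rows is not governed by the Executable, Windows Installer or Script rules at all, which is exactly the kind of gap the narrow definitions above can hide.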

Conclusion

In this article, I have explained how you can create a set of default AppLocker rules. In the next article in the series, I will show you how you can modify the default rules, and how to create custom rules. The process for creating and modifying rules is fairly intuitive, so if you want to jump ahead, feel free. Just keep in mind that as the number of AppLocker rules increases, performance tends to decrease, so it is a good idea to try to limit the total number of rules that you create.
