Application Control: Powerful Microsoft AppLocker

Although the concept of blocking special applications from running on the network is not new, the methods of blocking are constantly evolving. Previously, network administrators may think it is best to use third-party software to handle this problem. However, the emergence of AppLocker in Windows 7 and Windows Server 2008 R2 has brought a more effective way to manage application execution. AppLocker is an evolutionary version of Windows Software Restriction Policies.

Block individual applications

Employees of the company began to use remote desktop clients to access their home computers to bypass Internet content filtering and pass work hours. In this article, we will discuss how to use applockerto block the execution of mstsc.exe to bring these guys back to work.

You can enter AppLocker by entering gpedit. msc in the Windows 7 Start Menu, or you can create a new group policy object in Windows Server 2008 R2. After entering AppLocker, browse Computer Configuration, Windows Settings, Security Settings, Application Control Policies.

 

You will soon find that three options will appear when you expand the AppLocker in the left pane. These three options are the Rule Set and the types used to classify file extensions controlled by AppLocker. The following table shows the file extensions associated with each rule:

Rule file type
Executable files (Executable files). exe,. com
Scripts (SCRIPT). ps1,. bat,. cmd,. vbs,. js
Windows Installer files (Windows Installation File). msi,. msp

The object we want to block is an Executable file, so we need to create a new rule in the Executable file rule set. This operation is done as follows: Right-click Executable Rules, then select Create New Rule ).

The execution rule creation Wizard will pop up. Click Next to skip the introduction. We want to block access to mstsc executable files, so we need to select the Deny option. On this screen, you can select the user or group to which the policy applies. Of course, we want to ensure that administrators and major users can access this application when logging on to their computers. Therefore, we select a user group as the policy.

In the next step, the main options for rule application selection will pop up, which mainly include the following three options, which are also used in all rules:

• Publisher-when selecting a condition, this option is the most flexible and can only be used in software applications signed by application creators

• PATH-this rule creates a rule for a specified file or folder path

• File Hash-this option is most suitable when the application is signed. This rule is created based on the hash of the application.

MSTSC is a signature application, so we select Publisher as the main condition. Click Next to go to the next week. Click Browse and find the file you want to block. The file address is in C: WindowsSystem32mstsc.exe. After the file is selected, the slide bar on the screen will be able to slide up and down. For signature applications, we have several levels of granularity to support rules. We can block all applications from a certain publisher and sign all applications using a product name, file name, or a version number of the application.

 

As you know, these options have strong flexibility and capabilities. We can block all applications designed by a computer game developer, file names related to large virus infections, or even force users to keep updating software, however, they are not allowed to run applications with version numbers or lower. Here, we aim to stop all mstsc.exe operations without the version number, so the slide will be set next to the file name option.

The next screen will allow you to add the necessary special cases, and the final screen will allow you to name the new rule. As you get familiar with AppLocker, you will find that creating these rules is fast, so it is best to use standard names for these rules to facilitate future management and modification. After naming the rule, click Create to complete the rule creation process. If this is the first rule you have created, a prompt will pop up asking you to create "Default Rules" to allow users and administrators to access system files. This is required (especially when you are running a system earlier than Windows 7), because if this is not set, the system will be blocked from being started. After you click "yes" in the prompt, the rule is automatically created for you.

There is one final step to ensuring your rules apply properly. the Application Identity service must be enabled and set to run automatically so that AppLocker can properly identify applications. you can do this by typing services. msc into the Start Menu search box, locating the Application Identity service, double clicking it, clicking Start, and choosing Automatic in the Startup Type field. after a final reboot of the system your users will be presented with this lovely message shoshould they attempt to run mstsc.exe

The last step is required to ensure that the new rule can be used properly. The application identity service must be enabled and set to run automatically so that AppLocker can authenticate the application. In this way, enter services. msc in the search bar of the Start Menu, find the Application identity service, double-click it, click Start, and select automatic in Startup Type. After the system is restarted, the following message is displayed when the user starts mstsc.exe.

Block all untrusted applications

In the previous operation, we knew the type of the application to be blocked, so the operation was relatively simple. That situation is more suitable for users to allow access to some system files. However, in some enterprises, IT policies will stipulate that users cannot run any programs explicitly specified by the IT department, in this case, the only effective method is to block all untrusted applications.

AppLocker can help us implement this setting quickly. AppLocker is highly secure. This is precisely because, when we create a permit rule, AppLocker defaults to, in addition to the applications that are explicitly specified to allow use, all other applications must be blocked. For example, when I create an allow rule for the C: folderfile.exe application, all other applications in the C: folder cannot be executed, and only file.exe can be executed. This means that, to meet the requirements of blocking all untrusted applications, we need to create permit rules for each allowed application.

In this way, we need to create permit rules for each single execution file, including the applications we have installed and the default secure Windows applications. Fortunately, Microsoft has taken this into consideration. AppLocker allows us to automatically generate rules based on the applications installed in specific working groups. Now let's start setting.

If you have not created a default rule to allow all required systems to run the program, you must first create such a default rule. Right-click Executable Rules and choose Create Default Rules. After creation, we need to delete the permit Rules that allow everyone to execute all programs in the C: Program Files directory because this rule violates our requirements.

The next step is to automatically generate permit rules. First, right-click Executable Rules and select Automatically Generate Executable Rules. There are two main locations for storing applications: the first is the Windows directory, because the default rules allow all users to execute programs under this directory (and we recommend that you keep this rule ), we do not need to create any rules for this folder. Then there is the Program Files directory. In the first dialog box, select this folder. In this example, you can select the user group used by the policy. Finally, you need to select a name to identify this set of rules. This name will appear in the brackets before the rule description. Complete these operations and click Next to go to the Next screen.

The rule parameter selection screen allows you to select the type of the rule you want to create. First, you will need to create the issuer rules for all Digitally Signed files and create file hash rules for those unsigned files. These options are the default settings. You can also reduce the number of rules by grouping similar files. This will obviously reduce the number of rules, but if you need to maintain a level of granularity in access control, I recommend you delete this option. Click Next to start the rule application discovery process. After a while, a dialog box is displayed. In this dialog box, you can view the created rule. Click Create to Create these rules to complete the operation.

DLL rule set

Although I only list three rule sets, another rule set needs to be mentioned. The DLL rule set is used to block applications that call specific DLL files. This is an advanced rule set. Do not use it unless necessary. This type of rule also seriously affects system performance because it requires AppLocker to check that each DLL is used during application initialization.

By default, the DLL rule is not enabled because of the aforementioned reasons. If you want to create a DLL Rule, you can do this: Go to the main AppLocker configuration screen, select Configure Rule Enforcement, select the Advanced option, and select Enable the DLL Rule option. After this operation, you will find the DLL rules and the other three rules in the left pane.

 

Audit vs. execution rules

So far, all the rules we have created are used to execute allow or block