Windows 7 AppLocker: Understanding its Capabilities and Limitations

Windows 7 AppLocker is a great leap forward compared to its predecessor, Software Restriction Policies, and that matters because the risks of uncontrolled software on desktops and laptops have never been greater. In this presentation, Randy Franklin Smith of UltimateWindowsSecurity highlights what AppLocker can do: how to deny all executables, scripts and Windows Installer files other than those you specifically allow on a user, group or organizational-unit basis. Randy also highlights the limitations of AppLocker, including how this native functionality stacks up against the realities of today’s desktop/laptop environments where:

• there are many exceptions to the rule;
• many users have unique needs;
• you have multiple configurations, multiple OS versions and applications;
• and, where change is a constant.

Depending on your environment these limitations can be significant, adding up to broken workstations and extra care and feeding. For instance, AppLocker is designed for fairly homogeneous environments, but in many real-world environments each PC is effectively unique, which stretches AppLocker’s exception capabilities. AppLocker’s limitations carry over to handling system and application updates: endpoint change is constant, and you don’t want user productivity to screech to a halt because an application was updated without updating the AppLocker policy. Then there’s the issue of reporting and visibility into what your software restriction policies are actually doing and what impact they have on your end users.

The presentation highlights other caveats and includes a demonstration of Lumension Intelligent Whitelisting and how this innovative solution takes you beyond AppLocker and addresses the gaps and risks identified in Randy's presentation.



1. Windows 7 AppLocker: Understanding its Capabilities and Limitations
   Made possible by:
   © 2011 Monterey Technology Group Inc.

2. Brought to you by
   Speakers
   Chris Chevalier, Senior Product Manager
   Chris Merritt, Director of Solution Marketing

3. Preview of Key Points
   AppLocker
     How it works
     Capabilities
     Limitations
   Scenarios where it’s
     Right
     Wrong
   © 2011 Monterey Technology Group Inc.

4. Open Ended Survey Question
   If you could build your ideal endpoint security agent, what would you include?
     AntiVirus
     Application Whitelisting
     Patching
     Firewall
     Disk encryption
     DLP
     Device Control
     What else?
   Please respond via Chat

5. AppLocker
   Starts from a deny-all point of view
   Can be applied to
     EXEs
     DLLs (.dll and .ocx)
     Scripts (.bat, .cmd, .js, .ps1 and .vbs)
     Windows Installer (.msi and .msp)

6. AppLocker Rules
   Rules
     User or group
     File criteria: Publisher, Path, File Hash
     Action: Allow or Deny
     Exceptions: Publisher, Path, File Hash

7. AppLocker Rules

8. AppLocker Rules
   All deny rules processed before allow rules
     Otherwise sequence not important
   Default rule is deny
     Add allow rules for selected users and programs
   Deny rules override allow rules
     Only needed to override allow rules
   Exceptions simply cause next rule to be evaluated
   Multiple GPOs?
     Rules additive (including local policy)
     Enforcement mode (last GPO wins)

9. Implementation
   Create Default Rules
   Automatically Generate Rules
   Enforcement mode
     Audit Only
     Enforce

10. Implementation
   Audit Only
     Events logged to Applications and Services Logs\Microsoft\Windows\AppLocker
     Use event forwarding to get a centralized log
       Not trivial

11. Implementation
   Can’t do AppLocker without PowerShell scripting
     Get-AppLockerFileInformation
       Reads event log to report broken files
     New-AppLockerPolicy
       Can build new policy from Get-AppLockerFileInformation
     Set-AppLockerPolicy
       Plug policy into a GPO
     Test-AppLockerPolicy
       Test whether a specified list of files is allowed to run on the local computer for a specified user
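The audit-then-generate workflow that slides 10 and 11 outline, written out as an added PowerShell example; this is not code from the presentation or its speakers. It assumes an elevated PowerShell session on a Windows 7 Enterprise/Ultimate machine whose AppLocker policy is already applied in Audit Only mode, a working folder C:\policy, and a placeholder GPO LDAP path; the cmdlets and parameters are those of the built-in AppLocker module, and the ConvertFrom-AppLockerPath helper is my own addition for turning the event log’s AppLocker path variables back into file-system paths.

```powershell
# Added example, not from the presentation: an audit-only AppLocker workflow built
# on the cmdlets the slide names. Assumptions: elevated PowerShell on a Windows 7
# Enterprise/Ultimate machine with the policy already applied in Audit Only mode;
# C:\policy is a working folder; the GPO LDAP path below is a placeholder.
Import-Module AppLocker

$WorkDir = 'C:\policy'
$GpoLdap = 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function ConvertFrom-AppLockerPath {
    # Helper (my own, not an AppLocker cmdlet): event log entries use AppLocker's own
    # path variables (%OSDRIVE%, %WINDIR%, ...) rather than the usual environment ones.
    param([string]$Path)
    $Path -replace '%SYSTEM32%', "$env:windir\System32" `
          -replace '%WINDIR%', $env:windir `
          -replace '%PROGRAMFILES%', $env:ProgramFiles `
          -replace '%OSDRIVE%', $env:SystemDrive
}

# 1. Pull "would have been blocked" (Audited) entries from both AppLocker logs.
#    In Audit Only mode these are the files users actually ran that Enforce would stop:
#    the "broken files" the slide refers to.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
$audited = foreach ($log in $logs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited
}

if (-not $audited) {
    Write-Host 'No audited events found; nothing would break under Enforce mode.'
    return
}

# 2. Review before generating anything: which paths would break, and how often.
$audited |
    Group-Object Path |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Generate allow rules for Everyone. RuleType is a preference order: signed files
#    get Publisher rules (which survive vendor updates), unsigned files fall back to
#    Hash rules (which must be regenerated after every update). -Optimize merges rules
#    sharing a publisher; -Xml returns the policy as XML for review and version control.
$candidateXml = Join-Path $WorkDir 'candidate-rules.xml'
New-AppLockerPolicy -FileInformation $audited `
                    -RuleType Publisher, Hash `
                    -User Everyone `
                    -RuleNamePrefix 'AuditDerived' `
                    -Optimize -Xml |
    Out-File -FilePath $candidateXml -Encoding UTF8

# 4. Dry run: test the candidate policy against the files that were audited and still
#    exist on disk (Test-AppLockerPolicy has to read them to evaluate publisher/hash).
#    Anything not Allowed here needs a human decision, not another generated rule.
$sample = $audited |
    ForEach-Object { ConvertFrom-AppLockerPath $_.Path.ToString() } |
    Select-Object -Unique |
    Where-Object { Test-Path $_ }
$decisions = Test-AppLockerPolicy -XmlPolicy $candidateXml -Path $sample -User Everyone
$decisions |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Only after review: merge into the GPO. -Merge adds to the existing rules instead
#    of replacing them, which is what an incremental rollout needs. Left commented so
#    the script is safe to run purely as a report.
# Set-AppLockerPolicy -XmlPolicy $candidateXml -Ldap $GpoLdap -Merge
```

Running this periodically in Audit Only mode gives you the “what would break” list the slide says is hard to get, and keeping the generated XML under version control is what makes the later update problem (slide 16) tractable: a diff of candidate-rules.xml between runs shows exactly which unsigned files changed hash.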
12. Caveats
   Windows 7 Enterprise & Ultimate only
     No support for Windows 7 Pro, Vista, XP…
   Based on the computer’s OU, not the user’s OU
     Users are locked out of some applications on some computers, but not others
   Default rules
     Allow any local admin to run everything
     Allow Everyone to run everything under %Program Files%
   64-bit editions

13. Caveats
   Only intended for least-privilege environments
   Default rules
     Local admins can stop the AppId service
     Local admins can add allow rules
   User Account Control can be a gotcha
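A read-only posture check for the caveats on slides 12 and 13, added here as an example; it is not code from the presentation or its speakers. It assumes a Windows 7 Enterprise/Ultimate machine with the AppLocker module and rights to read the effective policy; the service name AppIDSvc and the well-known SIDs for Everyone and BUILTIN\Administrators are standard Windows values rather than something the slides state, and the function names are my own.

```powershell
# Added example, not from the presentation: a read-only check for the caveats on
# slides 12 and 13. Assumptions: Windows 7 Enterprise/Ultimate, AppLocker module
# available, rights to read the effective policy. AppIDSvc and the well-known SIDs
# are standard Windows values. Written in PowerShell 2.0-compatible syntax.
Import-Module AppLocker

$EveryoneSid = 'S-1-1-0'
$AdminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators

function Get-AppLockerEnforcementReport {
    # The effective policy is local policy merged with every applied GPO, so this
    # shows the "rules additive, last GPO wins for enforcement mode" result of slide 8.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $collections = @($policy.AppLockerPolicy.RuleCollection | Where-Object { $_ })
    foreach ($collection in $collections) {
        $rules = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })

        # Default rule from slide 12: Administrators allowed to run everything (path "*").
        $adminRunAll = @($rules | Where-Object {
            $_.LocalName -eq 'FilePathRule' -and $_.Action -eq 'Allow' -and
            $_.UserOrGroupSid -eq $AdminsSid -and
            $_.Conditions.FilePathCondition.Path -eq '*'
        }).Count -gt 0

        # Default rule from slide 12: broad Allow path rules for Everyone. A path rule is
        # only as strong as the ACL on that directory, so each one is worth reviewing.
        $everyonePaths = $rules | Where-Object {
            $_.LocalName -eq 'FilePathRule' -and $_.Action -eq 'Allow' -and
            $_.UserOrGroupSid -eq $EveryoneSid
        } | ForEach-Object { $_.Conditions.FilePathCondition.Path }

        New-Object PSObject -Property @{
            Collection          = $collection.Type
            EnforcementMode     = $collection.EnforcementMode   # NotConfigured / AuditOnly / Enabled
            RuleCount           = $rules.Count
            AdminsRunEverything = $adminRunAll
            EveryonePathAllows  = ($everyonePaths -join '; ')
        }
    }
}

function Get-AppIdServiceReport {
    # Slide 13: a local admin can stop the Application Identity service, and with it all
    # AppLocker enforcement, without touching the policy. Report state and start mode so
    # a Disabled service shows up even when it happens to be running right now.
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
    New-Object PSObject -Property @{
        Status    = $svc.Status
        StartMode = $wmi.StartMode
        Enforcing = ($svc.Status -eq 'Running' -and $wmi.StartMode -ne 'Disabled')
    }
}

Get-AppLockerEnforcementReport |
    Format-Table Collection, EnforcementMode, RuleCount, AdminsRunEverything, EveryonePathAllows -AutoSize
Get-AppIdServiceReport | Format-List Status, StartMode, Enforcing
```

Two readings of the output matter. A collection whose EnforcementMode is AuditOnly or NotConfigured is not blocking anything, whatever its rules say, and an AppIDSvc report with Enforcing = False means no collection is being enforced at all; both are the conditions the slides warn a local admin can create, so they are the ones to forward to central monitoring rather than check by hand.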
14. Big Caveat
   Back doors?
     LOAD_IGNORE_CODE_AUTHZ_LEVEL on LoadLibraryEx
     SANDBOX_INERT on CreateRestrictedToken
   Links

15. When Does AppLocker Work?
   In Microsoft’s own words
     Business groups that typically use a finite set of applications
       Not suited for business groups that must be able to install applications as needed and without approval from the IT department
     Number of applications in your organization is known and manageable
     You have resources to
       test policies against the organization’s requirements
       involve the help desk or build a self-help process for end-user application access issues

16. Bottom Line
   Still designed for a homogeneous environment based on a golden image
     Not practical for diverse PC/user environments
   Unless you can depend on Publisher rules, updates break AppLocker or security is weakened by path rules
   Not effective against end users with local admin authority
   On-demand exceptions cumbersome
   Reporting is there but cumbersome
   Script intensive
   © 2011 Monterey Technology Group Inc.

17. Bottom Line
   The Need
     Centralized control and reporting
     Ability to phase in whitelisting on existing PCs with unique configurations and software
     Ability to completely automate support for updates
     Support for more than Win 7 Ultimate and Enterprise
   © 2011 Monterey Technology Group Inc.

18. Brought to you by
   Speakers
   Chris Chevalier, Senior Product Manager
   Chris Merritt, Director of Solution Marketing