App locker

1,042 views

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,042
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
12
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • MGB 2003 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • Greg Shields
  • App locker

    1. 1. Eliminating Malware, Inappropriate Software, and Most IT Problems with AppLocker Greg Shields, MVP, vExpert Head Geek, Concentrated Technology www.ConcentratedTech.com
    2. 2. This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like. For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com . For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg This work is copyright ©Concentrated Technology, LLC
    3. 3. Agenda <ul><li>Part I: Today ’s IT is All Backwards. AppLocker Puts the Horse Before the Cart. </li></ul><ul><ul><li>Discuss: What security tools are you using today? </li></ul></ul><ul><ul><li>Discuss: How then could you protect yourself against something you know nothing about? </li></ul></ul><ul><ul><li>Discuss: So, was this guy crazy, or brilliant? </li></ul></ul><ul><li>Part II: Implementing AppLocker (without Completely Screwing Up Your Network!) </li></ul>
    4. 4. DISCUSS: What Security Tools are You Using Today? <ul><li>What types of products do you use today to keep your systems secure? </li></ul><ul><li>Do they work? </li></ul><ul><li>When do they fail? </li></ul>
    5. 5. Part I: Today ’s IT Security is All Backwards. AppLocker Puts the Horse Before the Cart .
    6. 6. Anti-Virus, Anti-Malware, Anti-Oh My! <ul><li>We in IT are always looking for the “anti-” solution for protecting our computers. </li></ul><ul><ul><li>Anti-virus “protects” us against viruses. </li></ul></ul><ul><ul><li>Anti-malware “protects” us against malware. </li></ul></ul><ul><ul><li>Firewalls “protect” us against incoming worms. </li></ul></ul><ul><li>These have been great solutions for years, and are used by nearly 100% of environments. </li></ul><ul><ul><li>But, in a way, they ’re all backwards . </li></ul></ul>
    7. 7. Anti-Virus, Anti-Malware, Anti-Oh My! <ul><li>Browser-based attacks, worms, viruses, there ’s a common thread in virtually all forms of malware… </li></ul><ul><li>Their code has to be processed if it is to run! </li></ul><ul><li>This begs the question: </li></ul><ul><li>“ If virtually all malware requires processing to be dangerous, could I protect myself by simply preventing that processing from occurring in the first place ?” </li></ul>
    8. 8. The Dreaded Zero-Day <ul><li>Let ’s look at this a different way: </li></ul><ul><li>“ POSIT: You cannot protect yourself against the dreaded zero-day attack.” </li></ul>
    9. 9. The Dreaded Zero-Day <ul><li>Let ’s look at this a different way: </li></ul><ul><li>“ POSIT: You cannot protect yourself against the dreaded zero-day attack.” </li></ul><ul><li>Reasons for this include: </li></ul><ul><ul><li>A zero-day means that the attack arrives before the protection from that attack arrives. </li></ul></ul><ul><ul><li>Signature- and even heuristic-based solutions require…well…signatures and heuristics. </li></ul></ul><ul><ul><li>The time distance between vulnerability and attack must be exceptionally short. </li></ul></ul><ul><ul><li>Secrecy is critically important. Yet “no-algorithm-secrecy” is also one of the tenets of cryptography. Bad. </li></ul></ul>
    10. 10. DISCUSS: So How Then Could You Protect Yourself Against Something You Know Nothing About? <ul><li>What are the protections against the zero-day? </li></ul><ul><ul><li>You can ’t write a signature… </li></ul></ul><ul><ul><li>You can ’t define a heuristic… </li></ul></ul><ul><li>Are your security vendors really just taking your money ? </li></ul>
    11. 11. AppLocker Changes the Mindset <ul><li>With AppLocker, you no longer care about signatures or heuristics. </li></ul><ul><ul><li>You care about what you ’ve specifically allowed to run. </li></ul></ul><ul><ul><li>… and you don ’t care about everything else. </li></ul></ul><ul><li>AppLocker creates an environment of “approved execution” for many types of code. </li></ul><ul><ul><li>Executable files (.exe and .com) </li></ul></ul><ul><ul><li>Scripts (.js, .ps1, .vbs, .cmd, and .bat) </li></ul></ul><ul><ul><li>Windows Installer files (.msi and .msp) </li></ul></ul><ul><ul><li>DLL files (.dll and .ocx) </li></ul></ul>
    12. 12. Blacklisting, the “Old” Way <ul><li>Most anti-Anything solutions are examples of blacklisting. </li></ul><ul><ul><li>“ I don’t want the following code to execute on my system.” </li></ul></ul>
    13. 13. Blacklisting, the “Old” Way <ul><li>Most anti-Anything solutions are examples of blacklisting. </li></ul><ul><ul><li>“ I don’t want the following code to execute on my system.” </li></ul></ul><ul><li>With blacklisting solutions, you must constantly update the blacklist with those applications which shouldn ’t run. </li></ul><ul><ul><li>Viruses shouldn ’t run </li></ul></ul><ul><ul><li>Malware shouldn ’t run </li></ul></ul><ul><ul><li>Browser Helper Objects shouldn ’t run </li></ul></ul><ul><ul><li>Bad applications shouldn ’t run </li></ul></ul>
    14. 14. Blacklisting, the “Old” Way <ul><li>Anti-Anything solutions are examples of blacklisting. </li></ul><ul><ul><li>“ I don’t want the following code to execute on my system.” </li></ul></ul><ul><li>With blacklisting solutions, you must constantly update the blacklist with those applications which shouldn ’t run. </li></ul><ul><ul><li>Viruses shouldn ’t run </li></ul></ul><ul><ul><li>Malware shouldn ’t run </li></ul></ul><ul><ul><li>Browser Helper Objects shouldn ’t run </li></ul></ul>… but the problem arrives when someone writes a piece of code that you haven ’t seen before. Now, you have to figure out what it is and what it does so you can prevent it.
    15. 15. Whitelisting, the “New” Way <ul><li>With whitelisting, you instead identify which executables are allowed to run on your systems. </li></ul><ul><ul><li>Does this sound like a hard thing to do? </li></ul></ul>
    16. 16. Whitelisting, the “New” Way <ul><li>With whitelisting, you instead identify which executables are allowed to run on your systems. </li></ul><ul><ul><li>Does this sound like a hard thing to do? </li></ul></ul>Hey Greg: Tell the story now about that one guy at your very first TechMentor! You know, the guy who needed to personally approve every application!
    17. 17. DISCUSS: So, was this guy crazy, or brilliant? <ul><li>This fellow IT Professional at my first TechMentor, the one who needed to approve each application… </li></ul><ul><li>… was this draconian…? </li></ul><ul><li>… or early brilliance…? </li></ul>
    18. 18. Whitelisting, the “New” Way <ul><li>With whitelisting, you will specify the executables and scripts which you ’ve tested and approved. </li></ul><ul><ul><li>Windows Installer and DLLs are also possible, but very, very challenging (and a performance hit). </li></ul></ul><ul><ul><li>New malware will likely never get executed in your environment, because it can ’t . </li></ul></ul>Interestingly enough: AppLocker ’s older brother “Software Restriction Policies” highlighted both blacklisting and whitelisting. With Applocker, focus on the white .
    19. 19. Whitelisting, the “New” Way <ul><li>Also good for… </li></ul><ul><ul><li>“ Not-quite-malware” . You know, those stupid apps that users install that invariably self-destruct their system. </li></ul></ul><ul><ul><li>License assurance . You won ’t get hit with a license violation for software you didn’t approve, because it can’t run. </li></ul></ul><ul><ul><li>Version assurance . Versions that you haven ’t specifically approved won’t run. Thus, users who can’t or won’t upgrade (or accept WSUS updates) can’t run software until they do. </li></ul></ul>Some will argue that these are even more exciting than anti-malware!
    20. 20. DEMO: Timeout for a Quick “Where is AppLocker” Demo. <ul><li>Let ’s take a quick spin through AppLocker. </li></ul><ul><ul><li>So you can get familiarized with it before moving on. </li></ul></ul>
    21. 21. Part II: Implementing AppLocker (Without Completely Screwing Up Your Network!)
    22. 22. What you Need <ul><li>AppLocker has high-end requirements </li></ul><ul><ul><li>Windows 7 Ultimate </li></ul></ul><ul><ul><li>Windows 7 Enterprise </li></ul></ul><ul><ul><li>Windows Server 2008 R2 Standard </li></ul></ul><ul><ul><li>Windows Server 2008 R2 Enterprise </li></ul></ul><ul><ul><li>Windows Server 2008 R2 Datacenter </li></ul></ul><ul><ul><li>Group Policy to deploy rules. </li></ul></ul><ul><ul><li>RSAT (GPMC) to create rules. </li></ul></ul><ul><ul><li>A plan. </li></ul></ul><ul><ul><ul><li>(I love it when a plan comes together…) </li></ul></ul></ul>
    23. 23. The Plan. <ul><li>#1: Determine how to implement AppLocker </li></ul><ul><li>#2: Create a list of applications </li></ul><ul><li>#3: Select the types of rules to create </li></ul><ul><li>#4: Define the Group Policy structure and rule enforcement </li></ul><ul><li>#5: Create a process for managing rules </li></ul><ul><li>#6: Document your AppLocker plan </li></ul>
    24. 24. #1: Determine How to Implement AppLocker <ul><li>Determine whether interoperability with Software Restriction Policy is needed. </li></ul><ul><ul><li>Necessary for down-level clients, those not at Windows 7 U or E </li></ul></ul><ul><li>Determine and document where to use AppLocker. </li></ul><ul><ul><li>AppLocker might not be useful for all machines. </li></ul></ul><ul><ul><li>Local administrators can change settings. Change policy for administrators? </li></ul></ul><ul><li>Select whether to use “allow” actions only or “allow” and “deny”. </li></ul>
    25. 25. #2: Create a List of Applications <ul><li>Create an inventory of applications that are installed in different OUs. </li></ul><ul><ul><li>Do it manually (bleh) </li></ul></ul><ul><ul><li>Consider using “Automatically generate rules” (useful against golden images) </li></ul></ul><ul><ul><li>Consider using “Audit only mode”. (nice!) </li></ul></ul><ul><ul><li>Configure the Application Identity Service to start for computers in an OU. </li></ul></ul><ul><ul><li>Enable Audit only mode. </li></ul></ul><ul><ul><li>Forward logs (more about this in a sec). </li></ul></ul>
    26. 26. Automatically Generate Rules
    27. 27. #3: Select the Types of Rules to Create <ul><li>Select which rule collections to use </li></ul><ul><ul><li>Executable files </li></ul></ul><ul><ul><li>Windows Installer files </li></ul></ul><ul><ul><li>Scripts </li></ul></ul><ul><ul><li>DLLs </li></ul></ul><ul><li>Select which rule conditions to use </li></ul><ul><ul><li>Path Rules </li></ul></ul><ul><ul><li>File Hash Rules </li></ul></ul><ul><ul><li>Publisher Rules </li></ul></ul><ul><li>Determine how to allow system files to run </li></ul><ul><ul><li>Start by creating “Default Rules” </li></ul></ul>
    28. 28. Rule Conditions <ul><li>Path Rules </li></ul><ul><ul><li>Restrict based on name and location of the executable ’s file. Wildcards accepted. </li></ul></ul><ul><li>File Hash Rules </li></ul><ul><ul><li>Path rules are easy to bypass. Just change the filename or file path to bypass the rule. </li></ul></ul><ul><ul><li>File Hash Rules hash each file, making this impossible. </li></ul></ul><ul><ul><li>Challenging when files change (as with updates). </li></ul></ul><ul><li>Publisher Rules </li></ul><ul><ul><li>Requires that files are signed, but these files are often signed by their manufacturer. </li></ul></ul><ul><ul><li>Sliding scale of Version, File Name, Product Name, & Publisher. </li></ul></ul><ul><ul><li>Different files can have different scopes. </li></ul></ul>
    29. 29. Rule Conditions
    30. 30. Default Rules <ul><li>Executable default rule types </li></ul><ul><ul><li>Allow members of the local Administrators group to run all applications. </li></ul></ul><ul><ul><li>Allow members of the Everyone group to run applications that are located in the Windows folder. </li></ul></ul><ul><ul><li>Allow members of the Everyone group to run applications that are located in the Program Files folder. </li></ul></ul><ul><li>Windows Installer default rule types </li></ul><ul><ul><li>Allow members of the local Administrators group to run all Windows Installer files. </li></ul></ul><ul><ul><li>Allow members of the Everyone group to run digitally signed Windows Installer files. </li></ul></ul><ul><ul><li>Allow members of the Everyone group to run all Windows Installer files located in the WindowsInstaller folder. </li></ul></ul><ul><li>Script default rule types </li></ul><ul><ul><li>Allow members of the local Administrators group to run all scripts. </li></ul></ul><ul><ul><li>Allow members of the Everyone group to run scripts located in the Program Files folder. </li></ul></ul><ul><ul><li>Allow members of the Everyone group to run scripts located in the Windows folder. </li></ul></ul><ul><li>DLL default rule types </li></ul><ul><ul><li>Allow members of the local Administrators group to run all DLLs. </li></ul></ul><ul><ul><li>Allow members of the Everyone group to run DLLs located in the Program Files folder. </li></ul></ul><ul><ul><li>Allow members of the Everyone group to run DLLs located in the Windows folder. </li></ul></ul>
    31. 31. #4: Define the Group Policy Structure and Rule Enforcement <ul><li>Select enforcement settings for each OU. </li></ul><ul><li>Determine rule and enforcement setting inheritance in Group Policy. </li></ul><ul><ul><li>Rule collections that are not configured will be enforced. </li></ul></ul><ul><ul><li>Group Policy does not overwrite or replace rules that are already present in a linked GPO. </li></ul></ul><ul><ul><li>AppLocker processes the explicit deny rule configuration before the allow rule configuration. </li></ul></ul><ul><ul><li>For rule enforcement, the last write to the GPO is applied. </li></ul></ul>
    32. 32. #5: Create a Process for Managing Rules <ul><li>Document an end-user support policy for blocked applications. </li></ul><ul><ul><li>Remember the guy at my first TechMentor. He had a user policy for unblocking applications! </li></ul></ul><ul><ul><li>Set a Support Page Link via Group Policy. </li></ul></ul><ul><ul><li>Found in Policies | Administrative Tools | Windows Components | Windows Explorer | Support Web page URL </li></ul></ul><ul><li>Determine whether to use event forwarding. </li></ul><ul><ul><li>AppLocker events are stored under Applications and SettingsLogsMicrosoftWindowsAppLocker. </li></ul></ul><ul><ul><li>Consider setting up event forwarding to collect events. </li></ul></ul>
    33. 33. #6: Document the Plan <ul><li>I know, I know, we all hate to document. </li></ul><ul><ul><li>But with something as powerful as this, wouldn ’t you want an offline copy…? </li></ul></ul><ul><li>Document your AppLocker plan to use when deploying AppLocker and for future reference. </li></ul>
    34. 34. What if you DO Screw Up? <ul><li>Advice: Don ’t. </li></ul><ul><ul><li>AppLocker does not provide a way to undo an action. </li></ul></ul><ul><ul><li>However, there is a slight delay in the application of policies, so you can change your rules if you still have the AppLocker snap-in open . </li></ul></ul><ul><ul><li>The policy will take some time to propagate to a client computer that is joined to a domain </li></ul></ul><ul><ul><li>So you might be able delete the erroneous rules and create the correct ones before the policy is applied. </li></ul></ul>
    35. 36. This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like. For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com . For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg This work is copyright ©Concentrated Technology, LLC

    ×