
Thursday, March 9, 2017

Configuring AppLocker in Windows Server 2012 R2 - Executable Rules – Publisher Condition


Introduction

What is AppLocker?

AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting feature that controls which applications users are allowed to run.

AppLocker provides administrators with a variety of methods for quickly and precisely identifying the applications they want to restrict, or to which they want to permit access.

AppLocker is a powerful but often overlooked tool for increasing security by restricting user access to applications and other executable files, scripts, Windows Installer files and Dynamic Link Libraries (DLLs).

You apply AppLocker through Group Policy to computer objects within an OU. You can also apply individual AppLocker rules to individual AD DS users or groups.


Model Solutions


Deploy (on DCSrv2012) AppLocker using Publisher condition.


1.        On run, type dsa.msc and press Enter.




2.        Create OU AppLocker and move Clt01 to new OU.



3.        On run, type gpmc.msc and press Enter.



4.        In the GPMC, double-click Forest: msita.local, expand until you reach Group Policy Objects, right-click it, and then click New…



5.        In New GPO box, type AppLocker Software Control GPO, and then click OK…



6.        Next, right click AppLocker Software Control GPO, and then click Edit…



7.        Once the Group Policy Management Editor opens, double-click Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then expand AppLocker…



8.        Under AppLocker, right-click Executable Rules, and then click Create Default Rules. You can repeat this step for Windows Installer Rules, Script Rules, and Packaged app Rules…


In the AppLocker container, there are four nodes that contain the basic rule types, as follows:
- Executable Rules: contains rules that apply to files with .exe and .com extensions.
- Windows Installer Rules: contains rules that apply to Windows Installer packages with .msi and .msp extensions.
- Script Rules: contains rules that apply to script files with .ps1, .bat, .cmd, .vbs, and .js extensions.
- Packaged App Rules: contains rules that apply to applications purchased through the Windows Store.

Each of the rules you create in each of these containers can allow or block access to specific resources, based on one of the following criteria:
- Publisher: identifies code-signed applications by means of a digital signature extracted from an application file. You can also create publisher rules that apply to all future versions of an application.
- Path: identifies applications by specifying a file or folder name. The weakness of this type of rule is that any file matches it, as long as the file has the specified name or sits in the specified location.
- File Hash: identifies applications based on a digital fingerprint that remains valid even when the name or location of the executable file changes. This type of rule functions much like its equivalent in software restriction policies; in AppLocker, however, the process of creating the rules and generating file hashes is much easier.


9.        On the Before You Begin window, click Next.



10.        On the Permissions window, select Deny, then click Next.



11.        On the Conditions window, select Publisher, then click Next.



12.        On the Publisher window, click Browse…, then select firefox.exe from C:\Program Files (x86)\Mozilla Firefox (version 19.0.2).



13.        On the Publisher window, move the slider up two levels so that the rule is no longer tied to this exact file version, then click Next.



14.        On the Exceptions window, click Next.



15.        On the Name and Description window, click Create, and then click Yes to finish.



16.       The new Publisher rule is now listed under Executable Rules.



17.       In the Group Policy Management window, right-click the AppLocker OU, then click Link an Existing GPO…



18.      On the Select GPO window, select AppLocker Software Control GPO, then click OK.



19.      Once you have completed Create Default Rules, click AppLocker in the Group Policy Management Editor, and then in the right pane, click Configure rule enforcement.



20.      Next, in the AppLocker Properties box, under Executable rules, select the Configured check box, and then from the drop-down menu, select Audit only and then click OK.


21.      Next, in the Group Policy Management Editor, go to System Services, and then double-click Application Identity, click Define this policy setting, under Select service startup mode, click Automatic, and then click OK.
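Steps 9 to 21 can also be scripted with the AppLocker and GroupPolicy PowerShell modules. The following is an added example, not code from the original post; it assumes Firefox is installed at the path used in step 12, that the GPO AppLocker Software Control GPO from step 5 already holds the default rules from step 8, that RSAT is present on DCSrv2012 (assumed FQDN DCSrv2012.msita.local), and that C:\Temp exists as a working folder.

```powershell
# Added example (not from the original post): build the Deny publisher rule for
# firefox.exe and merge it into the lab GPO with PowerShell instead of the wizard.
# Assumptions: AppLocker and GroupPolicy modules present (Server 2012 R2 + RSAT),
# Firefox at the path from step 12, the GPO from step 5 already holds the default
# rules from step 8, DC FQDN and C:\Temp as named below.
Import-Module AppLocker
Import-Module GroupPolicy

$FirefoxPath = 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
$GpoName     = 'AppLocker Software Control GPO'
$PolicyXml   = 'C:\Temp\Firefox-Deny.xml'          # assumed working file
$DomainCtrl  = 'DCSrv2012.msita.local'             # assumed FQDN of the lab DC

# 1. Extract the publisher identity (Authenticode subject, product name,
#    file name, file version), which is what the wizard's Browse... button reads.
$info = Get-AppLockerFileInformation -Path $FirefoxPath
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# 2. Generate a publisher rule for Everyone. New-AppLockerPolicy only emits Allow
#    rules pinned to the file version, so the XML is edited to match what the
#    wizard produced in steps 10 and 13: Action=Deny, any file name, any version.
$xml = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
                -User Everyone -RuleNamePrefix 'Deny Firefox' -Xml)

foreach ($coll in $xml.AppLockerPolicy.RuleCollection) {
    # Step 20: start in Audit only for the Exe collection. Confirm in GPMC that
    # the mode was carried over after the merge in step 4 below.
    if ($coll.Type -eq 'Exe') { $coll.EnforcementMode = 'AuditOnly' }
    foreach ($rule in $coll.FilePublisherRule) {
        $rule.Action = 'Deny'
        $cond = $rule.Conditions.FilePublisherCondition
        $cond.BinaryName = '*'                       # any file from this product
        $cond.BinaryVersionRange.LowSection  = '*'   # any version ...
        $cond.BinaryVersionRange.HighSection = '*'   # ... and above
    }
}
$xml.Save($PolicyXml)

# 3. Dry run before touching the GPO: the file the rule was built from must be Denied.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $FirefoxPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge the new rule into the existing GPO (-Merge keeps the default rules).
$gpo  = Get-GPO -Name $GpoName
$ldap = "LDAP://$DomainCtrl/$($gpo.Path)"
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $ldap -Merge

# Step 21 still applies: the Application Identity service (AppIDSvc) must run on
# the clients, via the GPO's System Services setting or, on a single test client:
#   Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service AppIDSvc
```

The dry run in step 3 is the check worth keeping: Test-AppLockerPolicy evaluates the XML exactly as the client would, so a rule that accidentally ended up at the wrong slider level shows up as Allowed before anything is pushed to the domain.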


22.      Test the Publisher rule:
- On Clt01, on run, type cmd and then press Enter.


- Type gpupdate /boot /force and press Enter.


- Then type gpresult /r to check the result of the command and ensure that AppLocker Software Control GPO is displayed under Computer Settings, Applied Group Policy Objects.



- Run Mozilla Firefox (Version 19.0.2)



- On run, type eventvwr.msc, then press Enter.



- Expand Applications and Services Logs, expand Microsoft, expand Windows, expand AppLocker, and then click EXE and DLL.



- In the Event Viewer window, under EXE and DLL, you will see a few Event ID 8003 entries containing the following text: %PROGRAMFILES%\MOZILLA FIREFOX\FIREFOX.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
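The same log can be read with Get-WinEvent, which is handier than Event Viewer once more than one client or one application is involved. This is an added example, not from the original post; the event ID meanings are those documented for the EXE and DLL log, and the UserData field names are those of the AppLocker event schema. Run it on Clt01, or add -ComputerName Clt01 to Get-WinEvent from the server (assumes remote event log access is permitted).

```powershell
# Added example (not from the original post): list AppLocker EXE and DLL events
# on the client, showing what was blocked or, in Audit only mode, would have been.
$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Documented meanings of the event IDs written to this log.
$Meaning = @{
    8002 = 'allowed'
    8003 = 'allowed, would have been blocked if enforced'   # Audit only (step 22)
    8004 = 'blocked'
}

function Resolve-Sid {
    # Best-effort SID -> account name; unknown SIDs are returned unchanged.
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

Get-WinEvent -LogName $LogName -MaxEvents 500 -ErrorAction Stop |
    Where-Object { $Meaning.ContainsKey($_.Id) } |
    ForEach-Object {
        # The structured UserData carries the file path, the rule that matched and
        # the fully qualified binary name (publisher\product\file\version) that a
        # publisher rule is evaluated against.
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $Meaning[$_.Id]
            User    = Resolve-Sid $d.TargetUser
            File    = $d.FilePath
            Rule    = $d.RuleName
            Fqbn    = $d.Fqbn
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

The Fqbn column is the useful one when a publisher rule misbehaves: it is the exact publisher, product, file name and version string AppLocker derived from the signature, so it shows at a glance which slider level a rule has to sit at to match (or not match) a given binary.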



23.      On DCSrv2012 (the AppLocker server), in Group Policy Management, right-click AppLocker Software Control GPO, then click Edit.



24.      Click AppLocker, and then in the right pane, click Configure rule enforcement.


25.      Change the settings as shown in the figure below (Executable rules switched from Audit only to Enforce rules), then click OK.



26.      Next, on the Windows 8 client, in the command prompt, type gpupdate /boot /force and press Enter.
27.      Then open Mozilla Firefox and you will receive the message: “Your system administrator has blocked this program…”


28.      Open Event Viewer on the Windows 8 client, and you should see Event ID 8007 with the error text: “%PROGRAMFILES%\MOZILLA FIREFOX\FIREFOX.EXE was prevented from running.”


29.      On the Windows 8 client, uninstall Firefox 19.0.2 and install Firefox 34.0b11 (released 21-Nov-2014).



30.      Run Firefox 34.0b11 and note that Firefox runs normally, even though the Deny rule is enforced.


31.     On the DCSrv2012 server, compare the publisher signature of Firefox 19.0.2 with that of Firefox 34.0; you will notice that they differ.


32.     Create a new Publisher rule from the Firefox 34.0 signature, then run Firefox 34.0 on the Windows 8 client; you will see the message below.
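The comparison in step 31 can be made precise with Get-AppLockerFileInformation and Get-AuthenticodeSignature, and the effective policy can be asked directly how it treats each build. This is an added example, not from the original post; it assumes copies of both firefox.exe files have been placed in the two constructed folders below on the client, and it extends the post's two-version check to any number of fields a publisher rule depends on.

```powershell
# Added example (not from the original post): show which publisher fields differ
# between two Firefox builds and what the effective AppLocker policy decides for each.
# Assumption: both binaries copied to the constructed paths below.
Import-Module AppLocker

$Builds = [ordered]@{
    '19.0.2'  = 'C:\Compare\Firefox-19.0.2\firefox.exe'
    '34.0b11' = 'C:\Compare\Firefox-34.0b11\firefox.exe'
}

function Get-PublisherFields {
    # The four fields a publisher rule is matched on, plus the signing certificate
    # thumbprint so a certificate change is visible even if the subject is unchanged.
    param([string]$Path)
    $p   = (Get-AppLockerFileInformation -Path $Path).Publisher
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        PublisherName  = $p.PublisherName      # certificate subject (O=, L=, S=, C=)
        ProductName    = $p.ProductName        # from the file's version resource
        BinaryName     = $p.BinaryName
        BinaryVersion  = $p.BinaryVersion
        CertThumbprint = $sig.SignerCertificate.Thumbprint
        SignatureState = $sig.Status           # Valid / NotSigned / HashMismatch ...
    }
}

$fields = @{}
foreach ($ver in $Builds.Keys) { $fields[$ver] = Get-PublisherFields $Builds[$ver] }

# One row per field, one column per build, with a flag where the builds disagree.
# A field that changed tells you which slider level in step 13 still matches both.
$old, $new = @($Builds.Keys)
foreach ($prop in $fields[$old].PSObject.Properties.Name) {
    [pscustomobject]@{
        Field   = $prop
        $old    = $fields[$old].$prop
        $new    = $fields[$new].$prop
        Differs = ($fields[$old].$prop -ne $fields[$new].$prop)
    }
} | Format-Table -AutoSize -Wrap

# Ask the effective policy (domain GPO merged with local) what it does with each file.
$effective = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $effective -Path @($Builds.Values) -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Running this after step 30 explains the result there: the Deny rule built in step 13 matches only the fields it was pinned to, so a build whose publisher, product or version string has changed falls through to the default Allow rules and shows PolicyDecision Allowed with a default rule as MatchingRule. After step 32, the second build should report Denied as well.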

