Using AppLocker to prevent all applications except specific ones.

Question

  • Hi all, I recently became familiar with AppLocker (via GPO) and it is a great tool!

    The thing is, I was thinking: instead of preventing only certain apps and having to insert them manually, why not block them all and insert the ones I permit?

    That way, I know I only allow a few apps to run in my domain, so I insert those allowed apps and prevent all of the rest. It's a lot easier than having to insert denied apps one by one; there are an endless number of apps I'd like to prevent.

    And I noticed I can achieve this goal by turning the "allow" on the two default rules that are created the first time I apply the AppLocker GPO:

    "all files located in the Program Files folder" and "all files located in the Windows folder"

    The only problem is, once I deny those two rules, I am unable to log in properly to my computer (obviously, because nothing can be executed). Everything is being blocked and I understand that, but what rules should I create to allow proper login? (Login is successful actually; it's the desktop that does not get presented, and many other necessary login procedures.)

    Hope my question is clear enough. :)

    Thanks

    Gil


    Sunday, May 08, 2011 2:35 PM

Answers

  • The problem you are getting is with the way you are applying the rules... Software Restriction Policy is a subset of AppLocker, so if you are running Windows 7 don't use SRP...

    If you want true "whitelist" rules (i.e. only allow approved applications) then you have a LOT of work ahead of you... What I would recommend....

    Trust the default rules... make sure all "approved" applications are installed to "Program Files" and that the users are NOT administrators... This means users will not be able to install new programs on the computer and you as IT admin will be the only person that can install approved applications... Now there are some ways around this (e.g. Firefox will install to the ProgramData folder if you are not admin); you then need to plug those apps with a deny rule (either a blanket deny rule on the ProgramData folder or on a program-by-program basis). For the deny rule check out my post http://www.grouppolicy.biz/2010/04/how-to-configure-applocker-group-policy-in-windows-7-to-block-third-party-browsers/

    However, if you want to REALLY do whitelisting...

    Make a computer with EVERY application you want to allow to run... Install the Group Policy Management Console on this computer.... then right-click on "Executable Rules" and use the "Automatically Generate Executable" option; this will scan your computer and make a rule set that will only allow the programs installed to run... this means any other applications that are not installed will NOT run... The problem with this is if the application is NOT signed then you will find yourself having to update the rule set very often when new versions of the programs are rolled out....

    I hope this helps...


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    Follow me on twitter @alanburchill
    Sunday, May 08, 2011 11:33 PM
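The allow-list Alan's second recommendation describes, scripted with the AppLocker PowerShell module rather than clicked through the GPMC. This is an added example written for this page, not code from the thread or from grouppolicy.biz. It keeps the default "Windows folder" allow rule (denying it is what produced the empty desktop in the question), drops the blanket Program Files allow in favour of per-application Publisher rules with Hash rules as the fallback for unsigned in-house binaries, adds the ProgramData deny rule Alan mentions, locks the Windows Installer collection to administrators, and dry-runs the result with Test-AppLockerPolicy before applying it. The output folder, the GPO LDAP path and the choice to start in AuditOnly mode are assumptions to adapt; the service name AppIDSvc and the path variables (%WINDIR%, %OSDRIVE%) are AppLocker's own.

```powershell
# Added example (editor's code, not from the thread or grouppolicy.biz): build an
# allow-list AppLocker policy from a reference machine that has every approved
# application installed under Program Files. Run elevated on that machine.
# Assumptions to adapt: $OutDir, $GpoLdap (empty = write the local policy), $Mode.
Import-Module AppLocker

$OutDir  = 'C:\AppLockerPolicy'   # assumption: where the policy XML is written
$GpoLdap = ''                     # assumption, e.g. 'LDAP://dc1.example.com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'
$Mode    = 'AuditOnly'            # flip to 'Enabled' only after the 8003/8006 audit events look clean
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$PolicyFile = Join-Path $OutDir 'allowlist.xml'

# An AppLocker rule carries exactly one primary condition, so one rule per path.
function New-PathRuleXml([string]$Name, [string]$Path, [string]$Sid, [string]$Action) {
    $id = [guid]::NewGuid().ToString()
    "<FilePathRule Id=`"$id`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}
$Everyone = 'S-1-1-0'; $Admins = 'S-1-5-32-544'   # well-known SIDs: Everyone, BUILTIN\Administrators

# 1. Base policy. Keep the default Windows-folder allow (logon and explorer.exe
#    live there) and the Administrators allow-all, but NOT the blanket Program
#    Files allow: approved programs get their own rules in step 2. A Deny rule
#    beats any matching Allow rule, and an Enabled collection denies every file
#    that no Allow rule matches.
$ExeRules = @(
    New-PathRuleXml 'Allow: Windows folder'        '%WINDIR%\*'              $Everyone 'Allow'
    New-PathRuleXml 'Allow: Administrators (all)'  '*'                       $Admins   'Allow'
    New-PathRuleXml 'Deny: ProgramData'            '%OSDRIVE%\ProgramData\*' $Everyone 'Deny'   # per-user installers, e.g. Firefox
    # Windows\Temp and Windows\Tasks are writable by standard users yet fall
    # inside the Windows-folder allow rule, so carve them out explicitly.
    New-PathRuleXml 'Deny: Windows Temp'           '%WINDIR%\Temp\*'         $Everyone 'Deny'
    New-PathRuleXml 'Deny: Windows Tasks'          '%WINDIR%\Tasks\*'        $Everyone 'Deny'
) -join "`n"
# Windows Installer collection: only administrators may run .msi/.msp packages.
$MsiRules = New-PathRuleXml 'Allow: Administrators (all MSI)' '*' $Admins 'Allow'

[xml]$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$ExeRules
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="$Mode">
$MsiRules
  </RuleCollection>
</AppLockerPolicy>
"@

# 2. Inventory Program Files (both on x64) and turn it into rules: Publisher where
#    the file is Authenticode-signed (survives version upgrades), Hash otherwise
#    (unsigned in-house apps; regenerate whenever the binary changes).
#    -Optimize collapses rules that share publisher and product.
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$info = $dirs | ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }
[xml]$Generated = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Inventory' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Merge the generated rules into the matching collections of the base policy.
foreach ($gc in @($Generated.AppLockerPolicy.RuleCollection)) {
    $target = @($Policy.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq $gc.Type }
    if (-not $target) { continue }
    foreach ($rule in @($gc.ChildNodes)) {
        [void]$target.AppendChild($Policy.ImportNode($rule, $true))
    }
}
$Policy.Save($PolicyFile)

# 4. Dry-run against real files before any client sees the policy. Expected for
#    a standard user: explorer.exe Allowed, Program Files binaries Allowed by
#    their Inventory rules, anything under ProgramData Denied.
$probe = @("$env:SystemRoot\explorer.exe") +
    @(Get-ChildItem $dirs -Recurse -Filter *.exe -ErrorAction SilentlyContinue | Select-Object -First 5 -ExpandProperty FullName) +
    @(Get-ChildItem $env:ProgramData -Recurse -Filter *.exe -ErrorAction SilentlyContinue | Select-Object -First 3 -ExpandProperty FullName)
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply. AppLocker enforces nothing unless the Application Identity service
#    (AppIDSvc) is running, so the clients need the same two lines (or a GPO).
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
if ($GpoLdap) { Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap $GpoLdap }
else          { Set-AppLockerPolicy -XmlPolicy $PolicyFile }
```

Leave $Mode at AuditOnly for a pilot group first: audit mode logs event 8003 (EXE/DLL) and 8006 (MSI/script) for every file the policy would have blocked, which is how to catch a missing logon component before it locks anyone out. The Script and DLL collections are deliberately left unconfigured here, which means they are not enforced; enabling them needs the same inventory step for those file types.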

All replies

  • Hi. You could use Software Restriction Policy instead. This creates the default OS-needed paths so you can specify only the things that are allowed.

    http://technet.microsoft.com/en-us/library/bb457006.aspx

     


    OHM http://msitpros.com
    Sunday, May 08, 2011 10:35 PM
  • Great advice Alan!

    I did as you recommended in the second part of your answer, and it seems to work perfectly so far.

    An important point to remember is to also create default rules in the "Windows Installer Rules" and then deny the (3) rules created. :)

    That way everything (including MSI files) is blocked, except the rules imported as you explained in your answer.

    Now the only challenge remaining would be to see how to enable in the GPO certain in-house apps that we use and that have no publisher to recognize them.

    Thanks again

    Gil

    Tuesday, May 17, 2011 8:40 AM
  • Hi Alan, continuing this discussion, there is a strange phenomenon when I'm trying to install Office 2007 Std.

    What happens is, if I create an executable rule in the GPO (based on publisher) and in the wizard I point to the setup.exe file of the installation, and continue with the default settings which specify (based on the setup.exe file) "publisher", "product name", "file name" and "file version", the installation on the client with the GPO applied fails with the error message "Microsoft Office Standard 2007 setup did not complete successfully. We are sorry for the inconvenience".
    The thing is, this is not the usual error that AppLocker produces on a client that is trying to run a denied installation ("This program is blocked by group policy...") but rather, it seems to be passing the stage of execution, and the error message ("Microsoft Office Standard 2007 setup did not complete successfully...") is being created at a more advanced stage of the installation.

    Any advice?

    Thank you, Gil.


    Wednesday, May 18, 2011 8:58 AM
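The setup error, rather than the AppLocker block message, means the publisher rule matched setup.exe and something it launched afterwards was denied. A publisher rule built from setup.exe with the wizard's default scope matches only that file name (at that version or above), so the other executables a setup runs, and each .msi/.msp package, which falls under the Windows Installer collection Gil locked down above, need rules of their own. The following script, added here as an example (not from the thread), lists which files in the install source the effective policy denies for a given user and which AppLocker events were recorded during the failed attempt, so the missing rule can be identified instead of guessed. The install-source path, the user name and the one-hour window are assumptions.

```powershell
# Added example (editor's code, not from the thread): find the file an installer
# trips over under AppLocker. Run as an administrator on the client that has the
# GPO applied. Assumptions: $Source is the unpacked install media, $User is the
# account doing the install, the failed attempt happened within the last hour.
Import-Module AppLocker

$Source = 'D:\Office2007Std'       # assumption: folder holding setup.exe
$User   = "$env:USERDOMAIN\gil"    # assumption: DOMAIN\user or a SID

# 1. Evaluate every .exe, .msi and .msp in the source against the effective
#    policy (local and domain merged, exactly what the client enforces) for
#    that user, and keep only what is not explicitly allowed.
#    PolicyDecision is Allowed, Denied, or DeniedByDefault (no Allow rule matched).
$effective  = Get-AppLockerPolicy -Effective
$candidates = Get-ChildItem -Path $Source -Recurse -Include *.exe, *.msi, *.msp |
    Select-Object -ExpandProperty FullName
Test-AppLockerPolicy -PolicyObject $effective -Path $candidates -User $User |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 2. What AppLocker actually blocked (8004 EXE/DLL, 8007 MSI/script), or would
#    have blocked in audit mode (8003, 8006), during the attempt. The first
#    line of each event message names the file.
$since = (Get-Date).AddHours(-1)
$logs  = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003, 8004, 8006, 8007; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Every path the first table reports as Denied or DeniedByDefault needs either a Publisher rule of its own (use Get-AppLockerFileInformation on that file to see whether it is signed) in the Exe or Windows Installer collection, or a one-off administrator-context install; the event list confirms which of them the setup actually reached before failing.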
  • Hi Alan, I know this is an old thread but I came across this as we need to set up some restrictions as to what and who can install applications, more specifically to block viruses like CryptoLocker, but I just wanted to clarify that AppLocker will only work on Windows 7 Ultimate; if you have Windows 7 Professional then you are stuck with SRP. Thanks John
    Wednesday, September 03, 2014 1:41 AM
  • You could technically use SRP to block CryptoLocker; however most AV software will also do this. To do this you would have to have a copy of the program to scan AND if it was at all polymorphic then SRP will not work. ALSO... I doubt that CryptoLocker is digitally signed, so unless you did a "whitelist"-only configuration you are not going to be able to easily use AppLocker to block it...

    Also, yes... Windows 7 Ultimate only...


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Wednesday, September 03, 2014 3:17 AM