AppLocker rules and Office 2010 issues.

    Question

  • Hello Everyone,

    I have been facing issues with implementing AppLocker rules and making them work along with Office 2010.

    The rule causing problems is to DENY all access to %program files% for a specific group of users with an exception for the path "C:\Program Files (x86)\Microsoft Office\OFFICE 14\*"

    Excel.exe does not run and is logged in Events as being blocked which as far as I understand contradicts what the rule is set to. I have tried setting explicit allow using File Hash for Excel.exe and still face the same problem.

    Other rules work as they should with no problems. Has anyone faced this issue before?

    Thanks in advance,

    Chris


    Edit: If you need any more information let me know.
    • Edited by CLPierris Thursday, November 29, 2012 2:14 PM
    Thursday, November 29, 2012 2:08 PM

Answers

  • Hi Jonny,

    I finally got to the bottom of it. The applied rule was to deny everything in the Program Files folder and allow only the Microsoft Office folder.

    In reality I was approaching AppLocker with a blacklist mentality. The solution is to have a single rule for the Microsoft Office folder set to Allow, and the "DeniedByDefault" behaviour will take care of the Program Files folder without having to specify anything extra. The confusion lies in relying on the default rules of AppLocker as a guide. To be more specific, there is an explicit Allow for %WINDIR% which needs individual exceptions if you want to deny access to anything in that folder. Based on that I proceeded to create the rest of the rules, which presented the aforementioned issues.

    Again thank you for your time, greatly appreciated.


    Friday, November 30, 2012 10:52 AM
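    The allow-list approach from the accepted answer, as an added example (not code from the thread): one Allow rule for the Office folder, no Deny rule for Program Files, and a dry run with Test-AppLockerPolicy before anything is enforced. The group SID, the test user and the `Office14` folder name are placeholders/assumptions.

    ```powershell
# Added example, not from the thread: builds the allow-list policy the accepted
# answer describes and checks it against Excel.exe before enforcing it.
# Assumptions (placeholders): $OfficeGroupSid is the SID of the restricted group;
# Office 2010 is installed under ...\Microsoft Office\Office14.
$OfficeGroupSid = 'S-1-5-21-0-0-0-PLACEHOLDER'   # replace with the real group SID
$PolicyPath     = "$env:TEMP\office-allowlist.xml"

function New-PathRule([string]$Name, [string]$Sid, [string]$Path) {
    # One Allow rule. AppLocker denies anything no Allow rule covers, so a
    # Deny rule for %PROGRAMFILES% is neither needed nor wanted.
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path"/></Conditions>
    </FilePathRule>
"@
}

$rules = @(
    # Default-style rules: Windows folder for Everyone, everything for Administrators.
    New-PathRule '(Default) Windows folder' 'S-1-1-0'      '%WINDIR%\*'
    New-PathRule '(Default) Administrators' 'S-1-5-32-544' '*'
    # The single Office Allow rule from the answer. %PROGRAMFILES% covers both
    # "Program Files" and "Program Files (x86)" on 64-bit Windows.
    New-PathRule 'Office 2010 for restricted users' $OfficeGroupSid '%PROGRAMFILES%\Microsoft Office\Office14\*'
) -join "`n"

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run: reports Allowed / Denied / DeniedByDefault per file for the given
# user without touching the live policy. Excel should be Allowed by the Office
# rule and the other Program Files binary DeniedByDefault.
$excel = 'C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE'
$other = 'C:\Program Files (x86)\SomeVendor\app.exe'          # constructed path
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $excel, $other -User 'DOMAIN\restricted.user' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only once the dry run shows the expected decisions:
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
    ```

    Run the dry run under the Audit only enforcement mode first if the policy is already linked to a GPO, since Set-AppLockerPolicy applies to the local machine immediately.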

All replies

  • Hi CLPierris,

    Maybe the problem isn't only with permissions. Actually you have to check if this specific group is a member of another group that applies different permissions than you want. As I can see, you have a conflict there.


    Regards,

    Jonny Moura

    MCP:W2k3| MCTS:W7,W2k8| MCSA:W2k12| ITILv3

    If useful, rate it!


    • Edited by Jonny Moura Thursday, November 29, 2012 4:10 PM
    Thursday, November 29, 2012 3:57 PM
  • Hello Jonny,

    Thank you for replying. Although your suggestion initially looked promising, when I looked exactly into how groups are structured and where this specific group belongs, it was apparent there are 0 rules being applied to the parent group. Also, if it was such a generic issue nothing would work, as the rest of the rules being applied on the same group wouldn't work either.

    To summarize the problem: if I set an explicit deny of %Program Files%, Excel.exe doesn't run; if I deny %program files% and allow the Office path, Excel.exe still fails to start; with an explicit allow of Excel.exe using File Hash & Publisher rules, Excel.exe again fails to start. The whole of %program files% must be Allowed for Excel.exe to run, which leads me to believe that this is something relating to the Office family (as other applications do not have the same issue and behave as expected).


    By the way, this is something that I can replicate on different machines (all running Windows Server 2008 R2).
    • Edited by CLPierris Thursday, November 29, 2012 5:36 PM
    Thursday, November 29, 2012 4:45 PM
  • Hi CLPierris,

    Did you try to disable inheritance on the Office folder? Go to Properties > Security > Advanced.

    Unmark the checkbox. Tell me if it works or not.


    Regards,

    Jonny Moura

    MCP:W2k3| MCTS:W7,W2k8| MCSA:W2k12| ITILv3

    If useful, rate it!

    Thursday, November 29, 2012 6:05 PM
  • Hey CLPierris,

    I'm glad to hear you could find the solution! Thanks for the reply.


    Regards,

    Jonny Moura

    MCP:W2k3| MCTS:W7,W2k8| MCSA:W2k12| ITILv3

    If useful, rate it!

    Friday, November 30, 2012 11:22 AM