AppLocker to only allow particular users to PowerShell

    Question

  • We want to block PowerShell for all users (and only allow it for a group of authorised users). We have put in place the AppLocker group policy.

    In the AppLocker GPO > Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker:

    I defined 'Allow' for one SG (E.g. SG A) to run %system32%\WindowsPowerShell\v1.0\powershell.exe

    By doing so, have I denied all users (other than SG A) from using PowerShell, no matter which machine they are running from?

    thank you


    Best Regards,

    Wednesday, May 18, 2016 1:03 AM

Answers

  • Hi Ray,

    You don't need a deny rule.

    The default rules in the above screenshot will allow everyone to run PowerShell - both 32 and 64-bit.

    As you've already pointed out, there is an exception in your implementation for the default rule that pertains to the Windows folder that excludes %windir%\System32\WindowsPowerShell\*. If you simply add %windir%\Syswow64\WindowsPowerShell\* then that will also stop the 32-bit PowerShell host from being accessible to everyone.

    What this leaves you with is the task of creating a new "allow" rule for which you should create a controlling security group and add as members the people/groups you wish to grant access. One member should almost certainly be the SYSTEM account as well as potentially the TrustedInstaller account, as it's becoming more common to see PowerShell tasks executed as part of software installers.

    Also don't forget to set up the rules in audit mode and review the success and failures to avoid accidentally and possibly seriously impacting production scenarios and users.

    Keep in mind that deny rules trump all other rules - just as is the case with most other Microsoft systems (just like with file permissions). You don't want to use these unless you have to.

    Cheers,
    Lain

    • Marked as answer by BlueBerries Friday, May 20, 2016 3:51 AM
    Friday, May 20, 2016 1:59 AM
  • Hi Ray,

    There's a number of ways you can achieve this just depending on how pedantic you want to be.

    The easiest way forward which only requires one rule is to create a rule the same as the default Windows directory rule (i.e. a path rule) without the exceptions and use your control group as the filter.

    If you want to exert a little more control, you could create two path-type rules, one for %windir%\System32\WindowsPowerShell\* and the other for %windir%\SysWoW64\WindowsPowerShell\*, both of which would use the same control group.

    I'd suggest going for the former unless you are going to come up with more categorisations in the future for other Windows executables.

    Cheers,
    Lain

    • Marked as answer by BlueBerries Friday, May 20, 2016 7:24 AM
    Friday, May 20, 2016 5:17 AM
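The rule set Lain describes in the two answers above (the default Windows-folder rule with both PowerShell host directories excepted, plus a single Allow rule filtered by a control group, or alternatively one Allow rule per host directory) can be built as AppLocker policy XML and dry-run before it touches any machine. The following is an added example, not code from the thread; the group CONTOSO\PowerShell-Users, the test user CONTOSO\StandardUser and the output file path are placeholders.

```powershell
# Added example, not code from the thread: builds the Exe rule collection Lain
# describes (default rules, the Windows-folder rule with BOTH PowerShell host
# directories excepted, and Allow rules filtered by a control group), writes it
# as AppLocker policy XML in AuditOnly mode, and dry-runs it with
# Test-AppLockerPolicy before anything is applied.
# Placeholders: CONTOSO\PowerShell-Users, CONTOSO\StandardUser, the output path.
# Run elevated on a domain member.

Import-Module AppLocker

$controlGroup = 'CONTOSO\PowerShell-Users'   # placeholder control group (add SYSTEM if installers need it)
$groupSid = (New-Object System.Security.Principal.NTAccount($controlGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# Both host directories; the 32-bit one is the exception that was missing.
$pwshDirs = @('%WINDIR%\System32\WindowsPowerShell\*',
              '%WINDIR%\SysWOW64\WindowsPowerShell\*')

# Lain's two options: $true = one rule per host directory ("a little more control"),
# $false = a single %WINDIR%\* rule for the group, same shape as the default rule.
$perDirectoryRules = $true
$allowPaths = if ($perDirectoryRules) { $pwshDirs } else { @('%WINDIR%\*') }

function New-PathRuleXml([string]$Name, [string]$Sid, [string]$Path, [string[]]$Exceptions = @()) {
    # Emits one <FilePathRule> element; the exceptions block is optional.
    $exc = if ($Exceptions.Count) {
        "`n      <Exceptions>`n" + (($Exceptions | ForEach-Object { "        <FilePathCondition Path=`"$_`" />" }) -join "`n") + "`n      </Exceptions>"
    } else { '' }
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>$exc
    </FilePathRule>
"@
}

$rules = @(
    New-PathRuleXml '(Default Rule) All files located in the Program Files folder' $everyone '%PROGRAMFILES%\*'
    New-PathRuleXml '(Default Rule) All files located in the Windows folder' $everyone '%WINDIR%\*' $pwshDirs
    New-PathRuleXml '(Default Rule) All files' $admins '*'
)
$rules += $allowPaths | ForEach-Object { New-PathRuleXml "Allow PowerShell host: $_" $groupSid $_ }

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-powershell.xml'   # placeholder output path
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: the decision per host binary and principal, before the policy is applied.
$hostBinaries = @("$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "$env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")
foreach ($u in @($controlGroup, 'CONTOSO\StandardUser')) {   # placeholder principals
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $hostBinaries -User $u |
        Select-Object @{ n = 'User'; e = { $u } }, FilePath, PolicyDecision, MatchingRule
}

# To pilot locally (the Application Identity service must be running):
#   Start-Service AppIDSvc
#   Set-AppLockerPolicy -XmlPolicy $policyPath
# To write it into the GPO instead, pass -Ldap 'LDAP://<placeholder GPO DN>'.
```

The dry run should show Denied for the standard user and Allowed for the control group on both binaries; EnforcementMode stays AuditOnly until the audit events have been reviewed, as Lain recommends.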
  • PS: I only just noticed the final question as I was proof reading my post for mistakes.

    The directory structure doesn't actually represent the PowerShell version. Your v3, v4 and so on binaries are still in the v1 subdirectory.

    Cheers,
    Lain

    • Marked as answer by BlueBerries Friday, May 20, 2016 7:24 AM
    Friday, May 20, 2016 5:19 AM
  • PPS: If you're ever looking for how to block or unblock something, your greatest source of proof/information is within Event Viewer under \Application and Services Logs\Microsoft\Windows\AppLocker.

    Cheers,
    Lain

    • Marked as answer by BlueBerries Friday, May 20, 2016 7:24 AM
    Friday, May 20, 2016 5:21 AM
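The log Lain points at can be read with Get-WinEvent to see who tried to start a PowerShell host and what AppLocker decided, which is the review step before switching from AuditOnly to Enabled. This is an added example, not code from the thread; the event IDs 8002 (allowed), 8003 (audit only: would have been blocked) and 8004 (blocked) are AppLocker's standard IDs, and -MaxEvents is an arbitrary cap.

```powershell
# Added example, not code from the thread: summarises AppLocker decisions for the
# PowerShell hosts from the operational log under Applications and Services
# Logs\Microsoft\Windows\AppLocker. Run elevated.

$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
$ids = @{ 8002 = 'Allowed'; 8003 = 'AuditOnly-WouldBlock'; 8004 = 'Blocked' }

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8002, 8003, 8004 } -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData          # AppLocker's per-event payload
    if ($d.FilePath -notmatch 'WINDOWSPOWERSHELL') { continue }
    $sid = $d.TargetUser
    # Resolve the SID to an account name where possible; fall back to the raw SID.
    $user = try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Decision = $ids[[int]$e.Id]
        User     = $user
        File     = $d.FilePath
        Rule     = $d.RuleName
        Computer = $e.MachineName
    }
}

# Who would be affected if AuditOnly were switched to Enabled right now?
$rows | Where-Object Decision -ne 'Allowed' |
    Group-Object User, File | Sort-Object Count -Descending |
    Select-Object Count, Name
```

In audit mode the 8003 events are the interesting ones: every user, service or installer that appears there and is not in the control group is something the Allow rule must cover before enforcement.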

All replies

  • Hi BlueBerries,

    Based on my test, to achieve your goal, you could perform these actions below.

    1. Create a rule
    2. Click Allow in permission tab and click Select to select the group which could use PowerShell
    3. Click Publisher and Click next on Conditions tab
    4. Click Browse and select PowerShell.exe on Publisher and click next
    5. Click next on Exceptions
    6. Click Create on name tab

    7. If you do not want Administrator to run PowerShell, you could double-click the ACL whose User=administrator, click the Exceptions tab and select Publisher under Add exceptions.

    8. Repeat Step 7 for those two ACLs whose User=everyone

    Then click Add and click browse to add Powershell.exe

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 18, 2016 9:19 AM
    Moderator
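Jay's steps 1 to 6 build a publisher rule through the GPO editor. The same rule can be generated with the AppLocker cmdlets, which is handy for keeping the policy in source control and reviewing it before import. This is an added example, not code from the thread or from Jay; the group CONTOSO\PowerShell-Users and the output path are placeholders.

```powershell
# Added example, not code from the thread: the publisher-rule variant of Jay's
# steps 1-6, generated with the AppLocker cmdlets. Produces XML only; it does
# not apply anything. CONTOSO\PowerShell-Users and the output path are placeholders.

Import-Module AppLocker

$group = 'CONTOSO\PowerShell-Users'
$hosts = @("$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
           "$env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")

# Steps 3-4: read the Authenticode publisher information from both host binaries.
$info = Get-AppLockerFileInformation -Path $hosts

# Steps 1-2, 5-6: turn it into Allow/Publisher rules scoped to the control group.
# -Optimize merges rules that share the same publisher and product.
$xml = $info | New-AppLockerPolicy -RuleType Publisher -User $group -RuleNamePrefix 'PowerShellHosts' -Optimize -Xml

$out = Join-Path $env:TEMP 'powershell-publisher-allow.xml'   # placeholder output path
Set-Content -Path $out -Value $xml -Encoding UTF8

# Same caveat as the path approach: the default Everyone rule for the Windows
# folder still allows both hosts unless it carries exceptions (Jay's steps 7-8).
```

A publisher rule follows the binary when it moves or is updated, which is why Jay reaches for it; the trade-off is that it matches any Microsoft-signed file with the same product and file name, so the generated XML is worth reading before it is merged into the GPO.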
  • Hi Jay,

    Thanks.

    Do I have to create a second ALLOW rule to achieve the same as above for x86 PowerShell? I noticed that the PowerShell paths for x86 and x64 are different.

    The result I'm trying to achieve is for the same group of people to be ALLOWED both versions of PowerShell, and to DENY the rest from both versions of PowerShell.

    Thank you


    Wednesday, May 18, 2016 12:49 PM
  • Hi Jay,

    Thanks for the instruction.

    Question: Step 7:- just double checking, it is to DENY or ALLOW 'everyone' in this step? (Administrator can have access to PowerShell, just want to block general users).

    Thank you


    Best Regards,


    • Edited by BlueBerries Thursday, May 19, 2016 12:32 AM
    Thursday, May 19, 2016 12:31 AM
  • Hi BlueBerries,

    It is ALLOW 'everyone', just like the picture below shows.

    Best Regards,

    Jay



    Thursday, May 19, 2016 1:58 AM
    Moderator
  • Hi Ray,

    Have you created a DENY rule before?

    If yes, I suggest you delete it and create a new ALLOW rule.

    And you need to add both versions of PowerShell to ALLOW and add both versions of PowerShell to the Exceptions of the allow-everyone ACL.

    Best Regards,

    Jay



    Thursday, May 19, 2016 2:03 AM
    Moderator
  • Hi Jay,

    No, I have not created a DENY rule.

    However, there is currently in place an ALLOW rule for %WINDIR%\* with an Exception for %WINDIR%\System32\WindowsPowerShell\*

    However, there is no Exception for x32 PowerShell - I think this is why all users are ALLOWED to use x32 PowerShell.

    I will try your suggestion by removing the above Exception.

    and then create new ALLOW rules for both version of PowerShell.

    Just to clarify - will I need two ALLOW rules for both versions of PowerShell, or just one rule?

    Thank you


    • Edited by Ray'Weil Friday, May 20, 2016 12:30 AM
    Friday, May 20, 2016 12:29 AM
  • I should clarify my audit mode statement above.

    You should use audit mode if you're only just setting up AppLocker for the first time - as it sounds like you are. If you already use AppLocker and it's already in enforce mode, then it's unlikely you can afford to revert back to audit mode for testing purposes.

    Cheers,
    Lain

    Friday, May 20, 2016 2:04 AM
  • Thanks Lain.

    >> Added exception: %windir%\syswow64\windowspowershell\* as suggested --- now both 32 & 64 PowerShell are blocked! Thanks

    >> Allow rule

    Should the allow rule be set to:

    64-bit

    %system32%\WindowsPowerShell\v1.0\powershell.exe or %system32%\windowspowershell\*

    32-bit

    %syswow64%\windowspowershell\v1.0\powershell.exe or %syswow64%\windowspowershell\*

    ?

    By setting it to ...\v1.0\PowerShell.exe >> does this actually only allow users to use v1.0 of PowerShell?

    thank you


    Best Regards,

    Friday, May 20, 2016 4:15 AM
  • The %windir%\system32\windowspowershell\* rule allows access to all files & folders within the windowspowershell directory, including some .dll files. To allow PowerShell, will the controlling SG of users also need the .dll files? Or is setting the path to %windir%\system32\windowspowershell\v1.0\powershell.exe sufficient?

    >> One member should almost certainly be the SYSTEM account

    I thought the SYSTEM account is granted access to PS by default?

    thank you

    • Edited by Ray'Weil Sunday, May 29, 2016 3:49 AM
    Friday, May 20, 2016 1:31 PM