AppLocker GPO

    Question

  • Currently, there is an AppLocker GPO in place that has a rule to 'Allow' a security group to run %system32%\WindowsPowerShell\v1.0\powershell.exe.

    This rule is working, as users who are not in the 'Allow' security group are not able to launch the x64 versions of PowerShell:

    %systemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe, &

    %windir%\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe

    Which is good.

    However, the problem I am seeing now is that all users can launch the x86 versions of PowerShell:

    %systemroot%\syswow64\WindowsPowerShell\v1.0\powershell.exe; and also the

    %windir%\sysWOW64\WindowsPowerShell\v1.0\PowerShell_ISE.exe

    How can I DENY all users from both versions of PowerShell, and only allow authorized users (in the 'Allow' security group) to use both the x64 and x86 versions of PowerShell?

    As I cannot find a DENY rule for PowerShell but just the ALLOW rule, does this mean PowerShell is DENY by default when the AppLocker GPO is pushed out?

    Please shed some light.

    Thank you

    


    Best Regards,



    • Edited by BlueBerries Wednesday, May 18, 2016 5:30 AM
    Wednesday, May 18, 2016 4:05 AM

Answers

  • Hi,

    See below Q&A:

    Does a deny action on a rule always take precedence?

    Yes. However, AppLocker contains a feature that allows you to state exceptions to a deny action on a rule. Rule exceptions, which can be applied to the deny or allow action, permit you to specify files or folders to exclude from the rule. For example, a rule can be created to allow the Everyone group to run any application in the Windows folder except regedit.exe. Another rule can be created to allow the Helpdesk group to run regedit.exe. However, if there was an explicit deny action on regedit.exe, then no other rule permitting the Helpdesk group access to regedit.exe would supersede that rule.

    I think you may consider continuing to use Allow rules with exceptions.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by BlueBerries Friday, May 20, 2016 3:46 AM
    Friday, May 20, 2016 3:05 AM
    Moderator

All replies

  • Hi,

    Thanks for your post.

    First, regarding the sentence “cannot find a DENY rule for PowerShell but just the ALLOW rule”, do you mean that you cannot set deny rules for PowerShell using AppLocker GPO? Please check the below screenshot and tell me if my understanding is incorrect.

    Generally, you can use Software Restriction Policies (SRPs) or AppLocker to prevent .ps1 files from running. If you want to stop PowerShell from running, you may also opt to restrict PowerShell.exe through SRPs/AppLocker.

    Using Software Restriction Policies to Protect Against Unauthorized Software
    http://technet.microsoft.com/en-us/library/cc507878.aspx

    In our case, you should put PowerShell and PowerShell_ISE for both x86 and x64 into the deny rules. Both locations are as below:

    The 32-bit PowerShell is found at C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe & powershell_ise.exe, and the 64-bit PowerShell is at C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe & powershell_ise.exe.

    You should also be able to use the Administrative Template "Don't run specified Windows applications" and put PowerShell and PowerShell_ISE for both x86 and x64 in there. You can then link it to the OUs whose users you don't want to have access to PowerShell.

    Hope the above information is helpful to you.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 18, 2016 6:16 AM
    Moderator
  • Hi Alvin, thanks for your reply. It was great.

    Answer to your question:

    Yes, I cannot find a DENY rule for PowerShell. There is an ALLOW rule, to allow a security group.

    Because we already have the AppLocker GPO in place, we try to stick with one (instead of having both SRPs or "Don't run specified Windows applications").

    The existing AppLocker GPO's Allow rules seem to be working. If the user is not a member of the security group, they cannot launch x64 powershell (which is good).

    However, they can launch x86 PowerShell (which is no good).

    Question 1, which I am really scratching my head on: I am not seeing any DENY rule under Execution Policy or Script rule in the AppLocker GPO. How does this ALLOW rule work? (Unless the AppLocker GPO by default locks down PowerShell, which I do not think so?)

    Question 2: Since there is no DENY rule, should I create an Execution Policy to DENY x86 PowerShell?

    If I create a DENY rule to deny 'Everyone' from x86 PowerShell, do I then have to create another ALLOW rule to allow authorized users to use x86 PowerShell?

    Thanks again


    Best Regards,



    • Edited by BlueBerries Wednesday, May 18, 2016 7:04 AM
    Wednesday, May 18, 2016 6:57 AM
  • Hi,

    You can create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file.

    More information:

    Understanding AppLocker Allow and Deny Actions on Rules

    https://technet.microsoft.com/en-us/library/ee460955(v=ws.11).aspx

    How to configure AppLocker Group Policy to prevent software from running

    http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 19, 2016 9:03 AM
    Moderator
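The two designs discussed in this thread, as an added example that is not code posted by anyone in it: policy A is the accepted answer's allow-with-exceptions approach (Everyone may run the Windows folder except the four PowerShell hosts, and only the security group is allowed those hosts), policy B is the follow-up question's idea of an explicit Deny for Everyone plus an Allow for the group, which the Deny overrides as the reply above explains. Both are built as AppLocker policy XML and evaluated with Test-AppLockerPolicy for both hosts on both architectures, so nothing is applied. The AppLocker module is assumed to be present (Windows 7 / Server 2008 R2 or later, PowerShell 3.0+ for [ordered]), and the CONTOSO group and user names are placeholders to replace with your own.

```powershell
# Added example, not from the thread. Builds two AppLocker Exe-rule policies and
# evaluates powershell.exe / powershell_ise.exe (x64 and x86) against each one.
# Assumptions: AppLocker module present; group/user names below are placeholders.
Import-Module AppLocker

$AllowedGroup = 'CONTOSO\PowerShell-Users'   # assumed name of the 'Allow' security group
$MemberUser   = 'CONTOSO\alice'              # assumed member of that group
$OtherUser    = 'CONTOSO\bob'                # assumed non-member

$EveryoneSid = 'S-1-1-0'        # well-known SID: Everyone
$AdminsSid   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators
$GroupSid    = ([System.Security.Principal.NTAccount]$AllowedGroup).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Both hosts on both architectures. %WINDIR% is AppLocker's path variable for
# %SystemRoot%; naming SysWOW64 explicitly is what closes the x86 gap in the question.
$HostPaths = @(
    '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell_ise.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
)

# One FilePathRule: a single path condition, optionally with path exceptions.
function New-PathRuleXml {
    param([string]$Name, [string]$Sid, [ValidateSet('Allow','Deny')][string]$Action,
          [string]$Path, [string[]]$Exceptions = @())
    $exc = ''
    if ($Exceptions.Count -gt 0) {
        $items = ($Exceptions | ForEach-Object { "<FilePathCondition Path=`"$_`" />" }) -join ''
        $exc = "<Exceptions>$items</Exceptions>"
    }
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions>$exc</FilePathRule>"
}

# Wrap rules in an enforced Executable rule collection.
function New-ExePolicyXml {
    param([string[]]$Rules)
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    $($Rules -join "`n    ")
  </RuleCollection>
</AppLockerPolicy>
"@
}

# Baseline every policy needs, or users lose everything else in Program Files.
$baseline = @(
    New-PathRuleXml -Name 'Everyone: Program Files' -Sid $EveryoneSid -Action Allow -Path '%PROGRAMFILES%\*'
    New-PathRuleXml -Name 'Administrators: all files' -Sid $AdminsSid -Action Allow -Path '*'
)
$groupAllows = $HostPaths | ForEach-Object {
    New-PathRuleXml -Name "Allow $AllowedGroup : $_" -Sid $GroupSid -Action Allow -Path $_
}

# A) Allow with exceptions: non-members match no rule and hit AppLocker's default deny.
$policyA = New-ExePolicyXml -Rules ($baseline + @(
    New-PathRuleXml -Name 'Everyone: Windows folder, except PowerShell hosts' -Sid $EveryoneSid -Action Allow -Path '%WINDIR%\*' -Exceptions $HostPaths
) + $groupAllows)

# B) Explicit Deny for Everyone: the Deny wins over the group's Allow, so the group is locked out too.
$denyAll = $HostPaths | ForEach-Object {
    New-PathRuleXml -Name "Deny Everyone: $_" -Sid $EveryoneSid -Action Deny -Path $_
}
$policyB = New-ExePolicyXml -Rules ($baseline + @(
    New-PathRuleXml -Name 'Everyone: Windows folder' -Sid $EveryoneSid -Action Allow -Path '%WINDIR%\*'
) + $denyAll + $groupAllows)

$pathA = Join-Path $env:TEMP 'applocker-allow-with-exceptions.xml'
$pathB = Join-Path $env:TEMP 'applocker-deny-everyone.xml'
Set-Content -Path $pathA -Value $policyA -Encoding UTF8
Set-Content -Path $pathB -Value $policyB -Encoding UTF8

# Test-AppLockerPolicy reads the real files, so point it at the installed hosts
# (SysWOW64 does not exist on 32-bit Windows, hence the Test-Path filter).
$testFiles = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
) | Where-Object { Test-Path $_ }

$policies = [ordered]@{ 'A: allow with exceptions' = $pathA; 'B: deny Everyone + allow group' = $pathB }
foreach ($p in $policies.GetEnumerator()) {
    foreach ($user in @($MemberUser, $OtherUser)) {
        Test-AppLockerPolicy -XmlPolicy $p.Value -Path $testFiles -User $user |
            Select-Object @{n='Policy';e={$p.Key}}, @{n='User';e={$user}}, FilePath, PolicyDecision, MatchingRule |
            Format-Table -AutoSize
    }
}

# To pilot policy A on one machine (merges into the local policy):
#   Set-AppLockerPolicy -XmlPolicy $pathA -Merge
# For the domain GPO, import $pathA in GPMC (AppLocker node, Import Policy).
```

Under policy A the group member should come back allowed on all four files with the group rule as MatchingRule, and the non-member denied on all four because the exception removes the hosts from the Windows-folder rule and no other rule matches; under policy B both users are denied by the Everyone Deny rules, which is the precedence problem the accepted answer avoids by using exceptions instead. Note that Test-AppLockerPolicy only evaluates the XML; clients enforce AppLocker only while the Application Identity service (AppIDSvc) is running, so check that on a pilot machine before judging whether a rule "works".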
  • Hi Alvin,

    As Deny rules always take precedence (i.e. deny everyone from PowerShell), how can I then create an ALLOW for a group of users to use PowerShell?

    Thank you


    Best Regards,

    Friday, May 20, 2016 1:39 AM