Dear Microsoft: AppLocker, Application rules, UAC, local administrators

    General discussion

  • I want to employ AppLocker + UAC as a defensive layer over locally administrative accounts. My desired behavior: local administrators must elevate (UAC) to run an application; the default rule for local administrators must not activate to allow launch of un-elevated applications for local administrators. However, because un-elevated applications launched by local administrators are silently allowed, I cannot utilize AppLocker to protect administrative accounts from malicious applications. While I have seen it suggested that the default local admin app rule be deleted and replaced with one only allowing specific locations for local administrators - this would negatively impact the workflow of my locally administrative users and is not suitable for my organization. Lastly, it is bizarre that the default local admin script rule behaves as expected (un-elevated = not allowed), but the default local admin application rule does not.


    born to learn!


    • Edited by AJM Admin Thursday, February 19, 2015 4:46 PM
    Thursday, February 19, 2015 4:45 PM
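
The allow-all rule for local administrators that the post above refers to can be found in a policy by its group SID and wildcard path, for each rule collection (Exe, Script, and so on). This is an added audit example, not code from the thread or from Microsoft; the sample policy, its rule Ids and names, and the function name `Get-AdminAllowAllRule` are constructed for illustration.

```powershell
# Added example. The policy below is constructed sample data, not taken from the thread;
# rule Ids and names are placeholders.
[xml]$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Admins: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Admins: all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-AdminAllowAllRule {
    param([Parameter(Mandatory)][xml]$PolicyXml)
    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators
    $xpath = "//RuleCollection/FilePathRule[@UserOrGroupSid='$adminSid' and @Action='Allow']"
    foreach ($rule in $PolicyXml.SelectNodes($xpath)) {
        # Only a bare wildcard path condition allows every file in the collection.
        if ($rule.SelectNodes("Conditions/FilePathCondition[@Path='*']").Count -eq 0) { continue }
        [pscustomobject]@{
            Collection    = $rule.ParentNode.GetAttribute('Type')
            Enforcement   = $rule.ParentNode.GetAttribute('EnforcementMode')
            RuleName      = $rule.GetAttribute('Name')
            RuleId        = $rule.GetAttribute('Id')
            HasExceptions = $null -ne $rule.SelectSingleNode('Exceptions/*')
        }
    }
}

# Lists the two administrators allow-all rules in the sample (Exe and Script).
Get-AdminAllowAllRule -PolicyXml $samplePolicy | Format-Table -AutoSize

# On a live machine, audit the effective policy instead of the sample:
# Get-AdminAllowAllRule -PolicyXml ([xml](Get-AppLockerPolicy -Effective -Xml))
```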

All replies

  • Hi,

    In fact, if the accounts are local admins of workstations, we can't really restrict them, for they can revert the changes or avoid the restrictions we make if they know how to.

    Best regards,
    Frank Shen




    Monday, February 23, 2015 2:09 PM
    Moderator
  • Sure, but as it stands, I can't even lay down a reasonable default behavior for them. It's all-or-nothing on the most sensitive accounts in my organization, and that's not good enough. Yes, there are certainly 3rd party solutions for this problem - but it is silly that a system 1 mm away from a reasonable solution already exists, but doesn't behave as expected.

    born to learn!


    • Edited by AJM Admin Monday, February 23, 2015 6:58 PM
    Monday, February 23, 2015 6:58 PM