How to Create AppLocker Policies to Secure Windows Environments Intune

Let’s check how to create AppLocker policies to secure Windows environments. The same AppLocker policies can be used to build an appropriate Windows Information Protection (WIP) configuration with Intune.

Introduction

AppLocker was introduced with Windows 7 and Windows Server 2008 R2. It lets you control which applications and files users are allowed to run.

If you need to prevent an application from running, AppLocker provides a simple interface for doing so. The file types it controls are executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

AppLocker helps reduce administrative overhead and the organization’s cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps.


It requires no additional licensing beyond a supported Windows edition (see Requirements below).

Overview

AppLocker is included with the enterprise-level editions of Windows. On a single computer you configure and enforce the rules with the Local Security Policy editor (secpol.msc). For a group of computers you deploy the rules through the Group Policy Management Console, or with MDT, SCCM/MECM, or Intune.

Requirements

  • AppLocker has no specific hardware requirements.
  • Operating system requirements: refer to Microsoft’s documentation.

Note – You can configure AppLocker policies on any edition of Windows 10, but you can only enforce AppLocker on devices running Windows 10 Enterprise or Education, or Windows Server 2016 or later.

Why does AppLocker exist?

AppLocker can help you in the following ways to control applications within your organization:-


AppLocker addresses the following application security scenarios:

  • Application inventory
AppLocker can enforce its policy in an audit-only mode in which every application access is recorded in the event log instead of being blocked. These events can be collected for further analysis, and the AppLocker Windows PowerShell cmdlets let you analyze the data programmatically.

  • Protection against unwanted software
AppLocker can deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in production, any app that is not covered by an allow rule is blocked from running.

  • Licensing
AppLocker rules can keep unlicensed software from running and restrict licensed software to authorized users.

  • Standardization
AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group, which permits a more uniform app deployment.

  • Manageability
AppLocker includes a number of manageability improvements over its predecessor, Software Restriction Policies: importing and exporting policies, automatic generation of rules from multiple files, audit-only deployment, and Windows PowerShell cmdlets.

How does it work?

An AppLocker rule is a control placed on a file that governs whether it is allowed to run for a specific user or group. Rules are grouped into collections by file type, and each rule is built from a condition (publisher, path, or file hash) that identifies the files it covers.

Architecture and components

AppLocker relies on the Application Identity Service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control SeAccessCheckWithSecurityAttributes or AuthzAccessCheck functions.


AppLocker intercepts and evaluates whether a file is allowed to execute at three points:

  • A new process is created
  • A script is run
  • A DLL is loaded

Process Overview for Deploying AppLocker

AppLocker Design and Deployment Process – By Microsoft – Create AppLocker Policies

The phases are summarized as follows –

  1. Envision – Determine the objectives and scope, and identify assumptions and risks.
  2. Plan – Perform a detailed analysis of the environment: computers, users’ roles, and the applications to be controlled.
  3. Develop – Create AppLocker rules on reference computers for the operating system and all applications. Test and refine the rules until they are ready for formal testing, then export the rule sets to XML.
  4. Stabilize – Validate the policy in detail (typically in Audit only mode) and configure centralized monitoring of AppLocker events.
  5. Deploy – Switch AppLocker to Enforce rules mode to complete the deployment.

AppLocker Rule Collections

AppLocker enforces rules by grouping enforcement for different types of files. AppLocker includes five different types of rules collections:

  • Executable files: .exe and .com
  • Windows Installer files: .msi, .mst, and .msp
  • Scripts: .ps1, .bat, .cmd, .vbs, and .js
  • DLLs: .dll and .ocx
  • Packaged apps and packaged app installers: .appx

Configure Enforcement Rule

  • Open the Local Security Policy editor: type secpol.msc in the Start menu and choose Run as administrator.
Create AppLocker Policies – secpol.msc
  • Expand Application Control Policies, click AppLocker, and click Configure rule enforcement on the right side.
Create AppLocker Policies – Application Control Policies
  • For each rule collection you can set enforcement to Enforce rules or Audit only.
  • Enforce rules: rules in the collection are enforced, and every evaluation is written to the AppLocker event log.
  • Audit only: rules are evaluated but nothing is blocked; every evaluation is written to the AppLocker event log so you can see what would have been blocked.
  • Tick the Configured box for each file type, then click Apply and OK.
Create AppLocker Policies – Properties

Rule Conditions

The three primary rule conditions are publisher, path, and file hash.

The condition determines how the rule identifies the files it applies to, which controls are available, and how the rule behaves when the software changes.

Publisher – Publisher conditions can only identify digitally signed applications. They are easier to maintain than file hash rules because they do not need to be updated for every new version, and a single rule can cover an entire product suite.

Path – Path conditions are best for known, well-protected locations such as Program Files and Windows. They provide less security than the other conditions: if the folder covered by a path rule contains subfolders that local users can write to, anything dropped into those subfolders is allowed as well.

File hash – File hash rules use a cryptographic hash of the identified file and are the option for files that are not digitally signed. They are more secure than path rules, but every new version of the file has a new hash and needs a new rule.
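As an added example (not code from the original post), the following PowerShell shows what the AppLocker cmdlets expose for each condition type, generates one rule of each kind so the XML shapes can be compared, and then runs the check a practitioner wants before trusting a path rule: which subfolders under the rule’s root a standard user can write to. It assumes an elevated session with the AppLocker module (present on Windows 10/11 Enterprise and Education) and that Firefox is installed at its default path; the unsigned file path C:\Tools\helper.exe is hypothetical and should be replaced with a file that exists.

```powershell
# Added example, not code from the original post. Run elevated on a machine
# with the AppLocker PowerShell module. Paths below are assumptions: change
# them to files that exist on your system.
Import-Module AppLocker

$signed   = 'C:\Program Files\Mozilla Firefox\firefox.exe'  # assumed: Authenticode-signed
$unsigned = 'C:\Tools\helper.exe'                           # hypothetical unsigned binary

# 1. What AppLocker can see about each file. Publisher is only filled in for
#    signed files; Hash and Path are always available.
foreach ($file in $signed, $unsigned) {
    if (Test-Path -LiteralPath $file) {
        Get-AppLockerFileInformation -Path $file | Select-Object Path, Publisher, Hash | Format-List
    }
}

# 2. Generate one Allow rule per condition type for the signed file so the
#    three rule shapes can be compared in the XML that New-AppLockerPolicy emits.
$info = Get-AppLockerFileInformation -Path $signed
foreach ($type in 'Publisher', 'Hash', 'Path') {
    "`n=== $type rule ==="
    $info | New-AppLockerPolicy -RuleType $type -User Everyone -RuleNamePrefix "Demo $type" -Xml
}

# 3. The path-rule caveat made concrete: a path rule on a folder also allows
#    anything a standard user can drop into a writable subfolder. List subfolders
#    of the rule root where low-privilege principals can create files or folders.
$root      = 'C:\Program Files'
$lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 2 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band $writeBits) -ne 0) {
                [pscustomobject]@{
                    Folder    = $_.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    } | Format-Table -AutoSize
```

Any folder the last step prints is a place where a path rule on C:\Program Files would allow user-supplied code; either exclude it with a deny path rule, fix the ACL, or cover the application with a publisher or hash rule instead.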

Create AppLocker Rules

Open the Local Security Policy editor: type secpol.msc in the Start menu and choose Run as administrator.

AppLocker includes default rules for each rule collection. These rules are intended to ensure that important system files are still allowed to run once AppLocker is enforced.

  • Under Application Control Policies, expand AppLocker, right-click Executable Rules, and click Create Default Rules.
Create AppLocker Policies – Create Default Rules – Intune WIP

Important – You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as any other AppLocker rule.

  • The default rules have been created successfully, as shown below.
Create AppLocker Policies – Default rules have been created successfully

In this post, I’ll walk you through an example of creating a new Executable rule that blocks Mozilla Firefox for everyone.

  • In the left pane under AppLocker, right-click Executable Rules and select Create New Rule.
Create AppLocker Policies – Executable Rules – Create New Rule
  • Click Next.
Create AppLocker Policies – Create Executable Rules
  • If you want to apply the rule to a specific user or group, click Select.

Note – The default is Everyone, which applies the rule to all users and groups.

A rule can be configured to use allow or deny actions:

  • Allow: You can specify which files are allowed to run for which particular user or groups of users in your environment.
  • Deny: You can specify which files are not allowed to run for which particular user or groups of users in your environment.
Create AppLocker Policies – Permission
  • Click Advanced, then Find Now, select the user or group the rule should allow or deny, and click OK.
Create AppLocker Policies – Advanced button
  • On the Conditions page, select File hash and click Next.

File hash rules use a cryptographic hash of the file computed by the system. For files that are not digitally signed, file hash rules are more secure than path rules.

Keep hash rules to a minimum: the rule must be updated each time a new version of the file is released, because a new binary has a new hash.

Create AppLocker Policies – File Hash
  • Click Browse Folders… and select the folder containing the files you want to allow or deny. For this example, browse under “C:\Program Files” to the Firefox installation folder. Every file in the selected folder becomes its own hash condition in the rule, so pick the narrowest folder that contains the target application rather than all of “C:\Program Files”.

Note – To target a single executable (for example firefox.exe) instead of a folder, add it with Browse Files… instead.

Create AppLocker Policies – Select a folder containing the necessary files
  • The files in the folder are listed with their hashes; click Next.
Create AppLocker Policies – Specific file or click browse folders
  • On the Name page, type a name and description for the rule, and then click Create.
Create AppLocker Policies – Name and Description
  • The rule restricting Mozilla Firefox now appears under Executable Rules, as shown below.
Create AppLocker Policies – Executable Rules
  • Once done, close the Local Security Policy editor.

Repeat the same steps for each rule collection you need rules in (Executable, Script, Windows Installer, and DLL). If you generate rules with the AppLocker PowerShell cmdlets instead of the console, these collections correspond to the -FileType values Exe, Script, WindowsInstaller, and Dll.
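The console steps above, done with the AppLocker cmdlets, as an added example that is not code from the original post: it writes the three default executable rules in AppLocker’s XML schema with the collection set to Audit only, turns the hash rule that New-AppLockerPolicy generates for firefox.exe into a Deny rule (the cmdlet only emits Allow rules), applies the result locally, asks the policy engine for its decision, and exports the policy. It assumes an elevated session on Windows 10/11 Enterprise or Education, that Firefox is installed at its default path, and uses a scratch folder under %TEMP%.

```powershell
# Added example, not code from the original post. Run elevated on Windows 10/11
# Enterprise or Education. Assumes Firefox at its default install path.
Import-Module AppLocker

$firefox = 'C:\Program Files\Mozilla Firefox\firefox.exe'
$work    = Join-Path $env:TEMP 'applocker-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. AppLocker evaluates nothing unless the Application Identity service runs.
sc.exe config AppIDSvc start= auto
Start-Service -Name AppIDSvc

# 2. The three default executable rules, in AppLocker's own XML schema, with the
#    collection in Audit only (EnforcementMode="AuditOnly"; "Enabled" is Enforce rules).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
[xml]$policy   = $policyXml
$exeCollection = $policy.AppLockerPolicy.RuleCollection

# 3. Hash condition for firefox.exe. New-AppLockerPolicy only emits Allow rules,
#    so flip Action to Deny and copy the rule into the Exe collection above.
[xml]$generated = Get-AppLockerFileInformation -Path $firefox |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Block Firefox' -Xml
foreach ($rule in $generated.AppLockerPolicy.RuleCollection.FileHashRule) {
    $rule.SetAttribute('Action', 'Deny')
    $exeCollection.AppendChild($policy.ImportNode($rule, $true)) | Out-Null
}

$policyFile = Join-Path $work 'exe-policy.xml'
$policy.Save($policyFile)
Set-AppLockerPolicy -XmlPolicy $policyFile   # replaces the local policy; add -Merge to keep existing rules

# 4. Ask the engine for its decision before a user does. An explicit Deny wins
#    over the Program Files Allow rule, so firefox.exe should come back Denied
#    and notepad.exe Allowed through the %WINDIR% rule.
Get-AppLockerPolicy -Local |
    Test-AppLockerPolicy -Path $firefox, "$env:WINDIR\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Same as Export Policy in the console: the XML you hand to GPO, SCCM/MECM, or Intune.
Get-AppLockerPolicy -Local -Xml |
    Set-Content -Path (Join-Path $work 'exported-policy.xml') -Encoding UTF8
```

Because the collection is in Audit only, Firefox still launches after step 3; the attempt is logged as an audit event (8003) rather than a block (8004). Once the audit log looks right, change EnforcementMode to Enabled in the XML and apply it again to enforce.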

Export AppLocker Rules

  • To export an AppLocker policy to an XML file, right-click AppLocker in the AppLocker console and click Export Policy.
Create AppLocker Policies – Export Policy
  • Browse to the location where you want to save the XML file.
  • In the File name box, type a file name for the XML file, and then click Save.

Clearing – Deleting AppLocker Rule

Once all of the AppLocker policies have been created and exported to XML, the local security policy of the reference computers should be cleared.

This will ensure that policy can be deployed and managed centrally, and the effective policy on the reference computers won’t contain rules from the local policy.

To clear AppLocker policy

  • In the AppLocker console, right-click AppLocker and click Clear Policy.
Create AppLocker Policies – Clear Policy
  • On the Clear Policy prompt, click Yes to confirm.
Create AppLocker Policies – Clear Policy Window – Yes
  • An AppLocker dialog box reports how many rules were permanently removed. Click OK.
Create AppLocker Policies – Application Control Policies
  • Reboot the machine.

To delete a rule in an AppLocker policy

  1. Open the AppLocker console.
  2. Click the rule collection that contains the rule, right-click the rule, click Delete, and then click Yes to confirm.
Create AppLocker Policies – Application Control Policies – Executable Rules

Develop Phase

Points to consider when testing and validating AppLocker rules:

  • Deploy a reference computer that will be used for authoring the AppLocker rules.
  • Set the Application Identity service to Automatic and make sure it is running.
  • Put AppLocker into Audit only mode so that the rules you create do not actually block execution.
  • Auto-generate AppLocker rules for each of the file categories that will be used, and edit them manually to meet your exact requirements.
  • Test all end-user and administrative usage cases, and review the audit entries in the event log.
  • Export the AppLocker policies into individual XML files for later import.

On target devices, make sure the Application Identity service is enabled, set to Automatic, and running. AppLocker cannot enforce rules if this service is not running.

  • The Application Identity service determines and verifies the identity of an application. Stopping this service prevents AppLocker policies from being enforced.
  • Open a command prompt with Run as administrator.
  • Run the following command to set the service to Automatic and start it (sc.exe expects a space after start=):
sc.exe config "AppIDSvc" start= auto & net start "AppIDSvc"
Create AppLocker Policies – sc config "AppIDSvc" start= auto & net start "AppIDSvc"
  • To check the service in the Services console, type services.msc in the Start menu search box, run it as an administrator, find the display name “Application Identity”, and verify that its status is Running (click Start if it is not).
  • Note that on Windows 10 and later the Application Identity service runs as a protected process, so its Startup type cannot be changed from the Services console; use the sc.exe command above or Group Policy (System Services) to set it to Automatic.
Create AppLocker Policies – Application Identity Properties

Analyze AppLocker Events

The AppLocker event logs show whether a policy reached a device and what it allowed, audited, or blocked, which is how you verify that the policy was delivered and applied.

All AppLocker events are written to the Applications and Services Logs under Microsoft > Windows > AppLocker:

  • Microsoft-Windows-AppLocker/EXE and DLL
  • Microsoft-Windows-AppLocker/MSI and Script
  • Microsoft-Windows-AppLocker/Packaged app-Deployment
  • Microsoft-Windows-AppLocker/Packaged app-Execution

A list of relevant AppLocker event IDs can be found in Microsoft’s documentation.

Event Viewer – Create AppLocker Policies
  • Event ID 8001 indicates that the AppLocker policy was successfully applied to the computer.
Event Viewer – Event ID – 8001
  • Event ID 8003 (Audit only) indicates that an .exe or .dll was allowed to run but would have been blocked had the policy been enforced; this is the event to review during a pilot.
  • Event ID 8004 indicates that an .exe or .dll file was blocked from running.
Event Viewer – Event ID – 8004
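As an added example (not code from the original post), the following PowerShell reads the two AppLocker logs named above, confirms a policy was applied (8001), flattens the audit and block events (8003/8004 for EXE and DLL, 8006/8007 for MSI and Script) into objects, and produces the inventory view you want from an Audit only pilot before switching to Enforce rules. It assumes an elevated session on a device that has had an AppLocker policy applied; the CSV path under %TEMP% is an assumption.

```powershell
# Added example, not code from the original post. Run elevated on a device that
# has had an AppLocker policy applied. Event IDs: 8001 policy applied;
# 8003/8006 audit (would have been blocked); 8004/8007 blocked.
$exeLog   = 'Microsoft-Windows-AppLocker/EXE and DLL'
$msiLog   = 'Microsoft-Windows-AppLocker/MSI and Script'
$auditIds = 8003, 8006
$blockIds = 8004, 8007

# 1. Did a policy reach this device at all? The newest 8001 is the last refresh.
$applied = Get-WinEvent -FilterHashtable @{ LogName = $exeLog; Id = 8001 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($applied) { "Policy last applied: $($applied.TimeCreated)" }
else          { 'No 8001 event found: no AppLocker policy has been applied here' }

# 2. Pull audit and block events from both logs and flatten the UserData XML
#    (PolicyName, FilePath, FileHash, Fqbn, TargetUser) into objects.
$events = Get-WinEvent -FilterHashtable @{ LogName = $exeLog, $msiLog; Id = $auditIds + $blockIds } -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $d    = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $user = $d.TargetUser
    try {
        $user = ([System.Security.Principal.SecurityIdentifier]$d.TargetUser).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch { }   # keep the raw SID if it no longer resolves
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Mode       = if ($e.Id -in $auditIds) { 'Audit' } else { 'Blocked' }
        Collection = $d.PolicyName      # EXE, DLL, MSI or SCRIPT
        File       = $d.FilePath        # uses AppLocker's %PROGRAMFILES%/%WINDIR% variables
        User       = $user
        Hash       = $d.FileHash
        Publisher  = $d.Fqbn            # empty when the file is unsigned
    }
}

# 3. Inventory view: which files would be (or were) blocked, how often, by whom,
#    and whether they are signed (publisher-rule candidate) or not (hash rule,
#    or a path that needs tightening).
$rows | Group-Object Mode, Collection, File |
    ForEach-Object {
        [pscustomobject]@{
            Count     = $_.Count
            Mode      = $_.Group[0].Mode
            File      = $_.Group[0].File
            Publisher = $_.Group[0].Publisher
            Users     = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Count -Descending | Select-Object -First 25 |
    Format-Table -AutoSize

$rows | Export-Csv -Path (Join-Path $env:TEMP 'applocker-events.csv') -NoTypeInformation
```

Run it on the reference computer during the Stabilize phase and again on a sample of production devices after enforcement; the Packaged app-Deployment and Packaged app-Execution logs use their own event IDs and are not covered here.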

Results

Once the policy has been applied, a user who tries to open the blocked executable (Mozilla Firefox) gets the prompt shown below.

“This app has been blocked by your system administrator”

Create AppLocker Policies -  Results
Create AppLocker Policies – Results

I will try to cover later how to apply AppLocker policies based on path or publisher rules using SCCM or MECM. Until then, stay tuned!

Resources

  • AppLocker design guide
  • How AppLocker works
  • AppLocker deployment guide

5 thoughts on “How to Create AppLocker Policies to Secure Windows Environments Intune”

  1. *Note – You can configure AppLocker policies on any edition of Windows 10, but you can only enforce AppLocker on devices running Windows 10 Enterprise, Education or Windows Server 2016 or later.*

    Does the above sentence mean that the Windows Information Protection policy / AppLocker policies with respect to WIP will not get enforced on Windows 10 Pro and Windows 10 Home devices?