Secure apps with AppLocker

 103 total views


2021-03-27 10:47:06

Applocker is another level of security and its purpose is to restrict or allow access to software within a specific group of users.

Today, a lot of applications don’t need admin access to run, like IT Pro, because this is a threat to your environment.

While installing and configuring Applocker can increase cybersecurity and protect your data from any unauthorized access.

If you’re thinking why use Applocker, the answer is here. You can use it to protect against unwanted software, standardize or administer software.

In today’s post, Make tech easier will guide you on how to install and deploy via GPO Applocker in specific servers.

Applocker can be deployed in the following versions of Windows:

  • Windows 10 Enterprise
  • Windows Server 2012, 2016, 2019

Before starting to deploy Applocker, you must know exactly which applications are allowed to run. This is the most important step because if you try to apply Applocker without recording the required applications then you will create a lot of problems for users and day-to-day operations of the company.

In case you’re not 100% sure what apps should be allowed, you can use Applocker in Audit Mode to identify all the apps.

How to activate Applocker

Log in to the Domain Controller and open it Group Policy Management.

Right-click on the OU (Organization Unit) you want to create the Applocker Policy and select Create a GPO in this Domain and link it here.

Select Create a GPO in this Domain and link it here

Enter a favorite name and press OK.

Now, click on the new policy and in Security FilteringClick Add and select the group Domain Computers or any other groups you’ve created, including Servers or Workstations you want to deploy it.

Remember to include a specific OU that links the Applocker GPO. If not, you must link the GPO in the OU that includes all the servers or workstations where you want to deploy Applocker.

Choose a group
Choose a group

Right click on the new policy and select Edit.

Go:

Computer ConfigurationWindows SettingsSecurity SettingsApplication Control PoliciesApplocker

Extend Applocker.

Right click Executable Rules and choose Create Default Rules.

Select Create Default Rules
Select Create Default Rules

The default rules are:

  • All files located in the Program Files folder (All files are in the Program Files folder)
  • All files located in the Windows folder (All files are in Windows folder)
  • All files for the Builtin Administrators Group (All files for Builtin Administrators Group)

Until you get familiar with Applocker, you should leave these rules as is if you don’t want to break everything.

Default rules
Default rules

Right click Applocker and choose Properties.

Select Properties
Select Properties

Check it Configured and choose Audit Only.

Select Audit Only
Select Audit Only

Regime Audit Only Do not allow or deny logging in Event Viewer.

In this way, you can determine if all applications must be running or not before starting to enforce Applocker rules.

How to implement Applocker GPO

Don’t create any rules until you have verified that Applocker works without issue.

You can deploy the Applocker in the test server until you are familiar with and identified any problems.

To run Applocker, you must start the service Application Identity in the server you want to deploy.

In the Applocker GPO, go to:

Computer ConfigurationWindows SettingsSecurity SettingSystem Services

Find the service Application Identity.

Find the Application Identity service
Find the Application Identity service

Right click on the service and select Properties.

Choose Define this policy Settings.

Choose Automatic.

Press OK.

Now, when you apply Applocker GPO, service Application Identity will start.

When applying Applocker GPO, the Application Identity service will start
When applying Applocker GPO, the Application Identity service will start

Log in to the server where you want to deploy Applocker, open Command Prompt, and run:

gpupdate /force

Restart the server.

How to verify that Applocker is running in the server or the workstation

After the server has restarted, it is necessary to verify that Applocker is running:

Open Event Viewer.

Extend:

Application and Services LogsMicrosoftApplocker

Click Execute DLL.

Verify that Event ID 8001 exist.

Verify that Event ID 8001 exists
Verify that Event ID 8001 exists

How to create Applocker rules

After you have seen what applications are running on the server, you can now create the Applocker rules you need.

Open Applocker GPO.

Right click Executable Rules and choose Create New Rule.

Select Create New Rule
Select Create New Rule

Press next.

Click Next
Click Next

Determine whether you want to allow or deny and select the appropriate group.

Choose the appropriate group
Choose the appropriate group

Choose how you want to locate the application.

Choose how you want to locate the application
Choose how you want to locate the application

Note that if you choose Path Since the Domain Controller has no application to go from path, you can do the following.

Select Path
Select Path

Open Event Viewer in the server or workstation running Applocker and copy / paste Path from Logs.

Copy the path
Copy the path

Now, click Next.

Press next again unless you want to add an exception.

Add an exception
Add an exception

Enter a name and click Create.

Click Create
Click Create

Go to the server or workstation and check if the rule is applied as follows:

Extend:

Application and Services LogsMicrosoftApplocker

Click Execute DLL.

Verify that Event ID 8002 with your application exists

Applocker is not difficult to apply. The most difficult thing is to prepare all the necessary requirements before applying Applocker to avoid damaging something in your environment.

.

#Secure #apps #AppLocker

Related Posts

Leave a Reply

Your email address will not be published.

Close Bitnami banner
Bitnami