SESSION CODE: WCL303
AppLocker: Your Solution for True Application Smackdown
Jeremy Moskowitz, Group Policy MVP
Chief Propeller-Head: GPanswers.com
Founder: PolicyPak Software (policypak.com)
WHAT'S THE POINT? Why do you need "Application Whitelisting" technology?
• Common arguments "against" the need:
  • "We're already locked down..."
  • "We're already running with 'standard user' rights."
• Good uses for application whitelisting:
  • Prevent users from running "portable" (non-installed) applications
  • Prevent users from installing MSIs
    • Seriously: try installing Firefox or Google Chrome as a local, non-elevated user; per-user installers do not need admin rights
  • Restricting parts of the operating system (sol.exe)
  • Restricting junior admins or "prying eyes" from "big things" (gpmc.msc)
  • Ensuring only the "correct" versions of specific applications are used
IN THE BEGINNING... There was Software Restriction Policy (SRP). And it was good...
• Built in to Windows XP
• Has whitelisting and blacklisting ability
• Four rule types:
  • Hash rules
  • Path rules
  • Network Zone rules (apply only to Windows Installer packages)
  • Certificate rules
IN THE BEGINNING... There was Software Restriction Policy (SRP)
• Of course, still available on XP and...
• Also available in ALL versions of Windows 7
• No "direct" migration path to AppLocker: you will need to re-create the rules during the transition
• Huge gotcha!
  • Once AppLocker is turned on and the first rules are applied, SRP is no longer enforced on that machine. The editions that understand AppLocker ignore SRP rules whenever any AppLocker rule is present.
APPLOCKER 101
• Good news:
  • Under the hood, it is referenced as "SRPv2"
  • Configured via Active Directory Group Policy or Local Policy
  • Way better for whitelisting
• Targets can be:
  • Windows 7
  • Windows Server 2008 R2 (the original Windows Server 2008 has SRP only, not AppLocker)
• Only available in the following Windows 7 editions:
  • Enterprise
  • Ultimate
IMMUTABLE APPLOCKER LAWS
• AppLocker's "brain" evaluates every rule collection in this order:
  • Law #1: Explicit deny: a specific rule that denies an action. A deny always wins, even over an allow that also matches.
  • Law #2: Explicit allow: a specific rule that allows an action.
  • Law #3: Implicit deny: all files not specifically named by an Allow rule are automatically blocked (once the collection contains at least one rule and is enforced).
• Not related to Asimov's "Three Laws of Robotics"
  • http://en.wikipedia.org/wiki/Three_Laws_of_Robotics
APPLOCKER "RULES"
• Action:
  • Allow
  • Deny
• Based upon a condition:
  • Path
  • File hash
  • Publisher
• Rule collections:
  • Executable
  • DLL
  • Windows Installer
  • Script
• Rules can carry "Exceptions". An exception only carves files out of that one rule; it is not a deny, so a different Allow rule that matches the file still lets it run.
• Mix and match, like this:
  • ALLOW Executables based upon who PUBLISHED the application (publisher condition), EXCEPT a specific application (or version), which then falls through to the implicit deny
  • Windows Installer rule based upon a specific build (file hash)
  • DENY Scripts based upon where they execute from (path condition), EXCEPT for a certain (known good) directory
APPLOCKER: Four Steps to Success
• Step 1: Setting up the default rules (highly recommended, not required)
• Step 2: Adding more rules (also highly recommended, not required)
• Step 3: Leveraging AUDIT vs. ENFORCE mode
• Step 4: Turning on the client's Application Identity (AppID) service
STEP 1: SETTING UP THE DEFAULT RULES (or... how NOT to blow your foot off)
• Default rules are NOT created by default; you create them by right-clicking the rule collection and choosing "Create Default Rules"
• Different default rules for each rule collection
EXECUTABLE RULE DEFAULTS (good ideas to get started with)
• Allow Everyone to run anything that is already installed in the Program Files folder (path %PROGRAMFILES%\*)
• Allow Everyone to run anything in the Windows folder (path %WINDIR%\*); without this one, enforcing the collection blocks Windows' own binaries
• Allow members of the local Administrators group to run any file (path *)
STEP 2: ADDING YOUR OWN RULES
• On the rule collection, right-click and select "Create New Rule..."
• Add your rule with its conditions (shown in the demonstration)
STEP 3: AUDIT ONLY VS. ENFORCE
• AppLocker modes (set per rule collection):
  • Enforce rules
  • Audit only: nothing is blocked, but every file that would have been blocked is logged
• Logs go to Applications and Services Logs | Microsoft | Windows | AppLocker (the "EXE and DLL" and "MSI and Script" logs)
STEP 4: TURN ON THE APPID SERVICE ON THE CLIENT
• Final step to fully engage AppLocker: no rule is evaluated until the Application Identity service (AppIDSvc) is running
• Can be done manually (good for one-off testing)
• Can be scripted
• Can be done via Group Policy Preferences (my preferred way!)
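The four steps above, plus the "mix and match" rule shapes from the APPLOCKER "RULES" slide, carried through as one script. This is an added example and not code from the deck: it builds an Executable rule collection in Audit Only mode (the three default rules, a publisher allow with an exception, and an explicit deny), merges it into the local policy, starts AppIDSvc and reads back the audit events. The publisher string "O=CONTOSO LTD, L=SEATTLE, S=WASHINGTON, C=US" and the binary name CONTOSOTOOL.EXE are placeholders; take real values from Get-AppLockerFileInformation.

```powershell
# Added example, not from the original deck. Run in an elevated Windows PowerShell prompt.
# Assumptions: the Contoso publisher string and CONTOSOTOOL.EXE below are placeholders.
Import-Module AppLocker

function New-ExampleExePolicyXml {
    # Every rule needs its own GUID; AppLocker rejects duplicate Ids on import.
    $ids = 1..5 | ForEach-Object { [guid]::NewGuid().ToString() }
    # S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Step 1: the three default rules. Without the %WINDIR% rule, enforcing this collection blocks Windows itself. -->
    <FilePathRule Id="$($ids[0])" Name="(Default) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[1])" Name="(Default) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[2])" Name="(Default) All files" Description="Administrators can run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Step 2: ALLOW by publisher EXCEPT one binary below version 2.0. The exception is carved out of this allow; it is not a deny. -->
    <FilePublisherRule Id="$($ids[3])" Name="Contoso signed binaries (placeholder publisher)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=CONTOSO LTD, L=SEATTLE, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=CONTOSO LTD, L=SEATTLE, S=WASHINGTON, C=US" ProductName="*" BinaryName="CONTOSOTOOL.EXE">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="1.9.9.9" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
    <!-- Explicit DENY (Law #1): matches Everyone, so it wins even over the Administrators allow-all above. -->
    <FilePathRule Id="$($ids[4])" Name="Block the user-writable Windows\Temp folder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
$xmlText = New-ExampleExePolicyXml
[xml]$xmlText | Out-Null                                   # fail fast if the XML is malformed
Set-Content -Path $policyPath -Value $xmlText -Encoding UTF8

# Step 3: merge into the local GPO. Nothing is blocked yet because the collection is AuditOnly.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Step 4: rules are only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate /force | Out-Null

# Audit trail: 8003 = allowed but would have been blocked (audit), 8004 = blocked (enforce).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { @(8003, 8004) -contains $_.Id } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Let the 8003 events accumulate for a representative period, add rules for whatever legitimate software shows up, and only then change EnforcementMode to "Enabled". On current Windows 10/11 builds AppIDSvc is a protected service and Set-Service cannot change its start type; use `sc.exe config appidsvc start= auto` there instead.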
APPLOCKER RESULTS
• Default user pop-up (screenshot not reproduced here): Windows tells the user the program is blocked by Group Policy and to contact the system administrator for more information
APPLOCKER: Safety Precedence. How safe can you get?
• Hash rule:
  • Safest, most specific: only that exact file content runs
  • Issue: unmanageable at scale; every patch or new build changes the hash and needs a new rule
• Publisher condition:
  • Next safest: survives updates as long as the signer (and, optionally, the product, binary name and version range you pin) stays the same
• Path condition:
  • Next safest
  • Issue: might expose "too much" file system within the whitelist, in particular any directory under the path that users can write to
APPLOCKER: SECURITY AWARENESS. How the bad guys can still get you
• Path condition: they figure out where an application is allowed to run and move it there (e.g. copy the application somewhere under Program Files and run it from there; the default rule allows that). This only works if the user can write to a location under the allowed path, so audit the allowed paths for user-writable directories.
• Publisher condition: a publisher certificate gets compromised, and a "bad guy" signs malicious code with the (allowed) certificate.
• Code injection: without DLL rules, an allowed .EXE can be fooled into loading a DLL it was not supposed to load (DLL planting / search-order hijacking).
  • Mitigated when DLL rules are enabled, because every loaded DLL is then checked against the DLL rule collection
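The path-condition bypass above only works where a standard user can write under an allowed path. The following script, added here and not part of the deck, walks the roots covered by the two default Executable path rules and reports every directory that grants create-file rights to Everyone, Authenticated Users, Users or INTERACTIVE. It assumes Windows PowerShell 2.0 or later; directories whose ACL cannot be read are skipped.

```powershell
# Added example, not from the original deck: find user-writable directories under the
# paths the default AppLocker Executable rules allow (%PROGRAMFILES%\* and %WINDIR%\*).
$allowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }

# Principals every interactive standard user belongs to, by SID so the check does not
# depend on the display language: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Rights that let a caller create or overwrite a file in a directory.
[int]$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                  [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                  [System.Security.AccessControl.FileSystemRights]::Write -bor
                  [System.Security.AccessControl.FileSystemRights]::Modify -bor
                  [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-LowPrivWritable {
    # Returns $true if a low-privilege principal can drop a file here, $false if not,
    # $null if the ACL could not be read.
    param([Parameter(Mandatory = $true)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs do not apply to this directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # A Deny ACE for one of these principals overrides any Allow.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

$findings = @()
foreach ($root in $allowedRoots) {
    # Slow on %WINDIR% (WinSxS alone holds tens of thousands of folders); run once per build image.
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        if (Test-LowPrivWritable -Path $dir.FullName) { $findings += $dir.FullName }
    }
}

if ($findings.Count -eq 0) {
    'No user-writable directories found under the default Allow paths.'
} else {
    'User-writable directories covered by the default path rules; add Deny rules or exceptions for them, or switch to publisher rules:'
    $findings | Sort-Object -Unique
}
```

On a stock Windows 7 build this typically reports folders such as %WINDIR%\Tasks and %WINDIR%\Temp. Each hit is a directory from which any user can launch an arbitrary .EXE under the default rules until you carve it out.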
APPLOCKER: SECURITY AWARENESS (Part II). How the bad guys can still get you
• EXE rules: .EXE, .COM, and that's it.
• DLL rules: .DLL, .OCX, and that's it.
• Script rules: .PS1, .BAT, .CMD, .VBS, .JS, and that's it.
  • AppLocker is extensible by 3rd-party script hosts
• Windows Installer rules: .MSI and .MSP, and that's it.
• Anything outside these lists is never evaluated by AppLocker. If an interpreter runs some other file format, the only control you have is an EXE rule on the interpreter itself.
APPLOCKER: MORE INFO FOR USERS. Default vs. "more info" dialog
• Optional result: the block dialog gains a "More information" link that opens your own support page
• Computer Configuration | Policies | Administrative Templates | Windows Components | Windows Explorer | Set a support web page link
AUTOMATICALLY GENERATING RULES
• Get a "representative machine" (a clean, fully patched build with the standard application set; whatever is on it becomes allowed)
• Right-click the rule collection and choose "Automatically Generate Rules..."
• Export Rules / Import Rules (the policy travels as XML)
DEMO: AppLocker manual rule creation, automatically generating rules, export and import
APPLOCKER + APP-V: GOTCHA
• App-V has a "virtual drive" it uses
• Usually the Q: drive
• You must add an Allow rule for the Q: drive (a path rule such as Q:\*), or AppLocker keeps blocking the virtualized applications
APPLOCKER + POWERSHELL AUTOMATION
• Get the cmdlets on Windows 7 using:
  • Import-Module AppLocker
• PowerShell cmdlets:
  • Get-AppLockerFileInformation
  • Get-AppLockerPolicy
  • Set-AppLockerPolicy
    • Applies a specific "fully formed" AppLocker XML policy, locally or to a domain GPO
  • New-AppLockerPolicy
  • Test-AppLockerPolicy
• Check out:
  • go.microsoft.com/fwlink/?linkid=144111
APPLOCKER POWERSHELL EXAMPLES

Get AppLocker file info (for .EXEs):
  Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

Create an AppLocker policy XML rule set from that file info (publisher rules where the file is signed, hash rules as the fallback):
  Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml

Merge that rule set into the local AppLocker policy (local GPO):
  Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone | Set-AppLockerPolicy -Merge

APPLOCKER POWERSHELL EXAMPLES – PART 2

Write the rule set into a domain GPO, addressed by its LDAP path (without -Merge this replaces whatever AppLocker policy the GPO already holds):
  Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone | Set-AppLockerPolicy -Ldap "LDAP://DC.fabrikam.com/CN={4391FF66-197D-4BBE-B83E-4B536A09B543},CN=Policies,CN=System,DC=Fabrikam,DC=com"

Dump a domain-based GPO's AppLocker rules:
  Get-AppLockerPolicy -Domain -Ldap "LDAP://DC.fabrikam.com/CN={4391FF66-197D-4BBE-B83E-4B536A09B543},CN=Policies,CN=System,DC=Fabrikam,DC=com" -Xml > output.xml

The applications for which a user is blocked:
  Step 1: export the effective policy (local plus domain) as XML:
    Get-AppLockerPolicy -Effective -Xml > output2.xml
  Step 2: test every .EXE under Program Files against it (each result shows the file, its PolicyDecision and the matching rule; add -User <name> to test someone other than yourself):
    Get-ChildItem -Path 'C:\Program Files' -Recurse -Filter *.exe | Convert-Path | Test-AppLockerPolicy -XmlPolicy .\output2.xml
Some Tips and Best Practices (PART 1 of 2). Things to think about before / during / after your rollout
• ALLOW rules with DENY exceptions are likely your best bet
• DLL rules: turn on if you have the horsepower and can monitor it (every DLL load in every process gets checked)
  • Subtip: not all DLLs from a package are necessarily digitally signed! Unsigned DLLs can only be covered by hash or path rules.
• Try to get your "internal devs" on board with digitally signed apps (.EXEs and .DLLs)
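Before writing rules for a package, it helps to know how much of it is actually signed. This script is an added example, not from the deck; it uses Get-AppLockerFileInformation (which fills in Publisher only for Authenticode-signed files) to split a directory into publisher-coverable and hash-only files. The path "$env:ProgramFiles\Contoso Tool" is a placeholder.

```powershell
# Added example, not from the original deck. Assumption: $Directory is the installed
# package you are about to write Executable/DLL rules for.
Import-Module AppLocker

function Get-SigningCoverage {
    param(
        [Parameter(Mandatory = $true)][string]$Directory,
        [string[]]$FileType = @('Exe', 'Dll')
    )
    # Get-AppLockerFileInformation hashes every file and sets Publisher only when the
    # file carries a valid Authenticode signature.
    $files    = @(Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType $FileType)
    $signed   = @($files | Where-Object { $_.Publisher })
    $unsigned = @($files | Where-Object { -not $_.Publisher })

    # One publisher rule per distinct signer covers all of its files, updates included.
    $byPublisher = $signed |
        Group-Object { $_.Publisher.PublisherName } |
        Sort-Object Count -Descending |
        Select-Object Count, Name

    New-Object PSObject -Property @{
        Directory     = $Directory
        Total         = $files.Count
        Signed        = $signed.Count
        Unsigned      = $unsigned.Count
        Publishers    = $byPublisher
        UnsignedPaths = @($unsigned | ForEach-Object { $_.Path.ToString() })
    }
}

$report = Get-SigningCoverage -Directory "$env:ProgramFiles\Contoso Tool"   # placeholder path
'{0}: {1} files, {2} signed, {3} unsigned' -f $report.Directory, $report.Total, $report.Signed, $report.Unsigned
$report.Publishers | Format-Table -AutoSize
if ($report.Unsigned -gt 0) {
    'Unsigned files (publisher rules cannot cover these; hash rules will, but every patch changes the hash):'
    $report.UnsignedPaths
}
```

The unsigned list is the concrete thing to hand to the internal dev team: every file on it becomes a hash rule you will have to re-create on each release until it is signed.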
Some Tips and Best Practices (PART 2 of 2). Things to think about before / during / after your rollout
• When ready, use Group Policy Preferences to turn on the AppID service en masse
  • Don't turn on the WRONG service, like "Application Experience" (oops!)
• Start with Executable rules, and move onward toward Windows Installer, Script, and possibly DLL rules
• Emergency troubleshooting:
  • Use Group Policy Preferences to DISABLE the AppID service; with the service stopped, no AppLocker rules are enforced on that machine
MORE INFORMATION
• Microsoft AppLocker documentation:
  • http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx
  • http://tinyurl.com/AppLocker1 (noted as Beta)
• Microsoft AppLocker PowerShell reference:
  • go.microsoft.com/fwlink/?linkid=144111
  • http://blogs.msdn.com/powershell/archive/2009/06/02/getting-started-with-applocker-management-using-powershell.aspx
• Understanding why users can install MSI apps as regular users (Darwin Sanoy):
  • http://csi-windows.com/blog/videos
• GPanswers.com/training and GPanswers.com/book
  • Hands-on examples (live training, and in book form)
Related Content
• SIA12-HOL – Windows 7 AppLocker Hands-On Lab
What is the Springboard Series?
The Springboard Series IT pro experience offers dynamic content and structured guidance across the adoption lifecycle.
• Inside of Microsoft we are:
  • A turnkey IT pro engagement platform for depth and breadth
  • The program to mobilize MS marketing and field to focus on desktop OS IT pros
• To the IT pro, our goal is:
  • Be the definitive resource for Desktop IT pros
  • Open, honest; show don't tell
  • Information at the right time, right level across the Adoption Lifecycle
• Adoption lifecycle (diagram not reproduced): DISCOVER, EXPLORE, PILOT, DEPLOY, MANAGE, each answering one of: "Is it worth the pain?", "Is our environment ready?", "Is the organization ready?", "How does it change my work?", "How do I maintain and optimize?"
• Weekly, monthly and quarterly rhythm of topical content: Springboard Technical Experts Panel, event support and resources, straight-talk monthly feature articles and overview guides, one Windows TechCenter in 10 languages, TalkingAboutWindows video blogs, virtual roundtable events
Visit the Springboard Series on TechNet at www.microsoft.com/springboard
Resources
• Learning: Sessions On-Demand & Community; Microsoft Certification & Training Resources
  • www.microsoft.com/teched
  • www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st http://northamerica.msteched.com/registration You can also register at the North America 2011 kiosk located at registrationJoin us in Atlanta next year
Do MORE with Group Policy Extend Group Policy for AWESOME control • Group Policy Tips • Live Training • Online Training Free Software: www.policypak.com Group Policy “To Go”
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.