Application Whitelisting with AppLocker

If you are part of defending an infrastructure, then you know defense-in-depth is the name of the game. The more detection systems you can employ to detect anomalies or malicious actions, the better your chance of keeping the network safe. One of many ways to aid in this endeavor is application whitelisting. While there are many different types of application whitelisting, I’d like to focus on Windows AppLocker.

AppLocker does have some cons. For starters, the feature is only available in Windows 7 and Server 2008 R2 and up, and it is limited to Windows 7 Enterprise and Ultimate along with Server 2008 R2 clients. For XP and Vista, you can use Software Restriction Policies to provide some defense, but not as much as AppLocker would provide.

To configure it, go to Administrative Tools and open the Group Policy Management console on your Domain Controller. Once you are there, right-click the Default Domain Policy and click Edit to open the Group Policy Management Editor. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. You should see the screen below. Take note of the options available in the right pane after clicking on AppLocker, and of those shown below it in the left pane.

[Screenshot: AppLocker]

The first thing we want to do is set up rule enforcement by clicking “Configure Rule Enforcement” in the middle of the right pane. From there, we have the option of audit only (logging) or enforcing when a rule of that category is triggered.

The next thing we need to do is add the rules, which are the options under AppLocker in the left pane. Below is a quick breakdown of those categories.

Executable Rules: These are the rules that apply to executable files.
Windows Installer Rules: These are the rules that apply to Windows Installer packages with .msi and .msp extensions.
Script Rules: These are the rules that apply to script files with .ps1, .cmd, .vbs, .bat, and .js extensions.

Now that we have AppLocker configured, we need to turn on the Application Identity service across the domain. To do that, we will create a GPO. The path within said GPO is Computer Configuration > Windows Settings > Security Settings > System Services > Application Identity.
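
Once both GPOs have reached a client, the settings described above can be checked from PowerShell on that client. The script below is an added example, not part of the original post. The function names Get-AppLockerHealth and Get-AppLockerDecision are hypothetical; the cmdlets, the service name AppIDSvc, the log names and the event IDs are the built-in Windows ones.

```powershell
# Added example: run in an elevated PowerShell session on a client after the GPOs have applied.
Import-Module AppLocker   # needed on PowerShell 2.0 (Windows 7); auto-loaded on later versions

function Get-AppLockerHealth {
    # 1. Rules are only evaluated while the Application Identity service (AppIDSvc) is running.
    $svc = Get-Service -Name AppIDSvc
    New-Object psobject -Property @{ Check = 'Service'; Item = $svc.Name; State = $svc.Status }

    # 2. Enforcement mode per rule category in the effective (GPO + local) policy.
    #    EnforcementMode is NotConfigured, AuditOnly or Enabled.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in @($policy.AppLockerPolicy.RuleCollection | Where-Object { $_ })) {
        New-Object psobject -Property @{
            Check = 'RuleCollection'
            Item  = $rc.Type      # Exe, Msi, Script, ...
            State = '{0} ({1} rules)' -f $rc.EnforcementMode, $rc.ChildNodes.Count
        }
    }
}

function Get-AppLockerDecision {
    param([int]$MaxEvents = 200)
    # 8003 / 8006: audit only, the file would have been blocked if rules were enforced.
    # 8004 / 8007: the file was blocked by an enforced rule.
    $meaning = @{ 8003 = 'WouldBlock'; 8006 = 'WouldBlock'; 8004 = 'Blocked'; 8007 = 'Blocked' }
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'
    foreach ($log in $logs) {
        $filter = @{ LogName = $log; Id = 8003, 8004, 8006, 8007 }
        # SilentlyContinue: Get-WinEvent raises an error when a log has no matching events.
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id,
                @{ Name = 'Decision'; Expression = { $meaning[[int]$_.Id] } },
                Message
    }
}

# Service state and enforcement mode for each rule category.
Get-AppLockerHealth | Format-Table Check, Item, State -AutoSize

# What the rules caught, grouped by decision. Review the WouldBlock entries
# before switching a category from audit only to enforced.
Get-AppLockerDecision | Group-Object Decision | Select-Object Count, Name | Format-Table -AutoSize
Get-AppLockerDecision -MaxEvents 20 | Format-List TimeCreated, Decision, Message
```

A stopped AppIDSvc, or a rule category still reported as NotConfigured, means the rules in that category are not being applied on that machine.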