Enforcing AppLocker Rules

Like SRPs (Software Restriction Policies), AppLocker isn’t enabled by default, and finishing your rules doesn’t mean they are being enforced on your clients. Enforcement requires two additional steps. First, you must specify, per rule collection, whether the rules are enforced or run only for auditing. Second, you must make sure the Application Identity service is running on the targeted machines; without it, AppLocker policy is silently ignored.

You set AppLocker’s enforcement options in the properties of the AppLocker container in the GPO. For each of the three main rule collections (Executable rules, Windows Installer rules, and Script rules), you specify whether the collection is configured (the default is Not configured) and, if so, whether its rules are enforced or run only in audit mode.

The Audit only option is a useful feature new with AppLocker that SRPs lack. When a rule collection is set to Audit only, the rules in that collection aren’t enforced, but every time a user runs an application that a rule affects, information about the rule and the application is written to the local machine’s AppLocker event log container (Applications and Services Logs\Microsoft\Windows\AppLocker in Event Viewer).

I recommend that you select the Configured check box and choose Audit only in the drop-down list for each of the three rule collections. This protects you from locking yourself out, and it lets you see whether your rules catch the intended applications and whether they’re too permissive or too restrictive. Stay in Audit only mode until you’ve recorded and evaluated all the rules’ effects and side effects; only then switch the collections to Enforce rules.

Note that the Advanced tab of the AppLocker container’s properties exposes a fourth rule collection, DLL rules, which covers *.dll and *.ocx files. Microsoft set this collection apart on the Advanced tab because DLL checking has a noticeable performance impact when it’s enabled: every library a process loads is evaluated against the policy. In addition, whitelisting every allowed DLL creates a significant amount of administrative overhead. The trade-off is that without the DLL collection, code in a library loaded by an allowed process isn’t checked. Enable AppLocker DLL protection only in organizations with extremely high security requirements (e.g., government or defense organizations).

The last step in guaranteeing AppLocker enforcement is to make sure the Application Identity service (AppIDSvc) is running on your Server 2008 R2 and Windows 7 machines. This service is set to Manual startup by default, so rules you have configured do nothing until it starts. To use AppLocker properly, set the service to start automatically; the System Services node under Security Settings in a GPO lets you configure all your machines at once. Because anyone with local administrator rights can stop the service and thereby bypass AppLocker policy enforcement, you need to keep tight control over your administrator accounts.
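As an added example (not code from the original article), the following PowerShell script walks the steps above on a single machine: it writes a policy in which the three main rule collections are configured but set to Audit only, dry-runs it with Test-AppLockerPolicy, applies it, sets the Application Identity service to start automatically, and reads back the audit events. It assumes an elevated PowerShell on Windows 7 / Server 2008 R2 or later with the AppLocker module available; the path rules, the temporary file name and the LDAP path for the GPO are placeholders to replace with your own.

```powershell
# Added example, not from the Windows IT Pro article. Stages an AppLocker policy in
# Audit only mode and enables the Application Identity service.
# Assumes: elevated PowerShell, AppLocker module present; rules and LDAP path are placeholders.
Import-Module AppLocker

# Helper: emit one Allow path rule for Everyone (S-1-1-0). Constructed for this example.
function New-PathRuleXml {
    param([string]$Name, [string]$Path)
    $id = [guid]::NewGuid()
@"
    <FilePathRule Id="$id" Name="$Name" Description="Example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# 1. All three main collections are configured but AuditOnly: nothing is blocked yet,
#    hits are only logged. The DLL collection is deliberately left NotConfigured.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRuleXml -Name 'Allow Windows folder' -Path '%WINDIR%\*')
$(New-PathRuleXml -Name 'Allow Program Files' -Path '%PROGRAMFILES%\*')
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
$(New-PathRuleXml -Name 'Allow Windows Installer cache' -Path '%WINDIR%\Installer\*')
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathRuleXml -Name 'Allow scripts in Windows folder' -Path '%WINDIR%\*')
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-audit.xml'   # placeholder location
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# 2. Dry run before touching the machine: which executables under Program Files
#    would this policy not allow? Anything listed here is a rule gap to fix first.
Get-ChildItem -Path $env:ProgramFiles -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }

# 3. Apply to the local policy. For the whole domain, import the same XML into the GPO
#    with -Ldap instead; the DN below is a placeholder.
Set-AppLockerPolicy -XmlPolicy $policyFile
# Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap 'LDAP://dc1.example.com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'

# 4. Nothing is evaluated until the Application Identity service runs (Manual by default).
#    sc.exe is used rather than Set-Service because on newer Windows releases the service
#    is protected and Set-Service may be refused; the GPO System Services setting is the
#    fleet-wide equivalent.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Confirm what is actually in effect on this machine (local policy merged with GPOs).
Get-AppLockerPolicy -Effective -Xml

# 6. Read the audit trail. In Audit only mode, event 8003 (EXE and DLL log) and
#    8006 (MSI and Script log) mean "was allowed, but would have been blocked if enforced".
$auditLogs = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}
foreach ($log in $auditLogs.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $auditLogs[$log] } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

Once the 8003/8006 events show only hits you expect, change each collection’s EnforcementMode from AuditOnly to Enabled in the XML and re-apply; the same file imports into the GPO via -Ldap so every machine receives it at once. Note that step 3 replaces the existing local policy rather than merging into it (Set-AppLockerPolicy has a -Merge switch if you need the latter).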

Source: Windows IT Pro, June 2010

