AppLocker Best Practices and why you should follow them

AppLocker is a great solution for your security, and it's free. You can also use it with Intune to apply the rules to workstations that aren't connected to your LAN.

However, it has some limitations and prerequisites that I have mentioned in previous articles.

You can find the prerequisites in the article How to install and configure AppLocker to improve Application Control & Security.

Like every product or feature, AppLocker has some best practices that you must follow to make your life easier and avoid creating more trouble.

I understand that best practices are not followed every time because most of them are very general.

But with AppLocker, spend some time reading them, because it's very easy to break things with a very small change.

So let's start!

 

Identify all the applications in your environment.

Before you start to use AppLocker on your local server or AppLocker in Intune, the first thing you must do is collect and create a list of all the applications in your environment.

It's essential to know all the applications that have been installed on desktops and servers, because then you can design much better which applications must be allowed or denied, and on which systems.

Remember, you don't want to create more errors and more troubleshooting time. You want to improve the security of your environment. Don't hurry, and design carefully.

 

Identify the list of applications that each department or group uses.

It's very important to know which applications every user or department uses. If you haven't done this yet, run this task and create a list that represents your Department Groups and their associated applications.

The list must include the following details:

  • Application Name.
  • Full Path of the application.
  • The type of the application in the Department Group. For example: critical, production application, personal application.
  • Installation files of the application that need administrator access. This can help you install the application as administrator without needing to create a new rule in AppLocker every time.

When you have the list ready, you will have what you need to make better decisions about how to design the rules in AppLocker.

However, applications that were installed in the past are often forgotten. So be ready to find applications that should have been removed but never were.

 

Create the Security Groups in Active Directory based on the list of applications that they use

AppLocker rules can't be applied to an individual user, only to Security Groups. You must create the Security Groups in your Active Directory based on the list from the previous step.

Identify the members of every Security Group.

 

Create the default rules in AppLocker

The default rules in AppLocker allow all the applications and files in the Program Files and Windows folders.

These folders are important to keep the Windows OS working. It's essential to create the default rules to avoid breaking things in your environment.

Probably when you first time run the Applocker.

Applocker Default Rules

 

 

Record all the GPOs that must be created in your environment

Design how the Group Policies will be applied in your environment. Record and create a list of the Group Policies based on the AppLocker rules that you will use.

You must design very carefully how the Group Policies will be applied and where they should be enforced or not. The following image from Microsoft helps explain how Group Policies are applied.

 

Use the rules in Audit Only mode before enforcing them

Never enforce the rules without testing them first. AppLocker has the option to only audit the rules.

When you apply Audit Only, matches are written to the Event Logs but nothing is blocked.

Audit Only can also be used as a way to identify all the applications in your environment.

Applocker - Audit Only
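A pre-enforcement check for the two points above (default rules present, collections still in Audit Only), as an added example that is not part of the original article. The function name `Test-AppLockerReadiness` and the sample policy are constructed for illustration; on a real host the XML comes from `Get-AppLockerPolicy -Effective -Xml`.

```powershell
# Constructed sample policy: Exe is in audit mode but lacks the Windows folder rule,
# Script is already enforced with no rules at all.
$sampleXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Sample: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled" />
</AppLockerPolicy>
'@

function Test-AppLockerReadiness {
    param([Parameter(Mandatory)][string]$PolicyXml)

    # Paths covered by the default rules for the Exe and Script collections.
    $required = '%PROGRAMFILES%\*', '%WINDIR%\*'

    foreach ($rc in ([xml]$PolicyXml).AppLockerPolicy.RuleCollection) {
        if ($rc.Type -notin 'Exe', 'Script') { continue }

        # Collect the paths of every Allow path rule in this collection.
        $allowed = @($rc.FilePathRule |
            Where-Object { $_ -and $_.Action -eq 'Allow' } |
            ForEach-Object { $_.Conditions.FilePathCondition.Path })

        [pscustomobject]@{
            Collection          = $rc.Type
            Mode                = $rc.EnforcementMode   # NotConfigured, AuditOnly or Enabled
            MissingDefaultPaths = @($required | Where-Object { $_ -notin $allowed })
        }
    }
}

# Real host: Test-AppLockerReadiness -PolicyXml (Get-AppLockerPolicy -Effective -Xml)
Test-AppLockerReadiness -PolicyXml $sampleXml | Format-Table -AutoSize
```

A collection that reports `Enabled` together with missing default paths is the combination to fix before the GPO reaches users.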

 

Use a Log Management Server to keep the logs from AppLocker

A Log Management Server that collects all the logs related to AppLocker is necessary to keep an eye on application security.

AppLocker logs are written locally on every workstation and server, and you can't monitor the Event Logs of every PC and server one by one. It's a waste of time, and you will never get the complete picture.

Unfortunately, AppLocker doesn't have any solution to collect all the logs, so you have to do it yourself.

Read my article to see how to do it: How to collect AppLocker Logs from all Endpoints in one place

 

Monitor the logs and make the appropriate changes before enforcing.

Monitor the logs for 3-4 weeks before you enforce your first rules in the environment.

Users will not use all the applications every day. Also remember that some users may be sick or on annual leave.

If you reduce the monitoring time, some applications may not be used by the users during that period. This can break things in the future, because you will not have created the appropriate rule.
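One way to review the Audit Only events over the monitoring window, as an added example that is not part of the original article. The function name `Get-AppLockerAuditSummary` is hypothetical; it reads the local AppLocker logs (or those of the computer you name) and assumes the policy is already deployed in Audit Only mode.

```powershell
function Get-AppLockerAuditSummary {
    param(
        [int]$Days = 28,                                  # the 3-4 week window suggested above
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # 8003 (EXE and DLL) and 8006 (MSI and Script) mean:
    # "allowed to run, but would have been blocked if the policy were enforced".
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
                    'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = 8003, 8006
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Pull the file and user details out of each event's XML payload.
    $rows = foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            FilePath  = $data.FilePath
            Publisher = $data.Fqbn
            UserSid   = $data.TargetUser
            Time      = $e.TimeCreated
        }
    }

    # One line per file: how often, by how many users, and when it first appeared.
    $rows | Group-Object FilePath | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            FilePath  = $_.Name
            Hits      = $_.Count
            Users     = @($_.Group.UserSid | Sort-Object -Unique).Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Sort-Object FirstSeen -Descending
}

Get-AppLockerAuditSummary -Days 28 | Format-Table -AutoSize
```

Files at the top of the output were first seen late in the window; those are the applications a shorter monitoring period would have missed and that still need a rule before enforcement.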

 

Conclusion

After applying AppLocker in different environments, I understand that it's necessary to follow the best practices, especially if it's the first time that you try to apply AppLocker.

The best approach is to try it in a lab environment, where you have the opportunity to make mistakes and resolve them. This way you will gain some experience and avoid basic problems that may arise.

If you don't have a lab, then start with these best practices and keep to them every time you need to apply AppLocker.

Have a nice weekend

You can send me an email at info@askme4tech.com or leave your comments on Twitter or Facebook.
