How to install and configure Applocker to improve Application Control & Security

Applocker is another Level of security and the purpose is to restrict or allow the access to software in specific group of users. 

Today lot of application aren't need administrator access to run. As IT Pro this is a threat for your environment.

While install and configure Applocker can increase the cybersecurity and  protect your data from any unathorise access.

If you are thinking why to use Applocker the answer is here. 

You can use it to protected against unwanted software , Software standardization , Software management.

If you want to more details you can read the AppLocker policy use scenarios in Microsoft Docs.

Today  i will install and Deploy through GPO Applocker in specific Servers.

Applocker can be deploy in the following Windows Versions

  • Windows 10 Enterprise
  • Windows Server 2012,2016,2019

So let's start !!

  • Before start to implement Applocker you must be know exactly which Applications must be allow to run.
  • This is the most important step because if you try to apply Applocker without note down what Applications must be allow then you will create lot of problems in your users and the daily operation of your company.
  • In case that you are not sure 100% which is the Applications that must be allow you can use Applocker in Audit Mode to identify all the applications.

 

 

How to enable Applocker

  • Login in the Domain Controller and open the Group Policy Management.
  • Right click in the Organization Until that you want to create the Applocker Policy and select Create a GPO in this Domain and link it here.

 

  • Type the preferred name and click OK
  • Now click on the new Policy and in Security Filtering click Add and select Domain Computers Group or any other Group that you have create and include the Servers or Workstations that you would like to deploy it.
  • Remember to included in the specific Organization Unit which has Link the Applocker GPO.
  • Unless you must link the GPO in the Organization Units which included all the Server or Workstations that you want  deploy the Applocker

 

  • Right click in the new Policy and select Edit
  • Go in Computer Configuration\Windows Settings\Security Settings\Application Control Policies\Applocker
  • Expand the Applocker
  • Right click in Executable Rules and select Create Default Rules

 

  • The Default Rules are 
    • All files located in the Program Files folder
    • All files located in the Windows folder
    • All files for the Builtin\Administrators Group.
  • Until familiarize with Applocker It's recommended to create and leave these Rules in the beginning because you don't want to break things.

 

  • Right click in Applocker and select Properties.

 

  • Check the Configured and select the Audit Only.

 

  • The Audit Only mode it's not Allow or Deny just write down Logs in Event Viewer.
  • With this way we can identify all the Applications that must run or not before start to  Execute Applocker Rules.

 

 

How to Deploy Applocker GPO

We don't want to create any Rule until verify that Applocker works without problems. 

So what we can do ? 

We can Deploy Applocker in a Test Server and not in Production Server until familiarize and identify any issue.

  • To run the Applocker you must start the Application Identity Service in the Server that you would like to deploy.
  • In the Applocker GPO go in Computer Configuration\Windows Settings\Security Setting\System Services.
  • Find the Application Identity Service 

 

  • Right click in the Service and select Properties.
  • Check the Define this policy Settings
  • Check the Automatic.
  • Click OK
  • Now when you apply the Applocker GPO the Application Identity service will start.

 

  • Login in the Server that you want to Deploy the Applocker open a Command Prompt and run gpupdate /force
  • Restart the Server

 

 

How to verify that Applocker Run in the Server or Workstation

After the server restart we must verify that the Applocker is run

  • Open the Event Viewer
  • Expand Application and Services Logs\Microsoft\Applocker.
  • Click on Execute DLL
  • Verify that the Event ID 8001 exist

 

 

 

How to Create an Applocker Rule

Now that we have see which Application run in our Server we can create the Applocker Rules that we need.

  • Open the Applocker GPO
  • Right click in Executable Rules and select Create New Rule

 

  • Click Next

 

  • Identify if you want to Allow or Deny and select the Appropriate Group

 

  • Select how you want to Identify the Application.

 

  • Note that if you select the Path because the Domain Controller will not has the Application to go from Path you can do the following.

 

 

  • Open the Event Viewer in the Server or Workstation that run the Applocker and copy/paste the Path from the Logs.

 

  • Now click Next.
  • Again Next except if you want to add an Exception

 

  • Type the Name and click Create.

 

  • Go in Server or Workstation and check if the Rule apply
  • How to do it? 
  • Expand Application and Services Logs\Microsoft\Applocker.
  • Click on Execute DLL
  • Verify that the Event ID 8002 with your application exist

That's it.

Applocker it's not very difficult to apply.

The difficult part is to be prepare with all the requirements before apply the Applocker to avoid break things in your environment.

 

 - - > Follow my next article which explain How to collect Applocker Logs from all Endpoints in one place

 

You can send me an email at info@askme4tech.com  or do your comments in Twitter or Facebook

I invite you to follow me on Twitter or Facebook. If you have any questions, send email to me at info@askme4tech.com.

Disqus Comments