Last week I had a fun IT security conversation with a client where we kicked around the idea of how we’d harden an enterprise environment so that anti-virus software wasn’t necessary. (These conversations are why I love IT Audit!)

While there are multiple solutions that would need to be in place to go anti-virus free, the one that seemed to excite my client the most was AppLocker.

What is AppLocker?

AppLocker is an application whitelisting feature introduced with Windows 7 and Windows Server 2008 R2. It is normally deployed through Group Policy in a Microsoft Active Directory domain (it can also be set in Local Security Policy on a single machine) and lets the IT administrator define a whitelist of approved applications. Anything not covered by an allow rule is refused, which blocks the installation of unauthorized or unsupported applications and stops most malicious software from running in the first place. Enforcement depends on the Application Identity service (AppIDSvc) running on each client; if that service is stopped, AppLocker neither enforces nor logs.

AppLocker organizes rules into Rule Collections, one per high-level file format: Executables (.exe, .com), Scripts (.ps1, .bat, .cmd, .vbs, .js), Windows Installer files (.msi, .msp, .mst), DLLs (.dll, .ocx) and Packaged apps (the Windows 8 Store/Appx format). Each collection is enforced independently, so a policy that only covers executables leaves scripts and DLLs unrestricted.

[Screenshot: AppLocker rule collections]

Next, the systems engineer chooses a Rule Condition for each rule. The condition is what AppLocker compares the file against at run time, and it forms the basis of every AppLocker Rule.

There are three AppLocker Rule Conditions:

  1. Publisher: Requires the application to be digitally signed with a certificate Windows can validate. The rule can match the publisher alone or be narrowed by product name, file name and file version, so a single rule survives routine updates from the same vendor.

    [Screenshot: Publisher rule condition]

  2. Path: Allows applications to run only from approved directories, and denies anything launched from non-approved locations such as the Desktop, Temp or Downloads folders. This is the weakest of the three conditions: any folder under an allowed path that standard users can write to lets a user (or malware running as that user) drop a file exactly where the rule permits it, so path rules should point only at directories that standard users cannot modify, and the NTFS permissions on those directories need checking as part of the audit.

    [Screenshot: Path rule condition]

  3. Hash: Compares a SHA-256 hash of the file, computed at run time, with the hash stored in the rule to verify that the file is exactly the one that was approved. This is the most precise condition and a good alternative for applications that are not digitally signed, but every patch changes the hash, so hash rules have to be regenerated each time the application is updated.

    [Screenshot: File hash rule condition]
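The three conditions above are easiest to see by letting AppLocker generate them from a real file. The script below is an added example, not code from the original post: it collects the file information AppLocker matches on (path, publisher, hash) and builds a rule for each sample, showing how a signed file gets a Publisher rule while an unsigned one falls back to Hash. It assumes the AppLocker PowerShell module (Windows 7 / Server 2008 R2 or later); the two sample paths are illustrative, and the Downloads file is assumed to be unsigned.

```powershell
# Added example (not from the original post). Generates one rule per condition
# type for a given file and prints the XML AppLocker builds from it. Assumes the
# AppLocker module (Windows 7 / Server 2008 R2 or later); the two sample paths are
# illustrative and the Downloads file is assumed to be unsigned.
Import-Module AppLocker

$samples = @(
    "$env:windir\System32\notepad.exe",        # signed by Microsoft
    "$env:USERPROFILE\Downloads\tool.exe"      # assumed unsigned (illustrative path)
)

foreach ($file in $samples) {
    if (-not (Test-Path $file)) { continue }

    # One object carrying everything the three conditions can match on:
    # Path (expressed with AppLocker path variables such as %WINDIR%),
    # Publisher (empty if the file is unsigned) and Hash (SHA-256 of the file).
    $info = Get-AppLockerFileInformation -Path $file
    $info | Format-List Path, Publisher, Hash

    # -RuleType is a preference list: AppLocker emits the first condition the
    # file can satisfy, so a signed file gets a FilePublisherRule and an unsigned
    # one falls back to a FileHashRule. Path is listed last because it is the
    # weakest condition and should only be used when nothing else fits.
    New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash, Path `
        -User Everyone -RuleNamePrefix Demo -Xml
}
```

Run it once against a signed binary and once against an unsigned download and compare the two XML fragments: the first contains a FilePublisherCondition with the signer's distinguished name and a version range, the second a FileHashCondition with the SHA-256 value and the file length. Neither rule is applied by this script; it only prints what would be written.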

A simple AppLocker Rule Set Scenario:

Consider how much protection you could add to your organization by applying just the following two allow rules to each AppLocker Rule Collection:

  • Allow applications to only run from %PROGRAMFILES%\*
  • Allow only digitally signed applications

AppLocker allow rules combine with OR: a file runs if it matches either rule and is refused if it matches neither (explicit deny rules, if you add any, override both). These two rules would stop much of the commodity malware seen in a corporate environment, since it typically arrives unsigned and executes from a user-writable location such as the Temp or Downloads folder. They are not a complete defence, though: malware signed with a stolen or purchased certificate, legitimate signed Windows utilities abused to run attacker-supplied code, and any user-writable folder under %PROGRAMFILES% (which on 64-bit Windows covers both Program Files directories) all pass. Start in Audit Only mode so you can see what the rules would have blocked before they block it.
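The scenario above written out as an actual policy, so it can be tested before it is enforced. This is an added example and not code from the original post: it emits the path rule and the "any signed publisher" rule for every rule collection in Audit Only mode, dry-runs the policy against a few files with Test-AppLockerPolicy, and then applies it locally. It assumes an elevated PowerShell with the AppLocker module on Windows 7 / Server 2008 R2 or later; the sample file paths are illustrative, and the Downloads and SomeApp files are assumed to be unsigned.

```powershell
# Added example (not from the original post). Expresses the two-rule scenario
# as an AppLocker policy for every rule collection, runs it through
# Test-AppLockerPolicy against a few files, then applies it locally in Audit
# Only mode. Assumes an elevated PowerShell with the AppLocker module; the
# sample file paths are illustrative, not from the post.
Import-Module AppLocker

# S-1-1-0 is the Everyone SID. Packaged-app (Appx) rules can only use the
# Publisher condition, so the path rule is skipped for that collection.
function New-TwoRuleCollection {
    param([string]$Type, [switch]$WithPathRule)
    $pathRule = if ($WithPathRule) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow from Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
"@
    } else { '' }
@"
  <RuleCollection Type="$Type" EnforcementMode="AuditOnly">
$pathRule
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow any signed file" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@
}

$collections = foreach ($t in 'Exe', 'Dll', 'Script', 'Msi') { New-TwoRuleCollection -Type $t -WithPathRule }
$collections += New-TwoRuleCollection -Type 'Appx'
$policyXml = "<AppLockerPolicy Version=`"1`">`n$($collections -join "`n")`n</AppLockerPolicy>"

$policyPath = Join-Path $env:TEMP 'applocker-two-rules.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run as a standard user (Everyone). "DeniedByDefault" means no allow rule matched.
$files = @(
    "$env:windir\System32\notepad.exe",      # signed, outside %PROGRAMFILES%: allowed by the publisher rule
    "$env:USERPROFILE\Downloads\tool.exe",   # assumed unsigned, in Downloads: DeniedByDefault
    "$env:ProgramFiles\SomeApp\helper.exe"   # assumed unsigned but under %PROGRAMFILES%: allowed by the path rule
) | Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $files -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in Audit Only. The Application Identity service must be running
# or AppLocker neither enforces nor logs. Add -Ldap "LDAP://..." to Set-AppLockerPolicy
# to write the same XML into a Group Policy object instead of the local policy.
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
```

The third sample file is the caveat from the Path condition in script form: an unsigned binary sitting in a directory under %PROGRAMFILES% is allowed purely because of where it is, so the decision for that row depends entirely on whether standard users can write there. Flip EnforcementMode to "Enabled" only after the audit logs have been reviewed.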

Considerations for the Auditor and IT Manager

In addition to mitigating the risk of malicious software running in the corporate environment, AppLocker has a few other features that make the IT Auditor's and the Security and Compliance Manager's lives much easier.

AppLocker can also be used for:

  • Generating application inventory lists from what actually runs on the endpoints (think IT Asset Management)
  • Generating application statistics and logging (Audit Only mode writes an event for every file that runs or would have been blocked, and the results can be exported to a spreadsheet)
  • Enforcing software version controls through the version range on a Publisher rule (i.e. Adobe Acrobat Reader Version X may run, but not Version 9)
  • Verifying license conformance and compliance, since the inventory shows which applications are installed and in use
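The inventory, statistics and logging items above all come out of the AppLocker event logs once the policy has run in Audit Only mode. The script below is an added example, not code from the original post: it exports a file inventory to CSV, ranks files by how often they ran, and lists the files that would have been blocked under enforcement (event IDs 8003 for EXE/DLL and 8006 for MSI/Script are the "allowed, but would have been blocked" audit events; 8004 and 8007 are real blocks). It assumes the policy has been collecting events for a while; the CSV path is illustrative.

```powershell
# Added example (not from the original post). Pulls the audit-mode data out of
# the AppLocker event logs: a file inventory, run counts, and the files that
# would have been blocked under enforcement. Assumes the policy has run in
# Audit Only mode long enough to collect events; the CSV path is illustrative.
Import-Module AppLocker

$exeLog    = 'Microsoft-Windows-AppLocker/EXE and DLL'
$scriptLog = 'Microsoft-Windows-AppLocker/MSI and Script'

# 1. Inventory: every file AppLocker saw run, with path, publisher and hash.
#    Exported to CSV this doubles as an asset list of what is actually used.
Get-AppLockerFileInformation -EventLog -LogPath $exeLog -EventType Allowed, Audited |
    Select-Object @{ n = 'Path';      e = { "$($_.Path)" } },
                  @{ n = 'Publisher'; e = { "$($_.Publisher)" } },
                  @{ n = 'Hash';      e = { "$($_.Hash)" } } |
    Export-Csv -Path "$env:TEMP\applocker-inventory.csv" -NoTypeInformation

# 2. Statistics: how often each audited file ran, to rank what to whitelist first.
Get-AppLockerFileInformation -EventLog -LogPath $exeLog -EventType Audited -Statistics |
    Sort-Object Counter -Descending | Select-Object -First 20 | Format-Table -AutoSize

# 3. Would-be blocks: 8003 (EXE/DLL) and 8006 (MSI/Script) are "allowed, but would
#    have been blocked" audit events; 8004 and 8007 are real blocks once enforcing.
$wouldBlock = Get-WinEvent -FilterHashtable @{ LogName = $exeLog, $scriptLog; Id = 8003, 8006 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # AppLocker events carry their details in UserData/RuleAndFileData, not in
        # the ordinary EventData block, so parse the event XML directly.
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = $data.TargetUser
            File = $data.FilePath
        }
    }

# Distinct files by count: each row is either an application missing from the
# whitelist or something that should stay blocked, and the auditor decides which.
$wouldBlock | Group-Object File | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The third list is the one to work through before switching to enforcement: a legitimate line-of-business tool showing up with a high count needs a rule (Publisher if it is signed, Hash if not), while an unsigned binary running from a user's profile is exactly what the policy is meant to catch.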

Conclusion and Notes on Implementing AppLocker

I could write an entire post on implementing AppLocker. In fact, I implemented and tested it within my test domain as I wrote this post. It really is that easy! But that is outside the scope of this blog. (If you really want it, let me know in the comments!)

Instead, I would rather point you to a few pros who have already done the work for me.

AppLocker is a great tool for preventing malware, and once you take the time to build your organization’s whitelist it is arguably more effective than even the best anti-virus solution at stopping unknown executables, because it does not need to recognize the malware; it only needs to not recognize it as approved. Consider the level of security you might achieve when it is used in conjunction with an effectively implemented firewall, an intrusion detection system and a staff with a heightened awareness of IT security.

Please leave your impressions, experiences, tips and tricks in the comments!