05 Feb

AppLocker: An Alternative to Anti-Virus

Last week I had a fun IT security conversation with a client where we kicked around the idea of how we’d harden an enterprise environment so that anti-virus software wasn’t necessary. (These conversations are why I love IT Audit!)

While there are multiple solutions that would need to be in place to go anti-virus free, the one that seemed to excite my client the most was AppLocker.

What is AppLocker?

AppLocker is a feature introduced with Windows Server 2008 R2. It is configured through Group Policy in a Microsoft Active Directory domain and lets the IT administrator create a whitelist of approved applications, preventing the installation of unauthorized or unsupported applications and stopping malicious software from running at all.

AppLocker works by creating Rule Collections, which group applications by high-level format (Executables, Scripts, Windows Installers, DLLs, and Packaged/Windows 8 apps).


Next, the systems engineer can develop Rule Conditions, which form the basis for AppLocker Rules.

There are three AppLocker Rule Conditions:

  1. Publisher: Requires applications to be digitally signed, and the signature verified as authentic, before they are allowed to run. Also lets the administrator restrict applications by other signed attributes such as the version number.


  2. Path: Allows rules that restrict applications to running only from approved directories, and disallows running apps from non-approved directories such as the Desktop, Temp or Downloads folders.


  3. Hash: Checks the hash of an application at runtime against the hash stored in AppLocker to verify the software’s authenticity. (A good alternative for apps that aren’t digitally signed.)


A simple AppLocker Rule Set Scenario:

Consider how much protection you could add to your organization simply by applying the following rules to each AppLocker Rule Collection.

  • Allow applications to only run from %PROGRAMFILES%\*
  • Allow only digitally signed applications

These two rules alone would stop the vast majority of malicious applications, since malware is typically not digitally signed and attempts to execute from the Temporary directory or the Downloads folder.
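The two-rule scenario above, written out as an AppLocker policy and dry-run against a few files before it is applied. This is an added example, not code from the original post: it builds the policy XML for the Exe rule collection in AuditOnly mode, asks Test-AppLockerPolicy what the policy would decide for sample paths, and leaves the Set-AppLockerPolicy call commented out. It assumes an elevated PowerShell session on a Windows build that ships the AppLocker module; $PolicyPath and the sample file paths are placeholders chosen for this example.

```powershell
# Added example (not from the original post): the "simple scenario" as an AppLocker policy.
# Assumptions: elevated PowerShell with the AppLocker module; $PolicyPath and the sample
# paths below are placeholders for this example.

Import-Module AppLocker

$PolicyPath = Join-Path $env:TEMP 'SimpleAppLockerPolicy.xml'

# S-1-1-0 is the well-known SID for Everyone. Rule Ids are arbitrary GUIDs.
# EnforcementMode="AuditOnly" logs what would be blocked without blocking anything.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow executables under Program Files"
                  Description="Rule 1 of the simple scenario" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow digitally signed executables (any publisher)"
                       Description="Rule 2 of the simple scenario" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# Dry run: what would this policy decide for a few executables?
# The sample paths are constructed for illustration; substitute files that exist on your system.
$samples = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",  # under Program Files -> Allowed by rule 1
    "$env:USERPROFILE\Downloads\unsigned-tool.exe",      # unsigned, outside Program Files -> Denied
    "$env:WINDIR\System32\notepad.exe"                   # no %WINDIR% path rule here: allowed only if
                                                         # the file carries an embedded signature
) | Where-Object { Test-Path $_ }

Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in AuditOnly mode, merging with whatever local policy already exists.
# Uncomment once the dry run looks right; review the AppLocker event log before switching
# the collection to EnforcementMode="Enabled".
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

The third sample path is the check worth keeping: the two rules as written cover Program Files and signed binaries only, so anything the OS or your management tooling runs from elsewhere shows up as a Denied decision in the dry run (and as audit events once the policy is deployed), which is exactly the list you need before turning enforcement on.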

Considerations for the Auditor and IT Manager

In addition to AppLocker being a great tool for mitigating the risk of malicious software running in the corporate environment, there are a few other features of AppLocker that help make the IT Auditor and Security and Compliance Manager’s life much easier.

AppLocker can also be used for:

  • Generating Application Inventory lists (Think IT Asset Management)
  • Generating application statistics and logging (with Audit Only mode, exportable to a spreadsheet)
  • Enforcing software version controls (i.e. Adobe Acrobat Reader Version X may run, but not Version 9)
  • Verifying license conformance and compliance
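The first three items in that list, carried out with the AppLocker cmdlets. This is an added example, not code from the original post: it exports an application inventory from Program Files, summarises AuditOnly-mode hits from the AppLocker event log, and generates a publisher rule pinned to a minimum version. It assumes an elevated PowerShell session with the AppLocker module, that the policy has been running in AuditOnly mode long enough to populate the log, and that $Out, $ReferenceExe and $MinimumVersion are placeholders you replace with your own values.

```powershell
# Added example (not from the original post): inventory, audit statistics and version control
# with the AppLocker cmdlets. Assumptions: elevated PowerShell with the AppLocker module;
# $Out, $ReferenceExe and $MinimumVersion are placeholders.

Import-Module AppLocker

$Out = Join-Path $env:TEMP 'applocker-audit'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Application inventory: every executable and script under Program Files, with the
#    publisher taken from its Authenticode signature (empty if unsigned) and the hash
#    AppLocker computes for hash rules.
Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe, Script |
    Select-Object Path,
                  @{ n = 'Publisher'; e = { $_.Publisher.PublisherName } },
                  @{ n = 'Product';   e = { $_.Publisher.ProductName } },
                  @{ n = 'Version';   e = { $_.Publisher.BinaryVersion } },
                  @{ n = 'Hash';      e = { $_.Hash.HashDataString } } |
    Export-Csv -Path (Join-Path $Out 'inventory.csv') -NoTypeInformation

# 2. Audit statistics. Event 8003 = ran, but would have been blocked under enforcement
#    (AuditOnly); 8004 = blocked; 8002 = allowed. Counting by file path ranks the gaps in
#    the whitelist by how often they are hit.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            FilePath = $x.Event.UserData.RuleAndFileData.FilePath
            User     = $_.UserId
        }
    } |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv -Path (Join-Path $Out 'audit-hits.csv') -NoTypeInformation

# 3. Version control: one product, this version or newer. The publisher condition is read
#    from an installed, signed binary rather than typed by hand, then the version range is
#    pinned explicitly so the rule no longer matches older releases.
$ReferenceExe   = "$env:ProgramFiles\<Vendor>\<Product>\<product>.exe"   # placeholder
$MinimumVersion = '10.0.0.0'                                              # placeholder

if (Test-Path $ReferenceExe) {
    $info = Get-AppLockerFileInformation -Path $ReferenceExe
    $pol  = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
                                -User Everyone -RuleNamePrefix 'VersionControl' -Xml
    $xml   = [xml]$pol
    $range = $xml.AppLockerPolicy.RuleCollection.FilePublisherRule.Conditions.FilePublisherCondition.BinaryVersionRange
    $range.LowSection  = $MinimumVersion
    $range.HighSection = '*'
    $xml.Save((Join-Path $Out 'version-rule.xml'))
}
```

Step 2 is the input to the "Audit Only mode" workflow the list mentions: run the policy without enforcement, export the 8003 hits, and every row is either a rule to add or a program to remove before enforcement is switched on. Step 3 produces the rule for "Version X may run, but not Version 9": anything signed by that publisher below LowSection fails to match.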

Conclusion and Notes on Implementing AppLocker

I could write an entire post on implementing AppLocker. In fact, I implemented and tested it within my test domain as I wrote this post. It really is that easy! But that is outside the scope of this blog. (If you really want it, let me know in the comments!)

Instead, I would rather point you to a few pros who have already done the work for me.

AppLocker is a great tool for preventing Malware, and once you take the time to build your organization’s whitelist, it is arguably more effective than even the best anti-virus solution. Consider the level of security you might achieve when used in conjunction with an effectively implemented Firewall, Intrusion Detection System and a staff with a heightened awareness of IT security.

Please leave your impressions, experiences, tips and tricks in the comments!

3 thoughts on “AppLocker: An Alternative to Anti-Virus”

  1. Shane,
    Thanks for bringing this to our attention. Very interesting. Good post.

    If the Simple AppLocker Rule Set was applied to a server, then you wouldn’t be able to run other admin utilities on the box from across the network (like Tivoli, Hyena, etc.). So then you’d have to have another rule to allow those utilities.

    That rule would have to be updated occasionally, and it would get applied to servers on which some of those admin apps do not need to be run. Or you’d need one rule for Exchange servers, another for file servers, etc. Then those rules would need updates.

    Even at this point, you’ve added complexity, and complexity leads to mistakes in support, not to mention all the help desk calls these rules would generate.

    Then the IT auditor would come along and demonstrate you’re not keeping your rules up-to-date, and question whether the security you’re adding is worth an extra 1000 help desk calls a year.

    I’m not advocating against security, but when it adds complexity and results in lots of help desk calls, then you have to think about the impact to the business (of course, you should think about that anyway).

    As I’ve often said “security/audit serves the business, not the other way around.”

    I realize this is a ‘fun IT security conversation’ post, not necessarily a recommendation, but I always urge readers to consider usability.

    I can see this configured on a select number of really critical servers or in the DMZ, but I think overall, it’s too complex to be truly workable, even if you can control it with group policy.

    Just wanted to add the perspective of a former network/server admin. Don’t mean to gather the rainclouds…

    What does everyone else think?

    • @ITAuditSecurity –

      Speaking out of ignorance here (never been a Network Admin) – but can AppLocker be implemented at the domain controller level so the rules propagate across all of the servers downstream? That would alleviate some of the burden of updating across servers (and the helpdesk ticket issue). Of course you would have to make the rules a little bit more broad so they apply across all servers, but it might be a good solution for the highest risk items.

      As with anything – no solution is the end-all-solution, but just another tool in the tool-bag.

      • AppLocker works via Group Policy, so the rules propagate out in the same fashion as any other GPOs (such as password policies) would.
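The propagation described in the exchange above, as an added example that is not part of the original thread: the policy XML is written into a domain GPO from an admin workstation, and each member server confirms that the GPO arrived, that the Application Identity service is running (without it AppLocker rules are not evaluated at all), and what its effective rule collections now look like. It assumes an account that may edit the GPO; the LDAP path, GPO GUID and $PolicyPath are placeholders.

```powershell
# Added example (not from the original thread): deploy an AppLocker policy through a GPO and
# verify it on a member server. Assumptions: rights to edit the GPO; <DC FQDN>, <GPO GUID>,
# the domain components and $PolicyPath are placeholders.

Import-Module AppLocker

# --- On an admin workstation: write the policy into the GPO (-Merge keeps existing rules) ---
$PolicyPath = 'C:\Policies\AppLockerPolicy.xml'                                         # placeholder
$GpoLdap    = 'LDAP://<DC FQDN>/CN={<GPO GUID>},CN=Policies,CN=System,DC=example,DC=com' # placeholder
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Ldap $GpoLdap -Merge

# --- On each member server: pull the GPO and check the enforcement prerequisites ---
gpupdate.exe /target:computer /force | Out-Null

# AppLocker is enforced by the Application Identity service; if it is stopped, every rule is moot.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}

# The effective policy is the merge of the local policy and every linked GPO, i.e. what the
# server actually applies. Summarise it per rule collection so a missing or AuditOnly
# collection is obvious at a glance.
$effective = [xml](Get-AppLockerPolicy -Effective -Xml)
$effective.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode, @{ n = 'Rules'; e = { @($_.ChildNodes).Count } } |
    Format-Table -AutoSize
```

The summary at the end is the piece to keep in a scheduled job: a server whose Exe collection reports AuditOnly after the rest of the estate was switched to Enabled, or whose rule count differs from the GPO, is the "rules not kept up to date" finding from the first comment, caught before the auditor does.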
