Last week I had a fun IT security conversation with a client where we kicked around the idea of how we’d harden an enterprise environment so that anti-virus software wasn’t necessary. (These conversations are why I love IT Audit!)
While there are multiple solutions that would need to be in place to go anti-virus free, the one that seemed to excite my client the most was AppLocker.
What is AppLocker?
AppLocker is a feature introduced with Windows Server 2008 R2. It is implemented as part of Group Policy in a Microsoft Active Directory domain and allows the IT administrator to create a whitelist of approved applications, preventing the installation of unauthorized or unsupported applications and stopping malicious software from running at all.
AppLocker works by creating Rule Collections, which group applications by high-level format (Executables, Scripts, Windows Installers, DLLs, and Packaged/Windows 8 apps).
Next, the systems engineer can develop Rule Conditions, which form the basis for AppLocker Rules.
There are three AppLocker Rule Conditions:
- Publisher: Requires applications to be digitally signed and verified as authentic before being allowed to run. Also allows the administrator to restrict applications by other attributes like Version Number.
- Path: Allows for rules that restrict applications to running only from approved directories, and disallows running apps from non-approved directories like the Desktop, Temp or Downloads folders.
- Hash: Checks the hash value of an application at runtime against the AppLocker stored hash to verify the software’s authenticity. (Good alternative for apps that aren’t digitally signed.)
A simple AppLocker Rule Set Scenario:
Consider how much protection you could add to your organization by simply applying the following two rules to each AppLocker Rule Collection.
- Allow applications to only run from %PROGRAMFILES%\*
- Allow only digitally signed applications
These two rules alone would stop the vast majority of malicious applications since malware will not typically be digitally signed and will attempt to execute from the Temporary Directory or Downloads folder.
Considerations for the Auditor and IT Manager
In addition to AppLocker being a great tool for mitigating the risk of malicious software running in the corporate environment, there are a few other features of AppLocker that help make the IT Auditor and Security and Compliance Manager’s life much easier.
AppLocker can also be used for:
- Generating Application Inventory lists (Think IT Asset Management)
- Generating application statistics and logging (with Audit Only mode, exportable to a spreadsheet)
- Enforcing software version controls (e.g. Adobe Acrobat Reader Version X may run, but not Version 9)
- Verifying license conformance and compliance
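The two-rule scenario above and the Audit Only statistics from the list just finished, as one added PowerShell example (my own, not from the original post or from Microsoft's documentation); the GPO LDAP path, the rule GUIDs and the sample file paths are placeholders to replace with your own:

```powershell
# Added example: the two-rule scenario as a real AppLocker policy, deployed in
# Audit Only mode, dry-run against sample paths, then reported on from the event log.
Import-Module AppLocker

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Rule 1: only run from %PROGRAMFILES%\* (SID S-1-1-0 is Everyone) -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- Rule 2: allow any digitally signed executable, any publisher, any version;
         narrow PublisherName/ProductName or LowSection to enforce version control -->
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow signed"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
# Anything in the Exe collection that matches no Allow rule is implicitly denied once enforced.
$policyFile = "$env:TEMP\applocker-two-rules.xml"
Set-Content -Path $policyFile -Value $policyXml

# Dry run: which of these constructed sample paths would the policy allow for Everyone?
$samples = 'C:\Program Files\Notepad++\notepad++.exe', "$env:USERPROFILE\Downloads\invoice.exe"
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to a GPO (placeholder DN). Leave EnforcementMode="AuditOnly" until the audit
# log shows no legitimate applications being flagged, then change it to "Enabled".
$gpoLdap = 'LDAP://DC=corp,DC=example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example'
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $gpoLdap

# Audit-only events double as an application inventory and statistics source:
# per-file counts of "Audited" (would-have-been-blocked) events, exported for a spreadsheet.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics |
    Export-Csv -Path "$env:TEMP\applocker-audit-stats.csv" -NoTypeInformation
```

Only the Exe collection is configured here; Scripts, Windows Installers, DLLs and Packaged apps stay unrestricted until you add their own collections.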
Conclusion and Notes on Implementing AppLocker
I could write an entire post on implementing AppLocker. In fact, I implemented and tested it within my test domain as I wrote this post. It really is that easy! But that is outside the scope of this blog. (If you really want it, let me know in the comments!)
Instead, I would rather point you to a few pros who have already done the work for me.
- Free, almost perfect, malware protection with GPO App Locker
- YouTube: AppLocker Overview and Demonstration
- How To Geek AppLocker Guide
AppLocker is a great tool for preventing malware, and once you take the time to build your organization's whitelist, it is arguably more effective than even the best anti-virus solution. Consider the level of security you might achieve when it is used in conjunction with an effectively implemented firewall, an intrusion detection system and a staff with a heightened awareness of IT security.
Please leave your impressions, experiences, tips and tricks in the comments!