In part one of this two-part technical tip, we explored application whitelisting features in Microsoft Windows 7 AppLocker, as well as how to define AppLocker rules. Here, we'll dive into how to automate AppLocker rule generation and how to apply those rules once you have AppLocker up and running.
AUTOMATING APPLOCKER RULE GENERATION
When it comes to defining rules for Windows XP/Vista Software Restriction Policies, admins are largely left to fend for themselves. With AppLocker, Microsoft included a couple of wizards to speed rule generation.
To get you started, a create-default rules wizard generates a trio of AppLocker rules that let everyone run executables only in the Windows and Program Files folders, while letting administrators run executables anywhere. These simple rules do not exploit AppLocker benefits; they create a sandbox in which to learn about AppLocker without accidentally locking yourself (an administrator) out.
To get you really rolling, the rule-creation wizard scours an entire reference PC to find all programs (executables, installers and scripts) and proposes a complete collection of AppLocker rules to allow them. Importantly, that collection maximizes program-rule use, falling back to hash rules only for programs without signatures.
You'll have a chance to preview and edit proposed rules before applying them in one fell swoop -- for example, to add exceptions or permit new program installation from network shares. This wizard speeds rule generation, but must usually be run on one of the PCs to be controlled. (Your Windows Server probably does not have a correct or complete set of reference programs.)
EASE INTO APPLOCKER
Due to its disallow-everything-else stance, take AppLocker out for a test drive using the Local Security Policy snap-in on a Windows 7 PC. Before you start, set the AppID service to start manually so you can easily recover from mistakes by rebooting. Begin with a few very broad allow rules, adding narrow deny rules to develop a feel for how AppLocker works -- including accidental lock-me-out mistakes common to whitelisting. You can also set AppLocker to run in audit-only mode, logging what would happen before changing rules to actively allow or deny programs.
Large enterprises will no doubt struggle with AppLocker due to the sheer complexity of whitelisting thousands of users, hundreds of groups, and the dizzying permutations that result from controlling diverse enterprise applications. However, midmarket businesses may find AppLocker easy enough to use -- and effective enough to make that effort worthwhile. A small office might be controlled entirely through local security policies by using the wizard to inventory each PC and fine-tune proposed rules that reflect what's currently installed there. Most midmarket businesses will prefer to apply AppLocker using centrally defined and maintained GPOs.
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
Send comments on this technical tip firstname.lastname@example.org.