Abstract
This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker for Windows Server 2008 R2 and Windows 7. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.
Copyright information
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. 2011 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, AppLocker, Active Directory, Internet Explorer, RemoteApp, PowerShell, Windows, Windows Vista, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents

AppLocker Policies Deployment Guide
  Abstract
  Copyright information
  Contents
AppLocker Policies Deployment Guide
  Purpose of this guide
  Prerequisites to deploying AppLocker policies
  Contents of this guide
  Additional resources
Understanding the AppLocker Policy Deployment Process
  Resources in support of the deployment process
Requirements for Deploying AppLocker Policies
  Your deployment plan
  Supported operating systems
  Your policy distribution mechanism
  Your event collection and analysis system
Using Software Restriction Policies with AppLocker Policies
  Understanding the difference between SRP and AppLocker
  Using SRP and AppLocker together
  Testing and validating SRP policies and AppLocker policies that are deployed in the same environment
    Step 1: Test the effect of SRP policies
    Step 2: Test the effect of AppLocker policies
Creating Your AppLocker Policies
  AppLocker policy deployment steps
    Step 1: Use your plan
    Step 2: Create your rules and rule collections
    Step 3: Configure the enforcement setting
    Step 4: Update the GPO
    Step 5: Test the effect of the policy
    Step 6: Implement the policy
    Step 7: Test the effect of the policy and adjust
  Next steps
Creating Your AppLocker Rules
  Creating AppLocker rules
    Automatically generate your rules
    Create your rules individually
  About selecting rules
  Next steps
Testing and Updating an AppLocker Policy
  Step 1: Enable the Audit only enforcement setting
  Step 2: Configure the Application Identity service to start automatically
  Step 3: Test the policy
  Step 4: Analyze AppLocker events
  Step 5: Modify the AppLocker policy
  Step 6: Repeat policy testing, analysis, and policy modification
Deploying the AppLocker Policy into Production
  Understanding your design decisions
  AppLocker deployment methods
Deploying AppLocker Policies by Using the Enforce Rules Setting
  Background and prerequisites
  Step 1: Retrieve the AppLocker policy
  Step 2: Alter the enforcement setting
  Step 3: Update the policy
  Step 4: Monitor the effect of the policy
Using a Reference Computer to Create and Maintain AppLocker Policies
  Background and prerequisites
  Step 1: Automatically generate rules on the reference computer
  Step 2: Create the default rules on the reference computer
  Step 3: Modify rules and the rule collection on the reference computer
  Step 4: Test and update the policy on the reference computer
  Step 5: Export and import the policy into production
  Step 6: Monitor the effect of the policy in production
Determine Which Applications Are Digitally Signed on a Reference Computer
Configure the AppLocker Reference Computer
  Additional resources
Maintaining AppLocker Policies
  Maintaining AppLocker policies by using Group Policy
    Step 1: Understand the current behavior of the policy
    Step 2: Export the AppLocker policy from the GPO
    Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
    Step 4: Test the AppLocker policy
    Step 5: Import the AppLocker policy into the GPO
    Step 6: Monitor the resulting policy behavior
  Maintaining AppLocker policies by using the Local Security Policy snap-in
    Step 1: Understand the current behavior of the policy
    Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule
    Step 3: Test the AppLocker policy
    Step 4: Deploy the policy with the modified rule
    Step 5: Monitor the resulting policy behavior
  Additional resources
Document your application control policy deployment plan by addressing these tasks:
This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running Windows Server 2008 R2 and Windows 7. It contains the following topics:
- Understanding the AppLocker Policy Deployment Process
- Requirements for Deploying AppLocker Policies
- Using Software Restriction Policies with AppLocker Policies
- Creating Your AppLocker Policies
- Deploying the AppLocker Policy into Production
- Maintaining AppLocker Policies
Additional resources
- Using Software Restriction Policies to Protect Against Unauthorized Software (http://go.microsoft.com/fwlink/?LinkID=155634). This TechNet article is about SRP in Windows XP and Windows Server 2003 and is also applicable to Windows Vista and Windows Server 2008. It provides an in-depth look at how software restriction policies can be used to fight viruses, regulate which ActiveX controls can be downloaded, run only digitally signed scripts, and enforce that only approved software is installed on system computers.
- Software Restriction Policies. This collection of Windows Server 2003 product help topics describes the concepts to understand and the steps to implement and maintain SRP.
- AppLocker. This topic lists AppLocker documentation resources for the IT professional.

- For information about the AppLocker policy design and planning requirements and process, see the AppLocker Policies Design Guide.
- For information about the AppLocker policy deployment requirements and process, see the AppLocker Policies Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=160260).
- For information about AppLocker policy maintenance and monitoring, see the AppLocker Operations Guide (http://go.microsoft.com/fwlink/?LinkId=160259).
- For information about AppLocker policy architecture, components, and processing, see the AppLocker Technical Reference (http://go.microsoft.com/fwlink/?LinkId=160263).
Example application control plan table (the layout was flattened by extraction; the columns named on the page are Business group, Applications, Installation path, and Allow or deny, and the entries legible on the page are listed by business group):

Bank Tellers (AppLocker: Yes; Tellers)
- Teller software: Allow. Support: Web help.
- Create a path exception to the default rule to exclude \Windows\Temp: Allow. Support: Help desk.

Human Resources (AppLocker: Yes; HR-All)
- Check Payout, C:\Program Files\Woodgrove\HR\Checkcut.exe: file is signed; create a publisher condition. Allow. Support: Web help.
- Time Sheet Organizer: file is not signed; create a file hash condition. Allow. Support: Web help.
- Internet Explorer 7, C:\Program Files\Internet Explorer\: file is signed; create a publisher condition. Deny. Support: Web help.
- Remaining rows record Help desk as the support entry.
Example policy tables (flattened by extraction; the column headers on the page are Business group, Archival policy, Analyzed?, and Security policy, and the values of the Analyzed? column did not survive):

Bank Tellers
- Planned: Monthly through business office triage. Emergency: request through help desk.
- General policy: keep past versions for 12 months. List policies for each application.
- Archival policy: Standard. Security policy: Standard.

Human Resources
- General policy: keep past versions for 60 months. List policies for each application.
- Archival policy: 60 months. Security policy: Standard.
Operating system/edition (the original table marks each edition with Yes or No for AppLocker support; the extracted marks read "Yes Yes Yes Yes Yes No Yes Yes" and cannot be matched to the editions with confidence):
- Windows Server 2008 R2 Standard
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Datacenter
- Windows Server 2008 R2 for Itanium-Based Systems
- Windows 7 Professional
- Windows 7 Ultimate
- Windows 7 Enterprise
Software Restriction Policies are supported on versions of Windows beginning with Windows XP and Windows Server 2003 including the above versions. However, the SRP Basic User feature is not supported on the above operating systems.
Effect of AppLocker and SRP policies by operating system (flattened by extraction; the cells legible on the page are grouped by operating system):

Windows 7
- AppLocker policies in the GPO are applied and supersede any local AppLocker policies.
- Local AppLocker policies supersede any SRP policies applied through the GPO.
- AppLocker policies in the GPO are applied and supersede the SRP policies in the GPO and any local AppLocker policies or SRP policies.
- SRP policies in the GPO are applied and supersede any local SRP policies.

Windows Vista and Windows XP
- AppLocker policies are not applied.
- SRP policies in the GPO are applied and supersede any local SRP policies.
Note For information about supported versions and editions of the operating system, see Supported operating systems.
Testing and validating SRP policies and AppLocker policies that are deployed in the same environment
Because SRP policies and AppLocker policies function differently but can exist in the same GPO or in linked GPOs, testing the result of the policy is critical to successfully controlling application usage in the targeted organization. Configuring a testing and policy distribution system can aid in understanding the result of a policy. The effects of SRP policies and AppLocker policies need to be tested separately and by using different tools even when in the same GPO.
Next steps
Follow the steps described in the topics below to continue the deployment process:
1. Creating Your AppLocker Rules
2. Testing and Updating an AppLocker Policy
3. Deploying the AppLocker Policy into Production
avoid unintended results. For information about this planning document and other planning activities, see AppLocker Policies Design Guide.
When determining what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Different rule types are more applicable for some applications, depending on the way that the applications are deployed in a specific business group. For information about how to determine and document your AppLocker rules, see AppLocker Policies Design Guide. For information about AppLocker rules and AppLocker policies, see the following topics:
- Understanding AppLocker Rule Behavior
- Understanding AppLocker Rule Exceptions
- Understanding AppLocker Rule Collections
- Understanding AppLocker Allow and Deny Actions on Rules
- Understanding AppLocker Rule Condition Types
- Understanding AppLocker Default Rules
Next steps
1. Import an AppLocker Policy into a GPO or Import an AppLocker Policy from Another Computer
2. Testing and Updating an AppLocker Policy
3. Deploying the AppLocker Policy into Production
to do this, see Start the Application Identity Service. For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each computer in order for the policies to be applied.
AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in. For information about how to modify an AppLocker policy, see Editing an AppLocker Policy.
distribution. The other method is to create the policies with the enforcement setting set at Audit only and observe the events generated.
- Using a Reference Computer to Create and Maintain AppLocker Policies. This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
- Deploying AppLocker Policies by Using the Enforce Rules Setting. This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to either Audit only or Enforce rules.
default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see Understanding AppLocker Enforcement Settings. For the procedure to alter the enforcement setting, see Configure an AppLocker Policy for Audit Only.
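The four steps of this section, worked as an added PowerShell example that is not code from the guide: it retrieves the policy from the GPO, refuses to switch to Enforce rules while the audit log still shows files that would be blocked, flips every Audit only collection to Enabled, tests the candidate, and writes it back. It assumes the AppLocker module is present, the script runs as a Group Policy administrator on a computer that received the Audit only policy, and that the GPO LDAP path, working file and expected-denial pattern are placeholders for your environment.

```powershell
# Added example (not from the guide). Placeholders: $GpoPath, $WorkCopy, $ExpectedDenials, $mustRun.
Import-Module AppLocker

$GpoPath  = 'LDAP://dc01.example.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'
$WorkCopy = 'C:\AppLockerWork\Enforce-Candidate.xml'
# Files the plan deliberately denies (the guide's example plan denies Internet Explorer 7),
# so an audit event for them is expected rather than a rule gap.
$ExpectedDenials = @('*\INTERNET EXPLORER\IEXPLORE.EXE')

# Step 1: Retrieve the AppLocker policy from the GPO as XML.
[xml]$policy = Get-AppLockerPolicy -Domain -Ldap $GpoPath -Xml

# Audited events (ID 8003 in the EXE and DLL log) are written only under Audit only and
# mean "would have been blocked". -Statistics collapses them to one line per file with a count.
$audited = Get-AppLockerFileInformation -EventLog `
               -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
               -EventType Audited -Statistics

$unexpected = @($audited | Where-Object {
    $p = $_.Path.ToString()
    -not ($ExpectedDenials | Where-Object { $p -like $_ })
})

if ($unexpected.Count -gt 0) {
    Write-Warning 'Policy is not ready for Enforce rules; these files would be blocked:'
    $unexpected | Select-Object Path, Counter | Format-Table -AutoSize
    return   # back to rule modification and another Audit only cycle
}

# Step 2: Alter the enforcement setting on every collection that was in Audit only.
# Collections left NotConfigured are untouched: per the guide they already enforce
# whenever they hold rules.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    if ($rc.EnforcementMode -eq 'AuditOnly') { $rc.SetAttribute('EnforcementMode', 'Enabled') }
}
$null = New-Item -ItemType Directory -Path (Split-Path $WorkCopy) -Force
$policy.Save($WorkCopy)

# Last check before touching the GPO: the line-of-business executables the plan allows
# must still come back Allowed from the candidate policy.
$mustRun  = Get-ChildItem 'C:\Program Files\Woodgrove' -Recurse -Include *.exe | ForEach-Object { $_.FullName }
$verdicts = Test-AppLockerPolicy -XmlPolicy $WorkCopy -Path $mustRun -User Everyone
$blocked  = @($verdicts | Where-Object { $_.PolicyDecision -ne 'Allowed' })
if ($blocked.Count -gt 0) {
    Write-Warning 'Candidate policy would block required files:'
    $blocked | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    return
}

# Step 3: Update the policy in the GPO. Without -Merge the whole policy is replaced,
# which is what we want here: same rules, new enforcement setting.
Set-AppLockerPolicy -XmlPolicy $WorkCopy -Ldap $GpoPath

# Step 4: Monitor. After clients refresh Group Policy, real blocks log event ID 8004.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -Wrap
```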
Important You can use the default rules as a template when creating your own rules to allow files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.
Step 3: Modify rules and the rule collection on the reference computer
If AppLocker policies are currently in your production environment, export the policy from the corresponding GPO and save it to the reference computer. For the procedure to do this, see Export an AppLocker Policy from a GPO. If no AppLocker policies have been deployed, then create the rules and develop the policies by using the following procedures:
- Create a Rule that Uses a Publisher Condition
- Create a Rule that Uses a File Hash Condition
- Create a Rule that Uses a Path Condition
- Edit AppLocker Rules
- Configure Exceptions for an AppLocker Rule
- Delete an AppLocker Rule
- Enable the DLL Rule Collection
- Enforce AppLocker Rules
Caution If you have set the enforcement setting on the rule collection to Enforce rules or have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to Audit only, then application access events are written to the AppLocker log and the policy will not take effect.
To determine which applications are digitally signed on a reference computer
1. From the command line on the reference computer, run Get-AppLockerFileInformation with the appropriate parameters. The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
2. Analyze the publisher's name and digital signature status from the output of the command. For command parameters, syntax, and examples, see Get-AppLockerFileInformation.
2. Configure the administrator account. To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have delegated privileges to use Group Policy to update a Group Policy object (GPO).
3. Install all applications that run in the targeted business group or OU by using the same directory structure. The reference computer should be configured to mimic the structure of your production environment. It is dependent upon the same applications in the same directories as they are in production in order to accurately create the rules.
4. Import the AppLocker Windows PowerShell cmdlet module. To use the AppLocker cmdlets, you must first import the AppLocker module by using the following command at the Windows PowerShell command prompt: C:\PS> Import-Module AppLocker. Scripting must be enabled on the computer. For information about Windows PowerShell, see the Windows PowerShell Help file (WindowsPowerShellHelp.chm). For information about using the cmdlets, see Using the AppLocker Windows PowerShell Cmdlets.
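The signed/unsigned determination and the reference-computer rule generation above, as one added PowerShell example that is not code from the guide: it inventories an install root, reports which files carry a publisher, generates publisher rules for signed files and hash rules for the rest, forces every collection to Audit only, checks the result against the scanned files, and applies it locally with the Application Identity service running. It assumes the AppLocker module is present on Windows 7 or Windows Server 2008 R2 and that the scan root and output path are placeholders.

```powershell
# Added example (not from the guide). Placeholders: $ScanRoot, $PolicyOut.
Import-Module AppLocker

$ScanRoot  = 'C:\Program Files\Woodgrove'          # placeholder: the business group's install root
$PolicyOut = 'C:\AppLockerWork\Tellers-Audit.xml'  # placeholder output file

# Determine which applications are digitally signed: unsigned files come back with no
# Publisher, so they need file hash conditions; signed ones get publisher conditions.
$files    = Get-AppLockerFileInformation -Directory $ScanRoot -Recurse -FileType Exe, Script, WindowsInstaller
$signed   = @($files | Where-Object { $_.Publisher -ne $null })
$unsigned = @($files | Where-Object { $_.Publisher -eq $null })
Write-Host ('{0} signed, {1} unsigned' -f $signed.Count, $unsigned.Count)
$signed   | Select-Object Path, @{ n = 'Publisher'; e = { $_.Publisher.PublisherName } } | Format-Table -AutoSize
$unsigned | Select-Object Path | Format-Table -AutoSize

# Automatically generate rules. -RuleType lists conditions in order of preference, so a
# file gets a Publisher rule when signed and a Hash rule otherwise. -Optimize folds files
# from one publisher into one rule; -IgnoreMissingFileInformation skips a file that can
# satisfy neither condition instead of aborting the whole run.
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                   -User Everyone -RuleNamePrefix 'Tellers' -Optimize `
                   -IgnoreMissingFileInformation -Xml

# Start every collection in Audit only. A collection that is merely "not configured"
# enforces as soon as it holds rules, and this policy does not yet contain the default
# rules for the Windows directory, so enforcing it now could block Windows itself.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$null = New-Item -ItemType Directory -Path (Split-Path $PolicyOut) -Force
$policy.Save($PolicyOut)

# Report anything the policy would not allow among the very files it was built from;
# each line here is a rule gap to close before the policy leaves this computer.
$exes = Get-ChildItem $ScanRoot -Recurse -Include *.exe | ForEach-Object { $_.FullName }
Test-AppLockerPolicy -XmlPolicy $PolicyOut -Path $exes -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision -AutoSize

# Apply to the local policy (no -Ldap) and make sure the Application Identity service,
# which AppLocker needs in order to evaluate rules at all, starts automatically.
Set-AppLockerPolicy -XmlPolicy $PolicyOut
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```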
Additional resources
After you configure the reference computer, you can now create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see AppLocker Rule Procedures.
There are two methods you can use to maintain AppLocker policies:
As new applications are deployed or existing applications are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy object (GPO) to ensure that your policy is current.
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs, such as Microsoft Advanced Group Policy Management (AGPM). For more information about AGPM, see Advanced Group Policy Management Overview (http://go.microsoft.com/fwlink/?LinkId=145013).

Caution You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. To modify AppLocker rules, see the following:
- Edit AppLocker Rules
- Merge AppLocker Policies by Using Set-ApplockerPolicy or Merge AppLocker Policies Manually
- Delete an AppLocker Rule
- Enforce AppLocker Rules
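The Group Policy maintenance cycle (export, edit, test, import) as an added PowerShell example that is not code from the guide: it exports the deployed policy and keeps a dated copy as the version record, builds a rule for a newly deployed application, merges and tests on the reference computer first, and only then merges the rule into the GPO. It assumes Group Policy administrator rights and the AppLocker module, and that the GPO LDAP path, the working folder, the new application's path and the HR-All group are placeholders.

```powershell
# Added example (not from the guide). Placeholders: $GpoPath, $WorkDir, $NewApp, the HR-All group.
Import-Module AppLocker

$GpoPath = 'LDAP://dc01.example.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'
$WorkDir = 'C:\AppLockerWork'
$NewApp  = 'C:\Program Files\Woodgrove\HR\Timesheet.exe'   # placeholder: newly deployed application
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$null    = New-Item -ItemType Directory -Path $WorkDir -Force

# Step 2: Export the current policy and keep it as the rollback point. An AppLocker policy
# carries no version number of its own, so the dated file name is the version record.
$backup = Join-Path $WorkDir "HR-policy-$stamp.xml"
Get-AppLockerPolicy -Domain -Ldap $GpoPath -Xml | Set-Content -Path $backup -Encoding UTF8

# Step 3: Build the rule for the new application: a publisher rule if it is signed, a hash
# rule otherwise. The output is a policy fragment that contains only this rule.
$info     = Get-AppLockerFileInformation -Path $NewApp
$fragment = Join-Path $WorkDir "HR-newrule-$stamp.xml"
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User 'HR-All' `
                    -RuleNamePrefix 'HR' -Xml | Set-Content -Path $fragment -Encoding UTF8

# Step 4: Test on this reference computer, never on the live GPO: load the production
# policy locally, merge the fragment into it, then judge the merged result.
Set-AppLockerPolicy -XmlPolicy $backup
Set-AppLockerPolicy -XmlPolicy $fragment -Merge
$merged = Join-Path $WorkDir "HR-policy-merged-$stamp.xml"
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $merged -Encoding UTF8

$verdict = Test-AppLockerPolicy -XmlPolicy $merged -Path $NewApp -User 'HR-All'
if ($verdict.PolicyDecision -ne 'Allowed') {
    Write-Warning ('{0} is still {1}; fix the rule before importing' -f $NewApp, $verdict.PolicyDecision)
    return
}

# Step 5: Import into the GPO. -Merge keeps the rules already in the GPO and adds the new
# one, so the change is as small as the edit that motivated it.
Set-AppLockerPolicy -XmlPolicy $fragment -Ldap $GpoPath -Merge

# Step 6: Monitor. After clients refresh Group Policy, a regression shows up as blocked
# executions (event ID 8004) for files that used to run.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -Wrap
```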
Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule
Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. To modify AppLocker rules, see the appropriate topic in the AppLocker Rule Procedures collection.
Additional resources
For steps to perform other AppLocker policy tasks, see Administering AppLocker.