AppLocker Policies Deployment Guide
Microsoft Corporation
Published: April 2011
Abstract
This guide provides steps based on your design and planning investigation for deploying
application control policies by using AppLocker for Windows Server 2008 R2 and Windows 7. It is
intended for security architects, security administrators, and system administrators. Through a
sequential and iterative deployment process, you can create application control policies, test and
adjust the policies, and implement a method for maintaining those policies as the needs in your
organization change.
Copyright information
This document is provided “as-is”. Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. You bear the risk of
using it.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2011 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, AppLocker, Internet Explorer, RemoteApp, PowerShell, Windows,
Windows Vista, and Windows Server are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
AppLocker Policies Deployment Guide
  Purpose of this guide
  Prerequisites to deploying AppLocker policies
  Contents of this guide
  Additional resources
Understanding the AppLocker Policy Deployment Process
  Resources in support of the deployment process
Requirements for Deploying AppLocker Policies
  Your deployment plan
  Supported operating systems
  Your policy distribution mechanism
  Your event collection and analysis system
Using Software Restriction Policies with AppLocker Policies
  Understanding the difference between SRP and AppLocker
  Using SRP and AppLocker together
  Testing and validating SRP policies and AppLocker policies that are deployed in the same environment
    Step 1: Test the effect of SRP policies
    Step 2: Test the effect of AppLocker policies
Creating Your AppLocker Policies
  AppLocker policy deployment steps
    Step 1: Use your plan
    Step 2: Create your rules and rule collections
    Step 3: Configure the enforcement setting
    Step 4: Update the GPO
    Step 5: Test the effect of the policy
    Step 6: Implement the policy
    Step 7: Test the effect of the policy and adjust
  Next steps
Creating Your AppLocker Rules
  Creating AppLocker rules
    Automatically generate your rules
    Create your rules individually
  About selecting rules
  Next steps
Testing and Updating an AppLocker Policy
  Step 1: Enable the Audit only enforcement setting
  Step 2: Configure the Application Identity service to start automatically
  Step 3: Test the policy
  Step 4: Analyze AppLocker events
  Step 5: Modify the AppLocker policy
  Step 6: Repeat policy testing, analysis, and policy modification
Deploying the AppLocker Policy into Production
  Understanding your design decisions
  AppLocker deployment methods
Deploying AppLocker Policies by Using the Enforce Rules Setting
  Background and prerequisites
  Step 1: Retrieve the AppLocker policy
  Step 2: Alter the enforcement setting
  Step 3: Update the policy
  Step 4: Monitor the effect of the policy
Using a Reference Computer to Create and Maintain AppLocker Policies
  Background and prerequisites
  Step 1: Automatically generate rules on the reference computer
  Step 2: Create the default rules on the reference computer
  Step 3: Modify rules and the rule collection on the reference computer
  Step 4: Test and update the policy on the reference computer
  Step 5: Export and import the policy into production
  Step 6: Monitor the effect of the policy in production
Determine Which Applications Are Digitally Signed on a Reference Computer
Configure the AppLocker Reference Computer
  Additional resources
Maintaining AppLocker Policies
  Maintaining AppLocker policies by using Group Policy
    Step 1: Understand the current behavior of the policy
    Step 2: Export the AppLocker policy from the GPO
    Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
    Step 4: Test the AppLocker policy
    Step 5: Import the AppLocker policy into the GPO
    Step 6: Monitor the resulting policy behavior
  Maintaining AppLocker policies by using the Local Security Policy snap-in
    Step 1: Understand the current behavior of the policy
    Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule
    Step 3: Test the AppLocker policy
    Step 4: Deploy the policy with the modified rule
    Step 5: Monitor the resulting policy behavior
  Additional resources
AppLocker Policies Deployment Guide
This topic for the IT professional introduces the concepts and describes the steps required to
deploy AppLocker™ policies in Windows Server® 2008 R2 and Windows® 7.
Purpose of this guide
This guide provides steps based on your design and planning investigation for deploying
application control policies by using AppLocker. It is intended for security architects, security
administrators, and system administrators. Through a sequential and iterative deployment
process, you can create application control policies, test and adjust the policies, and implement a
method for maintaining those policies as the needs in your organization change.
This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker
policies to control application usage. For a comparison of SRP and AppLocker, see Using
Software Restriction Policies with AppLocker Policies in this guide. To understand if AppLocker is
the correct application control solution for you, see Understanding AppLocker Policy Design
Decisions.
For a web version of this document, see AppLocker Policies Deployment Guide in the Windows
Server Technical Library.
Prerequisites to deploying AppLocker policies
The following are prerequisites or recommendations for deploying policies:
Understand the capabilities of AppLocker:
  AppLocker Technical Overview
  AppLocker Step-by-Step Guide
Document your application control policy deployment plan by addressing these tasks:
  Understanding the AppLocker Policy Deployment Process
  Understanding AppLocker Policy Design Decisions
  Determining Your Application Control Objectives
  Creating the List of Applications Deployed to Each Business Group
  Selecting the Types of Rules to Create
  Determining Group Policy Structure and Rule Enforcement
  Planning for AppLocker Policy Management
  Creating Your AppLocker Planning Document
Contents of this guide
This guide provides steps based on your design and planning investigation for deploying
application control policies created and maintained by AppLocker for computers running Windows
Server 2008 R2 and Windows 7. It contains the following topics:
Understanding the AppLocker Policy Deployment Process
Requirements for Deploying AppLocker Policies
Using Software Restriction Policies with AppLocker Policies
Creating Your AppLocker Policies
Deploying the AppLocker Policy into Production
Maintaining AppLocker Policies
Additional resources
Using Software Restriction Policies to Protect Against Unauthorized Software
(http://go.microsoft.com/fwlink/?LinkID=155634)
This TechNet article is about SRP in Windows XP and Windows Server 2003 and is also
applicable to Windows Vista® and Windows Server 2008. It provides an in-depth look at how
software restriction policies can be used to fight viruses, regulate which ActiveX controls can
be downloaded, run only digitally signed scripts, and enforce that only approved software is
installed on system computers.
Software Restriction Policies
This collection of Windows Server 2003 product help topics describes the concepts to
understand and the steps to implement and maintain SRP.
AppLocker
This topic lists AppLocker documentation resources for the IT professional.
Understanding the AppLocker Policy Deployment Process
This planning and deployment topic describes the process to use AppLocker when deploying
application control policies in Windows Server 2008 R2 and Windows 7.
To successfully deploy AppLocker policies, you need to identify your application control objectives
and construct the policies for those objectives. The key to the process is the accurate inventory of
your organization's applications, which requires investigation with all the targeted business
groups. With an accurate inventory, you can create rules and set enforcement criteria that will
allow the organization to use the required applications and allow the IT department to manage a
controlled set of applications.
The following diagram shows the main points in the design, planning, and deployment process for
AppLocker.
Resources in support of the deployment process
The following documentation contains information about designing, planning, deploying, and
maintaining AppLocker policies:
For information about the AppLocker policy design and planning requirements and process, see the AppLocker Policies Design Guide.
For information about the AppLocker policy deployment requirements and process, see the AppLocker Policies Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=160260).
For information about AppLocker policy maintenance and monitoring, see the AppLocker Operations Guide (http://go.microsoft.com/fwlink/?LinkId=160259).
For information about AppLocker policy architecture, components, and processing, see the AppLocker Technical Reference (http://go.microsoft.com/fwlink/?LinkId=160263).
Requirements for Deploying AppLocker Policies
This deployment topic lists the requirements you need to meet before deploying AppLocker
policies.
The following requirements must be met or addressed before deploying your AppLocker policies:
Your deployment plan
The supported operating systems
Your policy distribution mechanism
Your event collection and analysis system
Your deployment plan
An AppLocker policy deployment plan is the result of investigating what applications are required
and necessary in your organization, what applications are optional, and what applications are
forbidden. To develop this plan, see Planning Application Control Policies by Using
AppLocker. The following table is an example of the data you need to collect and the decisions
you need to make in order to successfully deploy AppLocker policies on computers running
Windows Server 2008 R2 or Windows 7.
Business group | Organizational unit | Implement AppLocker? | Applications | Installation path | Use default rule or define new rule condition | Allow or deny | GPO name | Support policy
--- | --- | --- | --- | --- | --- | --- | --- | ---
Bank Tellers | Teller-East and Teller-West | Yes | Teller software | C:\Program Files\Woodgrove\Teller.exe | File is signed; create a publisher condition | Allow | Tellers | Web help
| | | Windows files | C:\Windows | Create a path exception to the default rule to exclude \Windows\Temp | Allow | | Help desk
| | | Time Sheet Organizer | C:\Program Files\Woodgrove\HR\Timesheet.exe | File is not signed; create a file hash condition | Allow | | Web help
Human Resources | HR-All | Yes | Check Payout | C:\Program Files\Woodgrove\HR\Checkcut.exe | File is signed; create a publisher condition | Allow | HR | Web help
| | | Internet Explorer 7 | C:\Program Files\Internet Explorer\ | File is signed; create a publisher condition | Deny | | Help desk
| | | Windows files | C:\Windows | Use the default rule for the Windows path | Allow | | Help desk
Event processing policy
Business group | AppLocker event collection location | Archival policy | Analyzed? | Security policy
--- | --- | --- | --- | ---
Bank Tellers | Forwarded to: srvBT093 | Standard | None | Standard
Human Resources | DO NOT FORWARD | 60 months | Yes; summary reports monthly to managers | Standard
Policy maintenance policy
Business group | Rule update policy | Application decommission policy | Application version policy | Application deployment policy
--- | --- | --- | --- | ---
Bank Tellers | Planned: monthly through business office triage. Emergency: request through help desk | Through business office triage; 30-day notice required | General policy: keep past versions for 12 months. List policies for each application | Coordinated through business office; 30-day notice required
Human Resources | Planned: through HR triage. Emergency: request through help desk | Through HR triage; 30-day notice required | General policy: keep past versions for 60 months. List policies for each application | Coordinated through HR; 30-day notice required
Supported operating systems
AppLocker is supported only on the following editions of these operating systems:
Operating system/edition | AppLocker policies created and maintained | AppLocker policies deployed
--- | --- | ---
Windows Server 2008 R2 Standard | Yes | Yes
Windows Server 2008 R2 Enterprise | Yes | Yes
Windows Server 2008 R2 Datacenter | Yes | Yes
Windows Server 2008 R2 for Itanium-Based Systems | Yes | Yes
Windows 7 Professional | Yes | No
Windows 7 Ultimate | Yes | Yes
Windows 7 Enterprise | Yes | Yes
Software Restriction Policies are supported on versions of Windows beginning with Windows XP
and Windows Server 2003 including the above versions. However, the SRP Basic User feature is
not supported on the above operating systems.
Your policy distribution mechanism
AppLocker uses Group Policy management architecture to effectively distribute application
control policies. AppLocker policies can also be configured on individual computers by using the
Local Security Policy snap-in. You will need a way to distribute the AppLocker policies throughout
the targeted business group.
Your event collection and analysis system
Event processing is important to understand application usage. You must have a process in place
to collect and analyze AppLocker events so that application usage is appropriately restricted and
understood. For procedures to monitor AppLocker events, see:
Configure an AppLocker Policy for Audit Only
Configure an AppLocker Policy for Enforce Rules
View the AppLocker Log in Event Viewer
Review AppLocker Events with Get-AppLockerFileInformation
Using Software Restriction Policies with AppLocker Policies
This topic describes how to use Software Restriction Policies (SRP) and AppLocker policies in the
same deployment for Windows operating systems beginning with Windows XP and Windows
Server 2003 and including Windows Server 2008 R2 and Windows 7.
Understanding the difference between SRP and AppLocker
You might want to deploy application control policies onto Windows operating systems earlier
than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the
supported editions of Windows Server 2008 R2 and Windows 7, but you can use SRP on
supported editions of Windows beginning with Windows Server 2003 and Windows XP. To
compare features and functions in SRP and AppLocker so that you can determine when to use
each technology to meet your application control objectives, see Determine Your Application
Control Objectives.
Using SRP and AppLocker together
Both SRP and AppLocker use Group Policy for domain management. However, when both SRP
policies and AppLocker policies exist in the same Group Policy object (GPO), AppLocker policies
will take precedence over SRP policies on computers running Windows Server 2008 R2 or
Windows 7. For information about how inheritance in Group Policy applies to AppLocker policies
and SRP policies, see Understanding AppLocker Rules and Enforcement Setting
Inheritance in Group Policy.
As an example of how both types of policy would affect the bank's "Teller software" application,
consider the following scenario where the application is deployed on different Windows desktop
operating systems and managed by the Tellers GPO.
Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP policy | Tellers GPO with both AppLocker policy and SRP policy
--- | --- | --- | ---
Windows 7 | AppLocker policies in the GPO are applied and supersede any local AppLocker policies. | Local AppLocker policies supersede any SRP policies applied through the GPO. | AppLocker policies in the GPO are applied and supersede the SRP policies in the GPO and any local AppLocker policies or SRP policies.
Windows Vista | AppLocker policies are not applied. | SRP policies in the GPO are applied and supersede any local SRP policies. | AppLocker policies are not applied. SRP policies in the GPO are applied and supersede any local SRP policies.
Windows XP | AppLocker policies are not applied. | SRP policies in the GPO are applied and supersede any local SRP policies. | AppLocker policies are not applied. SRP policies in the GPO are applied and supersede any local SRP policies.
For information about supported versions and editions of the operating system, see
Supported operating systems.
Testing and validating SRP policies and AppLocker policies that are deployed in the same environment
Because SRP policies and AppLocker policies function differently but can exist in the same GPO
or in linked GPOs, testing the result of the policy is critical to successfully controlling application
usage in the targeted organization. Configuring a testing and policy distribution system can aid in
understanding the result of a policy. The effects of SRP policies and AppLocker policies need to
be tested separately and by using different tools even when in the same GPO.
Step 1: Test the effect of SRP policies
You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy
(RSoP) snap-in to determine the effect of applying SRP policies by using GPOs. For information
about using RSoP, see Resultant Set of Policy. For information about using the GPMC, see
Group Policy Management Console.
Step 2: Test the effect of AppLocker policies
You can test AppLocker policies by using Windows PowerShell cmdlets. For information about
investigating the result of a policy, see Test an AppLocker Policy with Test-AppLockerPolicy
and Review AppLocker Events with Get-AppLockerFileInformation.
Note
Another method to use when determining the result of a policy is to set the enforcement mode to
audit-only. When the policy is deployed, events will be written to the AppLocker logs as if the
policy was enforced. For information about using the audit-only mode, see Understanding
AppLocker Enforcement Settings and Configure an AppLocker Policy for Audit Only.
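As an added example that is not part of the guide, the following Windows PowerShell script carries out the two checks this step describes on a test client: it evaluates the effective policy against the installation paths from the deployment plan table for a teller user and an HR user, then summarizes what the audit-only log has recorded. The user names WOODGROVE\teller01 and WOODGROVE\hr01 and the output file name are assumptions.

```powershell
# Added example, not from the guide. Evaluates the effective AppLocker policy
# for the users and paths in the deployment plan, then summarizes audit events.
# Assumed: WOODGROVE\teller01 and WOODGROVE\hr01; the paths come from the plan table.

# 1. Export the effective policy (local policy merged with applied GPOs) to XML.
$policyXml = Join-Path $env:TEMP 'Effective-AppLocker.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml -Encoding Unicode

# 2. Decisions the plan table expects. Test-AppLockerPolicy reads the real file
#    to get its hash and signature, so files not installed here are skipped.
$cases = @(
    @{ User = 'WOODGROVE\teller01'; Path = 'C:\Program Files\Woodgrove\Teller.exe';           Expect = 'Allowed' },
    @{ User = 'WOODGROVE\teller01'; Path = 'C:\Program Files\Woodgrove\HR\Timesheet.exe';     Expect = 'Allowed' },
    @{ User = 'WOODGROVE\hr01';     Path = 'C:\Program Files\Woodgrove\HR\Checkcut.exe';      Expect = 'Allowed' },
    @{ User = 'WOODGROVE\hr01';     Path = 'C:\Program Files\Internet Explorer\iexplore.exe'; Expect = 'Denied'  }
)

$mismatches = 0
foreach ($c in $cases) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        Write-Warning "Skipping $($c.Path): not installed on this test client"
        continue
    }
    $decision = (Test-AppLockerPolicy -XmlPolicy $policyXml -Path $c.Path -User $c.User).PolicyDecision
    # PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault;
    # only the Allowed/Denied prefix has to agree with the plan.
    $status = if ("$decision" -like "$($c.Expect)*") { 'OK ' } else { $mismatches++; 'BAD' }
    '{0} {1,-18} {2,-16} {3}' -f $status, $c.User, $decision, $c.Path
}
"Mismatches against the plan: $mismatches"

# 3. What the audit-only deployment actually recorded: one line per file with a
#    hit count, so unexpected executables surface before rules are enforced.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited |
    Group-Object { "$($_.Path)" } |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name
```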
Creating Your AppLocker Policies
This overview topic describes the steps to create an AppLocker policy and prepare it for
deployment.
AppLocker policy deployment steps
Creating effective application control policies with AppLocker starts by creating the rules for each
application. Rules are grouped into one of four rule collections. The rule collection then can be
configured to be enforced or to run in an audit-only mode. An AppLocker policy includes the rules
in the four rule collections and the enforcement settings for each rule collection.
Step 1: Use your plan
You can develop an application control policy plan to guide you in making successful deployment
decisions. For more information about how to do this and what you should consider, see the
AppLocker Policies Design Guide. The guide is intended for security architects, security
administrators, and system administrators. It contains the following topics to help you create an
AppLocker policy deployment plan for your organization that will address your specific application
control requirements by department, organizational unit, or business group:
1. Understanding the AppLocker Policy Deployment Process
2. Understanding AppLocker Policy Design Decisions
3. Determining Your Application Control Objectives
4. Creating the List of Applications Deployed to Each Business Group
5. Selecting the Types of Rules to Create
6. Determining Group Policy Structure and Rule Enforcement
7. Planning for AppLocker Policy Management
8. Creating Your AppLocker Policy Deployment Design Document
Step 2: Create your rules and rule collections
Each rule applies to one or more applications and imposes a specific rule condition upon them.
Rules can be created individually or can be generated by the Automatically Generate Rules
wizard. For steps to create the rules, see Creating Your AppLocker Rules.
Step 3: Configure the enforcement setting
An AppLocker policy is a set of rule collections that are configured with a rule enforcement
setting. The enforcement setting can be Enforce rules, Audit only, or Not configured. If an
AppLocker policy has at least one rule and is set to Not configured, all the rules in that policy will
be enforced. For information about configuring this setting, see Configure an AppLocker Policy
for Audit Only and Configure an AppLocker Policy for Enforce Rules.
Step 4: Update the GPO
AppLocker policies can be defined locally on a computer or applied through Group Policy. To use
Group Policy to apply AppLocker policies, you must either create a new Group Policy object
(GPO) or you must update an existing GPO. You can create or modify AppLocker policies using
the Group Policy Management Console (GPMC) or you can import an AppLocker policy into a
GPO. For the procedure to do this, see Import an AppLocker Policy into a GPO.
Step 5: Test the effect of the policy
Either in a test environment, or with the enforcement setting set at Audit only, verify that the
results of the policy are what you intended. For information about testing a policy, see Testing and
Updating an AppLocker Policy.
Step 6: Implement the policy
Depending upon your deployment method, either import the AppLocker policy to the GPO in your
production environment or, if the policy is already deployed, change the enforcement setting to
your production environment value, either Enforce rules or Audit only.
Step 7: Test the effect of the policy and adjust
Validate the effect of the policy by analyzing the AppLocker logs for application usage, and modify
the policy as necessary. To do this, see Discovering the Effect of an AppLocker Policy.
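The steps above, carried through in Windows PowerShell as an added example that is not the guide's own script: the Tellers rules are generated from the plan's file list (Step 2), the collection is set to Audit only rather than left at Not configured (Step 3), and the result is merged into the GPO (Step 4). The WOODGROVE\Tellers group, the GPO LDAP path with its placeholder GUID, and the output file name are assumptions; the file paths are the plan's.

```powershell
# Added example, not from the guide. Builds the Tellers rules from the plan,
# sets every generated collection to Audit only, and merges it into the GPO.
# Assumed/constructed: the WOODGROVE\Tellers group, the GPO LDAP path (the GUID
# is a placeholder) and the output file; the file paths are from the plan table.

$out = Join-Path $env:TEMP 'Tellers-AppLocker.xml'
$gpo = 'LDAP://dc01.woodgrove.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=woodgrove,DC=com'
$files = @(
    'C:\Program Files\Woodgrove\Teller.exe',       # signed: plan calls for a publisher condition
    'C:\Program Files\Woodgrove\HR\Timesheet.exe'  # unsigned: plan calls for a file hash condition
)

# Step 2: rule types are tried in the order given, so a signed file gets a
# publisher rule and an unsigned file falls back to a hash rule, as the plan requires.
$policyText = Get-AppLockerFileInformation -Path $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User 'WOODGROVE\Tellers' `
                        -RuleNamePrefix 'Tellers' -Optimize -Xml
[xml]$policy = $policyText -join "`n"

# Step 3: a collection left at NotConfigured that holds at least one rule is
# enforced, so set Audit only explicitly for the first deployment.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($out)

# Step 4: merge into the GPO rather than overwrite it, so the default rules for
# the Windows path that were created in the console are kept.
Set-AppLockerPolicy -XmlPolicy $out -Ldap $gpo -Merge

# Confirm what the GPO now holds before clients pick it up at the next refresh.
([xml](Get-AppLockerPolicy -Domain -Ldap $gpo -Xml)).AppLockerPolicy.RuleCollection |
    Select-Object -Property Type, EnforcementMode
```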
Next steps
Follow the steps described in the topics below to continue the deployment process:
1. Creating Your AppLocker Rules
2. Testing and Updating an AppLocker Policy
3. Deploying the AppLocker Policy into Production
Creating Your AppLocker Rules
This topic describes what you need to know about AppLocker rules and the different methods to
create rules.
Creating AppLocker rules
AppLocker rules apply to the targeted application and are the components that make up the
AppLocker policy. Depending on your IT environment and the business group requiring
application control policies, setting these access rules for each application can be time-
consuming and prone to error. With AppLocker, you can create rules by using either of the
following methods. However, creating rules derived from your planning document can help you
avoid unintended results. For information about this planning document and other planning
activities, see AppLocker Policies Design Guide.
Automatically generate your rules
With a reference computer, you can automatically create a set of default rules for each of the
installed applications, test and modify each rule as necessary, and deploy the policies. Creating
most of the rules for all the installed applications gives you a starting point to build and test your
policies. For information about performing this task, see the following:
Configure the AppLocker Reference Computer
Run the Automatically Generate Rules Wizard
Create AppLocker Default Rules
Edit AppLocker Rules
Configure Exceptions for an AppLocker Rule
Create your rules individually
You can create rules and set the mode to audit only for each of the installed applications, test and
update each rule as necessary, and then deploy the policies. Creating rules individually might be
best when you are targeting a small number of applications within a business group.
Note
AppLocker includes default rules for each rule collection. These rules are intended to
help ensure that the files that are required for Windows to operate properly are allowed in
an AppLocker rule collection. For information about creating the default rules for the
Windows operating system, see Create AppLocker Default Rules. You can edit the
default rules.
For information about performing this task, see the following:
Create a Rule that Uses a Publisher Condition
Create a Rule That Uses a Path Condition
Create a Rule That Uses a File Hash Condition
Edit AppLocker Rules
Enforce AppLocker Rules
Configure an AppLocker Policy for Audit Only
About selecting rules
AppLocker policies are composed of distinct rules for specific applications. These rules are
grouped by collection and implemented through an AppLocker policy definition. AppLocker
policies are managed either by using Group Policy or by using the Local Security Policy snap-in
for a single computer.
When determining what types of rules to create for each of your business groups or
organizational units (OUs), you should also determine what enforcement setting to use for each
group. Different rule types are more applicable for some applications, depending on the way that
the applications are deployed in a specific business group.
For information about how to determine and document your AppLocker rules, see AppLocker
Policies Design Guide.
For information about AppLocker rules and AppLocker policies, see the following topics:
Understanding AppLocker Rule Behavior
Understanding AppLocker Rule Exceptions
Understanding AppLocker Rule Collections
Understanding AppLocker Allow and Deny Actions on Rules
Understanding AppLocker Rule Condition Types
Understanding AppLocker Default Rules
Next steps
1. Import an AppLocker Policy into a GPO or Import an AppLocker Policy from Another Computer
2. Testing and Updating an AppLocker Policy
3. Deploying the AppLocker Policy into Production
Testing and Updating an AppLocker Policy
This topic discusses the steps required to test an AppLocker policy prior to deployment.
You should test each set of rules to ensure that the rules perform as intended. If you use Group
Policy to manage AppLocker policies, complete the following steps for each Group Policy object
(GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from
linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.
Step 1: Enable the Audit only enforcement setting
By using the Audit only enforcement setting, you can ensure that the AppLocker rules that you
have created are properly configured for your organization. This setting can be enabled on the
Enforcement tab of the AppLocker Properties dialog box. For the procedure to do this, see
Configure an AppLocker Policy for Audit Only.
Step 2: Configure the Application Identity service to start automatically
Because AppLocker uses the Application Identity service to verify the attributes of a file, you must
configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure
to do this, see Start the Application Identity Service. For AppLocker policies that are not
managed by a GPO, you must ensure that the service is running on each computer in order for
the policies to be applied.
Step 3: Test the policy
Test the AppLocker policy to determine if your rule collection needs to be modified. Because you
have created AppLocker rules, enabled the Application Identity service, and enabled the Audit
only enforcement setting, the AppLocker policy should be present on all client computers that are
configured to receive your AppLocker policy.
The Test-AppLockerPolicy Windows PowerShell cmdlet can be used to determine whether any
files on your reference computers would be blocked by the rules in your rule collection. For the
procedure to do this, see Test an AppLocker Policy with Test-AppLockerPolicy.
Step 4: Analyze AppLocker events
You can either manually analyze AppLocker events or use the Get-AppLockerFileInformation
Windows PowerShell cmdlet to automate the analysis.
To manually analyze AppLocker events
You can view the events either in Event Viewer or a text editor and then sort those events to
perform an analysis, such as looking for patterns in application usage events, access
frequencies, or access by user groups. If you have not configured an event subscription, then you
will have to review the logs on a sampling of computers in your organization. For more
information about using Event Viewer, see View the AppLocker Log in Event Viewer.
To analyze AppLocker events by using Get-AppLockerFileInformation
You can use the Get-AppLockerFileInformation Windows PowerShell cmdlet to analyze
AppLocker events from a remote computer. If an application is being blocked and should be
allowed, you can use the AppLocker cmdlets to help troubleshoot the problem.
For both event subscriptions and local events, you can use the Get-AppLockerFileInformation
cmdlet to determine which files have been blocked or would have been blocked (if you are using
the Audit only enforcement mode) and how many times the event has occurred for each file. For
the procedure to do this, see Review AppLocker Events with Get-AppLockerFileInformation.
After using Get-AppLockerFileInformation to determine how many times that a file would have
been blocked from running, you should review your rule list to determine whether a new rule
should be created for the blocked file or whether an existing rule is too strictly defined. Ensure
that you check which GPO is currently preventing the file from running. To determine this, you can
use the Group Policy Results Wizard to view rule names.
Step 5: Modify the AppLocker policy
After you have identified which rules need to be edited or added to the policy, you can use the
Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For
AppLocker policies that are not managed by a GPO, you can use the Local Security Policy
snap-in. For information about how to modify an AppLocker policy, see Editing an AppLocker Policy.
Step 6: Repeat policy testing, analysis, and policy modification
Repeat the previous steps 3–5 until all the rules perform as intended before applying
enforcement.
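As an added Windows PowerShell example (not part of this guide), the following script carries out steps 3 and 4 on a reference computer that receives the Audit only policy: it tests the effective policy against the business group's executables, summarizes the audited events, and writes candidate rules to a file for review against your rule list. The application folder and the output path are assumptions.

```powershell
# Added example, not from the guide. Run on a reference computer that receives
# the Audit only policy; the AppLocker module ships with Windows 7 / 2008 R2.
Import-Module AppLocker

# Assumptions: the business group's applications live under $AppRoot, and the
# candidate rules are written to $CandidateRules for review, not imported.
$AppRoot        = 'C:\Program Files\Contoso'
$CandidateRules = Join-Path $env:TEMP 'AppLocker-candidate-rules.xml'
$ExeLog         = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Step 3: evaluate the effective policy (local policy merged with every linked
# GPO) against each executable for the group, as the Everyone principal, and
# keep only the decisions that would block the file once enforcement is on.
$files = Get-ChildItem -Path $AppRoot -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Convert-Path
$denied = @()
if ($files) {
    $denied = @(Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $files -User Everyone -Filter Denied, DeniedByDefault)
}
Write-Host ("Executables under {0} that would be blocked: {1}" -f $AppRoot, $denied.Count)
# DeniedByDefault means no rule matched at all; Denied means a deny rule matched.
$denied | Format-Table -Property FilePath, PolicyDecision, MatchingRule -AutoSize

# Step 4: summarize the Audit only events already recorded for EXE and DLL files.
# -Statistics collapses repeated events into one line per file with a count.
# With an event subscription in place, point -LogPath at the ForwardedEvents log.
Get-AppLockerFileInformation -EventLog -LogPath $ExeLog -EventType Audited -Statistics |
    Format-Table -AutoSize

# Turn the audited files into candidate allow rules to compare against the rule
# list: publisher rules for signed files, hash rules for unsigned ones. -Optimize
# merges files from the same publisher and product into a single rule.
$audited = @(Get-AppLockerFileInformation -EventLog -LogPath $ExeLog -EventType Audited)
if ($audited.Count -gt 0) {
    $audited |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
            -RuleNamePrefix Audited -Optimize -Xml |
        Out-File -FilePath $CandidateRules -Encoding UTF8
    Write-Host "Candidate rules written to $CandidateRules; review them before importing."
} else {
    Write-Host "No audited events in $ExeLog on this computer."
}
```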
Deploying the AppLocker Policy into Production
This topic describes the tasks that should be completed before deploying AppLocker application
control settings.
After successfully testing and modifying the AppLocker policy for each Group Policy object
(GPO), you are ready to deploy the enforcement settings into production. For most organizations,
this means switching the AppLocker enforcement setting from Audit only to Enforce rules.
However, it is important to follow the deployment plan that you created earlier. For more
information, see the AppLocker Policies Design Guide. Depending upon the needs of different
business groups in your organization, you might be deploying different enforcement settings for
linked GPOs.
Understanding your design decisions
Before deploying an AppLocker policy, you should have determined:
For each business group, which applications will be controlled and in what manner. For more information, see Create the List of Applications Deployed to Each Business Group.
How to handle requests for application access. For information about what to consider when developing your support policies, see Planning for AppLocker Policy Management.
How to manage events, including forwarding events. For information about event management in AppLocker, see Monitoring Application Usage with AppLocker.
Your GPO structure, including how to include both Software Restriction Policies (SRP) policies and AppLocker policies. For more information, see Determine Group Policy structure and rule enforcement.
For information about how AppLocker deployment is dependent upon design decisions, see
Understanding AppLocker Policy Design Decisions.
AppLocker deployment methods
If you have configured a reference computer, you can create and update your AppLocker policies
on this computer, test the policies, and then export the policies to the appropriate GPO for
distribution. The other method is to create the policies with the enforcement setting set at Audit
only and observe the events generated.
Using a Reference Computer to Create and Maintain AppLocker Policies
This topic describes the steps to use an AppLocker reference computer to prepare application
control policies for deployment by using Group Policy or other means.
Deploying AppLocker Policies by Using the Enforce Rules Setting
This topic describes the steps to deploy the AppLocker policy by changing the enforcement
setting to either Audit only or Enforce rules.
Deploying AppLocker Policies by Using the Enforce Rules Setting
This topic describes the steps to deploy AppLocker policies by using the enforcement setting
method.
Background and prerequisites
These procedures assume that you have already deployed AppLocker policies with the
enforcement set to Audit only, and you have been collecting data through the AppLocker event
logs and other channels to determine what effect these policies have on your environment and
the policy's adherence to your application control design.
For information about the AppLocker policy enforcement setting, see Understanding AppLocker
Enforcement Settings.
For information about how to plan an AppLocker policy deployment, see AppLocker Policies
Design Guide.
Step 1: Retrieve the AppLocker policy
Updating an AppLocker policy that is currently enforced in your production environment can have
unintended results. Using Group Policy, you can export the policy from the Group Policy object
(GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test
computer. For the procedure to do this, see Export an AppLocker Policy from a GPO and
Import an AppLocker Policy into a GPO. For local AppLocker policies, you can update the rule
or rules by using the Local Security policy snap-in on your AppLocker reference or test computer.
For the procedures to do this, see Export an AppLocker Policy to an XML File and Import an
AppLocker Policy from Another Computer.
Step 2: Alter the enforcement setting
Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides
the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. By
default, if enforcement is not configured and rules are present in a rule collection, those rules are
enforced. For information about the enforcement setting, see Understanding AppLocker
Enforcement Settings. For the procedure to alter the enforcement setting, see Configure an
AppLocker Policy for Audit Only.
Step 3: Update the policy
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot
specify a version for the AppLocker policy by importing additional rules. To ensure version control
when modifying an AppLocker policy, use Group Policy management software that allows you to
create versions of GPOs. An example of this type of software is the Advanced Group Policy
Management feature from the Microsoft Desktop Optimization Pack. For more information about
Advanced Group Policy Management, see Advanced Group Policy Management Overview
(http://go.microsoft.com/fwlink/?LinkId=145013).
Caution
You should not edit an AppLocker rule collection while it is being enforced in Group
Policy. Because AppLocker controls what files are allowed to run, making changes to a
live policy can create unexpected behavior.
For the procedure to update the GPO, see Import an AppLocker Policy into a GPO.
For the procedures to distribute policies for local computers by using the Local Security Policy
snap-in, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy
from Another Computer.
Step 4: Monitor the effect of the policy
When a policy is deployed, it is important to monitor the actual implementation of that policy. You
can do this by monitoring your support organization's application access request activity and
reviewing the AppLocker event logs. To monitor the effect of the policy, see View the AppLocker
Log in Event Viewer and Review AppLocker Events with Get-AppLockerFileInformation.
Using a Reference Computer to Create and Maintain AppLocker Policies
This topic describes the steps to create and maintain AppLocker policies by using a reference
computer.
Background and prerequisites
An AppLocker reference computer must be configured before it can be used to create and
maintain AppLocker policies. For the procedure to do this, see Configure the AppLocker
Reference Computer.
An AppLocker reference computer used for AppLocker policy creation and maintenance should
contain the corresponding applications for each organizational unit (OU) to mimic your production
environment.
Important
The reference computer must be running one of the supported editions of Windows 7.
For information about operating system requirements for AppLocker, see Requirements
to Use AppLocker.
You can perform AppLocker policy testing on the reference computer, either by using the Audit
only enforcement setting or Windows PowerShell cmdlets. You can also use the reference
computer as part of a testing configuration that might include policies created by using Software
Restriction Policies.
Step 1: Automatically generate rules on the reference computer
AppLocker allows you to automatically generate rules for all files within a folder. AppLocker scans
the specified folder and creates the condition types that you choose for each file in that folder. For
the procedure to do this, see Run the Automatically Generate Rules Wizard.
Note
If you are running the wizard to create your first rules for a Group Policy object (GPO),
you will be prompted to create the default rules, which allow critical system files to run,
after completing the wizard. You may edit the default rules at any time. If your
organization has decided to edit the default rules or create custom rules to allow the
Windows system files to run, ensure that you delete the default rules after replacing them
with your custom rules.
Step 2: Create the default rules on the reference computer
AppLocker includes default rules for each rule collection. These rules are intended to help ensure
that the files that are required for Windows to operate properly are allowed in an AppLocker rule
collection. You must run the default rules for each rule collection. For information about default
rules and considerations when using them, see Understanding AppLocker Default Rules. For
the procedure to create default rules, see Create AppLocker Default Rules.
Important
You can use the default rules as a template when creating your own rules to allow files
within the Windows directory to run. However, these rules are only meant to function as a
starter policy when you are first testing AppLocker rules.
Step 3: Modify rules and the rule collection on the reference computer
If AppLocker policies are currently in your production environment, export the policy from the
corresponding GPO and save it to the reference computer. For the procedure to do this, see
Export an AppLocker Policy from a GPO. If no AppLocker policies have been deployed, then
create the rules and develop the policies by using the following procedures:
Create a Rule that Uses a Publisher Condition
Create a Rule that Uses a File Hash Condition
Create a Rule that Uses a Path Condition
Edit AppLocker Rules
Configure Exceptions for an AppLocker Rule
Delete an AppLocker Rule
Enable the DLL Rule Collection
Enforce AppLocker Rules
Step 4: Test and update the policy on the reference computer
You should test each set of rules to ensure that they perform as intended. The
Test-AppLockerPolicy Windows PowerShell cmdlet can be used to determine whether any
files on your reference computer would be blocked by the rules in your rule collection. Perform the steps on
each reference computer that you used to define the AppLocker policy. Ensure that the reference
computer is joined to the domain and is receiving the AppLocker policy from the appropriate
GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the
rules for simultaneous testing in all of your test GPOs. Use the following procedures to complete
this step:
Test an AppLocker Policy with Test-AppLockerPolicy
Discover the Effect of an AppLocker Policy
Caution
If you have set the enforcement setting on the rule collection to Enforce rules or have
not configured the rule collection, the policy will be implemented when the GPO is
updated in the next step. If you have set the enforcement setting on the rule collection to
Audit only, then application access events are written to the AppLocker log and the
policy will not take effect.
Step 5: Export and import the policy into production
When the AppLocker policy has been tested successfully, it can be imported into the GPO (or
imported into individual computers that are not managed by Group Policy) and once again
checked for its intended effectiveness. To do this, perform the following procedures:
Export an AppLocker Policy to an XML File
Import an AppLocker Policy into a GPO or Import an AppLocker Policy from Another Computer
Discover the Effect of an AppLocker Policy
If the AppLocker policy enforcement setting is Audit only and you are satisfied that the policy is
fulfilling your intent, you can change it to Enforce rules. For information about how to change the
enforcement setting, see Configure an AppLocker Policy for Enforce Rules.
Step 6: Monitor the effect of the policy in production
If additional refinements or updates are necessary after a policy is deployed, use the appropriate
procedures below to monitor and update the policy:
Discover the Effect of an AppLocker Policy
Review AppLocker Events with Get-AppLockerFileInformation
Editing an AppLocker Policy
Refresh an AppLocker Policy
Determine Which Applications Are Digitally Signed on a Reference Computer
This topic describes how to use AppLocker logs and tools to determine which applications are
digitally signed.
The Windows PowerShell cmdlet Get-AppLockerFileInformation can be used to determine
which applications installed on your reference computers are digitally signed. Perform the
following steps on each reference computer that you used to define the AppLocker policy. The
computer does not need to be joined to the domain.
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure.
To determine which applications are digitally signed on a reference computer
1. From the command line on the reference computer, run Get-AppLockerFileInformation with the appropriate parameters.
The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from
a list of files or from an event log. File information that is retrieved can include publisher
information, file hash information, and file path information. File information from an event
log may not contain all of these fields. Files that are not signed do not have any publisher
information.
2. Analyze the publisher's name and digital signature status from the output of the command.
For command parameters, syntax, and examples, see Get-AppLockerFileInformation.
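The analysis in step 2, as an added Windows PowerShell example that is not part of this guide: the script inventories the files under an assumed application folder, separates signed from unsigned files, and groups the signed ones by publisher and product so that each group can be covered by a single publisher rule.

```powershell
# Added example, not from the guide. Run in an elevated Windows PowerShell
# session on the reference computer; the folder below is an assumption.
Import-Module AppLocker

$AppRoot = 'C:\Program Files\Contoso'

# Collect publisher, hash and path information for every file type that
# AppLocker controls. A file that is not signed comes back with no Publisher.
$info = @(Get-AppLockerFileInformation -Directory $AppRoot -Recurse `
    -FileType Exe, Dll, Script, WindowsInstaller)

$signed   = @($info | Where-Object { $null -ne $_.Publisher })
$unsigned = @($info | Where-Object { $null -eq $_.Publisher })

Write-Host ("Scanned {0} files: {1} signed, {2} unsigned" -f $info.Count, $signed.Count, $unsigned.Count)

# Signed files grouped by publisher and product: each group is a candidate for
# one publisher rule, which keeps working when the vendor ships a signed update.
Write-Host 'Signed files by publisher and product:'
$signed |
    Group-Object -Property { '{0} | {1}' -f $_.Publisher.PublisherName, $_.Publisher.ProductName } |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# Unsigned files can only be allowed by hash or path rules. A hash rule stops
# matching on every update of the file, so record these in the planning document.
Write-Host 'Unsigned files (need hash or path rules):'
$unsigned | ForEach-Object { "$($_.Path)" } | Sort-Object
```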
Configure the AppLocker Reference Computer
This topic describes steps to create an AppLocker policy platform structure on a reference
computer running Windows 7.
An AppLocker reference computer used for the development and deployment of AppLocker
policies should mimic the directory structure and corresponding applications in the organizational
unit (OU) or business group for the production environment. On a reference computer, you can:
Maintain an application list for each business group.
Develop AppLocker policies by either creating individual rules or creating a policy by automatically generating rules.
Create the default rules to allow the Windows system files to run properly.
Run tests and analyze the event logs to determine the effect of the policies you intend to deploy.
The reference computer does not need to be joined to a domain but must be able to import and
export AppLocker policies in XML format. The reference computer must be running one of the
supported editions of Windows 7. For information about the supported editions, see
Requirements to Use AppLocker.
To configure a reference computer
1. If the operating system is not already installed, install one of the supported editions of Windows 7 on the computer.
Note
If you use another computer to test your implementation of AppLocker policies by
using Group Policy, you can export the policies to the other computer on which
the Group Policy Management Console (GPMC) is installed.
2. Configure the administrator account.
To update local policies, you must be a member of the local Administrators group. To
update domain policies, you must be a member of the Domain Admins group or have
delegated privileges to use Group Policy to update a Group Policy object (GPO).
3. Install all applications that run in the targeted business group or OU by using the same directory structure.
The reference computer should be configured to mimic the structure of your production
environment. It is dependent upon the same applications in the same directories as they
are in production in order to accurately create the rules.
4. Import the AppLocker Windows PowerShell cmdlet module.
To use the AppLocker cmdlets, you must first import the AppLocker module by using the
following command at the Windows PowerShell command prompt: C:\PS> Import-Module AppLocker.
Scripting must be enabled on the computer. For information about Windows
PowerShell, see the Windows PowerShell Help file (WindowsPowerShellHelp.chm). For
information about using the cmdlets, see Using the AppLocker Windows PowerShell
Cmdlets.
Additional resources
After you configure the reference computer, you can now create the AppLocker rule
collections. You can build, import, or automatically generate the rules. For procedures to do this, see AppLocker Rule Procedures.
Maintaining AppLocker Policies
This topic describes how to maintain rules within AppLocker policies.
Common AppLocker maintenance scenarios include:
A new application is deployed, and you need to update an AppLocker policy.
A new version of an application is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy.
An application is no longer supported by your organization, so you need to prevent it from being used.
An application appears to be blocked but should be allowed.
An application appears to be allowed but should be blocked.
A single user or small subset of users needs to use a specific application that is blocked.
There are two methods you can use to maintain AppLocker policies:
Maintaining AppLocker policies by using Group Policy
Maintaining AppLocker policies by using the Local Security Policy snap-in
As new applications are deployed or existing applications are removed by your organization or
updated by the software publisher, you might need to make revisions to your rules and update the
Group Policy object (GPO) to ensure that your policy is current.
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot
specify a version for the AppLocker policy by importing additional rules. To ensure version control
when modifying an AppLocker policy, use Group Policy management software that allows you to
create versions of GPOs, such as Microsoft Advanced Group Policy Management (AGPM). For
more information about AGPM, see Advanced Group Policy Management Overview
(http://go.microsoft.com/fwlink/?LinkId=145013).
Caution
You should not edit an AppLocker rule collection while it is being enforced in Group
Policy. Because AppLocker controls what files are allowed to run, making changes to a
live policy can create unexpected behavior.
Maintaining AppLocker policies by using Group Policy
For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include
the following tasks.
Step 1: Understand the current behavior of the policy
Before modifying a policy, evaluate how the policy is currently implemented. For example, if a
new version of the application is deployed, you can use Test-AppLockerPolicy to verify the
effectiveness of your current policy for that application. To read the procedures necessary to
understand the current behavior of the policy, see Discovering the Effect of an AppLocker
Policy. Updating your AppLocker planning document will help you track your findings. For
information about creating this document, see Creating Your AppLocker Planning Document.
For information about Test-AppLockerPolicy and examples of how to use it, see Test-
AppLockerPolicy (http://go.microsoft.com/fwlink/?LinkId=169000).
Step 2: Export the AppLocker policy from the GPO
Updating an AppLocker policy that is currently enforced in your production environment can have
unintended results. Therefore, export the policy from the GPO and update the rule or rules by
using AppLocker on your AppLocker reference or test computer. To prepare an AppLocker policy
for modification, see Export an AppLocker Policy from a GPO.
Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
After the AppLocker policy has been exported from the GPO into the AppLocker reference or test
computer, or has been accessed on the local computer, the specific rules can be modified as
required.
To modify AppLocker rules, see the following:
Edit AppLocker Rules
Merge AppLocker Policies by Using Set-AppLockerPolicy or Merge AppLocker Policies Manually
Delete an AppLocker Rule
Enforce AppLocker Rules
Step 4: Test the AppLocker policy
You should test each collection of rules to ensure that the rules perform as intended. (Because
AppLocker rules are inherited from linked GPOs, you should deploy all rules for simultaneous
testing in all test GPOs.) For steps to perform this testing, see Testing and Updating an
AppLocker Policy.
Step 5: Import the AppLocker policy into the GPO
After testing, import the AppLocker policy back into the GPO for implementation. To update the
GPO with a modified AppLocker policy, see Import an AppLocker Policy into a GPO.
Step 6: Monitor the resulting policy behavior
After deploying a policy, evaluate the policy's effectiveness. For steps to understand the new
behavior of the policy, see Discovering the Effect of an AppLocker Policy.
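The GPO round trip in steps 2 through 5 above (and steps 1 through 3 of Deploying AppLocker Policies by Using the Enforce Rules Setting), as an added Windows PowerShell example that is not part of this guide. The GPO's LDAP path, the working folder, the rule file and the application folder are placeholders, and the script writes back to the GPO only when $WriteBackToGpo is set and the merged policy produced no denials.

```powershell
# Added example, not from the guide. Requires the AppLocker module and rights to
# read and write the target GPO (Domain Admins or delegated GPO edit rights).
Import-Module AppLocker

# Placeholders: the GPO that carries the production policy, a working folder on
# the reference computer, an XML file with the rules to add, and the folder of
# applications used to check the result. Replace them for your environment.
$GpoLdap  = 'LDAP://dc01.contoso.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'
$WorkDir  = 'C:\AppLockerWork'
$NewRules = Join-Path $WorkDir 'new-rules.xml'
$AppRoot  = 'C:\Program Files\Contoso'
$WriteBackToGpo = $false   # set to $true only after the merged policy is reviewed

if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }

# Step 2: export the live policy. AppLocker has no policy versioning of its own,
# so the timestamped export doubles as the rollback copy for this change.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$exported = Join-Path $WorkDir "policy-$stamp.xml"
Get-AppLockerPolicy -Domain -Ldap $GpoLdap -Xml | Out-File -FilePath $exported -Encoding UTF8

# Step 3: edit on the reference computer, never in the live GPO. Loading the
# export replaces this computer's local policy, enforcement settings included;
# then merge in the new rules and export the merged result to a file.
Set-AppLockerPolicy -XmlPolicy $exported
Set-AppLockerPolicy -XmlPolicy $NewRules -Merge
$merged = Join-Path $WorkDir "policy-$stamp-merged.xml"
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $merged -Encoding UTF8

# Step 4: test the merged policy file against the group's executables. Anything
# still denied here would be denied in production once enforcement is on.
$files  = Get-ChildItem -Path $AppRoot -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Convert-Path
$denied = @()
if ($files) {
    $denied = @(Test-AppLockerPolicy -XmlPolicy $merged -Path $files -User Everyone `
        -Filter Denied, DeniedByDefault)
}
$denied | Format-Table -Property FilePath, PolicyDecision, MatchingRule -AutoSize

# Step 5: import the tested policy back into the GPO. Without -Merge the GPO's
# rule collections are replaced by the file, so this is a whole-policy swap.
if ($denied.Count -eq 0 -and $WriteBackToGpo) {
    Set-AppLockerPolicy -XmlPolicy $merged -Ldap $GpoLdap
    Write-Host "Imported $merged into the GPO; previous policy kept at $exported"
} else {
    Write-Host "GPO not updated. Review $merged and the $($denied.Count) denial(s) listed above."
}
```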
Maintaining AppLocker policies by using the Local Security Policy snap-in
For every scenario, the steps to maintain an AppLocker policy distributed by using the Local
Security Policy snap-in include the following tasks.
Step 1: Understand the current behavior of the policy
Before modifying a policy, evaluate how the policy is currently implemented. To read the
procedures necessary to understand the current behavior of the policy, see Discovering the
Effect of an AppLocker Policy. Updating your AppLocker planning document will help you track
your findings. For information about creating this document, see Creating Your AppLocker
Planning Document.
Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule
Rules are grouped into a collection, which can have the policy enforcement setting applied to it.
By default, AppLocker rules do not allow users to open or run any files that are not specifically
allowed.
To modify AppLocker rules, see the appropriate topic in the AppLocker Rule Procedures
collection.
Step 3: Test the AppLocker policy
You should test each collection of rules to ensure that the rules perform as intended. For steps to
perform this testing, see Testing and Updating an AppLocker Policy.
Step 4: Deploy the policy with the modified rule
You can export and then import AppLocker policies to deploy the policy to other computers
running Windows 7 or Windows Server 2008 R2. To perform this task, see Export an AppLocker
Policy to an XML File and Import an AppLocker Policy from Another Computer.
Step 5: Monitor the resulting policy behavior
After deploying a policy, evaluate the policy's effectiveness. For steps to understand the new
behavior of the policy, see Discovering the Effect of an AppLocker Policy.
Additional resources
For steps to perform other AppLocker policy tasks, see Administering AppLocker.