I am only running this in audit mode and I am already finding benefits of using it. AppLocker lets you allow-list applications: anything not covered by a rule is blocked (or, in audit mode, logged as if it would have been blocked). If you use it on workstations where users are not local administrators, it stops almost any malware that arrives as an executable, without relying on any other protection. It turns out to be a lot easier than I thought.
The idea of allow-listing every application felt like a daunting task. AppLocker ships with a set of default rules that make this much easier, and running those default rules in audit mode gives you a good idea of how much work is left. If you use a consistent image for every workstation deployment and install everything under Program Files, the remaining work is very small.
First we need to enable the Application Identity service (AppIDSvc), which AppLocker depends on; without it running, no rules are evaluated. I set it to Automatic in the same Group Policy object that I plan on configuring the rules in (Computer Configuration > Policies > Windows Settings > Security Settings > System Services). It starts on the next reboot. The next step is to set the Executable Rules collection to "Audit only" in the AppLocker properties, so that nothing is actually blocked while you build the rule set.
Now we need to create some rules. Right-click on Executable Rules and choose Create Default Rules. This creates three rules that keep you from locking users out of their computers. The first is the Administrators rule, which lets local admins run anything. The other two are path rules covering the Windows folder (%WINDIR%) and the Program Files folder (%PROGRAMFILES%, which covers both Program Files and Program Files (x86)). Any file in those locations is allowed to run.
If your users are not local administrators on the workstations, then nearly everything in those folders got there by being installed as an administrator. This is the important point that explains why this works so well: a standard user cannot write into the allowed locations, so a downloaded executable has nowhere allowed to run from. The one caveat is that a few subfolders under the Windows folder are writable by standard users (C:\Windows\Temp and C:\Windows\Tasks, for example); add those as exceptions to the Windows path rule, otherwise the default rule allows anything a user drops there. Beyond that, the only rules you need to add are for non-standard programs that don't run from Program Files. Hopefully this is a short list.
There are three types of rules you will deal with: path rules, publisher rules, and file hash rules. Publisher rules are the best choice for signed software, because they survive updates; hash rules have to be regenerated every time the file changes, so keep them for unsigned programs; path rules are only safe for locations users cannot write to. The built-in Create New Rule wizard does most of the work: point it at the installed application and it reads the signature or hash for you. You have the option to adjust the result by hand if needed.
Now apply this policy to computers in Active Directory. Give your computers plenty of time: a reboot and a few days of normal activity. Then review the AppLocker event log on a few machines (Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL). Event ID 8003 means a program ran but would have been blocked under enforcement; that list is exactly the set of extra rules you still need to write.
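The steps above, carried out from PowerShell on a single test workstation, as an added example that is not part of the original post. It assumes an elevated session on a current Windows client with the AppLocker module, and the rule names, descriptions, temporary file paths and the two exception folders are my choices; the post does the same thing through the Group Policy editor, and the `-Ldap` target for a domain GPO is left as a placeholder.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell on a
# Windows 10/11 test workstation with the AppLocker module available.

# 1. Application Identity service. The post sets it via Group Policy (System
#    Services > Application Identity > Automatic); this is the local equivalent.
#    On recent Windows builds the service is protected and may refuse local
#    reconfiguration with "access denied"; the GPO setting still works.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. The three default executable rules in audit mode, plus exceptions for
#    subfolders of %WINDIR% that standard users can write to. Without the
#    exceptions the Windows rule allows anything a user drops into them.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="All files located in the Program Files folder"
                  Description="Everyone may run programs installed by an administrator"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="All files located in the Windows folder"
                  Description="Everyone may run the operating system, except from user-writable folders"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="All files"
                  Description="Local administrators may run anything"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before applying: copies of notepad.exe stand in for "a program the user
# dropped somewhere", so every test path exists. Expected decisions for a
# standard user: System32 allowed, Windows\Temp denied (exception), Downloads
# denied (no matching rule).
$tempCopy = Join-Path $env:SystemRoot 'Temp\notepad-copy.exe'
$userCopy = Join-Path $env:USERPROFILE 'Downloads\notepad-copy.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $tempCopy -Force
Copy-Item "$env:SystemRoot\System32\notepad.exe" $userCopy -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:SystemRoot\System32\notepad.exe", $tempCopy, $userCopy
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $tempCopy, $userCopy -Force

# Apply locally. For the domain, target the GPO instead, e.g.
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap "LDAP://<dc>/CN={<gpo-guid>},CN=Policies,CN=System,DC=<domain>,DC=<tld>"
Set-AppLockerPolicy -XmlPolicy $policyPath

# 3. After a reboot and a few days of use: each 8003 audit event is a program a
#    user ran that enforcement would have blocked. -Statistics collapses them to
#    one line per file with a hit count; this is the remaining work list.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics |
    Format-Table -AutoSize

# 4. Turn the audited files into publisher rules (hash rules where unsigned) and
#    merge them into the policy. Review the generated XML first: being on the
#    list does not make a program one you want to allow.
$extraPath = Join-Path $env:TEMP 'applocker-extra.xml'
Get-AppLockerFileInformation -EventLog -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix Audited -Optimize -IgnoreMissingFileInformation -Xml |
    Set-Content -Path $extraPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $extraPath -Merge
```

`Test-AppLockerPolicy` evaluates a policy file without applying it, so the dry run is a cheap way to confirm the exceptions behave as intended before the policy reaches any machine. Keep `EnforcementMode="AuditOnly"` until the 8003 list on a representative sample of workstations has been empty for a while; switching to `Enabled` is a one-attribute change in the same XML.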