Hi all,
For this post, let's go through a very simple set of steps for configuring a basic AppLocker policy in Windows Server 2012 R2...
So, what is AppLocker?
AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting feature that controls which applications users are allowed to run.
AppLocker provides administrators a variety of methods for determining quickly and concisely the identity of applications that they may want to restrict, or to which they may want to permit access.
You apply AppLocker through Group Policy to computer objects within an OU. You can also apply individual AppLocker rules to individual AD DS users or groups.
That's just a plain explanation of AppLocker; now let's try the basic configuration...
For this demo, as usual, I used my existing domain controller, DC01.comsys.local, and my Windows 8 client (Surface01.comsys.local). What I am going to do is a very simple set of steps in which I implement AppLocker to restrict non-standard applications, such as a .bat file, from running...
Let's get started...
1 - First, make sure you move any PC / client into a specific computer OU, so that we know only the PCs / clients listed in that OU are affected by the AppLocker policy. In my demo, I have already moved Surface01.comsys.local into the ComSystem Laptop OU...
2 - Next, on the Domain Server, open Group Policy Management...
3 - In the GPMC, double-click Forest: Comsys.local, expand until you get to Group Policy Objects, then right-click it and click New...
4 - In the New GPO box, type ComSystem Software Control GPO, and then click OK...
5 - Next, right-click ComSystem Software Control GPO, and then click Edit...
6 - Once the Group Policy Management Editor opens, double-click Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then expand AppLocker...
7 - Under AppLocker, right-click Executable Rules, and then click Create Default Rules. You can repeat this step for Windows Installer Rules, Script Rules, and Packaged app Rules...
8 - Once you have created the default rules, click AppLocker, and then in the right pane, click Configure rule enforcement...
9 - Next, in the AppLocker Properties box, under Executable rules, select the Configured check box, and then from the drop-down menu, select Audit only. For this demo, I also checked Windows Installer Rules, Script Rules and Packaged app Rules, and then clicked OK...
10 - Next, in the Group Policy Management Editor, go to System Services, and then double-click Application Identity, click Define this policy setting, under Select service startup mode, click Automatic, and then click OK...
11 - Next, in the GPMC, right-click the ComSystem Laptop OU, and then click Link an Existing GPO...
12 - In the Select GPO window, in the Group Policy Objects list, click ComSystem Software Control GPO, and then click OK...
13 - Next, log in to your Windows 8 client (mine is Surface01.comsys.local), open a Command Prompt, type gpupdate /boot /force and press Enter. Then type gpresult /r to check the result and ensure that ComSystem Software Control GPO is displayed under Computer Settings, Applied Group Policy Objects...
14 - Next, still on the Windows 8 client, on my desktop I have one batch file called Comsystem. This is a .bat script whose function is to clear all Event Viewer log files. Let's see whether we can run this batch file by executing it...
15 - It looks like my batch file can run. Now open Event Viewer on the Windows 8 client and let's see what information is available in it...
** In the Event Viewer window, under MSI and Script, you will see a few event log entries with ID 8005 that contain the following text: %OSDRIVE%\USERS\ADMINISTRATOR\DESKTOP\COMSYSTEM.BAT was allowed to run... meaning we can still execute the batch file, but the event is logged as information. So now let's block this batch file so that it cannot be run anymore...
16 - On the Domain Server, open ComSystem Software Control GPO and browse to Computer Configuration/Policies/Windows Settings/Security Settings/Application Control Policies/AppLocker. Click Script Rules, and then in the right pane, double-click Allow. In the Allow Properties box, click Deny and click OK to proceed. Repeat the step for the next Allow rule...
17 - Next, on the Windows 8 client, in the command prompt, type gpupdate /boot /force and press Enter...
18 - Next, still in the command prompt, change to the folder where you keep the batch file. In my case I put it on my desktop, so I type cd desktop, then type the batch file name (comsystem) and press Enter. You should get an error stating "This program is blocked by group policy."
19 - Our last step: open Event Viewer on the Windows 8 client, and you should see Event ID 8007 with the error stating %OSDRIVE%\USERS\ADMINISTRATOR\DESKTOP\COMSYSTEM.BAT was prevented from running...
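As an added example (not part of the original post), here is the PowerShell check I would run on the client after each gpupdate in steps 13 and 17, instead of relying only on double-clicking the batch file and browsing Event Viewer. It confirms the Application Identity service is running, lists the enforcement mode of every rule collection in the effective policy (a Deny rule only blocks when its collection is set to Enforce rules; under Audit only the script still runs), asks AppLocker what it would decide for the batch file, and then pulls the 8005/8006/8007 events the post looks at. It goes slightly beyond the post by also reading the EXE and DLL log (events 8002/8003/8004), which are the same three outcomes for the Executable rules collection. The desktop path and the lab names are the post's own; the 'Everyone' principal is an assumption you can replace with a specific account.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the Windows 8 client (Surface01 in the post) after gpupdate.
# Assumptions: the batch file sits on the current user's desktop as in the post;
# $user is a placeholder principal for the policy test.

# --- 1. Application Identity service: AppLocker does nothing unless it is running.
$appId = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
"AppIDSvc: state={0} startmode={1} (step 10 of the GPO sets Automatic)" -f $appId.State, $appId.StartMode

# --- 2. Effective policy (local policy merged with every linked GPO) and the
#        enforcement mode of each rule collection. A Deny rule only blocks when
#        its collection is 'Enabled' (Enforce rules); under 'AuditOnly' the file
#        still runs and an audit event (8003/8006) is written instead.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policyXml.AppLockerPolicy.RuleCollection) {
    "{0,-14} mode={1,-14} rules={2}" -f $rc.Type, $rc.EnforcementMode, @($rc.ChildNodes).Count
}

# --- 3. Ask AppLocker what it would decide for the batch file, for a given
#        principal, before relying on a manual run. PolicyDecision is one of
#        Allowed, Denied, AllowedByDefault or DeniedByDefault.
$script = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Comsystem.bat'
$user   = 'Everyone'    # placeholder; use 'COMSYS\someuser' to evaluate one account
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $script -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule

# --- 4. Review what AppLocker logged. 8005/8006/8007 cover scripts and MSI
#        (the post's case); 8002/8003/8004 are the same outcomes for EXE/DLL.
$logs = @{
    'Microsoft-Windows-AppLocker/MSI and Script' = 8005, 8006, 8007
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8002, 8003, 8004
}
$meaning = @{
    8002 = 'allowed'; 8003 = 'AUDIT: would have been blocked'; 8004 = 'BLOCKED'
    8005 = 'allowed'; 8006 = 'AUDIT: would have been blocked'; 8007 = 'BLOCKED'
}
foreach ($log in $logs.Keys) {
    # -ErrorAction SilentlyContinue hides the "no events found" error on a quiet log.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log] } -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The first line of the message is the file path plus the outcome text,
            # e.g. "%OSDRIVE%\USERS\ADMINISTRATOR\DESKTOP\COMSYSTEM.BAT was prevented from running."
            "{0:u}  {1}  {2,-32}  {3}" -f $_.TimeCreated, $_.Id, $meaning[$_.Id], ($_.Message -split "`r?`n")[0]
        }
}
```

After step 13 you would expect the Script collection to show mode=AuditOnly with a PolicyDecision of Allowed and 8005 events; after step 16 and the second gpupdate, the Script collection should report its Deny rules, the decision should be Denied, and 8007 should appear. If you instead see 8006 events and the file still runs, the collection is still in audit mode, which is the first thing to check before revisiting the rules themselves.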