Chapter 5, Lesson 2: Managing AppLocker and Software Restriction Policies

FIGURE 5-22 AppLocker path rule

Creating Rules Automatically

A significant advantage of AppLocker over Software Restriction Policies is the ability to generate rules automatically. To do this, right-click the Executable Rules, Windows Installer Rules, or Script Rules node and then click Automatically Generate Rules. You are asked to specify a directory for the wizard to scan. The options, shown in Figure 5-23, let Windows generate publisher rules for files that are digitally signed and give you the choice of a file hash rule or a path rule for files that are not signed. Alternatively, you can have the wizard create a file hash rule for every file of the type you are configuring. The Automatically Generate Rules wizard scans the folder you specify and all of its subfolders.

Configuring Exceptions

Exceptions exempt specific applications from a more general rule. For example, you could create a publisher rule that allows all versions of a Contoso application named Alpha, and then add an exception that prevents version 42 of Alpha from running. An exception can be specified by publisher, path, or file hash, and the condition type you choose for the exception does not have to match the type of the rule you are creating. (The Create Rule wizard offers an Exceptions page for publisher and path rules; a file hash rule already identifies a single file and has none.) For example, as Figure 5-24 shows, you can create a publisher rule that allows all applications published by Microsoft to run, and add a file hash exception for Solitaire.exe. Keep in mind that an exception only removes the file from the scope of that one rule; it does not block the file. In this example, Solitaire.exe is blocked only because no other rule allows it, so the rule works as intended only if the default path rule for the Program Files folder has not been created. You can add exceptions to Deny (block) rules as well as to Allow rules.
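The two procedures above (generating rules from a folder, then carving one file out of the resulting publisher rule with a file hash exception) can be scripted with the AppLocker PowerShell module that ships with Windows 7 Enterprise and Ultimate. The following is an added example, not code from the training kit; the Contoso folder, the AlphaUpdater.exe file name, and the temp file path are assumed for illustration.

```powershell
# Added example (not from the training kit): scripts the "Automatically Generate Rules"
# and "Configuring Exceptions" procedures with the AppLocker module that ships with
# Windows 7 Enterprise/Ultimate and Windows Server 2008 R2. Run from an elevated
# PowerShell 2.0 prompt. The folder and file names below are assumed for illustration.
Import-Module AppLocker

$AppDir     = 'C:\Program Files\Contoso\Alpha'                   # assumed: folder the wizard would scan
$ExemptFile = 'C:\Program Files\Contoso\Alpha\AlphaUpdater.exe'  # assumed: file to carve out of the publisher rule
$PolicyFile = Join-Path $env:TEMP 'AlphaPolicy.xml'

# 1. Scan the folder and its subfolders for executables, as the wizard does.
$files = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe

# 2. Publisher rules where a file is signed, hash rules otherwise: -RuleType is an ordered
#    preference list. -Optimize merges rules that share publisher and product, so a folder of
#    signed Contoso binaries collapses to one publisher rule instead of one rule per file.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                 -User Everyone -RuleNamePrefix 'Alpha' -Optimize -Xml
$xml = [xml]$policyXml

# 3. Locate the publisher rule that covers the file to be exempted. After -Optimize the rule
#    may be generalised to ProductName or BinaryName "*", so match on those wildcards too.
$exemptInfo = Get-AppLockerFileInformation -Path $ExemptFile
$pub = $exemptInfo.Publisher
if ($pub -eq $null) { throw "$ExemptFile is not signed; it is covered by a hash rule, which cannot take an exception." }

$rule = @($xml.AppLockerPolicy.RuleCollection.FilePublisherRule) | Where-Object {
    $c = $_.Conditions.FilePublisherCondition
    $c.PublisherName -eq $pub.PublisherName -and
    ($c.ProductName -eq '*' -or $c.ProductName -eq $pub.ProductName) -and
    ($c.BinaryName  -eq '*' -or $c.BinaryName  -eq $pub.BinaryName)
} | Select-Object -First 1
if ($rule -eq $null) { throw "No publisher rule in the generated policy covers $ExemptFile." }

# 4. Add a file hash exception to that rule. Rather than hand-assembling the <FileHash> element,
#    generate a throwaway hash rule for the file and transplant its <FileHashCondition>.
$hashXml    = [xml](New-AppLockerPolicy -FileInformation $exemptInfo -RuleType Hash -User Everyone -Xml)
$hashCond   = $hashXml.AppLockerPolicy.RuleCollection.FileHashRule.Conditions.FileHashCondition
$exceptions = $rule.AppendChild($xml.CreateElement('Exceptions'))
[void]$exceptions.AppendChild($xml.ImportNode($hashCond, $true))
$xml.Save($PolicyFile)

# 5. Evaluate the policy before applying it. The exempted file falls out of the Allow rule and,
#    with no other rule covering it, reports DeniedByDefaultRule; the rest report Allowed.
$testPaths = @($ExemptFile) + @(Get-ChildItem $AppDir -Recurse -Filter *.exe | ForEach-Object { $_.FullName })
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $testPaths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Apply only once the decisions look right. -Merge adds these rules to the existing local
#    policy instead of replacing it; enforcement still requires the Application Identity service.
# Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

Step 5 tests only the generated XML. Once the rules are merged into a local policy that also contains the default Program Files rule, re-run Test-AppLockerPolicy against the output of Get-AppLockerPolicy -Effective -Xml saved to a file: the exempted file will then report Allowed by the default rule, which is exactly the caveat the text makes about the Solitaire.exe example.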
FIGURE 5-23 Creating rules automatically

FIGURE 5-24 Configuring an exemption

AppLocker Auditing

Because AppLocker can have a significant impact on how applications function in your organization's environment, it is prudent to audit AppLocker before enforcing its policies. Audit-only mode lets you verify which applications a policy would affect without actually blocking them. To configure this, set each AppLocker rule collection to Audit Only rather than Enforce Rules, as shown in Figure 5-25. Enforcement is configured per rule collection (executable, Windows Installer, and script), so one collection can be audited while another is enforced.

FIGURE 5-25 Configuring AppLocker auditing

AppLocker audit events are written to the AppLocker event logs, which are found in Event Viewer under Applications and Services Logs\Microsoft\Windows\AppLocker (one log for EXE and DLL, another for MSI and Script). Each event records:

• The rule name
• The SID of the targeted user or group
• Which file the rule affects and its path
• Whether the file was allowed, blocked, or (in audit mode) would have been blocked
• The rule type (publisher, path, or file hash)

You will learn more about auditing in Chapter 8, "Branch Cache and Resource Sharing."

More Info: AppLocker Auditing
To learn more about configuring auditing for AppLocker, consult the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/dd723693.aspx.

Exam Tip
Understand why one user might be able to execute an application while another user is unable to execute the same application.

Practice: Restricting Applications

In this practice, you use two different methods to restrict the execution of applications: Software Restriction Policies and AppLocker. Software Restriction Policies can restrict the execution of applications on computers running Windows XP, Windows Vista, and Windows 7.
AppLocker is new to Windows 7 and is available only in the Ultimate and Enterprise editions.

Exercise 1: Configuring a Software Restriction Policy

In this exercise, you create a Software Restriction Policy hash rule to block the execution of the Windows Calculator application. To complete this exercise, perform the following steps:

1. Log on to computer Canberra using the Kim_Akers user account.
2. Click Start, type Calculator, and then press Enter. Verify that the Calculator application starts, and then close it.
3. Click Start, type gpedit.msc, and then press Enter. This opens the Local Group Policy Editor console.
4. Navigate to the Computer Configuration\Windows Settings\Security Settings node.
5. Right-click the Software Restriction Policies node and choose New Software Restriction Policies.
6. Right-click the Additional Rules node and then choose New Hash Rule. This opens the New Hash Rule dialog box. Click Browse and navigate to the \Windows\System32 folder.
7. In the Open dialog box, type calc.exe in the File Name text box and then click Open. Ensure that the Security Level is set to Disallowed, as shown in Figure 5-26, and then click OK.
8. Close the Local Group Policy Editor and then restart the computer. Log back on using the Kim_Akers user account.

FIGURE 5-26 Creating a hash rule

9. Click Start, type Calculator, and then press Enter. You should see the message shown in Figure 5-27.

FIGURE 5-27 Calculator application blocked by policy

10. Click Start, type gpedit.msc, and then press Enter. This opens the Local Group Policy Editor console. Navigate to the Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules node and then delete the hash rule for calc.exe.
11. Close the Local Group Policy Editor console and then restart the computer.
Log on as Kim_Akers and verify that you can again open the Calculator application.

Exercise 2: Configuring AppLocker

In this exercise, you configure an AppLocker publisher rule to block the Solitaire application. AppLocker rules are evaluated only while the Application Identity service is running, so the exercise starts that service first. To complete the exercise, perform the following steps:

1. If you are not already logged on to computer Canberra, log on as Kim_Akers.
2. Click Start, type Solitaire, and then press Enter. Verify that the Solitaire application opens, and then close it.
3. Click Start, type services.msc, and then press Enter. This opens the Services console.
4. Double-click the Application Identity service. Set the Startup Type to Automatic, as shown in Figure 5-28, click Start, and then click OK. Close the Services console.

FIGURE 5-28 Configuring the startup properties of the Application Identity service

5. Click Start, type gpedit.msc, and then press Enter. This opens the Local Group Policy Editor console.
6. Navigate to the Computer Configuration\Windows Settings\Security Settings\Application Control Policies node and then select the AppLocker item.
7. Right-click Executable Rules and then choose Create New Rule. On the Before You Begin page of the Create Executable Rules wizard, click Next.
8. On the Permissions page, select Deny and then click Next.
9. On the Conditions page, select Publisher and then click Next.
10. On the Publisher page, click Browse. Navigate to the \Program Files\Microsoft Games\Solitaire folder and then double-click Solitaire.exe.
11. On the Publisher page, select the Use Custom Values check box, and then verify that the settings match those shown in Figure 5-29. Click Create.
12. When prompted to create the default rules, click Yes. (As soon as the Executable Rules collection contains a rule, anything not explicitly allowed is blocked; without the default rules, every other executable on the computer would stop running.)
13. Close the Local Group Policy Editor console, shut down the computer, and then restart it.

FIGURE 5-29 A rule blocking the Solitaire application

14.
Log on with the Kim_Akers user account and attempt to open the Solitaire application. You should receive a message informing you that it has been blocked by policy, as shown in Figure 5-30.

FIGURE 5-30 Solitaire blocked by policy

15. Click Start, type services.msc, and then press Enter. This opens the Services console.
16. Double-click the Application Identity service. Set the Startup Type to Disabled. Close the Services console. With the service stopped, AppLocker rules are no longer evaluated, so Solitaire will run again after the next restart.

Lesson Summary

• Software Restriction Policies can be used on computers running Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7.
• You can choose a Software Restriction Policy default rule that blocks all applications that are not explicitly allowed, or a default rule that allows all applications that are not subject to any other rule.
• Software Restriction Policy rules that are more specific override rules that are less specific. A hash rule that sets an application to Unrestricted overrides a path rule that sets the same application to Disallowed.
• Hash rules are analogous to digital fingerprints of specific files. Because a software update changes a file's hash, you must create a new hash rule after updating the file.
• AppLocker policies are a type of application control policy.
• AppLocker policies can be used only on computers running Windows 7 Enterprise and Ultimate editions.
• AppLocker path and hash rules work in the same way as Software Restriction Policy path and hash rules.
• AppLocker publisher rules are based on the digital signature of an application. A publisher rule can match all applications from a vendor, all versions of a specific application, or only a specific version of a specific application.
• Some AppLocker rule types allow exceptions. An exception removes a specific application from the scope of a more general AppLocker rule.
• An AppLocker Deny rule always overrides an AppLocker Allow rule.
• Once a rule collection contains at least one rule, AppLocker blocks the execution of any application in that collection that is not explicitly allowed by a rule. A collection with no rules restricts nothing.
• AppLocker overrides Software Restriction Policies when both are applied to the same computer.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, "Managing AppLocker and Software Restriction Policies." The questions are also available on the companion DVD if you prefer to review them in electronic form.

Note: Answers
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the "Answers" section at the end of the book.

1. Your organization has 50 computers running Windows Vista Enterprise and 40 computers running Windows 7 Professional. You want to stop users from accessing the Solitaire game application. Which of the following strategies should you pursue to accomplish this goal?
A. Use AppLocker to create a publisher rule to block Solitaire.exe.
B. Use AppLocker to create a hash rule to block Solitaire.exe.
C. Use AppLocker to create a path rule to block Solitaire.exe.
D. Use Software Restriction Policies to create a path rule to block Solitaire.exe.

2. What type of AppLocker rule should you create to block all applications that are created by a specific software vendor?
A. Publisher rules
B. Path rules
C. Hash rules

3. You want to configure a set of AppLocker rules to block the execution of application software that is not digitally signed by the software vendor. You want to test that these rules work before enforcing them. Which of the following settings should you configure to accomplish this goal? (Choose all that apply; each answer forms part of a complete solution.)
A. Create AppLocker publisher rules.
B. Create AppLocker hash rules.
C. Configure AppLocker enforcement to audit executable rules.
D. Configure AppLocker enforcement to audit Windows Installer rules.

4.
Your organization has a mix of computers running Windows 7 Ultimate and Windows 7 Professional. Each group of computers is located in a separate organizational unit (OU) in your Windows Server 2008 R2 Active Directory Domain Services environment. You have configured AppLocker policies to block application execution and applied them to the OU hosting the Windows 7 Ultimate computer accounts. You have configured Software Restriction Policy rules and applied them to the OU hosting the Windows 7 Professional computer accounts. The Software Restriction Policy rules block the required applications. The applications that should be blocked by the AppLocker policies function normally; that is, they are not blocked. Which of the following steps should you take to ensure that the AppLocker policies function properly?
A. Configure Group Policy to set the Application Management service to start automatically. Apply this policy to the OU hosting the computer accounts of the computers running Windows 7 Ultimate.
B. Configure Group Policy to set the Application Management service to start automatically. Apply this policy to the OU hosting the computer accounts of the computers running Windows 7 Professional.
C. Configure Group Policy to set the Application Identity service to start automatically. Apply this policy to the OU hosting the computer accounts of the computers running Windows 7 Ultimate.
D. Configure Group Policy to set the Application Identity service to start automatically. Apply this policy to the OU hosting the computer accounts of the computers running Windows 7 Professional.

5. You have configured AppLocker policies to allow the execution of specific applications only; an application cannot execute unless an AppLocker rule allows it. After a recent software update, users are unable to execute one of the applications for which you have configured a rule. Other applications function normally.
This application is not digitally signed by the software vendor. Which of the following strategies should you pursue to ensure that the application is able to execute on the computers running Windows 7?
A. Create a new hash rule for the application.
B. Create a new publisher rule for the application.
C. Ensure that you enable the Application Identity service on the computers running Windows 7.
D. Ensure that you enable the Application Management service on the computers running Windows 7.
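Exercise 2 built a Deny publisher rule for Solitaire through the wizard and the "AppLocker Auditing" section described reading the result from the event log. The following added example (not code from the training kit) does both from PowerShell on Windows 7 Enterprise or Ultimate: it writes the same rule and default rules as policy XML in audit-only mode, checks the decision with Test-AppLockerPolicy before applying, starts the Application Identity service, and then summarizes the audit events. The Minesweeper path used as a control case and the temp file location are assumptions.

```powershell
# Added example (not from the training kit): Exercise 2 from PowerShell, but in audit-only
# mode, followed by the audit-log review described under "AppLocker Auditing". Run from an
# elevated PowerShell 2.0 prompt on Windows 7 Enterprise/Ultimate.
Import-Module AppLocker

$Target     = Join-Path $env:ProgramFiles 'Microsoft Games\Solitaire\Solitaire.exe'     # path used in the exercise
$Control    = Join-Path $env:ProgramFiles 'Microsoft Games\Minesweeper\Minesweeper.exe' # assumed: a game that should stay allowed
$PolicyFile = Join-Path $env:TEMP 'SolitaireAudit.xml'

function Esc([string]$s) { [System.Security.SecurityElement]::Escape($s) }   # XML-escape attribute values
function NewId { [guid]::NewGuid().ToString() }

# Read the publisher details the wizard shows on its Publisher page (Figure 5-29).
$info = Get-AppLockerFileInformation -Path $Target
if ($info.Publisher -eq $null) { throw "$Target is not signed; a publisher rule is not possible, use a hash rule." }
$p = $info.Publisher

# Same policy the wizard produces: a Deny publisher rule for every version of Solitaire (the
# "*" version range is the "all versions" slider position) plus the three default Allow rules.
# EnforcementMode="AuditOnly" is the Figure 5-25 setting; change it to "Enabled" to enforce.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$(NewId)" Name="Block Solitaire" Description="Exercise 2 rule, audited" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $p.PublisherName)" ProductName="$(Esc $p.ProductName)" BinaryName="$(Esc $p.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$(NewId)" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(NewId)" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(NewId)" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyFile -Value $policy -Encoding UTF8

# Dry run. Deny beats Allow, so Solitaire reports Denied even though the Program Files default
# rule covers it, while the control game in the same folder reports Allowed.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Target, $Control -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply (-Merge keeps existing local rules) and make sure the Application Identity service
# (AppIDSvc) is running; without it nothing is evaluated or logged (review question 4).
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# Audit review. Launch attempts land in the EXE and DLL log: 8002 = allowed, 8003 = allowed but
# would have been blocked if enforced (audit mode), 8004 = blocked. The fields pulled out are
# the ones the text lists: rule name, target SID, file path, plus the signer (Fqbn).
$outcome = @{ 8002 = 'Allowed'; 8003 = 'Would be blocked (audit)'; 8004 = 'Blocked' }
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; Outcome = $outcome[$_.Id]; Rule = $d.RuleName
            User = $d.TargetUser;  File = $d.FilePath;        Signer = $d.Fqbn
        }
    } | Sort-Object Time -Descending | Format-Table Time, Outcome, User, File, Rule -AutoSize
```

After a user launches Solitaire, an 8003 event appears with the rule name "Block Solitaire" and the user's SID, and the game still runs; switching EnforcementMode to "Enabled" and reapplying turns the same launch into an 8004 event and the Figure 5-30 message. Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics gives a per-file count of the same audit events if you only need totals.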