AppLocker - Security Problems

Security
Published Aug 7, 2012 Updated Aug 6, 2012

This article is part of my small series about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution.

AppLocker Security

There is no perfect security, every product has its vulnerabilities and AppLocker is no exception. These are the problems I am aware of.

Windows\Temp

AppLocker’s default rules allow the execution of all code from the Windows directory. This is generally considered safe, since standard users do not have permissions to write to C:\Windows and its subdirectories. However, there is one exception: users have write and execute permissions in C:\Windows\Temp by default as the following screenshot from SetACL Studio shows:

Permissions on C-Windows-Temp

To close this loophole modify the default AppLocker rule so that it contains an exception for C:\Windows\Temp.

VBA and SANDBOX_INERT

A non-blocked process can start arbitrary executables circumventing AppLocker’s rules by calling the API function CreateRestrictedToken with the parameter SANDBOX_INERT. This is a problem because Microsoft Office will not be blocked in most if not all enterprises, and Office’s scripting language Visual Basic for Applications is well capable of calling API functions.

More information and a test program is available in Didier Steven’s blog.

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Checking Windows Hello Key Storage: TPM or Software?

Checking Windows Hello Key Storage: TPM or Software?

Windows Hello for Business (WHfB) stores a cryptographic key on the device. The preferred storage location is a hardware TPM module. However, if a TPM is not available, the key may be stored in the filesystem instead. It’s surprisingly hard to determine the storage location for existing Windows Hello for Business keys. This article presents a simple solution.

Windows OS, Services & Apps: Network Connection Target Hosts

Windows OS, Services & Apps: Network Connection Target Hosts

This post lists the internet communication targets of the Microsoft Windows operating system, including its various services and UWP apps. This post is a part of my application network connection monitoring series, a group of articles that explain how to analyze the network traffic of any Windows or macOS app.

AppLocker - Fact Sheet

AppLocker - Fact Sheet

This is the first in a small series of articles about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution. Requirements AppLocker works on:

How to Check the TPM Status & Enable the CPU's fTPM/PTT

How to Check the TPM Status & Enable the CPU's fTPM/PTT

The recent Windows 11 announcement has created a lot of confusion due to the requirement for a trusted platform module (TPM). This article explains why your machine almost certainly has a TPM, how to check the TPM status and how to enable the TPM that comes with your CPU.

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Mitsubishi Heat Pump Data in Home Assistant via Modbus

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting