AppLocker - Solutions to Common Problems

  • Security
  • Published Aug 22, 2012 Updated Nov 17, 2019

This article is part of my small series about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution.

AppLocker and UAC

One of the default rules allows unrestricted application execution for administrators. That is only sensible. After all, someone needs to be able to troubleshoot and perform maintenance. However, if UAC is enabled, that rule is not very useful. Remember: UAC filters the SID for the group Administrators from the access token during normal operation. With the Administrators’ SID gone, AppLocker is active for administrators in the same way it is for all other users. Administrators wishing to bypass AppLocker need to start executables from an elevated command prompt (or right-click and select run as administrator), which is often impractical.

Here is a nice way to shoot yourself in the foot: block an application that requires elevation. As an admin, execution should be allowed, right? Wrong. The only thing you get when you double-click the executable is an error message. If you want to run the application you need to run it elevated, e.g. by right-clicking and selecting run as administrator from the context menu.

Recommendation: add a path rule that allows execution for a special NoAppLocker domain group (use an asterisk (*) for the path). You can then add users to that group as necessary without even having to make them members of the local Administrators.

Lockers at Keukenhof, Holland by Beyond Elements under CC

General

  • Path rule to allow execution from the Windows directory for everyone
  • Path rule to allow execution from the Program files directories for everyone. You can use the (AppLocker, not environment!) variable %PROGRAMFILES% which applies to both program directories on an x64 system (C:\Program Files and C:\Program Files (x86)).
  • Path rule to allow execution from the \\domain\sysvol\domain\policies directory for everyone (to allow the execution of logon scripts)

App-V

  • Path rule to allow execution from the Q: drive for everyone (if App-V 4.x is used; with App-V 5 this is not necessary any more)
  • App-V SCRIPTBODY scripts are executed from batch files created on the fly and stored temporarily on the hard disk. Add a script path rule to allow execution of C:\Users\*\AppData\Local\Softgrid Client\*\*.bat

VPN Client Software

Software like the Aventail VPN client installs in user context from the web browser. This works by downloading to and executing files from the user’s temp directory, which would be blocked by AppLocker without additional configuration.

The temp directories are located inside the user profiles and writeable by the user; adding a path rule for temp is not exactly desirable from a security point of view. Instead of allowing execution of anything from a specific path we can allow execution of anything from a specific vendor: configure a publisher rule that allows execution of all files digitally signed by the VPN client software vendor.

Printer Drivers

The installation of printer drivers for users without administrative rights can be enabled easily by adding the GUID {4d36e979-e325-11ce-bfc1-08002be10318} to the policy Computer Configuration\Policies\Administrative Templates\System\Driver Installation. That, however, is only part of the solution. Most printer drivers are packaged as executables - whose execution is blocked by AppLocker, of course. If end users are to install arbitrary printer drivers on their own publisher rules need to be configured that allow the execution of programs from specific vendors. Please note that:

  • one such rule is required per vendor (Canon, HP, Epson, Lexmark, Kyocera, …)
  • the rule allows the execution of all digitally signed files from that vendor
  • files that are not digitally signed are still blocked

Resources

AppLocker Technical Documentation for Windows 7 and Windows Server 2008 R2

AppLockerPrinter DriverUAC

Comments

Related Posts

Top 10 IT Security Tips for Individual Users

Top 10 IT Security Tips for Individual Users
This is a list of simple things that will protect you from nearly all the real-world IT security issues affecting individuals and SOHO users. 1. Install All the Updates What Should You Do? Enable automatic updates wherever possible Don’t use obsolete software versions Why Is It Important? Older software versions often have known security issues for which exploits are readily available. This means that even script kiddies can easily attack large numbers of users.
Security

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage
This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.
Hardware

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding
This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.
Hardware