Users installing apps in AppData bypassing restrictions — how are you handling this? + Wazuh SIEM question
Posted by boyrok@reddit | sysadmin | 38 comments
English is not my native language, I used AI to help translate this post.
Hi all,
I’m a sysadmin managing around 200 Windows endpoints, and I’m looking for some advice on two topics:
1. Controlling software installation (without breaking everything)
Right now, standard users can’t install software in Program Files, but they can still install apps in their user profile (AppData, etc.), which obviously bypasses most restrictions.
I’d like to properly control what users can execute and install (ideally allowlisting), but without going full enterprise $$$.
What are you guys using in this scenario?
- AppLocker?
- Windows Defender Application Control (WDAC)?
- Third-party tools (preferably affordable)?
- Any GPO-based approach that actually works well at scale?
I’m especially interested in something manageable for ~200 devices without a huge overhead.
2. SIEM / Endpoint monitoring
I’ve been looking into Wazuh as a SIEM/XDR option.
My goal is to generate alerts for things like:
- A user launching PowerShell or CMD
- Suspicious command execution
- Basic visibility into endpoint activity
From what I understand, this requires:
- PowerShell logging enabled
- Possibly Sysmon + custom rules
Does anyone here run this in production for this kind of use case?
- Is it worth the effort?
- How noisy is it?
- Any must-have configs or pitfalls?
Also, I’ve heard about ManageEngine tools as a more affordable option — are they reliable and worth it in real-world environments?
Wazuh looks powerful, but honestly it also seems like a bit of a headache to deploy and maintain. Has that been your experience?
Is it worth the effort compared to other alternatives?
Appreciate any real-world experiences or recommendations
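The two logging prerequisites the post lists (PowerShell logging and visibility into who launches a shell), as an added PowerShell example that is not from the original post or from any commenter. It turns on script block logging, module logging and process-creation auditing with command lines on one endpoint via the documented registry keys and auditpol (at 200 devices the same settings belong in a GPO), then summarises 4688 events where a non-service account started PowerShell or CMD, which is the raw material for the first alert the post asks about. The shell list, the service-SID exclusion and the 24-hour lookback are assumptions of the example.

```powershell
# Added example (not from the thread). Run as administrator on one endpoint to
# enable the logging the post lists, then summarise who launched a shell.

# --- 1. PowerShell script block logging (event 4104 in
#        Microsoft-Windows-PowerShell/Operational) -----------------------------
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- 2. Module logging for every module (event 4103) -------------------------
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*'

# --- 3. Process creation auditing (event 4688) with the command line included --
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $audit -Force | Out-Null
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# --- 4. Query: shells launched by real users in the last N hours --------------
function Get-UserShellLaunch {
    param([int]$Hours = 24)

    # Shells the post wants alerts on; extend as needed (assumption).
    $shells = 'powershell.exe', 'pwsh.exe', 'cmd.exe'
    # Well-known service SIDs to drop: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
    $serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; turn it into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }

        $exe = [IO.Path]::GetFileName($d['NewProcessName']).ToLower()
        if ($shells -contains $exe -and $serviceSids -notcontains $d['SubjectUserSid']) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Shell   = $exe
                Parent  = $d['ParentProcessName']   # present on Windows 10+; blank on older builds
                Command = $d['CommandLine']         # empty for launches before step 3 was applied
            }
        }
    }
}

# What a SIEM rule would consume, plus a quick noise check grouped by parent process:
# a parent of explorer.exe is a user opening a console by hand, while a scheduled
# task or management agent parent is usually the benign noise you want to tune out.
$launches = Get-UserShellLaunch -Hours 24
$launches | Format-Table -AutoSize
$launches | Group-Object Parent | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Forward the Security and PowerShell/Operational channels to the SIEM and build the alert on the same fields the function filters on (image name, subject SID, parent process); the parent-process grouping is the quickest way to see how noisy the rule will be before it goes live.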
CyberWhizKid@reddit
WDAC.
boyrok@reddit (OP)
I'm looking at this repository. I know WDAC is the way to go, but setting it up correctly is going to be a nightmare. I have a long road ahead. https://github.com/HotCakeX/Harden-Windows-Security
CyberWhizKid@reddit
I won’t lie, it was a pain at first! If you have a PKI, use it, it will help you so much.
There is an audit mode, create three GPOs, one to audit, one to test, one for production. And you can use it for your servers as well! Store your p7b with versioning, use documentation.
But like you said… this is a long road !
We do have chocolatey (totally custom builds from ci pipeline) this helped me as well.
evilmuffin99@reddit
Also note even in audit mode it will sometimes block drivers. Found this out the hard way.
VaderJim@reddit
Set it up on a device and install all mission critical apps to it. See what works, create certificate rules where you can.
If you are using Intune it works even better because any apps installed via Intune can be automatically trusted. (These files get marked as installed from a trusted installer.)
Once all set up, the flow of users installing software becomes them putting in a ticket for it to be added to Intune/marked available to them in Company Portal; for anything else, they get a warning that the file is blocked.
Josh_Fabsoft@reddit
Full disclosure: I work at FabSoft, which makes AI File Pro.
For your AppData bypass issue, you're dealing with a classic endpoint security challenge. Here are a few approaches that work well:
Application Control Solutions:
- Windows Defender Application Control (WDAC) can block executables regardless of location, including AppData
- AppLocker with path rules + publisher rules (though it has some bypass methods)
- Third-party solutions like CrowdStrike, SentinelOne, or Carbon Black offer more granular control
Group Policy approach:
- Software Restriction Policies with hash rules for known-bad apps
- Block execution from temp folders and user profiles (though this can break legitimate apps)
Monitoring/Detection:
- PowerShell execution policy restrictions
- File system auditing on AppData folders
- Process monitoring tools to catch unauthorized installs
The tricky part is balancing security with usability - too restrictive and users find workarounds or productivity suffers.
For your Wazuh question, it's solid for log aggregation and correlation, especially for the price point. The learning curve is steep but worth it. Make sure you have adequate storage for retention and consider tuning rules to reduce false positives.
AI File Pro actually helps with the compliance side by providing audit trails of document access/modifications, but it's more focused on document management than endpoint security.
What's your current endpoint protection stack? That might influence which application control method works best for your environment.
InstructionDirect773@reddit
Yeah this is a constant headache - honestly your best bet is combining application whitelisting on the technical side with actually talking to your users about *why* restrictions exist, because people will always find workarounds if they feel like the rules are just arbitrary IT gatekeeping. The AppData stuff is basically impossible to fully lock down without making Windows unusable.
Existing-Eye-6220@reddit
This is interesting — slightly different angle, but related to the same problem of things getting access they shouldn’t.
I’ve been looking at the “inheritance” side of this rather than installs — like how processes inherit environment variables (including secrets) from their parent.
It feels similar in that once something runs, it often has access to more than intended by default.
I came across an approach where instead of inheriting everything, a process only gets explicitly declared access — nothing else leaks through.
Curious if you think that same “deny by default” model is where things are heading, or if that’s overkill in practice?
chickibumbum_byomde@reddit
For AppData installs, AppLocker or WDAC is the usual way of allowlisting, and it's the only thing that really stops that properly. Best advice I got: always start simple or you’ll spend weeks tuning and/or figuring out stuff that you have just built. For SIEM, Wazuh works, but expect noise and maintenance (Sysmon plus some rules is not “set and forget”). It’s good if you want to learn, less fun if you just want results. I eventually ended up using checkmk to monitor the whole construction, didn't really want the hassle to find out things broke, kept me asleep, can't really complain.
For ~200 endpoints, I’d keep it pragmatic: basic hardening + something that gives you clear alerts and visibility without turning into its own full-time job.
DiabolicalDong@reddit
You should take a look at Endpoint Privilege Manager. They come with allowlisting built in. It also allows app elevation for users who might need to run a few apps with admin rights. Why pay for two different solutions when you can get by with one?
LuckyLuke364@reddit
I would probably stay away from ManageEngine - it's not exactly the most reliable of options out there. And you hit the nail on the head with Wazuh - lots of people find it overly complicated and tedious to deploy & operate.
Sysmon and PowerShell logging are a must-have in my opinion.
CluelessPentester@reddit
If you are a full Windows shop I would recommend using Sentinel as a SIEM. Will be a lot easier to integrate and maintain, as it neatly integrates in the ecosystem. At least if you can afford it.
SimpleSysadmin@reddit
If you want to keep things simple and block this behaviour for installers, just find the policy that blocks execution from AppData.
If you care about security, Threatlocker.
If you care about security and have a lot of spare time, WDAC
SolidKnight@reddit
I use WDAC. Make a base policy that runs most normal software. Add some exclusions for things in directories that only admins can put files in. Then make supplemental policies for specific apps that need to run out of the user's profile or have executables running out of random folders (usually temporary executables during installs or upgrades).
WDAC has a steeper learning curve but it's not too hard to throw some custom policies together with the App Control Wizard. Test thoroughly though.
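The base-plus-supplemental flow described in the comment above, as an added PowerShell example that is not from the thread or from any commenter. It uses the ConfigCI cmdlets that ship with Windows: the base policy starts from Microsoft's shipped AllowMicrosoft template, adds publisher rules for whatever is under Program Files on a clean reference machine, and runs in audit mode; one supplemental policy allows a single app that lives in the user profile; a final query lists what audit mode would have blocked. The working directory, the reference user's profile path and the app name are assumptions.

```powershell
# Added example (not from the thread). Run as administrator on a clean
# reference machine that has the org's standard software installed.
# All file paths and the policy/app names are assumptions for the example.
$work = 'C:\WDAC'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$base = "$work\OrgBase.xml"
$scan = "$work\ProgramFilesScan.xml"
$supp = "$work\Supp-ExampleUserApp.xml"

# --- 1. Base policy: start from Microsoft's shipped "AllowMicrosoft" template,
#        then add publisher rules for whatever is installed under Program Files
#        (a directory only admins can write to, as the comment suggests).
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml" $base -Force
New-CIPolicy -FilePath $scan -ScanPath 'C:\Program Files' -Level Publisher -Fallback Hash `
             -UserPEs -MultiplePolicyFormat
Merge-CIPolicy -OutputFilePath $base -PolicyPaths $base, $scan | Out-Null
Set-CIPolicyIdInfo -FilePath $base -ResetPolicyID -PolicyName 'Org Base (audit)' | Out-Null

# Rule options (numbers are the documented Set-RuleOption option IDs):
#   3  Enabled:Audit Mode                       - log only; the first of the audit/test/prod GPOs
#   6  Enabled:Unsigned System Integrity Policy - until the policy is signed with the PKI
#  16  Enabled:Update Policy No Reboot
#  17  Enabled:Allow Supplemental Policies      - required for step 2
foreach ($opt in 3, 6, 16, 17) { Set-RuleOption -FilePath $base -Option $opt }

# --- 2. Supplemental policy for one app that must run from the user profile.
#        FilePublisher ties the allow to signer + file name + minimum version,
#        so the rule survives the app's own updates but not an arbitrary binary.
$appDir = 'C:\Users\refuser\AppData\Local\Programs\ExampleApp'   # assumption
New-CIPolicy -FilePath $supp -ScanPath $appDir -Level FilePublisher -Fallback Hash `
             -UserPEs -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $supp -BasePolicyToSupplementPath $base -ResetPolicyID `
                   -PolicyName 'Supp ExampleApp' | Out-Null
Set-RuleOption -FilePath $supp -Option 6

# --- 3. Compile to binary; the file name must be the PolicyID GUID. ---------
foreach ($xml in $base, $supp) {
    $id = ([xml](Get-Content $xml)).SiPolicy.PolicyID
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath "$work\$id.cip" | Out-Null
    # Local test deployment; a GPO/Intune push lands the .cip in the same folder.
    Copy-Item "$work\$id.cip" "$env:windir\System32\CodeIntegrity\CiPolicies\Active\" -Force
}
# Windows 11 22H2+: CiTool.exe --update-policy "<path to .cip>"; older builds: reboot.

# --- 4. What audit mode would have blocked (run after a day of normal use). --
function Get-WdacAuditHits {
    param([int]$Hours = 24)
    # 3076 = would have been blocked (audit mode); 3077 = actually blocked (enforced).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}
Get-WdacAuditHits -Hours 24 | Format-Table -Wrap
```

Keep the XML files under version control alongside the compiled .cip files, since the PolicyID GUID in the file name is what later updates and the supplemental-to-base link are keyed on; every 3076 hit in the audit log is either a missing rule for the base policy or a candidate for its own supplemental policy.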
N805DN@reddit
AppLocker or Airlock
BronnOP@reddit
HR issue. If the policy is you do not install software without IT approval and they’ve circumvented other mechanisms, warning then straight to HR. They’re putting the company at risk.
GroundbreakingCrow80@reddit
A complete control includes both administrative and technical controls.
DobermanCavalry@reddit
It's an HR issue and an IT issue. It's an IT issue because your environment can get fucked badly if you let users have unfettered access to install whatever they want to AppData.
If there was no risk to the company by allowing it, you would be right and it would be solely an HR issue.
ITaggie@reddit
Sure, but if the policy can be reasonably enforced using already-available tools then that would be even better.
Jaaames_Baxterrr@reddit
I'll throw in my vote for AppLocker. Just disable all locations except for approved ones. You may have some whitelisting to do initially, but once dialed in, this shouldn't need a lot of maintenance.
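The "allow only approved locations" AppLocker setup this comment and the earlier "find the policy that blocks execution from AppData" comment describe, as an added PowerShell example that is not from the thread or from any commenter. It writes an Exe rule collection that allows Everyone only under Program Files and Windows and Administrators everywhere, applies it locally in AuditOnly mode, and then reads the AppLocker event log to show which user-profile launches the policy would have stopped. The policy path and the field names pulled from the event XML are assumptions of the example.

```powershell
# Added example (not from the thread). Run as administrator.
# Local policy only; at ~200 endpoints put the same XML into a GPO.
$policyXml = 'C:\AppLocker\OrgExe.xml'   # path is an assumption
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Sid)
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Allow Everyone (S-1-1-0) only in the two admin-writable locations and
# Administrators (S-1-5-32-544) everywhere. No Deny rules are needed: anything
# not matched by an Allow rule, AppData included, is blocked once enforced.
# %PROGRAMFILES% covers both Program Files and Program Files (x86).
$rules = @(
    New-PathRule 'Program Files' '%PROGRAMFILES%\*' 'S-1-1-0'
    New-PathRule 'Windows'       '%WINDIR%\*'       'S-1-1-0'
    New-PathRule 'Admins: all'   '*'                'S-1-5-32-544'
) -join "`n"

# AuditOnly first; switch to Enabled once the audit log is quiet for your apps.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyXml -Encoding UTF8

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyXml

# 8003 = allowed, but would have been blocked under enforcement; 8004 = blocked.
function Get-AppLockerAuditHits {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # AppLocker events carry their fields under UserData/RuleAndFileData
        # (element names as seen in ToXml() on Windows 10; verify on your build).
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.ChildNodes) {
            $d[$n.Name] = $n.InnerText
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Decision = if ($_.Id -eq 8004) { 'Blocked' } else { 'WouldBlock' }
            UserSid  = $d['TargetUser']
            File     = $d['FilePath']
        }
    }
}

# Only the launches that came from a user profile: this is the AppData list to
# turn into tickets, publisher rules, or a conversation with the user.
Get-AppLockerAuditHits -Hours 24 |
    Where-Object { $_.File -like '*\USERS\*' } |
    Sort-Object File -Unique | Format-Table -AutoSize
```

Path rules are the cheapest to maintain but only as strong as the directories' ACLs; for the apps that legitimately live in a user profile, add publisher rules for them rather than widening the path allow, and move to `EnforcementMode="Enabled"` once the audit log stops producing new 8003 entries.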
KidanAnubix@reddit
Threatlocker keeps executables from running, this includes their installers.
Kuipyr@reddit
Learning mode and ringfencing are really useful as well. Can be a pain when they block legitimate Microsoft applications though.
KidanAnubix@reddit
The biggest issue I've ever faced with ThreatLocker is how it interacts with developers.
A developer's entire job is basically building unknown applications, and it took a while to get the whitelisting properly.
It was fun testing an application, where we had to request access to our recently compiled app, every time we wanted to run it from the IDE....
StateOfAmerica@reddit
Applocker is built into Windows and does the same.
WDAC is that but on steroids.
Applocker is easy to deploy on smaller orgs. If we assume they shouldn't run any non-org apps outside of program files it's incredibly easy to get a good base down.
evilmuffin99@reddit
WDAC is a pain in the butt to manage unless you just create a lot of path rules/general cert rules.
Wolfram_And_Hart@reddit
Auto elevate works pretty well
unccvince@reddit
For question #1, Software Restriction Policies or whatever is the marketing name of the moment + WAPT to deploy apps only in Program Files, + Self Service to allow users to install themselves approved programs.
DobermanCavalry@reddit
You can use AppLocker but I really didn't find it easy or quick to manage.
We implemented ThreatLocker and it's very easy to wrap your head around, plus it has other modules you can add as needed and has built-in methods for users to request apps being added to the allowlist, etc. I think it's leagues better than AppLocker but it's also an added expense so YMMV.
Twist_and_pull@reddit
GPO/Intune.
Why do users have admin rights to install anything? Kinda goes to the PS question too, normal user access to PS is fine since PS is not only for IT/admin people.
WD40ContactCleaner@reddit
He's talking about user-level installs; for example, VS Code has a user installer and a system installer, and the user installer doesn't need admin. It just installs in AppData.
Twist_and_pull@reddit
Oh ok, sounds messy in the long run. Why allow the other only.
Any install --> contact IT.
FartInTheLocker@reddit
Well unless you have some level of restrictions in place (what OP is asking for), native Windows just will let users install into appdata as it's all within the users context.
It's less of allowing it to happen, more it will happen unless you have a solution in place to block it.
Agreeable-Chef3964@reddit
Surprising how many comments on this post seem to not realize this.
bingblangblong@reddit
Whitelist.
FartInTheLocker@reddit
AppLocker works and resolves this perfectly when working in an approved-software-only mindset; it stops all the AppData junk. Personally though, while it will be harder to initially roll out, I'd say go for WDAC instead: it's better future-proofed with native Intune support.
If you wanted a non MS solution, I think ThreatLocker would cover your needs and might also help with the Powershell/CMD aspect.
PhilosophyBitter7875@reddit
Just set up group policies to prevent this.
DiscipleOfYeshua@reddit
Or intune.
At least one of those is necessary managing even 15 laptops — definitely for 200!
ComeSwirlWithMe@reddit
I'd also want to know what the typical apps being installed are for. Are they social media/messaging? You could block them at the firewall and render them useless, since they can't communicate out/in, defeating the basis of the app.
You could take a multi-prong approach.
This approach wouldn't fix the overall issue of not wanting apps installed, but it could help reduce installations of certain apps if they're the main offenders, since people would find it pointless to do.