AppLocker deployment question.
Posted by Green-Wallaby9663@reddit | sysadmin | 21 comments
I am looking to implement AppLocker, but only really to whitelist all and have an explicit Deny list. Here's my question: we don't currently have AppLocker in place, so is it safer to modify the default rule to:
- Condition: Path
- Path: * (Everything)
- Target: Everyone
and then just deny any executables I want to deny using their Publisher or Hash?
I can't really see if this will be a security risk or not, as AppLocker currently isn't in place. Therefore, surely
- Condition: Path
- Path: * (Everything)
- Target: Everyone
already applies.
BrentNewland@reddit
Our organization allows 365 Copilot, but not the built-in Windows Copilot. Microsoft's recommendation is to disable Windows Copilot with AppLocker.
I too started off by following best practices and defaults and whatnot. Bricked my damn machine while I was WFH. Took hours to get my computer booting again.
So I set it up again just like you said. Whitelist everything and block just what you want to block. Works fine.
One important thing to note: I set the AppLocker policies up via Intune. I added all the AppLocker settings to the same policy, but only configured one of them. Turns out, if you enable one of the AppLocker settings but don't configure it, it just blocks everything. So don't enable any AppLocker settings/policies unless you are actually going to set them up and use them.
Any-Fly5966@reddit
Start with the default policy and adjust from there. If you are starting with a blank policy, you may miss something crucial, like Windows directories that should already be read-only to standard users.
Green-Wallaby9663@reddit (OP)
But if AppLocker isn't currently in place, what difference does it make to have "Allow all" for everyone?
xendr0me@reddit
It lets apps run from the users' AppData folders, which you need to control and get scream-test results from on a specific test group, so you can then build your allow lists properly.
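The "scream test" described above produces data only if you capture it. As an added example (not code from the thread or from any commenter), the script below reads AppLocker's own audit events from a test machine, where the Exe collection has been running in AuditOnly mode, and summarises what users actually launched from their profiles. It assumes the standard AppLocker log name and event IDs (8003 = would have been blocked under enforcement, 8004 = blocked), and that it is run elevated so the operational log is readable.

```powershell
<#
Added example (not from the thread): summarise AppLocker audit/block events
so an "allow *" baseline can be turned into a real allow list.
Assumptions: run elevated on a machine where the Exe collection has been in
AuditOnly (or Enabled) mode; standard AppLocker log and event IDs.
#>
param(
    [int]$Days = 7,        # how far back to read
    [switch]$OnlyProfile   # restrict to launches from under %OSDRIVE%\USERS\
)

$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = 8003, 8004           # 8003 audited, 8004 blocked
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # AppLocker events carry their fields in UserData, so parse the event XML
    # instead of relying on .Properties ordering.
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Outcome   = $(if ($e.Id -eq 8003) { 'Audited' } else { 'Blocked' })
        # TargetUser is a SID; translate to DOMAIN\user where possible.
        User      = $(try {
                        (New-Object System.Security.Principal.SecurityIdentifier($d.TargetUser)).
                            Translate([System.Security.Principal.NTAccount]).Value
                     } catch { $d.TargetUser })
        # FilePath uses AppLocker path variables, e.g. %OSDRIVE%\USERS\JDOE\APPDATA\LOCAL\...
        Path      = $d.FilePath
        # Fqbn is "O=...,L=...,S=...,C=...\PRODUCT\BINARY\VERSION" for signed files, "-" if unsigned.
        Publisher = ($d.Fqbn -split '\\')[0]
    }
}

if ($OnlyProfile) {
    $rows = $rows | Where-Object { $_.Path -like '%OSDRIVE%\USERS\*' }
}

# Group by publisher and path. Signed vendors that users legitimately need become
# publisher Allow rules; unsigned entries ("-") need a per-app decision.
$rows | Group-Object Publisher, Path | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Publisher'; e = { $_.Group[0].Publisher } },
        @{ n = 'Path';      e = { $_.Group[0].Path } },
        @{ n = 'Users';     e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it as `.\Get-AppLockerAudit.ps1 -Days 14 -OnlyProfile` on each machine in the test group; the publisher column is exactly the string a FilePublisherRule keys on, and a long tail of "-" entries under AppData is the unsigned software that a deny list alone will never keep up with.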
RikiWardOG@reddit
jfc these comments... best practices be damned, just test on a VM or something prior to releasing it to prod
Itsquantium@reddit
I thought this was shittysysadmin reddit.
Green-Wallaby9663@reddit (OP)
Here's the obligatory nobhead.
ranhalt@reddit
*knobhead.
The k is silent, not invisible.
Itsquantium@reddit
Best practice is deny all permit by exception. Sorry bro.
Green-Wallaby9663@reddit (OP)
I know that's best practice, but I don't want all that admin. I have 4, maybe 5, exes I want to block. No users have any Admin rights and devices are already locked down. I have just found that certain apps (in this case Mobi Office) slip into the user's profile.
Itsquantium@reddit
All exes should be blocked. And you should whitelist the .exes you want to run.
Green-Wallaby9663@reddit (OP)
I understand that this is the best practice, but that's not my question. I already don't use AppLocker, so I'm not exactly losing out. I just want to use AppLocker as a Deny list rather than an Allow list. And whilst I suspect all is OK, I wanted to ask other SysAdmins if they knew whether having AppLocker in Allow all for everyone was worse than having no AppLocker at all.
ranhalt@reddit
Stop now. AppLocker is a time sink. Get ThreatLocker.
Green-Wallaby9663@reddit (OP)
I've used ThreatLocker and it was hardly free of its own faults.
This isn't about ThreatLocker though, but thanks.
raip@reddit
A lot of people here don't seem to understand that perfect is the enemy of good.
AppLocker is effectively designed to work off of an allowlist mentality - but explicit denies will override an allow.
So your understanding is correct, if you have your wildcard path for your allow and then block by publisher, then that will be the behavior you'd want. I wouldn't block by hash as hashes change on update.
I would, at some point in the near future, at least change your allow from absolutely everywhere to just the standard defaults. ProgramFiles + System32 + Standard Publishers. That way when the next super secure Brave browser alternative comes out, it's blocked by default.
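The policy the OP sketches, and that raip confirms (wildcard Allow for Everyone, explicit Deny keyed on publisher rather than hash, explicit Deny overriding Allow), can be built and dry-run before anything is enforced. The script below is an added example, not code from the thread or from Microsoft; it assumes the AppLocker PowerShell module is available (Windows 10/11 Enterprise or Education, or Server), that it runs elevated, and that the path in `$Unwanted` is a placeholder for whatever binaries you want blocked. `New-AppLockerPolicy` only emits Allow rules, so the Deny rules are written directly in AppLocker's policy XML, and `Test-AppLockerPolicy` is used to check that the Deny wins. The `-Narrow` switch swaps the `*` allow for raip's suggested Windows + Program Files baseline.

```powershell
<#
Added example (not from the thread): "allow everything, deny by publisher"
AppLocker policy, verified with Test-AppLockerPolicy before enforcement.
Assumptions: elevated PowerShell with the AppLocker module; $Unwanted holds
placeholder paths to the executables you want blocked.
#>
param(
    [string[]]$Unwanted = @("$env:LOCALAPPDATA\Programs\UnwantedApp\UnwantedApp.exe"),  # placeholder
    [switch]$Narrow,                                   # %WINDIR% + %PROGRAMFILES% instead of "*"
    [ValidateSet('AuditOnly', 'Enabled')]
    [string]$Mode = 'AuditOnly'                        # audit first; flip to Enabled once the dry run looks right
)

Import-Module AppLocker -ErrorAction Stop

$everyone = 'S-1-1-0'                                  # well-known SID for Everyone
$rules = New-Object System.Text.StringBuilder

function Add-PathAllow([string]$Path, [string]$Name) {
    [void]$rules.AppendLine(@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@)
}

if ($Narrow) {
    Add-PathAllow '%WINDIR%\*'       'Allow Windows folder'
    Add-PathAllow '%PROGRAMFILES%\*' 'Allow Program Files'
} else {
    Add-PathAllow '*' 'Allow everything (OP baseline)'
}

foreach ($exe in $Unwanted) {
    if (-not (Test-Path $exe)) { Write-Warning "Skipping missing file $exe"; continue }
    $fi = Get-AppLockerFileInformation -Path $exe
    if ($fi.Publisher) {
        # Signed: deny this publisher + product at any version and binary name,
        # so the rule survives updates (a hash rule would stop matching).
        $p = $fi.Publisher
        $pub  = [System.Security.SecurityElement]::Escape($p.PublisherName)
        $prod = [System.Security.SecurityElement]::Escape($p.ProductName)
        [void]$rules.AppendLine(@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $prod" Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$pub" ProductName="$prod" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@)
    } else {
        # Unsigned: a hash rule is the only option; it must be refreshed on every release.
        $h = $fi.Hash
        [void]$rules.AppendLine(@"
    <FileHashRule Id="$([guid]::NewGuid())" Name="Deny $($h.SourceFileName) (hash)" Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="$($h.HashDataString)" SourceFileName="$($h.SourceFileName)" SourceFileLength="$($h.SourceFileLength)" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
"@)
    }
}

# Only the Exe collection is defined. An enforced collection with no rules blocks
# everything of that type, so do not add Script/Msi/Dll collections until they have rules.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$($rules.ToString())  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'denylist-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: the targets must come back Denied (explicit Deny beats the wildcard Allow)
# and a benign system binary must still be Allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path ($Unwanted + "$env:WINDIR\System32\notepad.exe") |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Nothing is evaluated unless the Application Identity service is running.
if ((Get-Service AppIDSvc).Status -ne 'Running') {
    Write-Warning 'AppIDSvc is not running; the policy will be inert until it is started.'
}

# Apply locally, or target a GPO with -Ldap "LDAP://CN={GUID},CN=Policies,...". -Merge keeps existing rules.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The dry run is the answer to the OP's worry: with `Path="*"` allowed and a publisher Deny present, `Test-AppLockerPolicy` reports `Denied` for the unwanted binary and `Allowed` for notepad.exe, which is the behaviour raip describes. After applying, `Get-AppLockerPolicy -Effective -Xml` shows what the machine is actually enforcing, which is also how to catch the "enabled but not configured" Intune situation from earlier in the thread.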
Green-Wallaby9663@reddit (OP)
Thanks for the reply.
I want to narrow it down eventually, but I have many clients who all use locked-down RDSH, so I already know they're secure. I would just rather have an easy-to-deploy block list for any "trash" apps that pop up. And because pretty much everything we deploy is by GPO, it seems like it could fit nicely into that strategy.
I do understand the related risk with regard to Hash. I would like to possibly look at blocking by Publisher and then specifying the odd path (I'm looking at you, OneDrive).
plump-lamp@reddit
You aren't really protecting anything by only having explicit deny lists
Green-Wallaby9663@reddit (OP)
I'm aware of this. That was the point of my question. I just want to deny certain pieces of crap software from ever running. There's only one or two.
Any-Fly5966@reddit
And what about all of the other potential crap and malware you aren’t accounting for?
Green-Wallaby9663@reddit (OP)
I'm already not accounting for those with AppLocker. It isn't currently in place.
That's why the question. I am trying to find out if having a fully open AppLocker (Default Allow All) is the same as no AppLocker at all.