Deploying App Locking using Intune

Microsoft 365

Introduction

Deploying AppLocker with Microsoft Intune

AppLocker is a security feature in Microsoft Windows operating systems designed to enhance system security by allowing administrators to control and restrict the execution of applications and scripts on a computer or network. Here is a summary of what AppLocker does:

  1. Application Control: AppLocker enables administrators to specify which applications are allowed to run on a system or within a network. This control can help prevent unauthorized or potentially harmful software from executing.
  2. Rule-Based Access: AppLocker uses a rule-based approach, where administrators create rules that define which applications are permitted or denied. These rules can be based on file attributes such as file path, publisher, file hash, or digital signature.
  3. Executable File Types: AppLocker can enforce rules on various types of executable files, including .exe, .dll, .msi, and scripts like .ps1 (PowerShell) or .bat (batch files). This allows administrators to regulate a wide range of application types.
  4. Granular Control: Administrators can create rules that target specific users, groups, or computer objects. This allows for fine-grained control over application execution based on user roles and responsibilities.
  5. Audit and Reporting: AppLocker provides auditing capabilities, allowing administrators to track and review application usage. This feature is valuable for compliance monitoring and security incident investigations.
  6. Whitelisting and Blacklisting: AppLocker can be used to create whitelists (allow rules) and blacklists (deny rules). Whitelists specify which applications are allowed to run, while blacklists identify applications that are explicitly blocked.
  7. Ease of Management: AppLocker can be managed through Group Policy settings in Active Directory, making it easier for administrators to apply consistent application control policies across an organization.
  8. Enhanced Security: By preventing the execution of unauthorized or potentially malicious software, AppLocker helps enhance the overall security posture of Windows-based systems and networks.

In summary, AppLocker is a security feature in Microsoft Windows that allows administrators to define rules governing which applications and scripts can run on a system, thereby enhancing security by preventing the execution of unauthorized or harmful software. It offers granular control, auditing, and ease of management to help organizations enforce application control policies effectively.

Create AppLocker Policy


Creating an application control policy using the Local Security Policy Editor (secpol.msc) in Windows can help you restrict or allow the execution of applications on your computer. Here are the steps to create an application control policy using secpol.msc:

Note: These steps apply to Windows Pro, Enterprise, or Education editions. The Local Security Policy Editor is not available on Windows Home editions.

  1. Open the Local Security Policy Editor:
    • Press Win + R to open the Run dialog box.
    • Type “secpol.msc” and press Enter. This will open the Local Security Policy Editor.
  2. Navigate to the Application Control Policies:
    • In the left-hand pane, expand “Security Settings” to reveal a list of policy categories.
    • Scroll down and select “Application Control Policies.”
  3. Create or Edit a Policy:
    • Under “Application Control Policies,” you’ll typically find three subcategories: AppLocker, Software Restriction Policies, and Windows Defender SmartScreen.
    • To create or edit an application control policy, you’ll generally use either AppLocker or Software Restriction Policies. AppLocker is more advanced and is available on Windows 7 and later versions.
  4. Using AppLocker:
    • Right-click on “AppLocker” and select “Configure rule enforcement.”
    • Choose the type of rules you want to create (Executable, Windows Installer, Script, or Packaged app), and configure rules based on file paths, publisher information, or file hash values.
    • To create a new rule, right-click the appropriate rule type (e.g., Executable Rules) under “AppLocker” and select “Create New Rule.”
    • Follow the wizard to specify which applications or scripts to allow or deny, and under what conditions (e.g., user or group-specific rules).
    • Review and apply the policy changes.
  5. Using Software Restriction Policies:
    • Right-click on “Software Restriction Policies” and select “New Software Restriction Policies.”
    • In the right-hand pane, you can configure rules based on file paths, certificate rules, or hash rules.
    • Right-click on the rule type you want to create (e.g., Additional Rules) and select “New Path Rule” or another rule type as needed.
    • Specify the path or other criteria for the rule, and choose whether to allow or disallow the execution of files matching this rule.
    • Right-click and select “Create New Rule.”
    • Select “Next.”
    • Select the group the policy will be assigned to; otherwise select “Next.”
    • Select the relevant condition for the program you want to whitelist, e.g. “Publisher.”
    • Select “Browse” and then select the .exe file.
    • Adjust the slider to the level of security you need to enforce, e.g. move the slider to “Publisher.”
    • Select “Next.”
    • Select “Create.”
    • Right-click on “AppLocker.”
    • Select “Export Policy.”
    • Save the .xml file where appropriate.
  6. Test the Policy:
    • After creating the application control policy, it’s essential to test it to ensure it behaves as expected. Attempt to run applications or scripts that should be affected by the policy to verify its effectiveness.
  7. Review and Monitor:
    • Continuously review and monitor the application control policy to make necessary adjustments and ensure it aligns with your security requirements.

Remember that creating application control policies can significantly impact the behavior of your system, so exercise caution and thoroughly test your policies before implementing them in a production environment.
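The same rule the wizard creates can be built, dry-run and exported from PowerShell. The block below is an added example, not code from the original page; the application path, the output locations and the use of the Everyone group are assumptions, and the dry run against a system binary shows why the default rules must be merged in before enforcement is turned on.

```powershell
# Added example, not code from the original page: build, dry-run and export an
# AppLocker allow rule with the built-in AppLocker cmdlets.
# Assumptions (placeholders): the signed application lives at $AppPath and the
# script runs in an elevated session on a supported Windows edition.
$AppPath   = 'C:\Program Files\ExampleVendor\ExampleApp.exe'
$PolicyXml = Join-Path $env:TEMP 'AppLocker-ExampleApp.xml'
$ExeNode   = Join-Path $env:TEMP 'AppLocker-ExampleApp-Exe.xml'

# 1. Read the publisher and hash attributes of the binary (the "Browse" step).
$fileInfo = Get-AppLockerFileInformation -Path $AppPath

# 2. Prefer a Publisher rule (the slider position that survives version
#    updates); the cmdlet falls back to a Hash rule if the file is unsigned.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
          -User Everyone -RuleNamePrefix 'Allow' -Xml
Set-Content -Path $PolicyXml -Value $xml -Encoding UTF8

# 3. Dry-run before deploying. With a single allow rule and no default rules,
#    everything else in the Exe collection becomes DeniedByDefault once
#    enforcement is enabled, so a system binary is checked alongside the app.
$checks = Test-AppLockerPolicy -XmlPolicy $PolicyXml -User Everyone `
            -Path $AppPath, "$env:SystemRoot\System32\notepad.exe"
$checks | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
if ($checks | Where-Object { $_.PolicyDecision -like 'Denied*' }) {
    Write-Warning 'A system binary would be denied: merge the default rules before enforcing.'
}

# 4. Pilot in audit mode: decisions are logged, nothing is blocked yet.
[xml]$doc = Get-Content -Path $PolicyXml -Raw
$exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exe.EnforcementMode = 'AuditOnly'
$doc.Save($PolicyXml)

# 5. The Intune AppLocker CSP takes one <RuleCollection> element per collection
#    (OMA-URI ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/EXE/Policy),
#    so export just that node for the custom OMA-URI setting.
Set-Content -Path $ExeNode -Value $exe.OuterXml -Encoding UTF8
"Full policy: $PolicyXml"
"EXE collection for Intune: $ExeNode"
```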

Testing the AppLocker Policy


Testing an AppLocker policy is a crucial step to ensure that it behaves as expected and doesn’t inadvertently block or allow applications that you didn’t intend. Here’s a step-by-step guide on how to test an AppLocker policy:

Note: AppLocker is available on Windows editions such as Windows 7, Windows 8, Windows 8.1, and Windows 10. You need administrative privileges to create and modify AppLocker policies.

  1. Access the Local Security Policy Editor:
    • Press Win + R to open the Run dialog box.
    • Type “secpol.msc” and press Enter. This opens the Local Security Policy Editor.
  2. Configure and Create the AppLocker Policy:
    • In the Local Security Policy Editor, navigate to “Security Settings” > “Application Control Policies” > “AppLocker.”
    • Right-click on “AppLocker” and select “Configure rule enforcement.”
    • Configure your AppLocker rules based on your desired criteria (e.g., file path, publisher, or file hash). You can create executable, Windows Installer, script, or packaged app rules.
    • Make sure you have both “Executable Rules” and “Script Rules” if you’re testing with different types of files.
  3. Create a Test User or Group:
    • It’s a good practice to create a test user or group specifically for testing AppLocker policies. This way, you can apply policies to the test user or group without affecting other users.
  4. Apply the Policy to the Test User or Group:
    • Assign the AppLocker policy to the test user or group you’ve created. You can do this through Group Policy or Local Security Policy settings, depending on your environment.
  5. Test Application Execution:
    • Log in as the test user or add your regular user account to the test group.
    • Try running applications or scripts that are subject to your AppLocker policy. Test both allowed and denied applications.
    • Take note of any errors, warnings, or blocked executions.
  6. Review AppLocker Events:
    • To monitor the policy’s effectiveness and gather insights into which applications were allowed or denied, open the Event Viewer.
    • Navigate to “Windows Logs” > “Security” and look for events with the source “AppLocker.”
  7. Analyze Results:
    • Analyze the results of your tests. Ensure that the policy is allowing or denying applications as intended.
    • Verify that exceptions, if any, are correctly configured.
  8. Adjust the Policy:
    • Based on your testing results, make necessary adjustments to the AppLocker policy. This may involve adding or removing rules, modifying rule conditions, or changing the rule type (executable, script, etc.).
  9. Retest:
    • After making adjustments, repeat the testing process to ensure that your updated policy behaves as expected.
  10. Document Your Policy:
    • Document your AppLocker policy, including the rules, rule types, and conditions. This documentation is essential for maintaining and auditing your policy in the future.
  11. Implement in Production:
    • Once you are confident that the AppLocker policy is correctly configured and thoroughly tested, you can implement it in your production environment.
  12. Continuously Monitor and Maintain:
    • Regularly monitor and review the AppLocker policy to adapt it to changing needs and ensure ongoing security.

Testing an AppLocker policy is a crucial step in maintaining a secure environment while avoiding unintended disruptions to users and applications. Regularly reviewing and updating the policy based on evolving requirements and threat landscapes is also essential for maintaining security.
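To review what a test device has actually recorded, the per-file allow and deny events are written to the AppLocker operational logs (Applications and Services Logs > Microsoft > Windows > AppLocker). The script below is an added example, not part of the original guide; the one-day window and the helper name Get-AppLockerDecision are assumptions.

```powershell
# Added example, not code from the original page: summarise AppLocker decisions
# from the AppLocker operational logs on a test device to verify the policy.
# Assumption: run in an elevated session; adjust -Since to the test window.
param([datetime]$Since = (Get-Date).AddDays(-1))

$Logs = @('Microsoft-Windows-AppLocker/EXE and DLL',
          'Microsoft-Windows-AppLocker/MSI and Script')

# Decision event IDs: 8002-8004 for EXE and DLL, 8005-8007 for MSI and Script.
$Meaning = @{ 8002 = 'Allowed'; 8003 = 'Audit: would block'; 8004 = 'Blocked'
              8005 = 'Allowed'; 8006 = 'Audit: would block'; 8007 = 'Blocked' }

function Get-AppLockerDecision {
    # Turn each decision event into a flat row; the details live in the
    # event's UserData/RuleAndFileData element rather than the message text.
    param([datetime]$StartTime)
    foreach ($log in $Logs) {
        $filter = @{ LogName = $log; StartTime = $StartTime; Id = @($Meaning.Keys) }
        foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            [xml]$x = $e.ToXml()
            $d = $x.Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Log      = $log.Split('/')[1]
                Decision = $Meaning[$e.Id]
                File     = $d.FilePath
                Rule     = $d.RuleName
                User     = $d.TargetUser
            }
        }
    }
}

$rows = Get-AppLockerDecision -StartTime $Since

# Headline counts first, then the list to review before tightening enforcement:
# in audit mode the "would block" rows are the gaps in your allow rules.
$rows | Group-Object Decision | Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object { $_.Decision -ne 'Allowed' } |
    Sort-Object Time | Format-Table Time, Log, Decision, File, Rule -AutoSize
```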

Setting up application whitelisting using Windows Defender Application Control (WDAC) involves configuring policies that allow only approved applications to run on Windows devices. Here’s how you can set up application whitelisting using WDAC:

Please note that the steps and interfaces might have evolved since . Always refer to the latest official Microsoft documentation for the most accurate and up-to-date information.

1. Prepare Your Environment:
– Ensure that you have administrative access to your Windows devices and access to Group Policy settings.
– Verify that your devices are running a version of Windows that supports WDAC. WDAC is available in Windows 10 Enterprise and Windows Server editions.

2. Create a Code Integrity Policy:
– On a device with the WDAC feature installed, create a Code Integrity policy. This policy will define which applications are allowed to run.
– You can use tools like the Windows Defender Application Control policy wizard, PowerShell cmdlets, or manually create the policy XML.

3. Configure Allow Rules:
– Define rules in the Code Integrity policy that specify which applications are allowed to run based on their file paths, publisher information, file hashes, or other attributes.
– You can specify rules that allow specific files, folders, or even entire applications.

4. Deploy Code Integrity Policy:
– You can deploy the Code Integrity policy using Group Policy, Mobile Device Management (MDM) solutions, or other deployment mechanisms.
– Use Group Policy to configure the “Code Integrity” settings under “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Application Control Policies.”

5. Test and Monitor:
– Before deploying the policy organization-wide, test it on a smaller scale to ensure that it doesn’t disrupt essential applications or workflows.
– Regularly monitor logs and reports to identify any issues or unauthorized application attempts.

6. Maintain and Update:
– As your environment changes and new applications are introduced, update your Code Integrity policy to accommodate these changes.
– Regularly review and refine your policy to align with your organization’s security requirements.

7. Troubleshooting and Fine-Tuning:
– If legitimate applications are being blocked, review the policy rules and adjust them as necessary.
– Use the logs provided by WDAC to troubleshoot and identify any issues.

Remember that implementing application whitelisting using WDAC can be a complex process and requires careful planning to avoid disruptions. Always refer to the most recent Microsoft documentation for detailed instructions and consider involving your organization’s IT security professionals to ensure proper configuration and security.
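Steps 2 through 5 above can be carried out with the ConfigCI cmdlets that ship with Windows. This is an added example rather than code from the original page; the scan path and output paths are placeholders, and the policy is deliberately left in audit mode for the pilot.

```powershell
# Added example, not code from the original page: create a WDAC (Code Integrity)
# policy in audit mode with the ConfigCI cmdlets and compile it for deployment.
# Assumptions: elevated session on a WDAC-capable build; $ScanPath is the
# reference machine's install root (a full scan can take a long time) and the
# output paths are placeholders.
$ScanPath  = 'C:\'
$PolicyXml = 'C:\WDAC\InitialPolicy.xml'
$PolicyBin = 'C:\WDAC\InitialPolicy.bin'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the reference machine and allow what it finds at Publisher level.
#    -UserPEs covers user-mode binaries, not only drivers; unsigned files
#    fall back to hash rules.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash `
    -ScanPath $ScanPath -UserPEs

# 2. Option 3 is "Enabled:Audit Mode": violations are recorded in the
#    Microsoft-Windows-CodeIntegrity/Operational log (event 3076) instead of
#    being blocked. Remove it (Set-RuleOption ... -Option 3 -Delete) only once
#    that log stays clean.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile to the binary form that Group Policy or MDM deploys.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Sanity-check the result: confirm audit mode is set and count the rules
#    the scan produced (SiPolicy uses a default namespace, hence local-name()).
[xml]$doc = Get-Content -Path $PolicyXml -Raw
$options = @($doc.SelectNodes('//*[local-name()="Option"]') | ForEach-Object { $_.InnerText })
if ($options -notcontains 'Enabled:Audit Mode') { throw 'Policy is not in audit mode' }
"Options : $($options -join ', ')"
"Signers : $(@($doc.SelectNodes('//*[local-name()="Signer"]')).Count)"
"Allow   : $(@($doc.SelectNodes('//*[local-name()="Allow"]')).Count)"
"Deny    : $(@($doc.SelectNodes('//*[local-name()="Deny"]')).Count)"
```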