AppLocker on Windows 10 is an often underrated security layer that addresses a threat now at the forefront of enterprise security: ransomware and other malware. First introduced in Windows 7/Server 2008 R2 as the successor to the Software Restriction Policies feature of XP/2003, it restricts non-admin users to an approved set of applications.
To remove an AppLocker policy from a machine with PowerShell, import the module (Import-Module AppLocker) and apply an empty policy with Set-AppLockerPolicy -XmlPolicy, pointing it at an XML file whose only content is <AppLockerPolicy Version="1" />; then reboot. In perhaps 90% of scenarios the machine then works exactly as it did before AppLocker was enabled. Note that this only clears the local policy: if the rules arrive through Group Policy they are simply reapplied at the next refresh, so the GPO has to be changed instead.
How Can AppLocker Protect Networks from Ransomware Attacks?
AppLocker can be used to predefine which types of apps can be run by which users. Specifically, it controls executables (.exe and .com), scripts (.ps1, .vbs, .js, .cmd and .bat), Windows Installer files (.msi and .msp), DLLs (.dll and .ocx) and, on Windows 8 and later, packaged apps.
When the threat of unwanted software is high, AppLocker can be used to reduce that threat to a great degree.
Windows 10 AppLocker is rule based. The easiest way to build a starting rule set is to set up a clean reference deployment and install the applications you want to authorize. Next, open AppLocker (Local Security Policy, Application Control Policies), right-click the Executable Rules container and select Create Default Rules. The default rules are path rules: everyone may run anything under the Program Files and Windows folders, and administrators may run anything at all. Publisher or hash rules for the installed applications are then generated from the reference machine and added on top.
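The following script is an added example and is not part of the original article. It carries out the reference-machine workflow just described in PowerShell (publisher and hash rules for what is installed under Program Files, default-style path rules for the Windows folder and for Administrators, audit mode on every collection), shows how to harvest what audit mode would have blocked, and ends with the "apply an empty policy" reset mentioned earlier. It assumes an elevated PowerShell on an edition that enforces AppLocker, a policy applied locally rather than by GPO, and the working folder under ProgramData, which is this example's own choice; the function names are likewise the example's own.

```powershell
# Added example, not the article's own script: build an allow-list from a clean reference
# install, apply it locally in audit mode, harvest what audit mode would have blocked, and
# reset the local policy (the "clean everything up" step). Assumptions: elevated PowerShell
# on an edition that enforces AppLocker, policy applied locally rather than by GPO, and the
# working folder below.
Import-Module AppLocker

$Work = Join-Path $env:ProgramData 'AppLockerBuild'     # assumed working folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# One FilePathRule element for the given document. Rule Ids are fresh GUIDs, not the fixed
# Ids the console's "Create Default Rules" action uses; AppLocker only needs them unique.
function New-PathRule([xml]$Doc, [string]$Name, [string]$Sid, [string]$Path) {
    $rule = $Doc.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', $Name)
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', $Sid)
    $rule.SetAttribute('Action', 'Allow')
    $cond = $Doc.CreateElement('FilePathCondition')
    $cond.SetAttribute('Path', $Path)
    $conds = $Doc.CreateElement('Conditions')
    [void]$conds.AppendChild($cond)
    [void]$rule.AppendChild($conds)
    return $rule
}

function New-ReferencePolicy {
    # 1. Publisher rules (hash rules as fallback for unsigned files) for everything installed
    #    under Program Files on the reference build. DLL rules are left out of the first
    #    iteration on purpose: they multiply the rule count and are what breaks first.
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $info = foreach ($d in $dirs) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script
    }
    $xmlText = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml
    [xml]$policy = ($xmlText -join "`n")

    # 2. Default-style path rules (Windows folder for everyone, anything for Administrators)
    #    and audit mode on every collection. %WINDIR%\* is exactly the rule the rest of the
    #    article warns about: every user-writable folder beneath it needs a Deny rule or a
    #    narrower Allow before the policy is switched to Enabled.
    foreach ($rc in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        [void]$rc.AppendChild((New-PathRule $policy 'Windows folder' 'S-1-1-0' '%WINDIR%\*'))
        [void]$rc.AppendChild((New-PathRule $policy 'Administrators: all files' 'S-1-5-32-544' '*'))
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $path = Join-Path $Work 'policy-audit.xml'
    $policy.Save($path)
    return $path
}

function Deploy-LocalPolicy([string]$PolicyXml) {
    # AppLocker evaluates nothing unless the Application Identity service is running.
    # sc.exe rather than Set-Service: recent builds refuse Set-Service for this service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyXml          # local policy; a domain GPO wins over it
}

function Export-AuditFindings {
    # 3. After the pilot group has run its normal workload, turn the "would have been
    #    blocked" events into rules to review and merge before enforcing. Exe/DLL and
    #    MSI/Script events live in different channels.
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    $events = foreach ($l in $logs) {
        Get-AppLockerFileInformation -EventLog -LogPath $l -EventType Audited
    }
    $events | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Out-File -FilePath (Join-Path $Work 'from-audit.xml') -Encoding utf8
}

function Reset-LocalPolicy {
    # 4. "Clean everything up": an empty policy removes every local rule. Reboot afterwards.
    $empty = Join-Path $Work 'empty.xml'
    '<AppLockerPolicy Version="1" />' | Out-File -FilePath $empty -Encoding ascii
    Set-AppLockerPolicy -XmlPolicy $empty
}

# Typical sequence on the reference machine; run the last two steps when you are ready.
$auditPolicy = New-ReferencePolicy
Deploy-LocalPolicy -PolicyXml $auditPolicy
# Export-AuditFindings
# Reset-LocalPolicy
```

Audit mode is the point of the exercise: the policy produces AppLocker events (IDs 8003/8006 for "would have been blocked") without breaking anyone, and those events are what Export-AuditFindings turns into candidate rules. Only after that review is the EnforcementMode attribute changed from AuditOnly to Enabled.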
Specific to ransomware, the job of AppLocker is to stop code that lands in a location a non-admin can write to from being executed. That matters because a standard user legitimately has write access to a large part of the file system: the whole user profile (Desktop, Downloads, %TEMP%, %APPDATA%) and, less obviously, a handful of folders under %WinDir% itself, such as %WinDir%\Temp and %WinDir%\Tasks, where Users or Authenticated Users are allowed to create files.
AppLocker does not change NTFS permissions and does not stop a user from saving a file anywhere they already have write access; it intervenes at execution time, refusing to run any executable, script, installer or DLL that no allow rule covers. With only the default rules (Program Files and Windows folders allowed), a payload dropped into a user-writable location is blocked from running, even though the file is still on disk. That removes the most common ransomware entry path and shrinks the attack surface considerably, provided the user-writable folders under the allowed paths are dealt with.
Earlier this month, the United States Computer Emergency Readiness Team (US-CERT) issued Alert TA17-163A, which recommends application whitelisting (AWL) in order to "detect and prevent attempted execution of malware uploaded by adversaries."
The alert specifically mentions AWL tools such as AppLocker to implement application or application directory whitelisting.
One important thing to remember is that the default rules in AppLocker are only a starting point. They are path rules, so to be truly effective admins need to know which folders under those allowed paths non-admins can write to: any such folder is a place where a user (or malware running as that user) can drop a file and have it execute under an allow rule.
This is why the initial planning stage of an AppLocker rollout is critical. New applications naturally create new folders and files, some of them user-writable, and admins have to stay on top of these changes.
One way to do this is to script a walk of the folders the policy allows and report those where a standard user has write or create permission; the rule set in AppLocker should then be shaped by where those writable-and-allowed folders are, typically with deny rules for them, or by replacing broad path rules with publisher rules. There are also tools from independent security researchers, such as AppLocker Bypass Checker, and accesschk from Windows Sysinternals can list user-writable folders directly, for example accesschk.exe -uwdqs Users C:\Windows.
The point is, the tools are there, but they need to be used effectively.
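The following script is an added example, not the article's own tooling. It does in PowerShell what the previous section describes: it walks the paths the default Executable and Script rules allow (%WINDIR% and %PROGRAMFILES%), reports folders in which groups every standard user belongs to can create files, and then asks AppLocker, via Test-AppLockerPolicy evaluated as BUILTIN\Users, what it would decide for a probe file dropped in each. It assumes an elevated PowerShell, an AppLocker policy already in place (it reads the effective policy), and the probe file names and function names used below, which are this example's own.

```powershell
# Added example, not the article's own script: walk the folders that AppLocker's default
# Executable and Script rules allow (%WINDIR% and %PROGRAMFILES%), list those in which groups
# every standard user belongs to can create files, then ask AppLocker what it would do with
# a payload dropped there. Assumptions: elevated PowerShell, an AppLocker policy already in
# place (Get-AppLockerPolicy -Effective), and the probe file names used below. Recursing
# through the Windows folder takes a few minutes.
Import-Module AppLocker

# Groups a standard user is in by default. Assumption: no custom groups to add here.
$LowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Rights that allow creating a file or subfolder. Some ACEs carry generic rights as raw
# bits, so GenericWrite (0x40000000) and GenericAll (0x10000000) are included as well.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories) -bor
             0x40000000 -bor 0x10000000

function Get-LowPrivWritableFolder {
    param([string[]]$Root)
    foreach ($r in $Root) {
        $dirs = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
            # Simplification: an explicit Deny for the same group is not subtracted here.
            $hits = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $LowPriv -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
            })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Path     = $dir.FullName
                    Identity = (@($hits.IdentityReference.Value) | Sort-Object -Unique) -join ', '
                }
            }
        }
    }
}

function Test-DropAndRun {
    param([string[]]$Folder, [string]$UserSid = 'S-1-5-32-545')   # S-1-5-32-545 is BUILTIN\Users
    $policy = Get-AppLockerPolicy -Effective
    $probes = foreach ($f in $Folder) {
        # Two stand-ins for a dropped payload: an unsigned batch file (Script collection) and a
        # copy of a system binary (Exe collection). Under the default path rules the location
        # alone decides. If your policy also has publisher rules for Microsoft-signed files,
        # the .exe probe will be allowed for that reason, not because of where it sits.
        $cmd = Join-Path $f 'applocker-probe.cmd'
        $exe = Join-Path $f 'applocker-probe.exe'
        try {
            Set-Content -LiteralPath $cmd -Value '@echo applocker probe' -ErrorAction Stop
            $cmd
            Copy-Item -LiteralPath "$env:SystemRoot\System32\whoami.exe" -Destination $exe -ErrorAction Stop
            $exe
        } catch { Write-Warning "cannot write a probe to ${f}: $_" }
    }
    if ($probes) {
        Test-AppLockerPolicy -PolicyObject $policy -Path $probes -User $UserSid |
            Select-Object FilePath, PolicyDecision, MatchingRule
        Remove-Item -LiteralPath $probes -Force -ErrorAction SilentlyContinue
    }
}

$roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$writable = @(Get-LowPrivWritableFolder -Root $roots)
$writable | Format-Table -AutoSize

# Probe the user's own TEMP folder (no default rule covers it, so a configured collection
# reports DeniedByDefault) and the first few writable folders under the allowed paths
# (Allowed by the %WINDIR%\* or %PROGRAMFILES%\* rule: those are the holes to close).
$targets = @($env:TEMP) + @($writable.Path | Select-Object -First 3)
Test-DropAndRun -Folder $targets | Format-Table -AutoSize
```

Every row that comes back as Allowed with a MatchingRule pointing at a default path rule is a folder that needs either an explicit Deny rule for that path in the same collection or a rule set that no longer relies on the broad path allow. Running the check as a scheduled job after software deployments keeps the list current as new applications add folders.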
AppLocker is merely one layer in a series that protects your systems, but it is a critical one that needs to be addressed sooner rather than later. Too many admins merely use the default rules and assume that everything is taken care of, and that’s where the real danger lies.
Windows 10 may be far more resilient to attacks from ransomware and malware, but assuming that Microsoft is going to do all the work is possibly the biggest mistake a SysAdmin can make.
Note: Windows 10 is not the only version where AppLocker can be configured and enforced, but other versions may have some restrictions. Please see the table below, and the additional resource link below that:
| Version | Can be configured | Can be enforced | Available rules | Notes |
|---|---|---|---|---|
| Windows 10 | Yes | Yes | Packaged apps, Executable, Windows Installer, Script, DLL | You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 | Yes | Yes | Packaged apps, Executable, Windows Installer, Script, DLL | |
| Windows 8.1 | Yes | Yes | Packaged apps, Executable, Windows Installer, Script, DLL | Only the Enterprise edition supports AppLocker |
| Windows RT 8.1 | No | No | N/A | |
| Windows 8 Pro | No | No | N/A | |
| Windows 8 Enterprise | Yes | Yes | Packaged apps, Executable, Windows Installer, Script, DLL | |
| Windows RT | No | No | N/A | |
| Windows Server 2008 R2 Standard | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
| Windows Server 2008 R2 Enterprise | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
| Windows Server 2008 R2 Datacenter | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
| Windows Server 2008 R2 for Itanium-Based Systems | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
| Windows 7 Ultimate | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
| Windows 7 Enterprise | Yes | Yes | Executable, Windows Installer, Script, DLL | Packaged app rules will not be enforced. |
| Windows 7 Professional | Yes | No | Executable, Windows Installer, Script, DLL | No AppLocker rules are enforced. |
Additional Resource: Requirements to Use AppLocker
Update 01.12.2012: clarified Applocker support on server core installations.
Hello folks! Today I want to share some personal opinions about one Windows whitelisting technology, Applocker, and especially about its future.
Not everyone knows that this is not something new (as Microsoft promotes it), but the next generation of Software Restriction Policies (SRP). SRP is Microsoft's original whitelisting technology, introduced in 2001 with the release of Windows XP. For various reasons SRP never became a popular technology among systems administrators (let alone home users). Microsoft attempted to make SRP more flexible, user-friendly and simpler to configure and use. The result was SRPv2, called Applocker, introduced in Windows 7 and Windows Server 2008 R2.
At first look it was a nice replacement for SRP with some useful additions: rules can be exported and imported in XML format, there are rule collections, new useful variables, a rule creation wizard and built-in security filtering. I successfully used Applocker on my personal computers once I had access to Windows 7 (previously I used SRP) as a free and powerful malware protection mechanism.
Even though Microsoft actively promoted Applocker among IT pros, the technology stayed behind the scenes, because it was available only in the Windows 7 Ultimate and Enterprise editions. This was a bad move, because the small business market cannot always purchase Enterprise editions and commonly uses the Professional edition (the replacement for Vista Business). Windows 7 Pro has the Applocker console, where you can create and export rules, but you cannot enforce them. There is no business justification for limiting Applocker to the top desktop editions (Ultimate and Enterprise). In small business (SMB) it is easier to keep similar operating systems (say, Windows 7 Pro clients and SBS servers) than it is for large enterprises. Thus it is almost impossible for companies to use Applocker as a unified whitelisting technology, because some systems do not support it, and companies have to maintain both technologies: Applocker for modern systems and SRP for the others. Theoretically. In practice, SRP has better support and is sometimes better than Applocker. Here is the full list of operating systems that support Applocker:
- Windows 7 Ultimate, Enterprise
- Windows 8 Enterprise
- Windows Server 2008 R2 (all editions)
- Windows Server 2012 (all editions, except server core installation)
and SRP support:
- Windows XP Professional, MediaCenter
- Windows Vista Business, Ultimate, Enterprise
- Windows 7 Professional, Ultimate, Enterprise
- Windows 8 RT, Professional, Enterprise
- Windows Server 2003 (all editions)
- Windows Server 2008 (all editions)
- Windows Server 2008 R2 (all editions)
- Windows Server 2012 (all editions)
Feel the difference. Applocker also has a serious (in certain cases blocking) bug: you cannot create path rules for network locations (or mapped drives). On the other hand, SRP lacks built-in security filtering, so we have to maintain multiple group policy objects (GPOs) to allow different software usage scenarios depending on a user's permissions. I would also like to show you a quick table of feature support in Applocker and SRP:
| Feature | SRP | AppLocker |
|---|---|---|
| Rules apply to (in a single GPO) | All users | Specified users and groups |
| Default action level | Unrestricted | Deny |
| Has explicit "Allow" action | | |
| Has explicit "Deny" action | | |
| Has special action | | |
| Certificate rules | | |
| Publisher rules | | |
| Hash rules | | |
| Network zone rules | | |
| Path rules | | |
| System environment variables | | |
| Special environment variables | | |
| Can read paths from registry | | |
| Audit mode | | |
| Rule collections | | |
| Rule creation wizard | | |
| Policy export/import | | |
| PowerShell support | | |
| Error messages when application is blocked | | |
| Configurable extension list | | |
| Can control Metro apps | | |
The table displays the most important features that we may want to see in any whitelisting technology.
Recently I bought a new notebook and installed Windows 8 Pro. I was really disappointed when I noticed that Applocker is only partially supported there (rules cannot be enforced). I spent some time moving my Applocker rules to SRP.
Windows 8 is the second Windows generation in which we can use Applocker, yet support is limited again. Even though SRP has a few disadvantages compared with Applocker, its broader OS support makes more sense and is the deciding factor. I don't see any chance of Applocker becoming a popular whitelisting technology in the near future. If you have something to say on the subject, you are welcome in the comments.