I asked this question over at SuperUser to no avail a while ago, before realizing that serverfault may be a better option.
I'm configuring execution control on a computer running Windows 7 SP1 Ultimate with one hard drive with a single partition. With AppLocker comes the option to create "default rules". In the case of the Executable Rules group, those are as follows:
- Allow Everyone Path %PROGRAMFILES%\*
- Allow Everyone Path %WINDIR%\*
- Allow BUILTIN\Administrators Path *
(No exceptions.)
With all these in place, "everything works as expected". However, if the first two rules applied to "Everyone" are removed, things go awry.
Now, logging in using an account from the BUILTIN\Administrators security group is no longer possible. (If the account was previously already logged in, you may need to restart the computer to see this fail. Also, this does not apply to the BUILTIN\Administrator account, which still works). What happens when you try is this:
There is a delay, and when the desktop should be presented the screen turns blank. Then, nothing more. The computer does not become unresponsive, e.g. Ctrl + Alt + Delete still works.
(If I reconfigure AppLocker to explicitly allow BUILTIN\Administrators execution privileges for %WINDIR%\*, or restore that rule for "Everyone", these accounts can log in again.)
According to MSDN:
The asterisk (*) wildcard character can be used within the Path field. The asterisk (*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\Internet Explorer\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule.
This to me implies that the default rule for BUILTIN\Administrators should completely overlap the default rules created for "Everyone", rendering them redundant in the case of accounts belonging to the BUILTIN\Administrators group. As you can see, this appears not to be the case.
So, I have two questions on this:
- Why is the default rule for BUILTIN\Administrators in itself not enough to get accounts belonging to this group working (i.e. what's wrong with it, and what is it that is failing because of it), and;
- What is really the least-privilege configuration for a working administrative account (not BUILTIN\Administrator) with regard to AppLocker configuration?
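One way to probe the behaviour described above without locking yourself out, as an added example that is not part of the original question: write the Administrators-only rule set to a scratch policy file and ask AppLocker's own evaluator how it would decide for the binaries a desktop logon needs, then run the same check against the live effective policy. The account name `ADMIN_USER` and the scratch file paths are placeholders.

```powershell
# Added example: evaluate an AppLocker executable policy for a specific user
# against logon-critical binaries. Run from an elevated PowerShell session on
# the machine being configured. ADMIN_USER is a placeholder for a local account
# that is a member of BUILTIN\Administrators (S-1-5-32-544).
$adminUser = "$env:COMPUTERNAME\ADMIN_USER"

# Scratch policy containing only the default "Allow BUILTIN\Administrators Path *"
# executable rule, i.e. the state the question describes after removing the two
# Everyone rules. A fresh GUID is used for the rule id (placeholder, not the
# id of the built-in default rule).
$ruleId = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$ruleId" Name="Administrators: all files" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$scratchPolicy = Join-Path $env:TEMP "applocker-admins-only.xml"
Set-Content -Path $scratchPolicy -Value $policyXml -Encoding Unicode

# Executables involved in bringing up a desktop after logon.
$logonBinaries = @(
    "$env:WINDIR\System32\userinit.exe",
    "$env:WINDIR\explorer.exe",
    "$env:WINDIR\System32\dwm.exe"
)

# Decision AppLocker would make for each file when run by the administrative
# account under the scratch policy. Anything other than "Allowed" here means the
# "*" rule alone is not matching that user for that file.
Test-AppLockerPolicy -XmlPolicy $scratchPolicy -Path $logonBinaries -User $adminUser |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Same check against the policy currently in force on this machine (local plus
# domain), so the scratch result can be compared with what logon actually sees.
$effectivePolicy = Join-Path $env:TEMP "applocker-effective.xml"
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectivePolicy -Encoding Unicode
Test-AppLockerPolicy -XmlPolicy $effectivePolicy -Path $logonBinaries -User $adminUser |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

Running the check before enforcing a trimmed-down rule set, and again from a second session before logging the test account off, avoids discovering a denied logon binary only after the desktop fails to appear.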