I'm working on implementing AppLocker, but I'm running into some issues with turning it on. I have a single OU with a single server and single GPO linked. This GPO has only the following AppLocker Settings enabled:
- All rules set to AUDIT ONLY
- Default executable rules
- Single custom rule that allows the EVERYONE group to run anything anywhere (path rule, *)
I do a gpupdate on my test workstation followed by a gpresult /H C:\file.html. I check the file and see that my test GPO was applied and drill into the groups to find my rules applied (I see no other rules for Application Control from other GPOs). I turn on the Application Identity service and find that I cannot launch anything from anywhere, even if I right-click and Run as Administrator.
What am I missing here? The four rules (three default, single custom) should allow anything to be run by anyone from anywhere on the system. The fact that AUDIT ONLY is set should only log this stuff in the event log instead of actually restricting use. Neither of these is happening.
EDIT: I'm at a loss. I ran the following command...
# Run once per account under test: domain\admin, domain\user, visitor
$user = 'domain\user'
# Fetch the effective (local + domain) policy once instead of per file
$policy = Get-AppLockerPolicy -Effective
Get-ChildItem 'C:\' -Recurse -ErrorAction SilentlyContinue |
    ? { $_.Name -like '*.exe' } |
    ForEach-Object {
        $policy | Test-AppLockerPolicy -Path $_.FullName -User $user |
            Format-List -Property FilePath, PolicyDecision
    }
...with slightly tweaked default rules (targeted group; Everyone > Authenticated Users) in place (AuthenticatedUsers:%PROGRAMFILES%*, AuthenticatedUsers:%/WINDOWS%*,BUILTIN\Administrators:*)...
...and the results show that
- As myself (domain admin), the policy decision on each executable is ALLOWED.
- As visitor (our renamed guest account), the policy decision on each executable is DENIED BY DEFAULT.
- As a domain user (local group: RDP Users), the policy decision on each executable varies based on location; Program Files: Allowed, C:\WinDirStat\WinDirStat.exe: Denied by Default, Windows: Allowed.
However when I enable the Application Identity service, I'm able to run files anywhere in the OS as the normal domain user when I should only be able to run exe files from Program Files and Windows. I can't use our guest account to test functionality, but I would imagine it's seeing the same outcome as the regular domain user. Domain admin seems to be working as it should (execute anything, anywhere on the system).
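The following diagnostic is an added example, not code from the original post. Run in an elevated session on the test workstation, it shows the three things the symptoms above depend on: whether the Application Identity service is actually running, which EnforcementMode each rule collection carries in the effective (local plus domain) policy, and what AppLocker itself logged for recent executions. The account names and the file path used in the simulation step are placeholders.

```powershell
# Added diagnostic for the AppLocker symptoms described in the post.
# Assumes the AppLocker module is present (Windows Server / Enterprise)
# and an elevated PowerShell session on the workstation under test.
Import-Module AppLocker

# 1. Service state. AppLocker neither audits nor blocks unless AppIDSvc
#    is running; Test-AppLockerPolicy does not check this for you.
$svc = Get-Service -Name AppIDSvc
'AppIDSvc: Status={0} StartType={1}' -f $svc.Status, $svc.StartType

# 2. Effective enforcement mode per rule collection (Exe, Dll, Msi, Script).
#    AuditOnly  -> decisions are only logged
#    Enabled    -> decisions are enforced
#    NotConfigured -> no rules in this collection apply
$xml = [xml](Get-AppLockerPolicy -Effective -Xml)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    '{0,-7} EnforcementMode={1,-14} RuleCount={2}' -f `
        $rc.Type, $rc.EnforcementMode, $rc.ChildNodes.Count
}

# 3. What AppLocker actually decided. 8002 = allowed, 8003 = would have
#    been blocked (audit mode), 8004 = blocked (enforce mode).
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Group-Object -Property Id |
    Select-Object -Property Name, Count

# 4. Simulate the decision for specific accounts on one binary, as the
#    post does. Account names below are placeholders.
$policy = Get-AppLockerPolicy -Effective
foreach ($acct in 'DOMAIN\user', 'DOMAIN\admin') {
    $policy |
        Test-AppLockerPolicy -Path 'C:\Windows\System32\notepad.exe' -User $acct |
        Select-Object -Property FilePath, PolicyDecision, MatchingRule
}
```

If step 2 reports Enabled for the Exe collection while the GPO says audit only, the effective policy is being merged with something other than the GPO shown in gpresult (a local policy, for example); if step 3 shows no events at all while step 1 shows the service running, the launches never reached AppLocker, which points away from AppLocker as the cause of the blocks.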