
I'm working on implementing AppLocker, but I'm running into some issues with turning it on. I have a single OU with a single server and single GPO linked. This GPO has only the following AppLocker Settings enabled:

  • All rules set to AUDIT ONLY
  • Default executable rules
  • Single custom rule that allows the EVERYONE group to run anything anywhere (path rule, *)

I do a gpupdate on my test workstation followed by a gpresult /H C:\file.html. I check the file and see that my test GPO was applied and drill into the groups to find my rules applied (I see no other rules for Application Control from other GPOs). I turn on the Application Identity service and find that I cannot launch anything from anywhere, even if I right-click and Run as Administrator.

What am I missing here? The four rules (three default, single custom) should allow anything to be run by anyone from anywhere on the system. The fact that AUDIT ONLY is set should only log this stuff in the event log instead of actually restricting use. Neither of these is happening.

EDIT: I'm at a loss. I ran the following command...

$user = 'domain\admin'   # repeated once each for domain\admin, domain\user and visitor
Get-ChildItem 'C:\' -Recurse | ? { $_.Name -like '*.exe' } | ForEach-Object { Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $_.FullName -User $user | Format-List -Property FilePath, PolicyDecision }

...with slightly tweaked default rules (targeted group; Everyone > Authenticated Users) in place (AuthenticatedUsers:%PROGRAMFILES%*, AuthenticatedUsers:%/WINDOWS%*, BUILTIN\Administrators:*)...

...and the results show that

  • As myself (domain admin), the policy decision on each executable is ALLOWED.
  • As visitor (our renamed guest account), the policy decision on each executable is DENIED BY DEFAULT.
  • As a domain user (local group: RDP Users), the policy decision on each executable varies based on location; Program Files: Allowed, C:\WinDirStat\WinDirStat.exe: Denied by Default, Windows: Allowed.

However when I enable the Application Identity service, I'm able to run files anywhere in the OS as the normal domain user when I should only be able to run exe files from Program Files and Windows. I can't use our guest account to test functionality, but I would imagine it's seeing the same outcome as the regular domain user. Domain admin seems to be working as it should (execute anything, anywhere on the system).

  • It seems like you are trying to learn how AppLocker functions. Audit mode does not block anything, therefore somehow you are not in audit mode. I would examine some of the step-by-step guides (https://technet.microsoft.com/en-us/library/dd723686(v=ws.10).aspx , https://technet.microsoft.com/en-us/virtuallabs/bb467605.aspx - search for AppLocker on that page). – Jim B Jun 07 '16 at 13:26
  • I get that, which is what I don't understand. If I have everything set to AUDIT mode, it should simply log instead of actually block. That's not what's happening. As soon as I turn on the required client service after a gpupdate, things are blocked and audited instead of just audited. – Josh Waclawski Jun 07 '16 at 13:32
  • What does the local security policy shows? Could it be that your GPO rules are (for some reason) not being applied correctly? – curropar Jun 07 '16 at 14:11
  • The LSP has no Application Control settings applied. I just attempted to build all rules and settings locally (same as GP) and I'm still being told that applications within my Program Files directory can't be run after I turn on Application Identity. WTF is wrong with this POS module? – Josh Waclawski Jun 07 '16 at 14:16
  • Just Program Files now? Can you run programs from the Windows folder? (by default, any user should be able). – curropar Jun 07 '16 at 14:24
  • Nope, I've tried launching the Event Viewer or cmd prompt after enabling the Application Identity service, but it wouldn't let me. I tried moving into Windows and running a couple of EXEs with no luck. – Josh Waclawski Jun 07 '16 at 14:29
  • Try the steps in the lab in the VM provided and compare what you are doing in your environment to the steps in the lab. – Jim B Jun 07 '16 at 15:39
  • Just tried that. The lab I was presented with does not match the instructions it came with. Not only did I have to change the password of one of the users (wasn't in documentation), but I can't even tell if the app I configured to be denied is being denied because I receive some kind of activation error every time I try to launch it. I don't even think it's making it to AppLocker yet as it isn't being logged in the AppLocker log as an allow or as a denial. – Josh Waclawski Jun 07 '16 at 17:29

1 Answer


It only creates an event log entry if something would be blocked. You created a rule that allows everything, which defeats the purpose of even using AppLocker, unless you are going to use it for blacklisting.

Greg Askew
  • Those aren't what my production rules were going to be. What I'm trying to test with the above ruleset is basic functionality of AppLocker, which doesn't seem to be working. The rules above should allow anyone to run anything anywhere in the system when the Application Identity Service is enabled, but they're not. Not only are my applications being blocked when they shouldn't be due to the defined rules, but the fact that I have AUDIT ONLY turned on and they're STILL being blocked also makes no sense. Is there some basic operation I'm missing? – Josh Waclawski Jun 07 '16 at 13:20
  • Is the Task Scheduler service running? – Greg Askew Jun 07 '16 at 13:33
  • Yeah, it's running. – Josh Waclawski Jun 07 '16 at 13:36
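The following script is an added troubleshooting example for the situation described in the question and the answer above; it is not code posted by either participant. It pulls the three facts that decide what the asker is seeing: whether the Application Identity service (AppIDSvc) is running, which enforcement mode each rule collection carries in the effective (GPO-merged plus local) policy, and what Test-AppLockerPolicy decides for a given account and path. It then reads the AppLocker EXE and DLL event log, where 8002 is an allow, 8003 is an audit-only "would have been blocked" and 8004 is a real block, which is the distinction the answer makes. The account names in $UsersToTest and the paths in $PathsToTest are placeholders to replace with your own; it assumes an elevated PowerShell session on the machine under test with the AppLocker module present.

```powershell
# Added example: AppLocker state check for one workstation (not the question's or answer's own code).
# Assumptions: elevated PowerShell on the machine under test; AppLocker module present;
# account names below are placeholders.
$UsersToTest = @('DOMAIN\admin', 'DOMAIN\user')              # placeholders
$PathsToTest = @("$env:windir\System32", "$env:ProgramFiles") # directories to sample EXEs from

# 1. Nothing is enforced OR audited until the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc: Status={0} StartType={1}" -f $svc.Status, $svc.StartType

# 2. Enforcement mode per rule collection, taken from the EFFECTIVE policy
#    (local policy merged with every GPO reaching this machine).
#    'Enabled' blocks, 'AuditOnly' only logs, 'NotConfigured' means the collection is not enforced.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policyXml.AppLockerPolicy.RuleCollection) {
    "{0,-8} EnforcementMode={1,-14} rules={2}" -f $rc.Type, $rc.EnforcementMode, @($rc.ChildNodes).Count
}

# 3. What the effective policy decides for each user across a sample of executables.
#    A DeniedByDefault here with an "allow everything" rule in place means the rule is
#    not in the effective policy or does not match the user you think it does.
$policy = Get-AppLockerPolicy -Effective
$exes = Get-ChildItem -Path $PathsToTest -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Select-Object -First 50 -ExpandProperty FullName
foreach ($user in $UsersToTest) {
    "--- decisions for $user ---"
    Test-AppLockerPolicy -PolicyObject $policy -Path $exes -User $user |
        Group-Object -Property PolicyDecision |
        ForEach-Object { "{0,-16} {1}" -f $_.Name, $_.Count }
}

# 4. Recent AppLocker events: 8002 = allowed, 8003 = audit-only (would have been blocked),
#    8004 = blocked. Only 8003/8004 appear when something would be or was stopped,
#    which is why an allow-everything policy in audit mode produces no entries.
$filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8002, 8003, 8004 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Meaning'; e = { switch ($_.Id) { 8002 { 'allowed' } 8003 { 'audit: would block' } 8004 { 'blocked' } } } },
        @{ n = 'Detail';  e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If step 2 shows EnforcementMode=Enabled on the Exe collection while the GPO says audit only, the local policy or another GPO is winning the merge; if step 3 returns Allowed everywhere but programs still fail to start once AppIDSvc is running, the problem is outside AppLocker's decision (step 4 will then show no 8004 events for those launches).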