AppLocker rule in a corporate environment


10 replies to this topic

#1 TinoNgombo

Posted 12 August 2016 - 07:56 AM

Hello, IT pros.

I work in an environment that has over 60 computers and most of them run Windows 10. They're managed by a Domain Controller.

My task is to block certain apps on a specific group of users, but I would prefer to do it in a way that requires less administrative effort, which is implementing the rule through the server (Windows Server 2012 R2, to be precise). 

Which is the most efficient way to do so?

I would highly appreciate any help.



#2 technonymous

Posted 13 August 2016 - 09:40 PM

The idea is to have mainly groups in your AD, as it is easier to manage groups of users. You set up SRP (Software Restriction Policies). AppLocker can also be used, or you can use them both together to get more robust enforcement. As an example, AppLocker can enforce a policy to not allow installation of programs that have not been signed.

 

Link to SRP: https://technet.microsoft.com/en-us/library/hh994606(v=ws.11).aspx#BKMK_Create_SRP

 

Link to AppLocker: https://technet.microsoft.com/en-us/library/dd759117(v=ws.11).aspx



#3 sflatechguy
  • BC Advisor

Posted 14 August 2016 - 02:24 PM

You will want to be careful about using both, however, as software restriction policies won't be applied on certain computers if AppLocker is present. Microsoft recommends setting them up with separate GPOs, and using WMI filters or security groups to target SRPs to Vista and earlier computers, and AppLocker to Win7 and above.

 

https://technet.microsoft.com/en-us/library/hh994614(v=ws.11).aspx
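Putting the two replies above together (scope the restriction to an AD group, author it as AppLocker, keep it in its own GPO), the following is an added example written for this page; it is not code from the thread or from Microsoft. It builds an AppLocker policy that denies one signed application to one domain group while leaving the wizard's default allow rules in place, dry-runs it with Test-AppLockerPolicy, and publishes it into a dedicated GPO from the domain controller. The application path, group name, GPO name and the test user are placeholders; the AppLocker, GroupPolicy and ActiveDirectory modules (RSAT) are assumed to be installed where you run it.

```powershell
# Added example (not from the thread). Deny one signed EXE to one AD group via
# an AppLocker policy stored in a GPO. Run as a domain admin on a host with RSAT.
# PLACEHOLDERS (not from the original post): $BlockedExe, $GroupName, $GpoName, $TestUser.

Import-Module AppLocker
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BlockedExe = 'C:\Program Files\ExampleVendor\BlockedApp.exe'   # placeholder path to the app to block
$GroupName  = 'AppLocker-Deny-BlockedApp'                        # placeholder AD security group
$GpoName    = 'AppLocker-Clients'                                # placeholder dedicated GPO
$TestUser   = "$env:USERDOMAIN\jdoe"                             # placeholder member of the group
$PolicyXml  = Join-Path $env:TEMP 'applocker-policy.xml'

# AppLocker scopes rules by SID, not by name, so resolve the group first.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# Take the publisher details from the binary itself. A publisher rule still matches
# if the user copies or renames the EXE; a path rule does not.
$Info = Get-AppLockerFileInformation -Path $BlockedExe
if (-not $Info.Publisher) { throw "$BlockedExe is not signed; use a hash rule (Get-AppLockerFileInformation .Hash) instead" }
$Esc = { param($s) [System.Security.SecurityElement]::Escape($s) }   # publisher strings go into XML attributes
$PubName = & $Esc $Info.Publisher.PublisherName
$ProdName = & $Esc $Info.Publisher.ProductName

# The three default allow rules the AppLocker wizard generates, plus one deny rule.
# Without the allow rules, enabling enforcement would block everything for everyone.
# Deny rules take precedence over allow rules, so only this group loses this app.
$Xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $ProdName for $GroupName" Description="" UserOrGroupSid="$GroupSid" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$PubName" ProductName="$ProdName" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyXml -Value $Xml -Encoding UTF8

# Dry run before publishing: the group member must come back Denied, Everyone Allowed.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $BlockedExe -User $TestUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $BlockedExe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Publish into a GPO of its own (created if missing). AppLocker lives under
# Computer Configuration, so link this GPO to the OU that holds the client computers.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }
$Ldap = 'LDAP://{0}/{1}' -f (Get-ADDomain).PDCEmulator, $Gpo.Path
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $Ldap
```

Because the deny rule is keyed to the group's SID, one GPO linked to all client computers is enough: the restriction follows the user wherever they log on, which is the "less administrative effort" the question asks for. Two practitioner caveats: roll the collection out with EnforcementMode="AuditOnly" first and read event ID 8003 in the AppLocker event log to see what would have been blocked before switching to "Enabled", and note that Microsoft documents AppLocker enforcement for the Enterprise and Education editions of Windows 10, so check the edition of the clients before trusting the rule.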



#4 TinoNgombo
  • Topic Starter

Posted 15 August 2016 - 04:47 AM

Thank you, gentlemen. I shall have a look at those and give some feedback.



#5 TinoNgombo
  • Topic Starter

Posted 15 August 2016 - 05:47 AM

Update:

Through the Technet links provided above, I've learned that the Application Identity service must be set to "Automatic" start in order for the AppLocker policy to work properly.

Now, must I only set it to start automatically on the server? (the idea is to implement this with less administrative effort possible).



#6 technonymous

Posted 15 August 2016 - 06:48 AM

Well if it needs to run then yes the service should be set to automatic.



#7 TinoNgombo
  • Topic Starter

Posted 17 August 2016 - 03:41 AM

I have had no success so far. I actually want to avoid the administrative effort of going to each client computer and setting the Application Identity service to start automatically (these are all running Windows 10).

Isn't there a way to make it start automatically on all the intended client computers, at once?

Thanks in advance.



#8 technonymous

Posted 23 August 2016 - 05:30 PM

Once you create a custom policy rule you can create a policy for services too. Have you done that?

 

There's a ton of tutorials on YouTube on GPO policies: https://www.youtube.com/watch?v=Z2-Sjw9UYdU

 

And...

 

MSFT info on gpupdate refresh: https://technet.microsoft.com/en-us/library/jj134201(v=ws.11).aspx

 

As a side note: when changing the services policies, you can dive deeper into customizing security settings further using the Security button.
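To make the reply above concrete for the question in #5 and #7: the service that has to be Automatic is the Application Identity service (AppIDSvc) on every client, not on the server; the server only hosts the GPO. The GPO setting is Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Application Identity > Automatic. The script below is an added example written for this page, not the thread's or Microsoft's code. It does not set the service itself (the GPO does that); it pushes a policy refresh to the Windows 10 clients from the server, as the gpupdate link above describes, and then reports per machine whether the service is running, what the effective AppLocker EXE collection is enforcing, and how many blocks were logged. The OU is a placeholder, and PowerShell remoting (WinRM) is assumed to be enabled on the clients.

```powershell
# Added example (not from the thread). Refresh Group Policy on the Windows 10
# clients and verify that AppLocker is actually in force on each of them.
# Run on the domain controller or a management host with RSAT.
# PLACEHOLDER (not from the original post): $ClientOU. Assumes WinRM is enabled on the clients.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$ClientOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU that holds the client computers

$Clients = (Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' -SearchBase $ClientOU).Name

# Trigger a computer-policy refresh now instead of waiting for the background interval.
foreach ($c in $Clients) {
    Invoke-GPUpdate -Computer $c -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Continue
}

$Report = Invoke-Command -ComputerName $Clients -ErrorAction SilentlyContinue -ScriptBlock {
    # If AppIDSvc is not running, AppLocker rules are silently ignored on this machine.
    $svc = Get-Service -Name AppIDSvc

    # The effective policy is what this client merged from every linked GPO.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }

    # 8004 = blocked (Enabled); 8003 = would have been blocked (AuditOnly).
    $events = Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 200 -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-1)
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Edition     = (Get-CimInstance Win32_OperatingSystem).Caption
        AppIDStart  = $svc.StartType
        AppIDStatus = $svc.Status
        ExeMode     = if ($exe) { $exe.EnforcementMode } else { 'NoExePolicy' }
        ExeRules    = if ($exe) { $exe.ChildNodes.Count } else { 0 }
        Blocked24h  = @($events | Where-Object Id -eq 8004).Count
        Audited24h  = @($events | Where-Object Id -eq 8003).Count
    }
}

$Report | Sort-Object Computer | Format-Table -AutoSize

# Anything listed here is a client where the policy is present on paper but not in force.
$Report | Where-Object { $_.AppIDStatus -ne 'Running' -or $_.ExeMode -ne 'Enabled' } |
    Select-Object Computer, Edition, AppIDStart, AppIDStatus, ExeMode
```

Machines missing from the report did not answer over WinRM and should be checked by hand. The Edition column is there because Microsoft documents AppLocker enforcement for the Enterprise and Education editions of Windows 10, so a Pro client can show the policy yet never block anything. On current Windows 10 builds Microsoft describes AppIDSvc as a protected service whose startup type cannot be changed from the Services console; the GPO System Services setting (or, for a single machine, sc.exe config appidsvc start= auto from an elevated prompt) is the supported way to set it.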



#9 TinoNgombo
  • Topic Starter

Posted 24 August 2016 - 08:39 AM

Wow... Thanks for the info, sir.

I'll try those :)



#10 technonymous

Posted 24 August 2016 - 06:36 PM

Another built in tool is the security configuration wizard. https://www.youtube.com/watch?v=nQMsfNfNXV



#11 Ramsarode

Posted 30 August 2016 - 01:08 AM

Yes the service should be set to automatic.