Welcome to the next installment of the House of I.T.’s Windows Server 2012 tutorial. This part of the tutorial is a rather simple one: we’ll only cover Software Restriction Policies (SRP) and AppLocker, which, by the way, are quite similar to each other, except that one is better than the other.
The general concept for both policies is that they stop users from running certain software and applications. First is the Software Restriction Policy, which was designed for legacy Windows: Windows XP, Server 2003 and the early versions of Server 2008. The Software Restriction Policy has a lot of loopholes that any slightly-above-average user can exploit to bypass the restrictions, especially if you’re working with the path rule, which is quite easy to bypass. If you use the hash rule, or the publisher rule to be exact, it’s more difficult to bypass, and that is probably the strength of AppLocker.
Here’s how you lock down certain applications. For example, I don’t want some users to use the built-in Notepad on their Windows computer. So first I created the Software Restriction Policy here in the Group Policy Object: go to Computer Configuration, Windows Settings, and then under Security Settings there’s Software Restriction Policies. Right-click on Software Restriction Policies, then you’ll need to identify what you want to do from there.
So for example, Enforcement: what it does is apply the restriction policies to all software files except libraries such as DLL files, which are commonly linked to multiple applications, some of which you want to restrict and some you don’t. You can apply software restriction policies to all users, or make an exception for Administrators.
There are also software restriction policies for certificates. Enforcing certificate rules means that applications would have to be signed by a trusted certificate in order to run, and if you choose to ignore them, it just follows the defaults. Also here are the designated file types: files like .exe, .hta, scripts and .bat files. You can also add additional file types here. And here you can identify your trusted publishers.
Now let’s take a look at Security Levels. You might not notice this, but there’s a checkmark on the last item. This means that this is the setting I’m currently using, which is Unrestricted. But if you enable Disallowed, no applications will be allowed to run, except the ones we make exceptions for. And lastly there’s Basic User, which allows non-Administrators to run basic software applications.
Normally we just use Unrestricted, then add additional rules here. These registry paths right here need to run unrestricted in order for Windows to run.
Here you can add:
- Certificate Rules, where applications must be signed by trusted certificates in order to run.
- A Network Zone Rule, which applies to the source of the application.
- A Path Rule, which can disallow an application from running if it is launched from a given file path. You can click on New File Path Rule here, browse for the file location, make sure that the security level is Disallowed, then click OK and link it to an Organizational Unit. But users can bypass this rule just by moving the application to another location, like a thumb drive or somewhere else, and then they’ll be able to run the application.
- We can also use the Hash Rule, which saves a hash of the application you don’t want to run, cross-checks it against the application that is about to run, and if it matches, it won’t allow that application to run. The issue with this one is that you need to maintain it very often, because the hash is tied to the version of the application. So if the application updates to a newer version, the hash will no longer hold true, which means the users can once again run the application.
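The maintenance problem with hash rules is easier to live with if you know when a hash has gone stale. The following PowerShell script is an added example, not code from the House of I.T. tutorial: it keeps a baseline (SHA-256 plus file version) of the executables that your SRP hash rules cover and, on later runs, reports which ones have changed. The baseline path and the application list are constructed for the example, and it assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not code from the House of I.T. tutorial. Tracks the files
# behind SRP hash rules and reports which ones changed since the baseline,
# so you know when a hash rule must be re-created in the GPO editor.
# Assumes PowerShell 4.0+ (Get-FileHash). Paths below are constructed.
$BaselinePath   = 'C:\SRP\hash-baseline.csv'          # hypothetical location
$RestrictedApps = @(                                   # constructed list
    'C:\Windows\System32\notepad.exe',
    'C:\Windows\System32\mspaint.exe'
)

function Get-AppFingerprint {
    # SHA-256 of the file plus its version resource; an update changes both
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path    = $item.FullName
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Version = $item.VersionInfo.FileVersion
    }
}

function Save-SrpBaseline {
    param([string[]]$Paths, [string]$Out)
    New-Item -ItemType Directory -Path (Split-Path $Out) -Force | Out-Null
    $Paths | ForEach-Object { Get-AppFingerprint $_ } |
        Export-Csv -LiteralPath $Out -NoTypeInformation
}

function Compare-SrpBaseline {
    # One row per application: Unchanged, Changed (hash differs), New or Missing
    param([string[]]$Paths, [string]$BaselineFile)
    $old = @{}
    Import-Csv -LiteralPath $BaselineFile | ForEach-Object { $old[$_.Path] = $_ }
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; OldVersion = $old[$p].Version; NewVersion = $null }
            continue
        }
        $now    = Get-AppFingerprint $p
        $status = if (-not $old.ContainsKey($now.Path))            { 'New' }
                  elseif ($old[$now.Path].Sha256 -ne $now.Sha256) { 'Changed' }
                  else                                            { 'Unchanged' }
        [pscustomobject]@{
            Path       = $now.Path
            Status     = $status
            OldVersion = $old[$now.Path].Version
            NewVersion = $now.Version
        }
    }
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    Save-SrpBaseline -Paths $RestrictedApps -Out $BaselinePath
    "Baseline written to $BaselinePath"
} else {
    # 'Changed' rows are the hash rules that no longer match the binary on disk;
    # re-create those rules in the GPO editor, then delete the CSV to re-baseline.
    Compare-SrpBaseline -Paths $RestrictedApps -BaselineFile $BaselinePath | Format-Table -AutoSize
}
```

SRP stores its own hash value inside the rule; this script does not write that value, it only tells you when the binary a rule was built from has been replaced, which is exactly the moment the rule stops matching. Running it after Patch Tuesday, or as a scheduled task on the reference computer, turns the "maintain it very often" chore into a short list of rules to rebuild.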
The best alternative to these is what we call AppLocker.
- You can just add a new policy, then go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies
- then go inside AppLocker
In AppLocker, you can assume that all applications are not allowed to run, except for the ones we allow. Let me show you something first, and I strongly recommend you don’t do this: if you right-click on AppLocker, choose Properties, then choose to Configure Executable Rules and Enforce them, you might lock down the Windows operating system itself, and you don’t want that to happen.
So what you need to do first is right-click on Executable Rules and choose Create Default Rules, which allows all the Windows applications to run. Another thing you can do is install all the needed applications on a reference computer, then right-click on Executable Rules on the reference computer and choose Automatically Generate Rules. What it does is scan various file paths like Program Files, applying to Everyone, look at the file hash or path, and then create the rules and exceptions for the applications for you.
Now if you want to specifically disallow a certain application:
- Right click on Executable Rules
- Choose Create New Rule
- Then choose Deny, for Everyone, on the application
- You can choose from a certain Publisher, Path or File Hash
- In my case, I’m gonna use Publisher
- Then browse for the application
- Then you can choose how specific the details of this rule are. As you move the slider further down, the more specific it becomes. You can even specify the range of software versions that you won’t let run on your system: if you click on Use custom values, you can choose from Above, Below or Exactly right here.
- In the next wizard page, you can also add an exception.
- And then Finish
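The same outcome as the wizard steps above, scripted with the AppLocker cmdlets so that the policy can be dry-run before it is enforced. This is an added example, not code from the House of I.T. tutorial or from Microsoft: it writes the three default Exe allow rules that Create Default Rules produces, builds a Publisher rule for notepad.exe and flips it to Deny (New-AppLockerPolicy only emits Allow rules), checks the result with Test-AppLockerPolicy, and applies it locally only if the dry run behaves. The output path is hypothetical; run it from an elevated prompt.

```powershell
# Added example, not code from the House of I.T. tutorial or from Microsoft.
# Default Exe allow rules + a Publisher Deny rule for notepad.exe, tested
# before it is applied. $PolicyOut is a hypothetical location.
$Target    = 'C:\Windows\System32\notepad.exe'
$PolicyOut = 'C:\AppLocker\deny-notepad.xml'

# 1. What "Create Default Rules" creates for the Exe collection. Enforcing the
#    collection without these is how you lock out Windows itself.
[xml]$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="Everyone may run files under the Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="Everyone may run files under Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="Administrators may run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# 2. The wizard's Deny > Everyone > Publisher step. Publisher data comes from
#    the file's signature, so an unsigned target would need a Hash rule instead.
$fileInfo = Get-AppLockerFileInformation -Path $Target
if (-not $fileInfo.Publisher) { throw "$Target is not signed; use -RuleType Hash" }
[xml]$denyDoc = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                    -User Everyone -RuleNamePrefix 'Deny notepad' -Xml
$denyRule = $denyDoc.SelectSingleNode("//RuleCollection[@Type='Exe']/FilePublisherRule")
$denyRule.SetAttribute('Action', 'Deny')
# The wizard's Above/Below/Exactly version choice lives in the rule's
# <BinaryVersionRange LowSection=".." HighSection=".."/> element; "*" means any version.
$exeCollection = $policy.SelectSingleNode("//RuleCollection[@Type='Exe']")
[void]$exeCollection.AppendChild($policy.ImportNode($denyRule, $true))
New-Item -ItemType Directory -Path (Split-Path $PolicyOut) -Force | Out-Null
$policy.Save($PolicyOut)

# 3. Dry run: Test-AppLockerPolicy evaluates without executing anything.
#    Expected: Paint and Calculator Allowed, Notepad Denied.
$checks  = @($Target, 'C:\Windows\System32\mspaint.exe', 'C:\Windows\System32\calc.exe')
$results = Test-AppLockerPolicy -XmlPolicy $PolicyOut -Path $checks -User Everyone
$results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

$targetDenied = ($results | Where-Object { $_.FilePath -eq $Target }).PolicyDecision -eq 'Denied'
$othersAllowed = -not ($results | Where-Object { $_.FilePath -ne $Target -and $_.PolicyDecision -ne 'Allowed' })

# 4. Apply locally only when the dry run matched; -Merge keeps rules already
#    present instead of replacing them. For a GPO, Set-AppLockerPolicy takes
#    -Ldap instead, which is what the tutorial does through the GPMC.
if ($targetDenied -and $othersAllowed) {
    Set-AppLockerPolicy -XmlPolicy $PolicyOut -Merge
    "Policy merged into the local AppLocker policy."
} else {
    Write-Warning 'Dry run did not match expectations; policy was not applied.'
}
```

Deny rules win over Allow rules in AppLocker, which is why the Deny rule for Notepad is effective even though the default "All files located in the Windows folder" rule allows it. Keep the generated XML in version control: it is the same document the GPO editor imports and exports, so the test step can be repeated against every later change before it reaches a linked OU.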
Another thing you need to do is enable the Application Identity service. It can be found under System Services. You can define it to start automatically, and you can also edit its security. Then after a restart or policy refresh, this service should start.
Now, for more flexibility with this service, you can go down to Preferences, then Control Panel Settings, and then Services.
- You can right-click on Services
- choose New
- click on Service
Then the service properties should pop up.
- You can set it to automatic
- Browse for the Application Identity service
- Choose start service
- You can also add a “wait timeout”
- You could also choose “Log on as”, but I’m not gonna change the default in this case.
Now before we refresh the policy, let’s first check the services that we have.
- Let’s first go to settings
- Control Panel
- Look for services
And there you’ll notice that Application Identity is set to Manual and is stopped. So if you run gpupdate /force and then refresh the services, you’ll see that it’s running. Knowing that you’ve done all those steps and made sure the service is already running, you’re probably thinking that Notepad won’t be able to run. But that’s not the case, because for some reason there’s a time delay before it applies. So we’ll just need to wait for it to apply and see the result. And now we’re blocked from using Notepad. And Notepad should be the only application restricted, so we should still be able to run things like Paint and Calculator. And that’s the end of our video. Thank you for watching, and I hope you learned a lot from this video.
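The service and verification steps above, scripted. This is an added example, not code from the House of I.T. tutorial: it sets the Application Identity service (service name AppIDSvc) to Automatic and starts it, refreshes Group Policy, confirms that a Deny rule naming the binary is present in the effective AppLocker policy, and reads the AppLocker event log, which is where you see what was actually blocked rather than guessing from the desktop. Run it from an elevated prompt on the computer the policy is linked to.

```powershell
# Added example, not code from the House of I.T. tutorial. Enables AppIDSvc,
# refreshes policy, checks the effective policy and reads the AppLocker log.
function Enable-AppIdService {
    # Same as the GPO System Services setting: startup Automatic, then start it
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    # Win32_Service shows State and StartMode on every supported Windows version
    Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'" |
        Select-Object Name, State, StartMode
}

function Test-AppLockerDenyRule {
    # $true when a Deny rule in the effective Exe collection names the binary
    param([string]$BinaryName = 'NOTEPAD.EXE')
    [xml]$effective = Get-AppLockerPolicy -Effective -Xml   # local + domain merged
    $denyRules = $effective.SelectNodes("//RuleCollection[@Type='Exe']/*[@Action='Deny']")
    foreach ($rule in $denyRules) {
        if ($rule.OuterXml -match [regex]::Escape($BinaryName)) { return $true }
    }
    return $false
}

function Get-AppLockerExeEvents {
    # 8001 policy applied, 8002 allowed, 8003 audit-only (would have blocked),
    # 8004 blocked. 8004 rows are the "we're blocked from using Notepad" moment;
    # an 8001 row is the sign the refreshed policy has actually reached AppIDSvc.
    param([int]$Minutes = 30)
    $meaning = @{ 8001 = 'policy applied'; 8002 = 'allowed'; 8003 = 'audit: would block'; 8004 = 'blocked' }
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
      Where-Object { $meaning.ContainsKey($_.Id) } |
      Select-Object TimeCreated, Id,
        @{ n = 'Meaning'; e = { $meaning[$_.Id] } },
        @{ n = 'Detail';  e = { ($_.Message -split "`r?`n")[0] } }
}

Enable-AppIdService
gpupdate /force | Out-Null
"Deny rule for NOTEPAD.EXE in effective policy: $(Test-AppLockerDenyRule)"
# Run this again after the wait the tutorial mentions: Notepad should show as
# blocked (8004) while Paint and Calculator still show as allowed (8002).
Get-AppLockerExeEvents -Minutes 30 | Format-Table -AutoSize
```

The event log is also the right place to look when the rule seems not to apply yet: if there is no 8001 event after gpupdate, the policy has not been handed to the service, and if 8003 events appear instead of 8004, the collection is still in audit-only mode rather than enforced. Forwarding 8004 (and 8003 while you are still auditing) to a central log gives you a running list of what users tried to launch and where it sat on disk.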