https://msendpointmgr.com/2021/08/13/log-analytics-applocker-better-together/
Use GPO and inheritance of GPO. Create two AD groups:
* dl_AppLocker_Enforced
* dl_AppLocker_Audit
Add the same rules to both, where one group Enforces and the second one Audits only. Rules:
- AppLocker rules, hardening settings
- Main Switch - this applies to GPO inheritance (see below): the last (nested) GPO (Servers, Helpdesk, Test Computers) is the main switch, and it decides whether all rules are enforced or audited only
GPO: Contoso.local (domain)
|   Enforcement: Not configured (rules are enforced), X rules
|
+-- GPO: Servers
|       Enforcement: Not configured (rules are enforced), Y rules; total X+Y rules are enforced
|
+-- GPO: Helpdesk
|       Enforcement: Audit only, Z rules; total X+Z rules are audited, but not enforced
|
+-- GPO: Test computers
        Enforcement: Enforce rules, 0 rules; X rules are enforced
GPO name                        Location    Purpose
AppLocker Default Rules         Top         Default rules that allow Windows to start. DO NOT EDIT
AppLocker Hardening             Top         Only deny rules; add all LOLBins there
AppLocker Rules Servers         each OU     Allow rules, Notepad++ for example
AppLocker Rules PAW Computers   each OU     Allow rules, Notepad++ for example
AppLocker Enforced              each OU     This is the Main Switch
AppLocker Audit Only            single OU

To change the mode for a problematic computer, you move it from one OU to the other OU (AuditOnly).
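While a computer sits in the AuditOnly OU, the point is to learn which files would have been blocked before moving it back. As an added example (not from the original post), the PowerShell below reads the standard AppLocker audit/block events (8003 and 8006 = would have been blocked in audit mode, 8004 and 8007 = blocked) from the local event logs and summarizes them per file path, user and signed/unsigned state; log names and event IDs are the standard AppLocker ones, the summary layout is my own.

```powershell
# Added example: summarize AppLocker audit/block events on the local machine.
# 8003/8004 live in "EXE and DLL", 8006/8007 in "MSI and Script". Run elevated.
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)
$ids  = 8003, 8004, 8006, 8007

$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = (Get-Date).AddDays(-7) } `
        -ErrorAction SilentlyContinue
}

$rows = foreach ($e in $events) {
    # The interesting fields are in the UserData part of the event XML.
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Mode     = if ($e.Id -in 8003, 8006) { 'Audit' } else { 'Blocked' }
        User     = $d.TargetUser
        FilePath = $d.FilePath          # AppLocker writes paths with variables, e.g. %PROGRAMFILES%\...
        Fqbn     = $d.Fqbn              # publisher\product\binary\version; empty or "-" when unsigned
        Hash     = $d.FileHash
    }
}

# Unsigned binaries (no Fqbn) can only get a path or hash rule; everything else
# should become a publisher rule, per the general rules above.
$rows | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Signed'; e = { $_.Group[0].Fqbn -notin @('', '-', $null) } } |
    Format-Table -AutoSize
```

Run it on a machine in the AuditOnly OU after a normal working day; anything that shows up with Signed = True is a candidate for a publisher rule in the OU's "AppLocker Rules" GPO, and the same query over the forwarded logs is what a Log Analytics workspace would give you across the fleet.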
Rule types:
* Path rules (examples: C:\test\*, *\lolbin.exe, c:\users\*\appdata\local\adobe\*, \\dc1\SYSVOL\*, \\dc2\SYSVOL\*, \\server\share1, \\server1.contoso.local\share1\*, \\10.0.0.1\share1\*, K:\*)
* Hash rules
* Publisher rules
The certificate must be trusted and valid, and a timestamp must exist and be valid; this can be a paid or an internal CA.
Stick to company-level (publisher) rules instead of a certain filename or version.
BTW: "Everyone" in Windows is everyone except unauthenticated users.
BTW2: This blocks 95% of malware from running.
Hash rules are ONLY used when path or publisher rules cannot be applied; avoid them.
General rules:
* look for folders not files,
* look for publishers instead of hashes
* audit installation with AccessChk
* no admin rights
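The four general rules above map directly onto the AppLocker PowerShell module plus Sysinternals AccessChk. As an added example (not from the original post), the script below generates publisher rules for an application folder with hash rules only as a fallback, counts how many hash rules slipped in, tests the effective policy against sample binaries before any GPO changes, and then uses AccessChk to confirm that the folders you would reference in path rules are not writable by standard users. It assumes Notepad++ is installed under Program Files and that accesschk64.exe is on the PATH; the output file names are mine.

```powershell
# Added example: publisher-first rule generation, policy test, and folder write-audit.
Import-Module AppLocker

$appDir = 'C:\Program Files\Notepad++'   # assumed install location

# "Publishers instead of hashes": ask for Publisher rules first, Hash only for unsigned
# files. -Optimize collapses per-file rules into one rule per publisher/product.
Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe, Dll |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize `
        -RuleNamePrefix 'NotepadPP' -Xml |
    Out-File -FilePath .\NotepadPP-rules.xml -Encoding utf8

# Every hash rule generated here is a future maintenance item (breaks on the next update).
$pol = [xml](Get-Content -Raw .\NotepadPP-rules.xml)
foreach ($rc in $pol.AppLockerPolicy.RuleCollection) {
    '{0}: {1} publisher rule(s), {2} hash rule(s)' -f $rc.Type,
        @($rc.FilePublisherRule).Count, @($rc.FileHashRule).Count
}

# Test the effective (domain + local) policy on sample files before touching any GPO.
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath .\effective.xml -Encoding utf8
Test-AppLockerPolicy -XmlPolicy .\effective.xml -User Everyone `
    -Path (Join-Path $appDir 'notepad++.exe'), 'C:\Windows\System32\cmd.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# "Folders not files" is only safe when Users cannot write into the folder, otherwise an
# allow-by-path rule also allows whatever a user drops there. AccessChk flags:
# -u suppress errors, -w writable only, -d directories only, -q no banner, -s recurse.
foreach ($dir in @($appDir, 'C:\Program Files', 'C:\Windows')) {
    "--- user-writable directories under $dir ---"
    accesschk64.exe -accepteula -uwdqs Users $dir 2>$null |
        Where-Object { $_ -match '^\s*R?W\s' }
}
```

Any directory printed by the last loop either needs its ACL fixed or must be carved out of the path rule with a deny rule in the Hardening GPO; the AppLocker cmdlets used here are the standard ones (Get-AppLockerFileInformation, New-AppLockerPolicy, Get-AppLockerPolicy, Test-AppLockerPolicy) and the resulting XML can be merged into a GPO with Set-AppLockerPolicy -Ldap.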