Figure 5-22 AppLocker path rule
Creating Rules Automatically
A significant advantage of AppLocker over Software Restriction Policies is the ability to generate rules automatically. To configure rules for AppLocker, right-click the Executable Rules, Windows Installer Rules, or Script Rules node and then click Automatically Generate Rules. You are asked to specify a directory for the wizard to scan. Your options, shown in Figure 5-23, let Windows generate publisher rules for files that are digitally signed, and let you choose whether a hash rule or a path rule is created for any file that is not signed. Alternatively, you can have the wizard create a file hash rule for every file of the type you are configuring. The Automatically Generate Rules wizard scans the folder you specify and all of the folders it contains.
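The same scan can be scripted with the AppLocker PowerShell module that ships with Windows 7. The following is an added example, not code from the training kit; the folder to scan, the output file name, and the rule name prefix are assumptions chosen for illustration.

```powershell
# Added example: PowerShell equivalent of the Automatically Generate Rules wizard.
# Assumptions: the folder to scan is C:\Program Files\Contoso, the policy file is
# written to C:\Policies\contoso-exe.xml, and the shell is elevated.
Import-Module AppLocker

$scanDir   = 'C:\Program Files\Contoso'     # assumed folder to scan
$policyXml = 'C:\Policies\contoso-exe.xml'  # assumed output file

# Collect publisher and hash information for every executable under the folder,
# recursively, as the wizard does. Unsigned files have no Publisher property.
$fileInfo = Get-AppLockerFileInformation -Directory $scanDir -Recurse -FileType Exe

# Build allow rules for Everyone: a publisher rule where a file is signed, falling
# back to a hash rule where it is not (the wizard's default choice).
# -Optimize merges files that share a publisher and product into a single rule.
$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix Contoso -Optimize -Xml
$policy | Out-File -FilePath $policyXml -Encoding utf8

# Show which files received a publisher rule and which fell back to a hash rule,
# so unsigned binaries (which will need a new rule after every update) stand out.
$fileInfo | ForEach-Object {
    $kind = if ($_.Publisher) { 'Publisher' } else { 'Hash' }
    '{0,-10} {1}' -f $kind, $_.Path
}

# Dry-run the generated policy against a file before applying it.
# Test-AppLockerPolicy -XmlPolicy $policyXml -Path "$scanDir\alpha.exe" -User Everyone

# Merge the generated rules into the local computer's AppLocker policy.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

Review the generated XML before applying it: a hash rule for an unsigned file pins one exact binary, so any patch to that file silently turns it into a block until the rule is regenerated.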
Configuring Exceptions
Exceptions allow specific applications to be exempt from more general rules. For example, you could create a publisher rule that allows all versions of a Contoso application named Alpha but then use an exception to block the execution of version 4.2 of application Alpha. You can use any method to specify an exception, and the method you choose does not depend on the type of rule that you are creating. For example, as Figure 5-24 shows, you can create a publisher rule that allows all applications published by Microsoft to execute on a computer, but you can also configure a file hash exception for Solitaire.exe. Of course, this example rule would work only if the default path rule for the Program Files folder is not
Figure 5-23 Creating rules automatically
AppLocker Auditing
Because AppLocker can have a significant impact on the way that applications function in your organization's environment, it is prudent to audit how AppLocker behaves before fully enforcing AppLocker policies. Auditing lets you verify which applications are affected by AppLocker without actually blocking those applications from executing. To configure AppLocker to audit rules rather than enforce them, set each AppLocker rule type (executable, Windows Installer, and script) to Audit Only, as shown in Figure 5-25.
Figure 5-25 Configuring AppLocker auditing
AppLocker audit events are written to the AppLocker event logs, which are found in Event Viewer under the Applications and Services Logs\Microsoft\Windows\AppLocker node. Each event in the AppLocker log contains detailed information about:
■ The rule name
■ The SID of the targeted user or group
■ Which file the rule affects and its path
■ Whether the file was allowed or blocked
■ The rule type (publisher, path, or file hash)
You will learn more about auditing in Chapter 8, "BranchCache and Resource Sharing."
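The two halves of an audit rollout, switching the local policy to audit-only and then reading back what the audit log recorded, can be done from PowerShell. This is an added example rather than code from the training kit; the scratch file path and the event field names read from each event's UserData element are assumptions noted in the comments.

```powershell
# Added example: put every rule collection in the local AppLocker policy into
# audit-only mode, then list what the audit log recorded.
# Assumptions: Application Identity (AppIDSvc) is running, the shell is elevated,
# and the scratch file under $env:TEMP is writable.
Import-Module AppLocker

# Read the current local policy as XML and set EnforcementMode on each
# collection (Exe, Msi, Script, Dll) to AuditOnly instead of Enabled.
[xml]$policy = Get-AppLockerPolicy -Local -Xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    if ($collection) { $collection.EnforcementMode = 'AuditOnly' }
}
$auditXml = Join-Path $env:TEMP 'applocker-audit.xml'   # assumed scratch path
$policy.Save($auditXml)
Set-AppLockerPolicy -XmlPolicy $auditXml

# Event 8003: the file ran only because the policy is in audit mode and would have
# been blocked under enforcement. Event 8004: the file was actually blocked.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
    Where-Object { @(8003, 8004) -contains $_.Id } |    # -contains works on PowerShell 2.0
    ForEach-Object {
        # AppLocker events carry their details in Event\UserData\RuleAndFileData;
        # the child element names below are assumed from that schema.
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Outcome = $(if ($_.Id -eq 8004) { 'Blocked' } else { 'WouldBlock' })
            Rule    = $data.RuleName
            File    = $data.FilePath
            UserSid = $data.TargetUser
        }
    } |
    Sort-Object Time |
    Format-Table Time, EventId, Outcome, Rule, File, UserSid -AutoSize
```

Run the audit for a full business cycle before flipping EnforcementMode back to Enabled: the 8003 events are exactly the list of files that enforcement will break, and each one needs either a rule or a documented decision to block it.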
More Info: AppLocker Auditing
To learn more about configuring auditing for AppLocker, consult the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/dd723693.aspx.
Exam Tip
Understand why one user might be able to execute an application while another user is unable to execute the same application.
Practice: Restricting Applications
In this practice, you use two different methods to restrict the execution of applications: Software Restriction Policies and AppLocker. Software Restriction Policies are used to restrict the execution of applications on computers running Windows XP, Windows Vista, and Windows 7. AppLocker is a feature that is new to Windows 7 and is available only in the Ultimate and Enterprise editions of the product.
Exercise 1: Configuring a Software Restriction Policy
In this exercise, you create a Software Restriction Policy hash rule to block the execution of the Windows Calculator application. To complete this exercise, perform the following steps:
1. Log on to computer Canberra using the Kim_Akers user account.
2. Click Start, type Calculator, and then press Enter. Verify that the Calculator application starts, and then close it.
3. Click Start, type gpedit.msc, and then press Enter. This opens the Local Group Policy Editor console.
4. Navigate to the Computer Configuration\Windows Settings\Security Settings node.
5. Select and then right-click the Software Restriction Policies node. Choose New Software Restriction Policies.
6. Right-click the Additional Rules node and then choose New Hash Rule. This opens the New Hash Rule dialog box. Click Browse and navigate to the \Windows\System32 folder.
7. In the Open dialog box, type calc.exe in the File Name text box and then click Open. Ensure that the Security Level is set to Disallowed, as shown in Figure 5-26, and then click OK.
8. Close the Local Group Policy Editor and then reboot the computer. Log back on using the Kim_Akers user account.
Figure 5-26 Creating a hash rule
9. Click Start, type Calculator, and then press Enter. You should get the message shown in Figure 5-27.
Figure 5-27 Calculator application blocked by policy
10. Click Start, type gpedit.msc, and then press Enter. This opens the Local Group Policy Editor console. Navigate to the Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules node and then delete the rule for calc.exe.
11. Close the Local Group Policy Editor console and then reboot the computer. Log on as Kim_Akers and verify that you can again open the Calculator application.
Exercise 2: Configuring AppLocker
In this exercise, you configure an AppLocker policy to block the Solitaire application. To complete the exercise, perform the following steps:
1. If you are not already logged on to computer Canberra, log on as Kim_Akers.
2. Click Start, type Solitaire, and then press Enter. Verify that the Solitaire application opens, and then close Solitaire.
3. Click Start, type services.msc, and then press Enter. This opens the Services console.
4. Double-click the Application Identity service. Set the Startup Type to Automatic, as shown in Figure 5-28, click Start, and then click OK. Close the Services console.
Figure 5-28 Configuring the startup properties of the Application Identity service
5. Click Start, type gpedit.msc, and press Enter. This opens the Local Group Policy Editor console.
6. Navigate to the Computer Configuration\Windows Settings\Security Settings\Application Control Policies node and then select the AppLocker item.
7. Right-click Executable Rules and then choose Create New Rule. On the Before You Begin page of the Create Executable Rules wizard, click Next.
8. On the Permissions page, select Deny and then click Next.
9. On the Conditions page, select Publisher and then click Next.
10. On the Publisher page, click Browse. Navigate to the \Program Files\Microsoft Games\Solitaire folder and then double-click Solitaire.exe.
11. On the Publisher page, select the Use Custom Values check box, and then verify that the settings match those shown in Figure 5-29. Click Create.
12. When prompted to create the default rules, click Yes. Without the default rules, an enforced executable rule collection blocks everything that is not explicitly allowed, including Windows itself.
13. Close the Local Group Policy Editor console, turn off the computer, and then restart it.
Figure 5-29 A rule blocking the Solitaire application
14. Log on with the Kim_Akers user account and attempt to open the Solitaire application. You should receive a message informing you that it has been blocked by policy, as shown in Figure 5-30.
Figure 5-30 Solitaire blocked by policy
15. Click Start, type services.msc, and then press Enter. This opens the Services console.
16. Double-click the Application Identity service. Set the Startup Type to Disabled. Close the Services console.
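The policy built in Exercise 2 (a Deny publisher rule for Solitaire plus the three default executable rules) can also be built and checked from PowerShell, which makes the effect of step 12 and of the deny-over-allow precedence visible before anything is enforced. This is an added example and not part of the training kit; the Solitaire path, the scratch file name, and the rule names are assumptions.

```powershell
# Added example: Exercise 2 built with the Windows 7 AppLocker module.
# Assumptions: Solitaire is installed at the path below, the shell is elevated,
# and $env:TEMP is writable.
Import-Module AppLocker

$solitaire = 'C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe'  # assumed path

# 1. AppLocker rules are ignored unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Read the signer, product, binary name and version from Solitaire.exe and let
#    the module build a publisher rule for Everyone. The cmdlet only emits Allow
#    rules, so the action is flipped to Deny afterwards.
$info = Get-AppLockerFileInformation -Path $solitaire
[xml]$policy = $info |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix Block -Xml
$exe = $policy.AppLockerPolicy.RuleCollection
$exe.EnforcementMode = 'Enabled'
$exe.FilePublisherRule.Action = 'Deny'

# 3. Add the same three default rules the wizard offers in step 12; without them an
#    enforced Exe collection blocks every executable not explicitly allowed.
function Add-DefaultPathRule([xml]$doc, $coll, $name, $sid, $pathPattern) {
    $rule = $doc.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [string][guid]::NewGuid())
    $rule.SetAttribute('Name', $name)
    $rule.SetAttribute('Description', 'Default rule')
    $rule.SetAttribute('UserOrGroupSid', $sid)
    $rule.SetAttribute('Action', 'Allow')
    $conds = $doc.CreateElement('Conditions')
    $cond  = $doc.CreateElement('FilePathCondition')
    $cond.SetAttribute('Path', $pathPattern)
    [void]$conds.AppendChild($cond)
    [void]$rule.AppendChild($conds)
    [void]$coll.AppendChild($rule)
}
# S-1-1-0 is Everyone; S-1-5-32-544 is the local Administrators group.
Add-DefaultPathRule $policy $exe 'Default: Program Files'  'S-1-1-0'      '%PROGRAMFILES%\*'
Add-DefaultPathRule $policy $exe 'Default: Windows'        'S-1-1-0'      '%WINDIR%\*'
Add-DefaultPathRule $policy $exe 'Default: Administrators' 'S-1-5-32-544' '*'

# 4. Dry-run the policy before applying it. Solitaire.exe lives under Program Files,
#    so it matches both the Deny publisher rule and the Allow default rule; the
#    decision shows which one wins.
$policyXml = Join-Path $env:TEMP 'block-solitaire.xml'   # assumed scratch path
$policy.Save($policyXml)
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path $solitaire, "$env:WINDIR\System32\calc.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Replace the local computer's AppLocker policy with this one (omit -Merge on
#    purpose so the result is exactly the rules built above).
Set-AppLockerPolicy -XmlPolicy $policyXml
```

The dry run in step 4 is the check worth keeping: Solitaire.exe should be reported as denied by the publisher rule even though the Program Files default rule also matches it, while calc.exe should be allowed by the Windows default rule. If calc.exe comes back denied, the default rules did not make it into the collection and applying the policy would lock the computer down.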
Lesson Summary
■ Software Restriction Policies can be used on computers running Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7.
■ You can choose a Software Restriction Policy default rule that blocks all applications that are not explicitly allowed, or a default rule that allows all applications that are not subject to any other rule.
■ Software Restriction Policy rules that are more specific override rules that are less specific. A hash rule that sets an application to Unrestricted overrides a path rule that sets the same application to Disallowed.
■ Hash rules are analogous to digital fingerprints of specific files. You must create a new hash rule if you apply a software update to a file, because the update changes the file's hash.
■ AppLocker policies are a type of application control policy.
■ AppLocker policies can be used only on computers running Windows 7 Enterprise and Ultimate editions.
■ AppLocker path and hash rules work in the same way that Software Restriction Policy path and hash rules work.
■ AppLocker publisher rules allow you to create rules based on which vendor digitally signed an application. Using publisher rules, you can allow all applications from that vendor, all versions of a specific application, or just a specific version of a specific application.
■ Some AppLocker rule types allow exceptions. Exceptions allow you to exempt a specific application from the scope of a general AppLocker rule.
■ An AppLocker deny rule always overrides an AppLocker allow rule. By default, AppLocker blocks the execution of any application that is not explicitly allowed by another rule.
■ AppLocker overrides Software Restriction Policies when both are applied to the same computer.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2, "Managing AppLocker and Software Restriction Policies." The questions are also available on the companion DVD if you prefer to review them in electronic form.
Note: Answers
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the "Answers" section at the end of the book.
1. Your organization has 50 computers running Windows Vista Enterprise and 40 computers running Windows 7 Professional. You want to stop users from accessing the Solitaire game application. Which of the following strategies should you pursue to accomplish this goal?
A. Use AppLocker to create a publisher rule to block Solitaire.exe.
B. Use AppLocker to create a hash rule to block Solitaire.exe.
C. Use AppLocker to create a path rule to block Solitaire.exe.
D. Use Software Restriction Policies to create a path rule to block Solitaire.exe.
2. What type of AppLocker rule should you create to block all applications that are created by a specific software vendor?
A. Publisher rules
B. Path rules
C. Hash rules
3. You want to configure a set of AppLocker rules to block the execution of application software that is not digitally signed by the software vendor. You want to test that these rules work before enforcing them. Which of the following settings should you configure to accomplish this goal? (Choose all that apply; each answer forms part of a complete solution.)
A. Create AppLocker publisher rules.
B. Create AppLocker hash rules.
C. Configure AppLocker enforcement to audit executable rules.
D. Configure AppLocker enforcement to audit Windows Installer rules.
4. Your organization has a mix of computers running Windows 7 Ultimate and Windows 7 Professional. Each group of computers is located in a separate organizational unit (OU) in your Windows Server 2008 R2 Active Directory Domain Services environment. You have configured AppLocker policies to block application execution and applied them to the OU hosting the Windows 7 Ultimate computer accounts. You have configured Software Restriction Policy rules and applied them to the OU hosting the Windows 7 Professional accounts. The Software Restriction Policy rules block the required applications. The applications blocked by the AppLocker policies function normally, that is, they are not blocked. Which of the following steps should you take to ensure that the AppLocker policies function properly?
A. Configure Group Policy to set the Application Management service to start automatically. Apply this policy to the OU hosting the computer accounts of the computers running Windows 7 Ultimate.
B. Configure Group Policy to set the Application Management service to start automatically. Apply this policy to the OU hosting the computer accounts of the computers running Windows 7 Professional.
C. Configure Group Policy to set the Application Identity service to start automatically. Apply this policy to the OU hosting the computer accounts of the computers running Windows 7 Ultimate.
D. Configure Group Policy to set the Application Identity service to start automatically. Apply this policy to the OU hosting the computer accounts of the computers running Windows 7 Professional.
5. You have configured AppLocker policies to allow the execution of specific applications only. If an AppLocker rule has not been created for it, an application cannot execute. After a recent software update, users are unable to execute one of the applications for which you have configured a rule. Other applications function normally. This application is not digitally signed by the software vendor. Which of the following strategies should you pursue to ensure that the application is able to execute on the computers running Windows 7?
A. Create a new hash rule for the application.
B. Create a new publisher rule for the application.
C. Ensure that you enable the Application Identity service on the computers running Windows 7.
D. Ensure that you enable the Application Management service on the computers running Windows 7.