Chapter 13 – AppLocker (Application Control)
Windows Server Group Policy (GPO) Master Handbook
Chapter 13 – AppLocker (Application Control)
Learning Objectives
Understand AppLocker architecture, rule collections, deployment through Group Policy, audit mode, enforcement mode, and enterprise application control.
1. What is AppLocker?
AppLocker is Microsoft's application control technology that allows administrators to define which applications, scripts, installers, packaged apps, and DLLs users can run. It helps prevent unauthorized software execution and reduces malware risk.
2. Group Policy Path
Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker
3. Rule Collections
Executable Rules (.exe, .com), Windows Installer Rules (.msi, .msp, .mst), Script Rules (.ps1, .bat, .cmd, .vbs, .js), DLL Rules, and Packaged App Rules.
4. Rule Types
Publisher Rules (recommended for signed applications), Path Rules, and File Hash Rules.
5. Enforcement Modes
Audit Only logs events without blocking applications. Enforce Rules actively blocks applications that do not match an allow rule. Always begin with Audit mode before production deployment.
6. Default Rules
Create the default rules before adding custom rules to ensure Windows and administrative tools continue to function correctly.
7. Enterprise Deployment
Create AppLocker policies in a test OU, monitor audit events, refine allow rules, and deploy gradually to production departments.
8. PowerShell Commands
Get-AppLockerPolicy -Effective
Get-AppLockerFileInformation
Test-AppLockerPolicy
Set-AppLockerPolicy
9. Event Logs
Applications and Services Logs → Microsoft → Windows → AppLocker. Review EXE and DLL, MSI and Script, and Packaged App logs for audit and enforcement events.
10. Troubleshooting
Verify the Application Identity service is running, confirm the GPO is applied, check AppLocker event logs, test with Test-AppLockerPolicy, and review effective policy using Get-AppLockerPolicy.
11. Best Practices
Use Publisher rules whenever possible, avoid broad path rules, begin with Audit mode, review logs before enforcement, document exceptions, and regularly review policies.
12. Interview Questions
What is AppLocker? Difference between Path, Publisher, and Hash rules? What is Audit mode? Why is the Application Identity service required?
13. Practical Lab
Create default AppLocker rules, create a Publisher rule for Microsoft Office, enable Audit mode, review logs, then switch to Enforce mode after validation.
AppLocker Rule Reference
Rule Collection | Recommended | Purpose |
Executable Rules | Enabled | Control EXE and COM files |
Windows Installer Rules | Enabled | Control MSI/MSP/MST |
Script Rules | Enabled | Control PowerShell and scripts |
DLL Rules | Enable only after testing | Control dynamic libraries |
Packaged App Rules | Enabled | Control Microsoft Store apps |
Publisher Rules | Preferred | Easy maintenance |
Path Rules | Use carefully | Folder-based control |
Hash Rules | Use for unsigned apps | Specific file control |
Microsoft Learn References
Comments
Post a Comment