How To Secure Windows From Malware and Unwanted Executables With AppLocker?
The Windows ecosystem generally makes it easy to install and run third-party applications. This creates risk, especially for novice users: anything a user downloads can be executed. Windows administrators therefore usually want to restrict which applications and executables users can run, to make the operating system more secure.
Windows includes a feature named AppLocker (introduced with Windows 7 and Windows Server 2008 R2, available in the Enterprise editions). As its name suggests, it restricts which executables and applications can run on the system or under a given user account.
AppLocker can answer, and enforce, questions such as:
- Which users have access to which application?
- Which users can install new applications?
- Which versions of an application may run or be installed?
- How can the use of licensed applications be audited?
Application Whitelisting
In the security world there is a very popular technique named whitelisting (also called allow-listing). A list of software that is trusted and approved is created, and only the applications in this list (the inventory) may be installed and run on the systems. Everything else is blocked unless an explicit exception is made. This is the opposite of antivirus-style blacklisting, which has to know about every bad file in advance.
Create A Rule
Now the action starts. We will create a rule that permits a specific application to run on the Windows system.
Open Local Group Policy Editor
The new rules are created with the Local Group Policy Editor. We open it by typing gpedit.msc into the Windows Run dialog (Win+R) and pressing Enter.
Open Create New Rule Form
We navigate to the AppLocker section with
Computer Configuration ->
Windows Settings ->
Security Settings ->
Application Control Policies ->
AppLocker
and then right-click Executable Rules and choose Create New Rule.
Nothing else matters 😉
On the Permissions page we decide what the rule does with the executable: we simply Allow it. We can also select the user or group the rule applies to; by default it applies to Everyone.
Provide Executable Rule Condition
This is one of the most important steps. We define how AppLocker identifies the application the rule applies to. There are three types of condition:
Publisher: information taken from the executable's verified digital signature (publisher, product name, file name and file version). Survives updates best, but only works for signed files.
Path: the location where the executable resides. This is the weakest condition: anything a user can copy into an allowed path will run, so never allow directories that standard users can write to.
File hash: a unique value computed from the file contents. It is the most precise condition, but every update of the file needs a new rule.
We will use file hash in this example.
Specify Executable File
In this step we select executable files one by one (Browse Files) or by specifying the directory where the executables are located (Browse Folders). As an example we have selected the 7z (7-Zip) application. The hashes of these files are calculated automatically and stored in the created rule.
Provide Rule Name and Description
As the rule set grows, managing the rules becomes a nightmare, so we should choose a name that identifies the rule clearly. We can also add a description of what the rule is for and why it exists.
Then click the Create button at the bottom of the wizard.
Create Default Rules
After clicking Create we get a warning that, in order to prevent unexpected problems, we should add the default rules, which grant the required permissions to Everyone and to the built-in Administrators group. Without them, enforcing the policy would block Windows itself. Click Yes and the following rule list appears: the default executable rules allow Everyone to run files located in the Program Files folder and in the Windows folder, and allow Administrators to run all files. Note that these are path rules, and some subfolders of the Windows folder are writable by standard users, so treat the default rules as a starting point rather than a hardened policy.
Enable AppLocker Rules With Enforcement
We have created our rule, but is it enabled and working as we expect? Not yet: the AppLocker rules have to be enabled from the AppLocker properties. The Application Identity service (AppIDSvc) must also be running, otherwise nothing is enforced even though rules are configured.
Open AppLocker Properties
We open the AppLocker properties window as shown below (right-click AppLocker and choose Properties).
On the Enforcement tab we tick the Configured checkbox for Executable rules, select Enforce rules and click OK.
I suggest that, for the first time, you select Audit only for a while. This does not enforce the rules but logs what they would have done (Event Viewer, Applications and Services Logs -> Microsoft -> Windows -> AppLocker -> EXE and DLL; event 8003 marks a file that would have been blocked, 8004 a file that was blocked under enforcement). Reviewing that log shows how the policy behaves and prevents accidents and lockouts before you switch to Enforce rules.
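The same procedure, from collecting the 7z hash through switching on audit mode to reading the audit log, can be scripted with the AppLocker PowerShell module. This is an added example written for this page, not the article's own steps: the 7-Zip path, the rule-name prefix and the temporary file names are assumptions, and it must be run from an elevated PowerShell on a machine where the default rules have already been created in the Local Group Policy Editor.

```powershell
# Added example (not from the original article): hash rule for 7-Zip via the AppLocker module.
# Assumptions: elevated shell, 7-Zip installed at $target, default rules already present locally.
Import-Module AppLocker

$target = 'C:\Program Files\7-Zip\7z.exe'      # assumed install path; adjust as needed

# 1. Collect file information (hash, path, publisher if signed) to build the rule from.
$fileInfo = Get-AppLockerFileInformation -Path $target

# 2. Build an Executable rule collection: one Hash rule, allowing Everyone.
#    The output is the same policy XML the Local Group Policy Editor exports.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash `
                   -User Everyone -RuleNamePrefix '7-Zip' -Xml

# 3. Start in Audit only. EnforcementMode on the Exe collection is what the Properties
#    dialog sets: NotConfigured, AuditOnly or Enabled. Switch to Enabled later.
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exe.SetAttribute('EnforcementMode', 'AuditOnly')

$policyPath = Join-Path $env:TEMP 'applocker-7zip.xml'   # assumed scratch file
$policy.Save($policyPath)

# 4. Merge into the local policy so the default rules are kept.
#    Without -Merge the existing Exe collection would be replaced.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. AppLocker does nothing unless the Application Identity service runs.
#    On recent Windows 10/11 builds the service is protected, so sc.exe is used
#    to set the start type rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. Dry-run the effective policy against the real file, a copy of it outside the
#    allowed paths (a hash rule still matches; a path rule would not), and a
#    constructed junk file that should be denied.
$copy    = Join-Path $env:TEMP '7z-copy.exe'      # constructed test input
$unknown = Join-Path $env:TEMP 'unknown.exe'      # constructed test input
Copy-Item -Path $target -Destination $copy -Force
Set-Content -Path $unknown -Value 'not a real program'

$effective = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $effective
Test-AppLockerPolicy -XmlPolicy $effective -Path $target, $copy, $unknown -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 7. Read the audit log: 8002 = allowed, 8003 = would have been blocked (audit only),
#    8004 = blocked (enforced). Run a few programs first to populate it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8002, 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The Test-AppLockerPolicy dry-run is the check worth keeping in a change procedure: it evaluates a file against the merged policy without executing anything, so an administrator can confirm the expected Allowed/Denied decisions before flipping EnforcementMode from AuditOnly to Enabled and re-applying the XML with Set-AppLockerPolicy.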