How To Secure Windows From Malware and Unwanted Executables With Applocker? – POFTUT

The Windows ecosystem generally installs and runs third-party applications with very little friction. This creates some risk, especially for novice users. Windows administrators therefore generally want to restrict the applications and executables users can run in order to make the operating system more secure.

Windows recently launched a feature named AppLocker. As its name suggests, it restricts which executables and applications can run on the system or under a user account.

Features

AppLocker provides different restrictions according to the following situations.

  • Which users have access to the application?
  • Which users can install a new application?
  • Which application versions can be installed?
  • How can licensed applications be audited?

Whitelisting Applications

In the security world there is a very popular technique named whitelisting. A list of software that is secure and approved is created, and only the applications included in this list or inventory can be installed on the systems. All other applications are prohibited from being installed unless they are explicitly excepted.

Create A Rule

Now the action starts. We will create a rule that gives an application permission to run on the Windows system.

Open Local Group Policy Editor

The new rules will be created with the Local Group Policy Editor. We can open this editor easily by running the following command in the Windows Run dialog.

gpedit.msc

Open Create New Rule Form

We will navigate to the AppLocker section via Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies.

Click Next

Nothing else matters 😉


Decide Behaviour

On this page we decide the behaviour of the rule for the executable. We simply allow the application. We can also select the users to whom the rule will be applied; in this case it is Everyone by default.

Provide Executable Rule Condition

This is one of the most important steps. Here we define and identify the application we want to write the rule for. There are 3 types of identification technique.

  • Publisher: information gathered from the executable's verified publisher (digital signature) metadata.
  • Path: simply the location where the executable resides.
  • File hash: a unique value that identifies the application file.

We will use the file hash in this example.

Specify Executable File

In this step we select the executable files one by one, or by specifying the directory in which the executables are located. As an example we have selected the 7z application. The hashes of these files are calculated automatically and stored in the created rule.

Provide Rule Name and Description

As the rule set grows and becomes bigger, management of these rules becomes a nightmare. So we should choose a name that is easily identifiable. We can also add a description of the rule.

Then click the Create button at the bottom left.

Create Default Rules

After clicking Create we get a warning stating that, in order to prevent unexpected problems, we should add the default rules, which give the required permissions to Everyone and to the built-in administrators.

After clicking Yes, the following rule list will appear.

Enable AppLocker Rules With Enforcement

We have created our rule, but is it enabled and working as we expect? No, because we still have to enable the AppLocker rules from its properties.

Open AppLocker Properties

We can open the AppLocker properties window like below.

Enable Rules

We just enable the Configured checkbox under Executable rules like below, then select Enforce rules and click Apply.

I suggest that for the first time, and for a little while, you select Audit only. This will not enforce the rules but will create logs about the rules, give hints about how it works, and prevent accidents and lockouts.
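The same workflow (a file-hash allow rule for 7z.exe, applied in audit mode first, then reviewed through the AppLocker event log) can be scripted with the AppLocker PowerShell module. This is an added example, not code from the original post; it assumes 7-Zip is installed at the placeholder path C:\Program Files\7-Zip\7z.exe and that it runs in an elevated PowerShell session.

```powershell
# Added example (not from the original post). Assumptions: 7-Zip lives at the
# placeholder path below and this runs in an elevated PowerShell session.
Import-Module AppLocker

$exe = 'C:\Program Files\7-Zip\7z.exe'          # placeholder: the executable to allow
$policyFile = "$env:TEMP\applocker-7zip-hash.xml"

# 1. Gather file information (hash, path, publisher if signed) for the executable,
#    then build an allow rule keyed on the file hash, applied to Everyone.
$fileInfo = Get-AppLockerFileInformation -Path $exe
$policy = $fileInfo | New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix '7-Zip' -Xml

# 2. Start in audit mode: AuditOnly logs what would be blocked without enforcing it,
#    so a missing rule cannot lock the machine down. This script does not create the
#    GUI's default rules (Windows, Program Files, administrators); add those before
#    changing EnforcementMode to "Enabled".
[xml]$doc = $policy
$exeCollection = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeCollection.EnforcementMode = 'AuditOnly'
$doc.Save($policyFile)

# 3. Merge the rule into the local policy. Enforcement relies on the Application
#    Identity service (AppIDSvc), so check that it is running.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Get-Service AppIDSvc | Select-Object Name, Status

# 4. Check how the effective policy treats the executable for the chosen user.
$effective = "$env:TEMP\applocker-effective.xml"
Get-AppLockerPolicy -Effective -Xml | Out-File $effective
Test-AppLockerPolicy -XmlPolicy $effective -Path $exe -User Everyone

# 5. Review audit events: 8003 = would have been blocked (audit only),
#    8004 = blocked (enforced), 8002 = allowed.
Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 20 -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004
} | Select-Object TimeCreated, Id, Message
```

Once the 8003 events show only executables you expect to block, change EnforcementMode in the XML to Enabled and re-run Set-AppLockerPolicy.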
