INF258x: Implementing AppLocker on Domain-joined Clients

Estimated Time: 30 minutes

You have a domain-joined Windows 10 client computer. You plan to take advantage of the AppLocker to prevent running unauthorized apps on the local computer.

Objectives

After completing this lab, students will be able to:
• Implement AppLocker by using

AppLocker complements application control policies provided in Windows 10 by such mechanisms as Device Guard. It also allows for implementing code integrity in scenarios where Device Guard is not available. Implementing AppLocker involves:

• Defining AppLocker rules – in an environment, this is accomplished by using Group Policy
• Auditing app usage based on defined AppLocker rules – this is an optional, typically intermediate implementation stage that allows for evaluating whether the rules will accomplish the intended objectives.
• Enforcing app usage based on defined AppLocker rules

Lab environment

The lab consists of the following computers:
• LON-DC1 – a Windows Server 2016 domain controller in the adatum.com single-domain forest.
• LON-CL1 – a Windows 10 Enterprise version 1607 (or newer) domain member computer with Remote Server Administration Tools for Windows 10.

In order to be able to manage AppLocker via Group Policy, the target computers must run Windows 10 Enterprise or Windows 10 Education. You can also use Group Policy-based management to control apps running on Windows Server 2016 computers. In order to apply AppLocker to other editions of Windows 10, you have to use the AppLocker configuration service provider (CSP). For more information regarding the AppLocker CSP, refer to https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp

All computers have Windows PowerShell Remoting enabled and have Internet connectivity.

Exercise 1: Implement AppLocker on a domain-joined Windows 10 client

In this exercise, you will implement AppLocker to prevent running unauthorized apps on domain-joined Windows 10 clients. The main tasks for this exercise are as follows:
1. Create an AppLocker policy with default rules for audit only and assign it to a Windows 10 computer
2. Generate the AppLocker policy auditing events
3. Review the AppLocker policy events
4. Implement custom AppLocker policy rules

Task 1: Create an AppLocker policy with default rules for audit only and assign it to a Windows 10 computer

1. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Administrator
• PASSWORD: Pa55w.rd
2. While signed in to LON-CL1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder, right-click Active Directory Administrative Center, click More, and then click Run as administrator.
3. In the Active Directory Administrative Center console, ensure that the Adatum (local) entry is selected, click IT, in the Tasks pane, click New and then click Group.
4. In the Create Group window, specify the following:
• Group name: AppLocker Computers
• Group (SamAccountName): AppLocker Computers
• Group type: Security
• Group scope: Global
5. Click Members and click Add.
6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types.
7. In the Object Types dialog box, select the Computers checkbox and click OK.
8. In the Enter the object names to select text box, type LON-CL1 and click OK.
9. Back in the Create Group: AppLocker Computers window, click OK.
10. While signed in to LON-CL1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder and click Group Policy Management.
11. In the Group Policy Management console, expand the Forest: Adatum.com and Domains nodes, right-click Adatum.com, and click the Create a GPO in this domain, and Link it here entry in the right-click menu.
12. In the New GPO dialog box, in the Name text box, type AppLocker Policy and click OK.
13. Back in the Group Policy Management console, expand the Adatum.com node and click the AppLocker Policy GPO. If prompted with the message box stating You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked, enable the Do not show this message again checkbox and click OK.
14. On the Scope tab of the AppLocker Policy GPO, click Authenticated Users, click Remove and, when prompted to confirm, click OK.
15. Click Add, in the Select User, Computer, or Group dialog box, type AppLocker Computers and click OK.
16. Right-click the AppLocker Computers GPO and, in the right-click menu, click Edit. This will open Group Policy Management Editor.
17. In the Group Policy Management Editor window, expand Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies, and AppLocker.
18. In the tree pane, under the AppLocker node, right-click Executable Rules and click Create Default Rules. Review the set of default rules.
19. In the tree pane, under the AppLocker node, right-click Windows Installer Rules and click Create Default Rules. Review the set of default rules.
20. In the tree pane, under the AppLocker node, right-click Script Rules and click Create Default Rules. Review the set of default rules.
21. In the tree pane, under the AppLocker node, right-click Packaged app Rules and click Create Default Rules. Review the set of default rules.
22. In the tree pane, click AppLocker.
23. In the details pane, click Configure rule enforcement.
24. In the AppLocker properties window, specify the following settings and click OK:
• Executable rules: enable the Configured checkbox and, in the drop-down list, click Audit only
• Windows Installer rules: enable the Configured checkbox and, in the drop-down list, click Audit only
• Script rules: enable the Configured checkbox and, in the drop-down list, click Audit only
• Packaged app Rules: enable the Configured checkbox and, in the drop-down list, click Audit only

Make sure that you do NOT enforce the rules at this point.

25. In the tree pane, click the System Services sub-node under the Security Settings node.
26. In the list of services, double-click the Application Identity entry.
27. In the Application Identity Properties window, enable the Define this policy setting checkbox and click the Automatic option under the Select service startup mode label.

AppLocker is dependent on the Application Identity service running.

28. While signed in to LON-CL1 as ADATUM\Administrator, right-click Start and then click Windows PowerShell (Admin).
29. From the Administrator: Windows PowerShell window, type the following and press Enter:

Restart-Computer -ComputerName 'LON-CL1' -Force

The restart is necessary in order for the group membership change of LON-CL1 to take effect. While you could potentially force the refresh of the Kerberos token of the computer account without the restart (by running klist -li 0x3e7 purge), this would not suffice to facilitate processing of the GPO that you created.

Task 2: Generate the AppLocker policy auditing events

In order to generate audit logs, you will perform a number of standard administrative tasks while signed in as ADATUM\Administrator, including creating an Active Directory user (ADATUM\Student1) that you will subsequently sign in as on the same Windows 10 computer in order to perform tasks that clearly qualify as unauthorized. Note that ADATUM\Student1 will be able to perform these unauthorized tasks primarily because of having local Administrator privileges on the Windows 10 computer being used by ADATUM\Administrator. In general, you should avoid granting such privileges to users. In scenarios where this is not possible, you should use other control mechanisms (such as AppLocker, as illustrated in this lab) in order to mitigate potential exploits. Another factor that facilitates the exploit illustrated in this lab is using a privileged account (ADATUM\Administrator) to sign in to a client computer. To remediate this, you should consider restricting the usage of the NTLM protocol and limiting the number of computers where domain-level privileged accounts can sign in. This can be accomplished by implementing such security mechanisms as Protected Accounts, Authentication Policies, and Authentication Policy Silos. For more information regarding these topics, refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

1. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Administrator
• PASSWORD: Pa55w.rd
2. While signed in to LON-CL1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder, right-click Active Directory Administrative Center, click More, and then click Run as administrator.
3. In the Active Directory Administrative Center console, ensure that the adatum (local) entry is selected, click IT in the details pane, in the Tasks pane, click New and then click User.
4. In the Create User window, specify the following and click OK.
• Full name: Student1
• User UPN logon: Student1@adatum.com
• User SamAccountName logon: Adatum\Student1
• Password: Pa55w.rd
• Confirm password: Pa55w.rd
• Password options: Other password options – Password never expires – enable the check box.
5. Click OK.
6. Right-click Start and then click Windows PowerShell (Admin).
7. From the Administrator: Windows PowerShell window, type the following and press Enter:

Add-LocalGroupMember -Group 'Administrators' -Member 'ADATUM\Student1'

You will use the ADATUM\Student1 account during this and subsequent tasks to test the functionality of Remote and the Restricted Admin Mode.

8. Remain signed in to LON-CL1 as ADATUM\Administrator. Click Start, click the icon representing the signed-in user, and click Switch account.
9. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Student1
• PASSWORD: Pa55w.rd
10. While signed in to LON-CL1 as ADATUM\Student1, click Start, in the Start menu, click Windows System, and click Command Prompt.
11. In the Command Prompt, type regedit.exe and press Enter.
12. When prompted, in the dialog box, click Yes.
13. Verify that Registry Editor opened successfully.

Next, you will download and use the mimikatz utility, with the purpose of capturing the password hash of the ADATUM\Administrator account, currently signed in to the same computer. Mimikatz is automatically detected by Windows Defender as malware and deleted. To avoid this, you will have to create a Windows Defender folder exclusion. Without it, the downloaded file will be automatically deleted since it is detected as malware. In general, you obviously should avoid downloading such files or creating exclusions to facilitate their download.

14. Click Start and click the Settings app (gear wheel) icon.
15. In the Settings app, click Update and security.
16. Click Windows Defender.
17. Click Open Windows Defender Security Center.
18. In the Windows Defender Security Center window, click Virus & threat protection.
19. Click Virus & threat protection settings.
20. Scroll down to the Exclusions section and click Add or remove exclusions.
21. Click + next to the Add an exclusion label and, in the drop-down menu, click Folder.
22. In the Select folder dialog box, navigate to the root of the C: drive, create a new folder named Exclusions, select it, and click Select Folder.
23. When prompted, in the User Account Control dialog box, click Yes.
24. Start Microsoft Edge by clicking on its icon.
25. In Microsoft Edge, browse to https://github.com/gentilkiwi/mimikatz/releases
26. Download the most recent version of mimikatz_trunk.zip into the C:\Exclusions folder.
27. Start File Explorer, navigate to the C:\Exclusions folder, double-click mimikatz_trunk.zip, navigate to the x64 subfolder, and copy mimikatz to the C:\Exclusions folder.
28. Click Start, in the Start menu, click Windows System, right-click Command Prompt, click More and then click Run as administrator.
29. When prompted, in the User Account Control dialog box, click Yes.
30. In the Administrator: Command Prompt window, change the current directory to C:\Exclusions.
31. From the command prompt, run the following:

mimikatz
privilege::debug
sekurlsa::logonPasswords

32. Examine the output. It should include an entry representing the interactive logon of the ADATUM Administrator account. Copy the value of the NTLM entry of that session to the Clipboard.
33. From the command prompt, run the following:

sekurlsa::pth /user:Administrator /domain:Adatum.com /ntlm:

where the value after /ntlm: is the value you copied to the Clipboard. This should automatically open a new Command Prompt window.
34. In the new Command Prompt window, run the following:

dir \\LON-DC1.adatum.com\c$

Verify that the output lists the content of the C$ administrative share on the domain controller LON-DC1. This confirms that you have the privileges associated with the ADATUM\Administrator account.
35. Close the new Command Prompt window.
36. Back in the first Command Prompt window, at the mimikatz # prompt, type exit.
37. In Microsoft Edge, browse to https://docs.microsoft.com/en-us/sysinternals/downloads/psexec and download PsTools.zip to the C:\Exclusions folder.
38. In File Explorer, extract PsExec64.exe from PsTools.zip to the C:\Exclusions folder.
39. Switch to the Command Prompt window, type C:\Exclusions\PsExec64.exe and press Enter.
40. When prompted to accept the licensing agreement, click Agree. Verify that PsExec64.exe executed successfully.
41. Remain signed in to LON-CL1 as ADATUM\Student1. Click Start, click the icon representing the signed-in user, and click ADATUM\Administrator Signed in.

Task 3: Review the AppLocker policy events

1. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Administrator
• PASSWORD: Pa55w.rd
2. While signed in to LON-CL1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder, and click Event Viewer.
3. In Event Viewer, navigate to Applications and Services, Microsoft, Windows, AppLocker.
4. Review entries appearing in the following operational logs:
• EXE and DLL
• MSI and Script
• Packaged app-Deployment
• Packaged app-Execution
5. Switch to the Administrator: Windows PowerShell window, and run the following:

Get-AppLockerFileInformation -EventLog | Format-List

Examine the output and identify the executables you ran in the previous task. Note that all of the executables (including mimikatz.exe and PsExec64.exe) would be allowed with the default rules in place. Also note that mimikatz.exe is the only one that is not digitally signed, since the value of its Publisher property is null (you can also verify this by running Get-AppLockerFileInformation with the -Path parameter). You will take advantage of this by replacing the existing default rules with a new, Publisher-based rule with Publisher-based exceptions.

Task 4: Implement custom AppLocker policy rules

In order to prevent running the executables listed above, you will implement a Publisher-based rule with Publisher-based exceptions. It is important to realize that such an approach is intended strictly to illustrate its effectiveness in remediating this particular issue. In real-life scenarios, you would obviously need to take into account the variety of applications that are being used across your environment, some of which might not be digitally signed.

1. While signed in to LON-CL1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder, right-click Active Directory Administrative Center, click More, and then click Run as administrator.
2. In the Group Policy Management console, expand the Forest: Adatum.com, Domains, and Adatum.com nodes, right-click AppLocker Policy and click Edit. This will open Group Policy Management Editor.
3. In the Group Policy Management Editor window, expand Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies, and AppLocker.
4. In the tree pane, under the AppLocker node, click Executable Rules.
5. Right-click Executable rules and, in the right-click menu, click Create New Rule. This will start the Create Executable Rules wizard.
6. On the Before You Begin page, click Next.
7. On the Permissions page, ensure that Action is set to Allow and User or Group is set to Everyone and click Next.
8. On the Conditions page, ensure that the Publisher option is selected and click Next.
9. On the Publisher page, click Browse next to the Reference file label.
10. In the Open dialog box, browse to the C:\Windows\System32\dllhost.exe file, select it and click Open.

You can actually select any other digitally signed file in this case.

11. Back on the Publisher page, scroll the sliding bar all the way to the top until it reaches the Any publisher level and click Next.
12. On the Exceptions page, click Add.
13. In the Publisher Exception dialog box, browse to the C:\Windows\regedit.exe file, select it and click Open.
14. In the Publisher Exception dialog box, click Use custom values, replace the value of the File version entry with 0.0.0.0, and click OK.
15. On the Exceptions page, click Add.
16. In the Publisher Exception dialog box, browse to the C:\Exclusions\PsExec64.exe file, select it and click Open.
17. In the Publisher Exception dialog box, click Use custom values, replace the value of the File version entry with 0.0.0.0, and click OK.
18. Back on the Exceptions page, click Next.
19. On the Name and Description page, change the name to Allow All Signed Executables (with Publisher Exceptions) and click Create.
20. Select all three default rules, right-click the selection and click Delete. When prompted whether to permanently delete the selected rules, click Yes.
21. Back in the Group Policy Management Editor window, right-click the newly created rule and, in the right-click menu, click Properties.
22. In the Allow Properties dialog box, click the Publisher tab.
23. On the Publisher tab, replace the value of the File version entry with 0.0.0.0 and click OK.
24. From the Administrator: Windows PowerShell window, type the following and press Enter:

gpupdate /force

25. Remain signed in to LON-CL1 as ADATUM\Administrator. Click Start, click the icon representing the signed-in user, and click ADATUM\Student1 Signed in.
26. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Student1
• PASSWORD: Pa55w.rd
27. While signed in to LON-CL1 as ADATUM\Student1, in the Administrator: Command Prompt window, type regedit.exe and press Enter.
28. If necessary, in the Administrator: Command Prompt window, change the current directory to C:\Exclusions and, from the command prompt, run the following:

mimikatz
exit

29. Switch to the Command Prompt window, type C:\Exclusions\PsExec64.exe and press Enter.
30. Click Start, click the icon representing the signed-in user, and click ADATUM\Administrator Signed in.
31. Sign back in as ADATUM\Administrator.
32. In Event Viewer, refresh the view of events in Applications and Services, Microsoft, Windows, AppLocker.
33. Review entries appearing in the EXE and DLL operational log.

Note that this time, the event log contains warnings, indicating that regedit.exe, mimikatz.exe, and PsExec64.exe would have been prevented from running if the AppLocker policies were enforced. To enforce the policies at this point, you would simply change the AppLocker Properties in the Group Policy Management Editor from Audit only to Enforce rules. Do not take this extra step since it has the potential of affecting the validation scripts.
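The following script is an added example and is not part of the lab text. It shows, from the defender's side, how Task 3 (reviewing the audit events) and the check that should precede enforcement of the Task 4 rule can be done from Windows PowerShell on LON-CL1 rather than in Event Viewer: it lists the "would have been blocked" audit events, identifies unsigned files among them, and dry-runs the effective policy against the lab's test executables. It assumes the Application Identity service is running and the AppLocker Policy GPO has been applied; the file paths are the ones used in the lab.

```powershell
# Added example (not part of the INF258x lab): review AppLocker audit events
# and test the effective policy before switching from Audit only to Enforce rules.
# Run in an elevated Windows PowerShell session on LON-CL1.

$log = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Event IDs in the EXE and DLL log:
#   8002 = allowed, 8003 = audit only (would have been blocked), 8004 = blocked
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004 } -ErrorAction SilentlyContinue

# One row per event; the first line of the message names the file and the decision.
$events |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            User    = $_.UserId
            Message = ($_.Message -split "`n")[0]
        }
    } | Sort-Object Time | Format-Table -AutoSize

# Same events via the AppLocker cmdlets. Files with no Publisher are unsigned,
# which is the property the lab's Publisher-based rule relies on.
Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited |
    Where-Object { $null -eq $_.Publisher } |
    Select-Object Path, Hash -Unique

# Dry-run the policy currently in effect against the lab's test executables
# as the ADATUM\Student1 account. Anything reported as Denied (or DeniedByDefault)
# is what enforcement would stop; review this list before enforcing the rules.
$policyXml = Get-AppLockerPolicy -Effective -Xml
$targets   = 'C:\Windows\regedit.exe',
             'C:\Exclusions\PsExec64.exe',
             'C:\Windows\System32\dllhost.exe'   # reference file used in Task 4; expected Allowed
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $targets -User 'ADATUM\Student1' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Because the lab leaves enforcement at Audit only, the Test-AppLockerPolicy output is the only place the Denied decisions appear; the event log itself will keep showing 8003 audit events until the GPO is switched to Enforce rules.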

Results: After completing this exercise, you will have implemented AppLocker policies that prevent running unsigned executables, including exceptions that prevent running specific signed executables.