
AppLocker Design Guide
AppLocker Guide for IT Implementers (a.k.a. Application Whitelisting)

(c) 2013 Microsoft Corporation. All rights reserved.

This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Microsoft uses the term “application control” to describe the approach of explicitly allowing the code that will run on a Windows host. This concept is widely referred to as “application whitelisting” [1] across the IT industry, so this latter term will be used throughout this document to avoid any potential confusion.

[1] Examples include http://www.dsd.gov.au/publications/csocprotect/top_4_mitigations.htm, http://www.sans.org/critical-security-controls/guidelines.php, and http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Contents

1 Introduction 7
2 An AppLocker Primer 9
2.1 What is AppLocker? 9
2.2 AppLocker Policy 10
2.3 AppLocker Rule Types 10
2.3.1 Rule Types and Associated File Associations 10
2.3.2 Applications that Cannot be Controlled by AppLocker 13
2.3.3 Operating Modes 13
2.4 AppLocker Rules 14
2.4.1 Rule Name, ID and Description 15
2.4.2 Rule Subjects 15
2.4.3 Rule Actions 16
2.4.4 Rule Objects 17
2.4.5 Default Rules 23
3 Process Overview for Deploying AppLocker 26
4 Phase 1 – Envision 28
4.1.1 Overview of the Envision Phase 28
4.1.2 Application Control Objectives 28
4.1.3 Application Control Scope 29
4.1.4 Computer Roles 29
4.1.5 User Roles 30
4.1.6 Global and Role-specific Application Control Objectives 30
4.1.7 Assumptions 31
4.1.8 Risks 32
5 Phase 2 – Plan 33
5.1 Overview of the Plan Phase 33
5.2 Build Inventory of Computer Roles 33
5.3 Build Inventory of User Roles 34
5.4 Build Inventory of Applications 34
5.4.1 Inventory Installed Applications 35
5.4.2 Inventory Optional Applications 36
5.4.3 Code Signing of Custom Applications and Installers 36
5.5 Align AppLocker Policy with Software Deployment Strategy 37
5.5.1 Design AppLocker Policy Strategy 38
5.5.2 Design AppLocker Policy Deployment Method 40
5.6 Design the Ongoing Monitoring and Reporting Strategy 43
5.6.1 AppLocker Events to Collect 43
5.6.2 Collecting and Storing AppLocker Events 43
5.6.3 Monitoring and Reporting on AppLocker Events 44
5.7 Design the AppLocker Support Process 46
5.8 Design the AppLocker Policy Maintenance Process 47
5.9 Determine the AppLocker Deployment Plan 48
5.9.1 Communication Plan 48
5.10 Plan for Deployment of AppLocker Hotfixes 49
5.10.1 KB2532445 49
5.10.2 KB977542 49
6 Phase 3 – Develop 50
6.1 Overview of the Develop Phase 50
6.2 Configure Reference Computers for AppLocker “Audit only” Mode 50
6.3 Create AppLocker Rules for Base Build 51
6.3.1 Auto-generate AppLocker Rules for “Everyone” 51
6.3.2 Create AppLocker Rules for Unsigned Files 56
6.3.3 Create AppLocker Rules for Named Users or Groups 57
6.4 Validate AppLocker Rules for Base Build 58
6.4.1 Verify AppLocker Rules using the Test-AppLockerPolicy Cmdlet 58
6.4.2 Perform Usage Cases and Review Audit Data 60
6.5 Export AppLocker Rules for Base Build to XML File 62
6.6 Create AppLocker Rules for Individual Applications 63
6.7 Clear AppLocker Policy from Reference Computers 63
7 Phase 4 – Stabilize 65
7.1 Overview of the Stabilize Phase 65
7.2