
INF258x: Implementing AppLocker on Domain-joined Windows 10 Clients

Estimated Time: 30 minutes

You have a domain-joined Windows 10 client computer. You plan to take advantage of AppLocker to prevent running unauthorized apps on the local computer.

Objectives

After completing this lab, students will be able to:
• Implement AppLocker by using Group Policy

AppLocker complements the application control policies provided in Windows 10 by mechanisms such as Device Guard. It also allows for implementing code integrity in scenarios where Device Guard is not available. Implementing AppLocker involves:
• Defining AppLocker rules – in an Active Directory environment, this is accomplished by using Group Policy
• Auditing app usage based on the defined AppLocker rules – this is an optional, typically intermediate implementation stage that allows you to evaluate whether the rules will accomplish the intended objectives
• Enforcing app usage based on the defined AppLocker rules

Lab environment

The lab consists of the following computers:
• LON-DC1 – a Windows Server 2016 domain controller in the adatum.com single-domain forest.
• LON-CL1 – a Windows 10 Enterprise version 1607 (or newer) domain member computer with Remote Server Administration Tools for Windows 10.

In order to be able to manage AppLocker via Group Policy, the target computers must run Windows 10 Enterprise or Windows 10 Education. You can also use Group Policy-based management to control apps running on Windows Server 2016 computers. In order to apply AppLocker to other editions of Windows 10, you have to use the AppLocker configuration service provider (CSP).
For more information regarding the AppLocker CSP, refer to https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp

All computers have Windows PowerShell Remoting enabled and have Internet connectivity.

Exercise 1: Implement AppLocker on a domain-joined Windows 10 client

In this exercise, you will implement AppLocker to prevent running unauthorized apps on domain-joined Windows 10 clients. The main tasks for this exercise are as follows:
1. Create an AppLocker policy with default rules for audit only and assign it to a Windows 10 computer
2. Generate the AppLocker policy auditing events
3. Review the AppLocker policy events
4. Implement custom AppLocker policy rules

Task 1: Create an AppLocker policy with default rules for audit only and assign it to a Windows 10 computer

1. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Administrator
• PASSWORD: Pa55w.rd
2. While signed in to LON-CL1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder, right-click Active Directory Administrative Center, click More, and then click Run as administrator.
3. In the Active Directory Administrative Center console, ensure that the Adatum (local) entry is selected, click IT, in the Tasks pane, click New and then click Group.
4. In the Create Group window, specify the following:
• Group name: AppLocker Computers
• Group (SamAccountName): AppLocker Computers
• Group type: Security
• Group scope: Global
5. Click Members and click Add.
6. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object Types.
7. In the Object Types dialog box, select the Computers checkbox and click OK.
8. In the Enter the object names to select text box, type LON-CL1 and click OK.
9. Back in the Create Group: AppLocker Computers window, click OK.
10. While signed in to LON-CL1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder and click Group Policy Management.
11. In the Group Policy Management console, expand the Forest: Adatum.com and Domains nodes, right-click Adatum.com, and click the Create a GPO in this domain, and Link it here entry in the right-click menu.
12. In the New GPO dialog box, in the Name text box, type AppLocker Policy and click OK.
13. Back in the Group Policy Management console, expand the Adatum.com node and click the AppLocker Policy GPO. If prompted with the message box stating You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked, enable the Do not show this message again checkbox and click OK.
14. On the Scope tab of the AppLocker Policy GPO, click Authenticated Users, click Remove and, when prompted to confirm, click OK.
15. Click Add, in the Select User, Computer, or Group dialog box, type AppLocker Computers and click OK.
16. Right-click the AppLocker Computers GPO and, in the right-click menu, click Edit. This will open Group Policy Management Editor.
17. In the Group Policy Management Editor window, expand Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies, and AppLocker.
18. In the tree pane, under the AppLocker node, right-click Executable Rules and click Create Default Rules. Review the set of default rules.
19. In the tree pane, under the AppLocker node, right-click Windows Installer Rules and click Create Default Rules. Review the set of default rules.
20. In the tree pane, under the AppLocker node, right-click Script Rules and click Create Default Rules. Review the set of default rules.
21. In the tree pane, under the AppLocker node, right-click Packaged app Rules and click Create Default Rules. Review the set of default rules.
22. In the tree pane, click AppLocker.
23. In the details pane, click Configure rule enforcement.
24. In the AppLocker properties window, specify the following settings and click OK:
• Executable rules: enable the Configured checkbox and, in the drop-down list, click Audit only
• Windows Installer rules: enable the Configured checkbox and, in the drop-down list, click Audit only
• Script rules: enable the Configured checkbox and, in the drop-down list, click Audit only
• Packaged app Rules: enable the Configured checkbox and, in the drop-down list, click Audit only
Make sure that you do NOT enforce the rules at this point.
25. In the tree pane, click the System Services sub-node under the Security Settings node.
26. In the list of services, double-click the Application Identity entry.
27. In the Application Identity Properties window, enable the Define this policy settings checkbox and click the Automatic option under the Select service startup mode label. AppLocker is dependent on the Application Identity service running.
28. While signed in to LON-CL1 as ADATUM\Administrator, right-click Start and then click Windows PowerShell (Admin).
29. From the Administrator: Windows PowerShell window, type the following and press Enter:
Restart-Computer -ComputerName 'LON-CL1' -Force
The restart is necessary in order for the group membership change of LON-CL1 to take effect. While you could potentially force the refresh of the Kerberos token of a computer account without the restart (by running klist -li 0x3e7 purge), this would not suffice to facilitate processing of the GPO that you created.

Task 2: Generate the AppLocker policy auditing events

In order to generate audit logs, you will perform a number of standard administrative tasks while signed on as ADATUM\Administrator, including creating an Active Directory user (ADATUM\Student1) that you will subsequently sign in as to the same Windows 10 computer in order to perform tasks that clearly qualify as unauthorized.
Note that ADATUM\Student1 will be able to perform these unauthorized tasks primarily because of having local Administrator privileges on the Windows 10 computer being used by ADATUM\Administrator. In general, you should avoid granting such privileges to users. In scenarios where this is not possible, you should use other control mechanisms (such as AppLocker, as illustrated in this lab) in order to mitigate potential exploits. Another factor that facilitates the exploit illustrated in this lab is using a privileged account (ADATUM\Administrator) to sign in to a client computer. To remediate this, you should consider restricting the usage of the NTLM protocol and limiting the number of computers where domain-level privileged accounts can sign in. This can be accomplished by implementing such security mechanisms as Protected Accounts, Authentication Policies, and Authentication Policy Silos. For more information regarding these topics, refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

1. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Administrator
• PASSWORD: Pa55w.rd
2. While signed in to LON-CL1 as ADATUM\Administrator, click Start, in the Start menu, expand the Windows Administrative Tools folder, right-click Active Directory Administrative Center, click More, and then click Run as administrator.
3. In the Active Directory Administrative Center console, ensure that the adatum (local) entry is selected, click IT in the details pane, in the Tasks pane, click New and then click User.
4. In the Create User window, specify the following and click OK.
• Full name: Student1
• User UPN logon: [email protected]
• User SamAccountName logon: Adatum\Student1
• Password: Pa55w.rd
• Confirm password: Pa55w.rd
• Password options: Other password options – Password never expires – enable the check box.
5. Click OK.
6. Right-click Start and then click Windows PowerShell (Admin).
7. From the Administrator: Windows PowerShell window, type the following and press Enter:
Add-LocalGroupMember -Group 'Administrators' -Member 'ADATUM\Student1'
You will use the ADATUM\Student1 account during this and subsequent tasks to test the functionality of Remote Credential Guard and the Restricted Admin Mode.
8. Remain signed in to LON-CL1 as ADATUM\Administrator. Click Start, click the icon representing the signed-in user, and click Switch account.
9. Sign in to the LON-CL1 Windows 10 lab virtual machine with the following credentials:
• USERNAME: ADATUM\Student1
• PASSWORD: Pa55w.rd
10. While signed in to LON-CL1 as ADATUM\Student1, click Start, in the Start menu, click Windows System, and click Command Prompt.
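The Task 1 configuration (default-style rules for all four collections in Audit only mode, written into the AppLocker Policy GPO) together with the audit-event review listed as Task 3, scripted in PowerShell as an added example that is not part of the lab. It assumes the lab's GPO name and the LON-DC1 domain controller, the RSAT GroupPolicy module plus the AppLocker module on LON-CL1, freshly generated (constructed) rule Ids, and uses a registry policy value as a stand-in for the System Services step that sets the Application Identity service to Automatic.

```powershell
# Added example, not part of the INF258x lab. Assumes the "AppLocker Policy" GPO from Task 1,
# the LON-DC1 domain controller, and the GroupPolicy (RSAT) and AppLocker modules on LON-CL1.
Import-Module GroupPolicy, AppLocker

$Everyone = 'S-1-1-0'        # well-known SID: Everyone
$Admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# One allow path rule as AppLocker policy XML; the rule Id is a constructed, freshly generated GUID
function New-PathRule([string]$Name, [string]$Sid, [string]$Path) {
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
    "<Conditions><FilePathCondition Path=`"$Path`"/></Conditions></FilePathRule>"
}
# "Any signed publisher" rule, the shape of the default Packaged app and signed Installer rules
function New-AnyPublisherRule([string]$Name, [string]$Sid) {
    "<FilePublisherRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
    "<Conditions><FilePublisherCondition PublisherName=`"*`" ProductName=`"*`" BinaryName=`"*`">" +
    "<BinaryVersionRange LowSection=`"0.0.0.0`" HighSection=`"*`"/></FilePublisherCondition></Conditions></FilePublisherRule>"
}
# The three rules "Create Default Rules" produces for the Executable and Script collections
function Get-DefaultRules {
    (New-PathRule 'All files in Program Files' $Everyone '%PROGRAMFILES%\*') +
    (New-PathRule 'All files in Windows'       $Everyone '%WINDIR%\*') +
    (New-PathRule 'Administrators: all files'  $Admins   '*')
}

# EnforcementMode="AuditOnly" on every collection mirrors step 24: nothing is enforced yet
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe"    EnforcementMode="AuditOnly">$(Get-DefaultRules)</RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">$(Get-DefaultRules)</RuleCollection>
  <RuleCollection Type="Msi"    EnforcementMode="AuditOnly">$(New-AnyPublisherRule 'All signed Windows Installer files' $Everyone)$(New-PathRule 'Windows Installer folder' $Everyone '%WINDIR%\Installer\*')$(New-PathRule 'Administrators: all Installer files' $Admins '*')</RuleCollection>
  <RuleCollection Type="Appx"   EnforcementMode="AuditOnly">$(New-AnyPublisherRule 'All signed packaged apps' $Everyone)</RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'AppLockerAuditPolicy.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# Write the rules into the GPO created in step 12; the LDAP path is built from the GPO's DN
$gpo = Get-GPO -Name 'AppLocker Policy'
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://LON-DC1.adatum.com/$($gpo.Path)"

# Stand-in for step 27 (assumption): Application Identity (AppIDSvc) Start=2 means Automatic
Set-GPRegistryValue -Name 'AppLocker Policy' -Key 'HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc' -ValueName 'Start' -Type DWord -Value 2 | Out-Null

# Preview of enforcement: executables under the user profile fall outside both Everyone rules,
# so Test-AppLockerPolicy reports what would be denied once Audit only is switched to Enforce
Get-ChildItem $env:USERPROFILE -Filter *.exe -Recurse -ErrorAction SilentlyContinue | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed' | Select-Object FilePath, PolicyDecision

# Task 3 view after the restart: audit-only hits (8003 = EXE and DLL log, 8006 = MSI and Script log)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8006
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it from an elevated PowerShell session on LON-CL1 before step 29; the event query only returns results after the restart and after Task 2 has generated activity.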