Windows 7 Applocker and Software Restriction Policies PT1
Thought I’d knock out a quick blog post on my studies of Windows 7’s implementation of Applocker and SRPs. Now, traditionally SRPs have been good in theory, but if you attempt to use them they will lead to a world of hurt. The same is still true, so unless you REALLY REALLY need to lock down your systems that much, leave well alone. Still, it’s covered in the exam objectives so I gotta study it in some form.
Software restriction policies are a way of limiting the applications that can be executed on Windows 7. These policies are set in group policy, so they can be set on the local workstation or as part of an AD GPO distribution. Applocker does the same thing but in a slightly different way (and it also overrides a clashing SRP).
To begin to configure an SRP you will need to get into either the local workstation’s gpedit.msc tool or AD’s GPO editor and drill down into COMPUTER CONFIGURATION/WINDOWS SETTINGS/SECURITY SETTINGS/SOFTWARE RESTRICTION POLICY. The container starts life empty, so you will need to right click on the node and choose “Create software restriction policy”.
You will then be greeted with these new options.
From within the Security Levels you have 3 available options, which are Disallowed, Basic User and Unrestricted. These 3 settings specify the default behaviour for applications that have no specific rule defined. Disallowed obviously means that software with no specific policy defined will not be allowed to run. Basic User allows software with no specific policy defined to run, providing that it requires no administrative access to the file system etc. Unrestricted simply means that any software with no specific SRP defined will be allowed to run. To enable any of these settings you need to open the setting you want and click the “Set as default” button.
I shall skip the Additional Rules section for the moment, as this is where you set specific rules for applications. The next option down is Enforcement. This defines how strictly the default policies are applied: configurable options include applying the policies to all software files, either excluding or including DLL files, etc. You can also specify whether the SRPs apply to all users except local administrators or to all users including administrators (dangerous), and whether certificate rules are ignored or enforced.
The Designated File Types option specifies what is considered to be an executable file type (in addition to exe and vbs). From this menu you can remove any of the default types or add your own.
The Trusted Publishers option allows you to specify who is allowed to manage the list of trusted publishers: you can allow both users and administrators to manage the list, just administrators, or just enterprise administrators. There are also 2 other settings you can change which relate to checking whether the publisher’s certificate is still valid or not.
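As an added example (not from the original post), here is a PowerShell snippet that reads the machine-wide SRP settings described above straight from the registry and decodes them into the names the GPO editor shows, which is handy for auditing what a workstation is actually enforcing. It assumes the policy was set under Computer Configuration and relies on the documented SRP registry layout under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`; the function name `Get-SrpSummary` is my own.

```powershell
# Added example, not the post's own code. Decodes the local SRP configuration.
# Assumption: policy lives in the machine hive (Computer Configuration), under
# the documented SRP key below. Value encodings are those documented for SRP.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Translate a raw DWORD into the name shown in the GPO editor.
function Decode-SrpValue([hashtable]$Map, $Value) {
    if ($null -eq $Value) { return 'not set' }
    $name = $Map[[int]$Value]
    if ($name) { return $name } else { return "unknown ($Value)" }
}

function Get-SrpSummary {
    if (-not (Test-Path $Base)) {
        return [pscustomobject]@{ Configured = $false }   # no SRP created yet
    }
    $p = Get-ItemProperty -Path $Base

    # Security Levels: the "Set as default" choice is stored as DefaultLevel.
    $levelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    # Enforcement: which files, and which users, the policy applies to.
    $enforceNames = @{ 1 = 'All software files except libraries (such as DLLs)'; 2 = 'All software files' }
    $scopeNames   = @{ 0 = 'All users'; 1 = 'All users except local administrators' }

    # Additional Rules live in subkeys named after the level they assign
    # (0, 131072, 262144); each path/hash rule is a GUID subkey holding ItemData.
    $ruleCounts = foreach ($k in Get-ChildItem -Path $Base) {
        $lvl = $levelNames[[int]$k.PSChildName]
        if ($lvl) {
            $n = @(Get-ChildItem -Path $k.PSPath -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { $_.Property -contains 'ItemData' }).Count
            "$lvl=$n"
        }
    }

    [pscustomobject]@{
        Configured       = $true
        DefaultLevel     = Decode-SrpValue $levelNames   $p.DefaultLevel
        Enforcement      = Decode-SrpValue $enforceNames $p.TransparentEnabled
        AppliesTo        = Decode-SrpValue $scopeNames   $p.PolicyScope
        # PolicyScope 0 is the setting the post calls dangerous: admins are locked down too.
        AdminsRestricted = ($null -ne $p.PolicyScope -and [int]$p.PolicyScope -eq 0)
        CertificateRules = if ([int]$p.AuthenticodeEnabled -eq 1) { 'Enforced' } else { 'Ignored' }
        DesignatedTypes  = @($p.ExecutableTypes)          # the Designated File Types list
        AdditionalRules  = @($ruleCounts)                  # e.g. Disallowed=3 Unrestricted=2
    }
}

Get-SrpSummary | Format-List
```

Run it from an elevated prompt on the workstation; an AD-delivered SRP shows up in the same key once the GPO has applied.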
Looking at this post, I think I will split this into two or three posts. I will go into actually creating an SRP in the next blog, but for now here’s a video of a basic one in action.