Hi. This is Greg Shields and I am going to show you how to control the execution of your applications using Applocker. You will see here that I brought up the Group Policy Management Console and I created a new Group Policy Object. This one I have just called Applocker. What I want to do to actually create an application control policy is to first edit this Applocker Policy. You will see I brought it up here inside of the Group Policy Management Editor. If I scroll down past Computer Configuration/Policies/Windows Settings/Security Settings, you will see a node down here called Application Control Policies and this is where Applocker really lives.
Now the first thing you have to do to really turn on Applocker is to actually enable its rule enforcement. If I click here on Applocker, you will see the configure rule enforcement link. If I then click that I have three different options for the different types of rules I want to turn on, Executable rules, Windows Installer rules, and Script rules. For each of these three I can turn them on, once they are turned on I can configure whether I want to enforce the rules or just set so they will audit only. In the audit only configuration no applications will actually be prevented from executing. However, I will get event log error messages that let me know that users are attempting to run these prevented applications. As you can imagine, audit only is good for insuring that I have got the right Applocker rules configured at first.
If I set these to configure and set them to enforce the rules, this will actually turn on Applocker for Executable rules, Windows Installer rules, and Script rules. Under the Advanced tab here you will see we can also tune on DLL rules collection. However, we are given a warning that turning this on can affect system performance. It is generally not a good idea to turn on DLL rules collection unless you really mean it.
Once I have turned on Applocker, I click the OK button here and then I need to go and actually configure the rules that I want to turn on. If I click Executable Rules and then right click it, you will see I have three primary options, Create New Rule, Automatically Generate Rules, and Create Default Rules. At very first what I want to do is create the Default Rules because these set up those default rules for how I will actually use Applocker. What this does is turn on the whitelisting type of approach that we talked about in the article.
Once I have created those default rules, one of the easiest ways you can create a list of rules associated with the computer is by right clicking Executable Rules and choosing Automatically Generate Rules. What I want to do is actually run this generation tool, this inventory tool, against a computer that is configured via some sort of baseline configuration that I have deployed to my users. I can set this to run against the program files or I can it against the entire C: drive.' I can choose which user or security group I want the rules to apply to and then also a name to identify this set of rules. Once I click the next button I can chose what types of rules I want to create, whether these be Publisher Rules or File Hash Rules. If I want I can also reduce the number of rules that are created by grouping together similar files.
Now what this does is help determine what types of rules are being created. If I am actually going to look at that digital signature associated with each executable via a Publisher Rule or if I am just going to hash all the files, all the executables on this computer. It is generally a good idea to start with Publisher Rules where ever possible and then resort to File Hash Rules as your second line of defense. If I chose the Next button it is going to go through the process of inventorying all the executables on this computer.' In this case I did just the files in C: program files. Once it is done it will show me which rules it has created. Here I have created nine Publisher Rules and one File Hash Rule, and I have looked at 26 different files in total. If I chose the create button here you can see the rules have now been created. These actually allow these executables to run on the computers that are configured. Once I am done with this I can chose any Windows Installer Rules or Script Rules and ultimately deploy this Group Policy as well to the computers in my domain.'