Applocker Configuration

Applocker is going to be put through it's paces with various attacks and mitigations. To this end the configuration will be consistent for the various tests with more or less out of the box policy, approving everything currently installed. Any program not whitelisted is implicitly denied. This page will describe how Applocker is configured. There will be no Deny rules unless stated.

Applocker is available with Windows 7 Ultimate and Enterprise, Windows 8 and 10 Pro Editions and is a application whitelisting service that is meant to keep the system safe from malware executing. It does this via GPO and Publisher, Hash and Path rules for the following file types:

Executables (.exe, .com)

Dll's (.ocx, . dll)

Scripts (.vbs, .js, .ps1, .cmd, .bat)

Windows Installers (.msi, .mst, .msp)

Packaged App (.appx)

There is an undocumented feature of blocking API's when DLL enforcement is enabled, requiring path rules to allow.Applocker will be configured to protect all files on C:\, enforcing Executables, Dll's and Installers by Publisher and falling back to Hash. The default rules wont be added with the exception of DLL and Packaged App Rules. The default rules are too easy to bypass, however approving all DLL's so performance isn't impacted involves too much time and effort for these demo's.

To configure Applocker open Gpedit.msc or Group Policy Management, browse to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > Applocker.

Right click and check each of the 'Configured' boxes, click on the 'Advanced' tab and enable DLL Rules, Apply. 

For each of the 'Rule' types, expect 'DLL Rules' and 'Package App Rules', right click and 'Automatic Generate Rules'

'DLL Rules' and 'Package App Rules' select 'Create Default Rules'. For the DLL rules delete the Administrator approval rule.

Update the folder path to C:\ so all files on the system are approved. 

Go with the default of Publisher rules with files that are not signed will use the Hash value.

Click 'No', never use the default rules except where stated and this is for this demo only.

Review the Rules and click 'Create'

Now repeat for each rule set, dont forget to use the default rules for DLL and Packages.

The Applocker Rules will not take affect until the AppIDSvc has started. Change the Service 'Startup Type' from Manual to Automatic by either setting the Registry value 'Start' from 4 to 2, then starting the service. Or running this bit of Powershell as Administrator.

Set-Service -Name AppIDSvc -StartupType Automatic
Get-service -Name AppIDSvc | Start-Service

To confirm Applocker is enforcing open the Applocker Event Log and wait for the 8001 event, this may take a few minutes whilst the Applocker database is being populated. Reboot and check for any errors.​

Some things to keep in mind with Applocker.

  • Applocker does not enforce policy on System and Service Accounts.

  • Setting the AppIDSvc to manual and rebooting disables Applocker.

  • DLL rules do affect performance if they are not carefully implemented.

  • It is possible especially with DLL rules enable to exceed GPO or the Applocker database size with too many approvals. Approved files will become unapproved and subsequently denied.