A Tinfoil Hat's Guide to AppLocker

Greatly reduce your personal attack surface on Windows systems by utilizing a powerful feature.


Windows is the most widely used operating system in the world. With that comes rather scary malware and exploits. Our computers have become indispensable tools, brimming with countless applications for productivity, education, entertainment, and more. All of that is juicy information waiting for hackers to take, spy on, or hold for ransom. But what if there was a way to lock down Windows in such a manner where rogue apps are stopped dead in their tracks? Enter AppLocker, a powerful, built-in Windows feature designed to do just that. Through application control policies, it allows you to dictate what can and cannot run on your system.

AppLocker is commonly used in business settings to restrict users from running unknown applications that are not installed by admins. This is often to prevent end users from installing time wasters or malware. In this case, we will be using it personally for added security, by making sure we don't knowingly or unknowingly walk into traps!

Things to Note

Before we get into the crux of it, there are some important things you need to know before setting up AppLocker:

  • AppLocker rules can be dangerous. Improper configuration can result in you potentially breaking Windows. Proceed with care.
  • If you already have malware, this guide will not help you yet. Clean your system first.
  • AppLocker is only officially available on Pro & Enterprise editions of Windows. While it is possible to use AppLocker on the Home edition, configuring it without the Local Security Policy app is challenging and out of scope for this guide.
  • AppLocker is not the end-all be-all. Its protection is only as good as the rules you write, and there are known bypasses. We will cover blocking the most common ones, but it is unlikely to protect you from highly sophisticated malware or supply chain attacks.
  • It goes without saying, but these more extreme measures will reduce convenience. You will have to add exceptions or disable AppLocker if you want to run files that are not from whitelisted publishers or paths. Just keep in mind that if you allow malware through yourself, AppLocker cannot stop it from infecting your system.

With that out of the way, let's waste no time and get right to it!

Configuring AppLocker

Getting Started

First things first, we need to enable the "Application Identity" service in Windows. This service is required for AppLocker to work. By default, this is in manual mode and not started. Open up a command prompt window as administrator, and run the following commands:

sc start AppIDSvc
sc config AppIDSvc start= auto

If both commands succeed, the first prints the service status (START_PENDING or RUNNING) and the second prints "[SC] ChangeServiceConfig SUCCESS". Note the space after "start=": sc.exe expects it.

Now, we're going to run the "Local Security Policy" snap-in. Open up your start menu and search for it. You can also enter "secpol.msc" into the Run dialog.

Once the Local Security Policy snap-in opens, expand Application Control Policies and select AppLocker.

Now, we are going to go into every single rule category (Executable, Windows Installer, Script, and Packaged App) and create the default rules. This is imperative, as skipping it will cause problems. To do this, click each rule category, then right-click in the right-hand pane and click "Create Default Rules".

In most cases, this will create 3 rules:

  • Allow all files in the Windows folder
  • Allow all files in the Program Files folders
  • Allow administrators to run everything

We will need to delete the third rule from each category it appears in. Since we use an administrator account day to day, leaving it in place would allow everything for our account and make the rest of the rules pointless. To do this, right-click the rule and click "Delete".

Initial configuration of AppLocker is complete, now it's time to enable it! Right-click the "AppLocker" node under Application Control Policies and click Properties. Then check every rule collection you want enforced and set each one to "Enforce rules". Click Apply, then OK.

The rules take effect immediately. You will find that most of your currently installed apps still work fine, but some apps and files you try to run will be stopped with a dialog saying the app has been blocked by your system administrator.

This means that AppLocker is doing its job and preventing the execution of these apps, as they are not defined in your rules. Sweet.
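The steps above flip straight to "Enforce rules". A safer way to roll out the same configuration is to run each rule collection in audit mode first and read the AppLocker event log to see what would have been blocked, then enforce once the allow rules are right. The following PowerShell script is an added example, not part of the original post; it assumes the default rules have already been created in secpol.msc as described above, that it is run from an elevated prompt, and that the temporary file name under %TEMP% is arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): put every AppLocker collection that contains rules into
# AuditOnly mode, then list what audit mode *would* have blocked, so the policy can be tuned before
# "Enforce rules" is turned on. Assumes the default rules were already created in secpol.msc.
Import-Module AppLocker

# 1. The Application Identity service must be running for AppLocker to evaluate anything.
$svc = Get-Service -Name AppIDSvc
if ($svc.StartType -ne 'Automatic') { sc.exe config AppIDSvc start= auto | Out-Null }
if ($svc.Status -ne 'Running')      { Start-Service -Name AppIDSvc }

# 2. Export the current local policy to XML (file name is arbitrary).
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $policyPath -Encoding UTF8

# 3. Put every collection that contains rules into AuditOnly; leave empty collections alone,
#    because an enforced collection with no allow rules blocks everything of that type.
[xml]$policy = Get-Content -Path $policyPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    if ($collection.ChildNodes.Count -gt 0) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
}
$policy.Save($policyPath)

# 4. Apply it. Without -Merge this replaces the local policy with the edited copy of itself.
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. After using the machine normally for a while, review what would have been blocked.
#    8003 = EXE/DLL, 8006 = MSI/script, 8021 = packaged app ("would have been blocked" events;
#    the enforced-mode "blocked" counterparts are 8004, 8007 and 8022).
$auditEvents = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'            = 8003
    'Microsoft-Windows-AppLocker/MSI and Script'         = 8006
    'Microsoft-Windows-AppLocker/Packaged app-Execution' = 8021
}
foreach ($log in $auditEvents.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $auditEvents[$log] } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message |
        Format-Table -AutoSize -Wrap
}
```

Once the audit events show only things you genuinely want blocked, switch the collections to "Enforce rules" in secpol.msc. The same event IDs, plus their enforced-mode counterparts, are what you watch afterwards to spot a legitimate app being refused or something unexpected trying to run.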

Whitelisting

Now, here comes the most time-consuming part, which is whitelisting your trusted sources and apps.

You have three ways to do this:

  • By a signed publisher (most secure & convenient)
  • By a file hash (reasonably secure but not convenient)
  • By a file path (less secure but more convenient)

At this point, it's up to you, but I would recommend whitelisting all files signed by Microsoft just for good measure. Whitelisting a publisher works through the rule wizard: you point it at a signed file and then choose how specific the rule should be, from the publisher alone down to a particular file version.

So, it's not super difficult, but it can be time consuming if you have a lot of apps from different publishers. Thankfully, there are some faster ways.

One way is to just allow all trusted publishers. A trusted publisher is a software developer or company that has a valid code signing certificate issued by a reputable certificate authority (CA). The CA is responsible for verifying the identity of the publisher before issuing the certificate. For most use cases, you can do this. If you're paranoid, you can whitelist each publisher manually.

The next way is to generate rules automatically using the wizard. Point it at a directory and it will scan the files you currently have installed. Keep in mind that while this creates publisher rules, they are scoped to the specific app and version it found, so the result is narrower than a rule you write by hand.

You can also whitelist entire directories by using the wildcard in the "Path" option, such as: C:\SomeFolder\*. Keep in mind the security implications though.

This same idea applies to almost every other rule category, so if you have a batch script or something, you will likely need to whitelist it.
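The three whitelisting approaches above (publisher, hash, path) and the "generate rules from what is installed" shortcut can all be driven from the AppLocker PowerShell module instead of the wizard. The script below is an added example, not from the original post: it inventories both Program Files directories, builds publisher rules for signed files and hash rules for unsigned ones, and then adds one hand-written publisher rule that covers everything signed by Microsoft regardless of product or version, which is the broad form the wizard does not produce. The directories, output file names and the test path are illustrative assumptions; adjust them to your own machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): build allow rules for installed software, preferring
# publisher rules and falling back to hashes for unsigned files, then add a hand-written publisher
# rule covering everything signed by Microsoft regardless of product or version. Paths and file
# names below are illustrative assumptions.
Import-Module AppLocker

# 1. Inventory executables, installers and scripts under both Program Files directories.
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$fileInfo = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Publisher rules where the file is signed, hash rules otherwise; -Optimize merges duplicates.
$generatedPath = Join-Path $env:TEMP 'generated-allow-rules.xml'
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $generatedPath -Encoding UTF8

# 3. One broad publisher rule: any product, any binary, any version signed by Microsoft.
#    S-1-1-0 is the Everyone SID; "*" in BinaryVersionRange means no version restriction.
$microsoftPath = Join-Path $env:TEMP 'microsoft-publisher-rule.xml'
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow all Microsoft-signed executables"
        Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $microsoftPath -Encoding UTF8

# 4. Merge both into the local policy (-Merge keeps the rules already created in secpol.msc).
#    Re-check each collection's enforcement mode in secpol.msc afterwards.
Set-AppLockerPolicy -XmlPolicy $generatedPath -Merge
Set-AppLockerPolicy -XmlPolicy $microsoftPath -Merge

# 5. Test a specific file against the effective policy before relying on the result
#    (the path is a placeholder; substitute a real binary).
$effectivePath = Join-Path $env:TEMP 'effective-policy.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectivePath -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $effectivePath -Path 'C:\Program Files\SomeVendor\app.exe' -User Everyone
```

Hash rules are the fallback here because they match exactly one file version: every update to an unsigned program needs a new rule, which is the "reasonably secure but not convenient" trade-off listed above. Test-AppLockerPolicy is the cheap way to confirm a rule does what you expect before an enforced collection refuses the file.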

Blocking Common Bypasses

At this point, we've configured AppLocker the way we want it, but wait, we're not done! There are still some things to take care of: common bypass methods and Windows tools that are frequently abused.

For security, we need to block some Windows utilities. These files are as follows:

  • %SYSTEM32%\mshta.exe
  • %SYSTEM32%\msdt.exe
  • %SYSTEM32%\PresentationHost.exe
  • %SYSTEM32%\msbuild.exe*
  • %SYSTEM32%\regsvr32.exe**

*Do not block if you use developer tools such as Visual Studio.

**I will not be using AppLocker but instead applying a firewall restriction to prevent network access. But you could also block via AppLocker if you so choose.

This is just as straightforward as the other rules, except that the action is set to "Deny" instead of "Allow".

If you want to follow my lead and block regsvr32 from network access, open the Start menu, then type and launch "Windows Defender Firewall with Advanced Security". Click Outbound Rules and add two block rules, one for C:\Windows\System32\regsvr32.exe and one for C:\Windows\SysWOW64\regsvr32.exe.
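The deny rules and the two firewall rules above can also be applied as a script, which makes them easy to re-apply after a reinstall. The following PowerShell is an added example, not from the original post. It lists both the System32 and SysWOW64 copies of each tool explicitly, since a 64-bit Windows ships both. msbuild.exe is left as a commented-out option because of the developer-tools caveat above, and note that it lives in the .NET Framework directories rather than in System32, so the paths used for it here differ from the list above. The temporary file name is an arbitrary assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): the deny rules from the list above as a merged AppLocker
# policy, plus the two outbound firewall blocks for regsvr32. Both System32 and SysWOW64 copies are
# listed explicitly. msbuild.exe is commented out because it breaks developer tooling, and it lives in
# the .NET Framework directories rather than System32.
Import-Module AppLocker

$denyPaths = @(
    '%SYSTEM32%\mshta.exe',            '%WINDIR%\SysWOW64\mshta.exe',
    '%SYSTEM32%\msdt.exe',             '%WINDIR%\SysWOW64\msdt.exe',
    '%SYSTEM32%\PresentationHost.exe', '%WINDIR%\SysWOW64\PresentationHost.exe'
)
# Uncomment if you do not use Visual Studio or other developer tools:
# $denyPaths += '%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe',
#               '%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'

# 1. One FilePathRule per path. S-1-1-0 is Everyone; a Deny rule always wins over any Allow rule.
$rules = foreach ($p in $denyPaths) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $p" Description="Added example deny rule"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$p" />
      </Conditions>
    </FilePathRule>
"@
}

$denyPath = Join-Path $env:TEMP 'deny-abused-tools.xml'
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $denyPath -Encoding UTF8

# 2. -Merge adds the deny rules to the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $denyPath -Merge

# 3. Verify against the effective policy: these should now report Denied.
$effectivePath = Join-Path $env:TEMP 'effective-policy.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectivePath -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $effectivePath -User Everyone -Path @(
    "$env:SystemRoot\System32\mshta.exe", "$env:SystemRoot\SysWOW64\mshta.exe"
)

# 4. Outbound firewall blocks for both copies of regsvr32 (the firewall alternative described above).
foreach ($exe in "$env:SystemRoot\System32\regsvr32.exe", "$env:SystemRoot\SysWOW64\regsvr32.exe") {
    New-NetFirewallRule -DisplayName "Block outbound: $exe" -Direction Outbound -Program $exe `
        -Action Block -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName 'Block outbound: *' | Select-Object DisplayName, Enabled, Action
```

Because deny rules take precedence over allow rules in AppLocker, these entries hold even though the default "Allow all files in the Windows folder" rule still covers System32. A blocked launch of one of these tools shows up as event 8004 in the "Microsoft-Windows-AppLocker/EXE and DLL" log, which is worth checking occasionally: a legitimate program rarely needs them, so a hit is a useful signal.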

That basically covers everything!

Practicing Logical Security

As I've said before, AppLocker will not fully protect you, but it will get you most of the way there. AppLocker is best paired with other forms of security hygiene. Here are some things I follow:

  • Always aim to download software from a trusted vendor.
  • Don't just ignore UAC prompts. They might be annoying, but if you know an app does not need admin permissions, don't grant them.
  • Treat all unsigned and/or uncommonly downloaded apps as suspicious. Apps from unknown sources or modified/cracked apps can contain malware not detected by anti-malware solutions.
  • Run suspicious software in an isolated sandbox or virtual machine first. Keep it isolated to that VM if you can and monitor its activity. If it blocks/doesn't run in a virtual machine, it's probably not worth running on your main system.
  • Keep your OS and software up to date (duh)
  • Use a network firewall such as Portmaster or NetLimiter to monitor and control your system's network traffic.

Conclusion

Through this guide, we have delved deep into using AppLocker, a powerful, built-in Windows feature. By controlling the applications that can run on your system, you effectively fortify your digital fortress against many threats, significantly reducing the likelihood of falling prey to malicious software. Remember though, as powerful as AppLocker is, it is not an infallible shield. Its efficacy lies in its correct use, coupled with logical security practices like downloading software from trusted sources, staying vigilant with admin permissions, treating unsigned apps with suspicion, and keeping your system up-to-date. In the end, cybersecurity is not a destination, but a journey, where constant vigilance, education, and adjustment are the keys to safety. With AppLocker in your arsenal, and a mindset tuned towards security, you're well-equipped for this journey.