Securing Windows Server 2008 R2 : AppLocker (part 2) - Publisher, Path & File hash condition

8/18/2011 4:41:48 PM

Publisher condition

By selecting the Publisher condition, you will be required to browse to an application file so that the information about the publisher, and about the application itself, can be read from the file's digital signature. Publisher is the best choice whenever it is available, because it gives consistent results: an application identified by Publisher is recognized correctly on every workstation regardless of the directory it is installed in, and, depending on the version range you set, newer signed versions from the same vendor continue to match without a new rule.

You can also use the Publisher condition to create rules that are more generic and cover multiple applications instead of a single named one. For instance, assume that I would like all applications from a particular vendor to be allowed to run on the kiosk machines in my environment. The vendor ships many applications, and their version information changes frequently. Creating an individual rule for each application and keeping those rules up to date as changes occur would be a heavy administrative task.

To begin your configuration, create a GPO and link it to the OU that contains the kiosk machines. Next, create the AppLocker rule. In this case, instead of specifying each application in a separate rule, use the Publisher condition to create a single rule scoped to the vendor level. To do this, you still need one application file, digitally signed by the vendor you are configuring, to use as a sample.

Begin the Create New Rule... wizard and, once you arrive at the conditions screen, select Publisher and browse to the sample application. Once the application information has populated the screen, use the slider shown in Figure 5 to broaden the rule. Moving the slider up removes application-specific information from the rule, first File Version, then File Name. You can go so far as to remove Product Name as well, leaving only the Publisher name of the vendor, as displayed in Figure 5. This creates an AppLocker rule that targets a specific vendor rather than one application created by that vendor. Bear in mind what that means: every file the vendor signs, including tools you never intended to deploy to the kiosks, will match the rule. Scope to the vendor only when the vendor is small and you trust its entire catalog; a vendor-wide Allow rule for a large publisher such as Microsoft would also allow signed utilities that are routinely abused to run arbitrary code.

Figure 5. Publisher Condition.
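The same vendor-scoped rule can be built with the AppLocker PowerShell module that ships with Windows Server 2008 R2. The script below is an added example and is not part of the original article: it reads the signer from one signed sample file, generates a Publisher rule, edits the rule XML to the top slider position by wildcarding product, file name and version, and dry-runs the result with Test-AppLockerPolicy. The file paths, the CONTOSO\KioskUsers group and the GPO LDAP path are assumptions for illustration.

```powershell
# Added example (not from the original article). Builds a Publisher rule from one
# signed sample binary, then widens it to vendor scope the way the slider in
# Figure 5 does. Sample path, policy path, group and LDAP path are assumptions.
Import-Module AppLocker

$Sample    = 'C:\Program Files\BToast\BTst.exe'   # any binary signed by the vendor
$Copy      = 'C:\Users\Public\BTst.exe'           # same file, different directory
$PolicyXml = 'C:\Policies\Kiosk-Vendor-Allow.xml'

# 1. Pull the Authenticode signer details from the sample file.
$info = Get-AppLockerFileInformation -Path $Sample
if ($null -eq $info.Publisher) {
    throw "$Sample is not digitally signed; a Publisher rule cannot be built from it."
}
"Signer : {0}" -f $info.Publisher.PublisherName
"Product: {0}  File: {1}  Version: {2}" -f $info.Publisher.ProductName,
                                           $info.Publisher.BinaryName,
                                           $info.Publisher.BinaryVersion

# 2. Generate an Allow rule for the kiosk users group. As generated, the rule is
#    tied to the product and file name found in the sample (bottom of the slider).
$policyText = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
                  -User 'CONTOSO\KioskUsers' -RuleNamePrefix 'Vendor' -Xml
$xml = [xml]$policyText

# 3. Widen the scope. '*' for product, file name and both ends of the version
#    range leaves only the publisher, which is the top slider position.
foreach ($cond in $xml.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName',  '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection',  '*')
    $range.SetAttribute('HighSection', '*')
}
$xml.Save($PolicyXml)

# 4. Dry run. A Publisher rule matches on the signature, not the location, so the
#    copy in a different directory is allowed as well. Nothing is enforced here.
Copy-Item -Path $Sample -Destination $Copy -Force
Test-AppLockerPolicy -XmlPolicy $PolicyXml -User 'CONTOSO\KioskUsers' -Path $Sample, $Copy |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $Copy -Force

# 5. Import into the kiosk GPO. -Merge keeps rules already present in the GPO.
#    The LDAP path (including the policy GUID) is a placeholder for your own GPO.
# Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge `
#     -Ldap 'LDAP://DC1.contoso.com/CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com'
```

Before importing, open the saved XML and confirm that the only remaining specific in the FilePublisherCondition is PublisherName; that string is the signer's subject (O=, L=, S=, C=), so a rule widened this far allows every file that subject signs.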

Path condition

There are times when selecting the Publisher condition is simply not possible. If a vendor does not digitally sign its applications, the Publisher condition cannot be used. Another choice in that case is the Path condition.

The Path condition requires you to browse to the executable and select it; the rule then records the path of the executable, either as a single file or, with a wildcard, as a whole folder. Both local paths and network paths may be specified. AppLocker marches to the beat of its own tune here: paths may contain variables, but the variables are unique to AppLocker. They do not follow the standard Windows environment variables, and although some of the values are indeed the same, others are quite different. Table 2 compares the AppLocker path variables with the corresponding Windows environment variables.

Table 2. AppLocker and Windows Environmental Variables

Windows path                      AppLocker variable    Windows environment variable
Windows                           %WINDIR%              %SystemRoot%
System32                          %SYSTEM32%            %SystemDirectory%
Windows installation drive        %OSDRIVE%             %SystemDrive%
Program Files                     %PROGRAMFILES%        %ProgramFiles% and %ProgramFiles(x86)%
Removable media (CD, DVD)         %REMOVABLE%           (no equivalent)
Removable storage (USB)           %HOT%                 (no equivalent)

Note that a single AppLocker %PROGRAMFILES% covers both the 64-bit and the 32-bit Program Files folders, and that the %REMOVABLE% and %HOT% variables have no Windows counterpart at all, so a rule that must apply on removable media can only be expressed in AppLocker's own notation.

When the Path condition is used in an Allow rule, the executable at the selected path is allowed to run, but executable files in other directories, even with the same file name, are denied. For example, you configure an Allow rule for an application named BearToast whose executable, BTst.exe, is located in C:\Program Files\BToast. The rule allows only a file with that name in that specific directory to run; a copy of BTst.exe in any other directory is denied. The converse is the weakness of Path rules: AppLocker does not check what the file at the path is, only where it is, so an Allow rule on a path is exactly as strong as the NTFS permissions on that path. If standard users can write to an allowed directory (or to a subfolder covered by a wildcard folder rule), they can place any executable there and run it. Check the ACLs on every path you allow, and add exceptions for user-writable locations before relying on the default %WINDIR% and %PROGRAMFILES% rules.
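As an added example (not from the original article), the following PowerShell builds the BTst.exe Path rule described above, confirms with Test-AppLockerPolicy that a same-named copy elsewhere is denied, and then audits the allowed directory for ACLs that let standard users write to it, which is the check that decides whether a Path rule is safe. The paths and group name are assumptions; the Find-UserWritableDirs function is written here for illustration and is not an AppLocker cmdlet.

```powershell
# Added example (not from the original article). Creates the BTst.exe Path rule,
# tests it, and audits the allowed directory for user-writable ACLs. Paths and
# the CONTOSO\KioskUsers group are assumptions for illustration.
Import-Module AppLocker

$Allowed   = 'C:\Program Files\BToast\BTst.exe'
$Elsewhere = 'C:\Users\Public\BTst.exe'
$PolicyXml = 'C:\Policies\BToast-Path-Allow.xml'

# New-AppLockerPolicy rewrites known locations into AppLocker's own variables,
# so the stored rule reads %PROGRAMFILES%\BToast\BTst.exe, not the literal C:\ path.
$info = Get-AppLockerFileInformation -Path $Allowed
New-AppLockerPolicy -FileInformation $info -RuleType Path -User 'CONTOSO\KioskUsers' -Xml |
    Set-Content -Path $PolicyXml

# Same bytes, different directory: the Program Files copy is Allowed, the Public
# copy is Denied, because a Path rule looks only at the location.
Copy-Item -Path $Allowed -Destination $Elsewhere -Force
Test-AppLockerPolicy -XmlPolicy $PolicyXml -User 'CONTOSO\KioskUsers' -Path $Allowed, $Elsewhere |
    Format-Table FilePath, PolicyDecision -AutoSize
Remove-Item -Path $Elsewhere -Force

# Hypothetical helper (not an AppLocker cmdlet): report directories under $Root
# where low-privilege principals hold write rights. Any hit means a user could
# drop an arbitrary binary inside the path that the Allow rule trusts.
function Find-UserWritableDirs {
    param([Parameter(Mandatory=$true)][string]$Root)

    # Principals that every interactive, non-admin user is a member of.
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Write covers WriteData/CreateFiles and AppendData; Modify and FullControl
    # include those bits. GENERIC_WRITE and GENERIC_ALL appear in some inherited ACEs.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                 0x40000000 -bor 0x10000000

    $dirs = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($lowPriv -contains $ace.IdentityReference.Value) -and
                (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
                New-Object PSObject -Property @{
                    Directory = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Audit the directory the rule trusts. No rows means no standard user can plant
# a file there; any row is a location that needs an ACL fix or a rule exception.
Find-UserWritableDirs -Root (Split-Path -Path $Allowed -Parent) | Format-Table -AutoSize

# The same audit against the Windows directory (slow on a full tree) shows why the
# default %WINDIR% rule needs exceptions: on a stock install it reports, among
# others, C:\Windows\Tasks and C:\Windows\Temp.
# Find-UserWritableDirs -Root $env:windir | Format-Table -AutoSize
```

Run the audit as an administrator so that Get-Acl can read every subdirectory; a directory it cannot read is skipped, not reported, so an incomplete run can look cleaner than the real permissions are.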

File hash condition

For applications that are not digitally signed and do not have a fixed path, File hash is the remaining option. When you select File hash and browse to an application file, AppLocker computes a SHA-256 hash of the file's contents and stores it in the rule; at run time the file is identified by whether its hash matches.

Be aware that a File hash rule pertains only to that exact build of the file. Any change to the file, whether a vendor update, a patch or a single altered byte, produces a different hash, so if several versions of the application exist in the environment you must create a rule for each version you wish to cover, and you must add a rule for every new version as it is deployed. This cuts both ways: a hash-based Deny rule is trivial to sidestep with a recompiled or slightly altered copy, so hashes are dependable for allow-listing known files but weak as a blocking control.

Automatically Generate Rules

The final rule creation method available to administrators within AppLocker is called Automatically Generate Rules. Instead of creating rules for applications one at a time, Automatically Generate Rules lets the administrator select a folder and build rules for everything in it.

All of the applications that reside in the selected folder are added to the rule set automatically. You indicate which conditions should be used to identify the different files: Publisher conditions are preferred, and for files that are not digitally signed you choose the fallback method, File hash or Path, on the Rule Preferences screen displayed in Figure 6. This is a fast way to create many rules in one pass. Be aware that this method can only create Allow rules, and that it allows whatever is present in the folder at the moment the rules are generated, so review the resulting list before you enforce it; installers or stray binaries left in the folder become allowed along with the application.

Figure 6. Rule Preferences.
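The Automatically Generate Rules wizard, with the Rule Preferences choice of Publisher first and File hash as the fallback, has a direct PowerShell equivalent. The script below is an added example, not from the original article, and serves both the File hash and the Automatically Generate Rules sections: it inventories a folder, generates Publisher rules with hash fallback for unsigned files, counts what was produced, and then shows the version-pinning behaviour of a hash rule by testing a one-byte-modified copy of an unsigned binary. The folder, group and policy paths are assumptions.

```powershell
# Added example (not from the original article). PowerShell equivalent of the
# Automatically Generate Rules wizard with Publisher preferred and File hash as
# fallback, plus a demonstration of hash pinning. Folder, group and policy path
# are assumptions for illustration.
Import-Module AppLocker

$AppFolder = 'C:\Program Files\BToast'
$PolicyXml = 'C:\Policies\BToast-Auto-Allow.xml'

# Inventory every rule-relevant file type in the folder tree.
$files = Get-AppLockerFileInformation -Directory $AppFolder -Recurse `
             -FileType Exe, Dll, Script, WindowsInstaller

# Files with no Publisher are the ones that will fall back to hash rules.
$files | Select-Object Path, @{ n = 'Signed'; e = { $null -ne $_.Publisher } } |
    Format-Table -AutoSize

# Publisher first, Hash for anything unsigned. -Optimize merges rules that share
# a publisher and product, as the wizard does. Only Allow rules are produced.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User 'CONTOSO\KioskUsers' -RuleNamePrefix 'BToast' -Optimize -Xml |
    Set-Content -Path $PolicyXml

# Count what was generated. Each FileHashRule pins one exact file, so every
# unsigned binary that gets updated later will need a new rule.
$xml = [xml](Get-Content -Path $PolicyXml)
"Publisher rules: {0}" -f $xml.SelectNodes('//FilePublisherRule').Count
"Hash rules     : {0}" -f $xml.SelectNodes('//FileHashRule').Count

# Version pinning in action: take one unsigned .exe from the folder, flip a single
# byte in a copy (a stand-in for a patched build) and evaluate both.
$unsigned = Get-ChildItem -Path $AppFolder -Recurse -Filter *.exe |
    Where-Object { $null -eq (Get-AppLockerFileInformation -Path $_.FullName).Publisher } |
    Select-Object -First 1

if ($unsigned) {
    $patched = Join-Path -Path $env:TEMP -ChildPath 'BTst-patched.exe'
    $bytes   = [System.IO.File]::ReadAllBytes($unsigned.FullName)
    $bytes[$bytes.Length - 1] = $bytes[$bytes.Length - 1] -bxor 0xFF
    [System.IO.File]::WriteAllBytes($patched, $bytes)

    # Original: Allowed by its hash rule. Patched copy: Denied, since the SHA-256
    # no longer matches and no other rule covers it.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -User 'CONTOSO\KioskUsers' `
        -Path $unsigned.FullName, $patched |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

    Remove-Item -Path $patched -Force
} else {
    'Every executable in the folder is signed; no hash rules were needed.'
}
```

Rerun the inventory step after each application update and diff the hash rule count against the previous policy; a rising count of FileHashRule entries is the maintenance cost the File hash section warns about, and a candidate for asking the vendor to sign its releases.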