Paul Cooke - CISSP Director Microsoft Session Code: CLI322.

Presentation transcript:

Protecting Your Digital Assets
- Traditional ways
  - Standard user, strong authentication, …
  - Anti-virus, firewall, IDS, …
- Data access control policies
  - Access Control Policies (ACLs)
  - DRM, encryption, …
- However…
  - Any software running on the user’s behalf has the same access to data as the user running it

Application Control - Situation Today
- Users can install and run non-standard applications
- Even standard users can install some types of software
- Unauthorized applications may:
  - Introduce malware
  - Increase helpdesk calls
  - Reduce user productivity
  - Undermine compliance efforts

Windows 7 AppLocker™
- Eliminate unwanted/unknown applications in your network
- Enforce application standardization within your organization
- Easily create and manage flexible rules using Group Policy

Simple Rule Structure
- Allow: limit execution to “known good” and block everything else
- Deny: deny “known bad” and allow execution of everything else
- Exception: exclude files from an allow/deny rule that would normally be included
- “Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft EXCEPT Microsoft Access.”

Publisher Rules
- Rules based upon application digital signatures
- Can specify application attributes
- Allow for rules that survive application updates
- “Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft.”

Rule Targeting
- Rules can be associated with any user or group
- Provides granular control of specific applications
- Supports compliance by enforcing who can run specific applications
- “Allow users in the Finance Department to run…”

Multiple Rule Sets
- Rule types
  - Executable
  - Installer
  - Script
  - DLL
- Allows construction of rules beyond executable-only solutions
- Provides greater flexibility and enhanced protection
- “Allow users to install updates for Office as long as it is signed by Microsoft and is for version 12.*”

Rule Creation Wizards
- Step-by-step approach
- Fully integrated help
- Rule creation modes
  - Manual
  - Automatically generated
  - Import / Export
- Intuitive so that rules are easy to create and maintain

Audit Only Mode
- Test rules before enforcement
- Events written to local audit log
  - Applications and Service Logs | Microsoft | Windows | AppLocker
- PowerShell cmdlets
  - Turn audit events into rules

PowerShell Cmdlets
- Core needs scriptable through PowerShell
- Building blocks for a more streamlined end-to-end experience
- Inbox cmdlets
  - Get-AppLockerFileInformation
  - Get-AppLockerPolicy
  - Set-AppLockerPolicy
  - New-AppLockerPolicy
  - Test-AppLockerPolicy

PowerShell Example Scenario
- Bob calls Help Desk because AppLocker has blocked a finance application that he really needs to run for his job. Help Desk agrees to temporarily add a rule to local GPO to allow the program.
- Roles: Help Desk; Local or GPO Admin
- Steps
  - Get-AppLockerFileInformation: retrieve file information from event log
  - New-AppLockerPolicy: create a new policy
  - Test-AppLockerPolicy: test the new policy
  - Set-AppLockerPolicy: set the policy
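The four-cmdlet scenario above as one script, which also covers the "turn audit events into rules" point from the Audit Only Mode slide. This is an added example, not code from the presentation; the file name finance.exe, the CONTOSO\Finance group, the user CONTOSO\bob and the install path are constructed for illustration.

```powershell
Import-Module AppLocker

# 1. Get-AppLockerFileInformation: read blocked files from the local
#    AppLocker event log. Use -EventType Audited instead when the policy
#    runs in audit-only mode and nothing is blocked yet.
$blocked = Get-AppLockerFileInformation -EventLog -EventType Denied

# Keep only the application named in the help desk ticket (constructed name).
$target = $blocked | Where-Object { $_.Path -like '*\finance.exe' }
if (-not $target) {
    throw 'No matching block event found; confirm the file name with the user.'
}

# 2. New-AppLockerPolicy: build an allow rule scoped to the group that
#    needs the application. Publisher is tried first so the rule survives
#    updates; Hash is the fallback for unsigned files.
$policy = $target | New-AppLockerPolicy -RuleType Publisher, Hash `
    -User 'CONTOSO\Finance' -RuleNamePrefix 'HelpDesk-Temp' -Optimize

# 3. Test-AppLockerPolicy: check the decision for the affected user
#    before anything is applied (constructed path and account).
$appPath = 'C:\Program Files\Contoso\FinanceApp\finance.exe'
$result  = Test-AppLockerPolicy -PolicyObject $policy -Path $appPath -User 'CONTOSO\bob'
$result | Format-List FilePath, PolicyDecision, MatchingRule

# 4. Set-AppLockerPolicy: merge the rule into the local GPO only when the
#    test shows the new rule allows the file. -Merge keeps existing rules;
#    without it the local policy would be replaced by this single rule.
if ($result.PolicyDecision -eq 'Allowed') {
    Set-AppLockerPolicy -PolicyObject $policy -Merge
    # Keep a copy of what was added so the temporary rule can be reviewed
    # and removed later.
    $policy.ToXml() | Set-Content -Path (Join-Path $env:TEMP 'helpdesk-temp-rule.xml')
} else {
    Write-Warning "Rule not applied: decision was $($result.PolicyDecision)"
}
```

The -RuleNamePrefix value makes the temporary rule easy to find when the local policy is reviewed with Get-AppLockerPolicy -Local.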

Custom Error Messages
- Configurable in Group Policy
  - Computer Configuration | Administrative Templates | Windows Components | Windows Explorer | Set a support web page link
- Sets URL for Support Web page that is displayed to the user

Architectural Overview
[Diagram. User mode: Process 1, Process 2, Process 3, ntdll, AppID/SRP Service, SRP UM. Kernel mode: ntoskrnl, SRP Kernel, AppID, Appid.sys]

AppLocker

Deployment Best Practices
- Create a desktop lockdown strategy
- Inventory your applications
- Select and test rule types (allow / deny) in a lab
- Define GPO strategy and structure
- Build a process for managing rules
- Document your AppLocker design
- Build reference computers
- Test and update the policy using audit-only
- Enable rule enforcement
- Maintain the policy

Key Takeaways
- AppLocker helps the enterprise protect its digital assets by preventing unwanted software from running
- AppLocker provides an improved management experience, making it easier to maintain a list of approved applications
- AppLocker helps reduce support and license related costs by standardizing execution environments

Call To Action
- Everyone – Adopt Signed Applications
  - Signed code comes with a higher assurance of authenticity and integrity
  - If you are developing applications – sign them
  - If you are using applications – ask for them to be signed

Call To Action
- Enterprise Customers
  - Review your defense in depth strategy
  - Consider allow-listing applications
- ISVs
  - Leverage this opportunity by building solutions
  - Develop solutions for enterprises as they adopt application allow-listing

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.