
1 Section 11: Implementing Software Restriction Policies and AppLocker
- What Is a Software Restriction Policy?
- Creating a Software Restriction Policy
- Using Additional Rules to Help Identify Software
- What Makes an Effective Software Restriction Policy?
- Using AppLocker in Windows 7 and Later
Managing Windows Environments with Group Policy

2 Section Objectives
After completing this section, you will be able to:
- Define software restriction policies
- Explain how to create software restriction policies
- Describe the additional rules that you can apply to software restriction policies
- Describe the characteristics of an effective software restriction policy
- Describe the AppLocker features
© 2013 Global Knowledge Training LLC. All rights reserved.

3 What Is a Software Restriction Policy?
- Software Restriction Policies Defined
- Software Restriction Policy Deployment

4 Software Restriction Policies Defined
Software restriction policies are used to prevent unauthorized software from executing.

5 Software Restriction Policy Deployment
1. Define policy for the domain using the Group Policy editor.
2. Policy is downloaded by Group Policy to the computer.
3. Policy is enforced by the operating system when the software is run.
System policy: Deny Notepad.exe, Deny *.vbs, Allow C:\Scripts

6 Creating a Software Restriction Policy
- Administrative Privileges
- Software Restriction Policy Options
- Selecting Executables
- Trusted Publishers
- Default Security Levels and Exceptions

7 Administrative Privileges
The following users are allowed to create and manage software restriction policies:
- Local administrators for an individual computer
- Members of Domain Admins
- Members of Enterprise Admins
- Any user who has been delegated the permissions to create policies and manage links

8 Software Restriction Policy Options
- The options for software restriction policies enable you to limit the scope of the restrictions.
- Administrators can be exempt from the restrictions.

9 Selecting Executables
- The default extension types cover most forms of executable files.
- Custom extensions can be added.

10 Trusted Publishers
- Trusted publishers are entities whose code-signing certificates are trusted.
- The Trusted Publishers Properties dialog box can control who is able to manage the Trusted Publisher list.

11 Default Security Levels and Exceptions
- A software restriction policy is not enabled by default.
- A software restriction policy can be set to unrestricted or disallowed.
- Software restriction policies can be either user or computer policies.

12 Using Additional Rules to Help Identify Software
The rules used to identify software and software components include:
- Hash: A fingerprint of a file
- Certificate: A digital certificate provided by a manufacturer
- Path: The UNC path of where the file is located
- Zone: A defined Internet zone
Software rules are reviewed and applied in a specific order.

13 The Hash Rule
- Hash rules are easy to set up.
- An MD5 hash is generated based on a file you select.
- If that hash matches an application that a user attempts to run, it will be “disallowed” or “allowed” depending on the scenario.

14 The Certificate Rule
- The certificate rule is potentially the most secure.
- Creating and using a certificate rule is more complex.
- The Microsoft code-signing tools are needed to apply a signature to files.

15 The Path Rule
The path rule is very simple to configure, but easy to circumvent.

16 Software Rules Order of Precedence
Software rules are applied in the following order:
1. Hash rule
2. Certificate rule
3. Path rule
4. Zone rule
5. Default rule

17 What Makes an Effective Software Restriction Policy?
- Software Restriction Policy Characteristics
- Post-Deployment Considerations

18 Software Restriction Policy Characteristics
Characteristics of an effective software restriction policy are:
- An effective software restriction policy can be deployed only after careful planning and testing.
- The policy is best deployed closest to the end user.
- The software restriction policy should be created in a separate GPO.

19 Post-Deployment Considerations
- Monitor software restrictions for problems.
- Always deploy in a separate GPO.
- Be aware of conflicts between GPO settings and software restrictions.
- Software restrictions are inherited like all other GPO settings.
- Multiple software restriction policies that apply to a user or computer are cumulative.
Software

20 Using AppLocker in Windows 7 and Later
- AppLocker Features
- The AppLocker Console
- AppLocker Properties
- Creating the Default Rules
- Creating Executable Rules
- Enabling the AppLocker Client

21 AppLocker Features
- Applies to Windows 7 and later operating systems
- Publisher rules that are simpler and more powerful than the old certificate rules
- Simplified rule structure
- User rules for non-interactive logons
- Separate policies for .exe, .msi, scripts and .dlls
- Auditing mode
- Wizard for rule creation

22 The AppLocker Console
AppLocker is a new console within the GPO editor.

23 AppLocker Properties
Each type of rule can be enabled or disabled:
- Executable rules
- Windows Installer rules
- Script rules
- Packaged app rules
Each rule can be set to either:
- Enforce rules (prevents software from running)
- Audit Only (allows software to run but provides audit trail)

24 Creating the Default Rules
The Default Rules must be created in order to allow built-in Windows processes to run.

25 Creating Executable Rules
- Executable rules are configured the same as Windows Installer and Script rules.
- They can be allowed or denied and can be set to a particular group of users.

26 Choosing the Conditions
- The Conditions establish how the restriction is enforced: by Publisher, Path or File hash.
- The Publisher rule type is the most powerful and flexible.

27 Publisher Settings
- Publisher information is automatically extracted from the selected file.
- Values like the File Name and File Version can be set to a wildcard, allowing flexibility in enforcement.

28 Enabling the AppLocker Client
- The Application Identity service must be running on clients.
- This can be enabled through a Group Policy as a System Service restriction.
- Place this GPO on OUs that contain client machines to be restricted with AppLocker.
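The AppLocker settings covered in slides 23 to 28 (enforcement mode per rule type, the default rules, the Application Identity service) can be checked from PowerShell. This is an added example, not part of the original slides: the policy XML is constructed sample data, and the `%WINDIR%` test is this example's own heuristic for spotting missing default rules.

```powershell
# Added example. $samplePolicy is constructed data; on a live client use instead:
#   [xml]$policy = Get-AppLockerPolicy -Effective -Xml
[xml]$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Sample: allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Sample: allow C:\Scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="C:\Scripts\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
'@

function Get-AppLockerCollectionReport {
    param([Parameter(Mandatory)][xml]$Policy)
    foreach ($c in $Policy.AppLockerPolicy.RuleCollection) {
        $rules = @($c.SelectNodes('*'))
        $allow = @($rules | Where-Object { $_.Action -eq 'Allow' })
        # Heuristic assumed by this example: the default rules include an
        # Allow path rule rooted at %WINDIR%.
        $windowsAllowed = [bool]($allow |
            Where-Object { $_.Conditions.FilePathCondition.Path -like '%WINDIR%*' })
        $finding = if ($c.EnforcementMode -eq 'AuditOnly') {
            'Audit only: would-be blocks are logged, nothing is stopped'
        } elseif ($rules.Count -eq 0) {
            'No rules in collection: these file types are not restricted'
        } elseif (-not $windowsAllowed) {
            'Rules enforced without a %WINDIR% allow rule: create the default rules'
        } else {
            'Rules enforced'
        }
        [pscustomobject]@{
            Collection = $c.Type; Mode = $c.EnforcementMode
            Rules = $rules.Count; Finding = $finding
        }
    }
}

Get-AppLockerCollectionReport -Policy $samplePolicy | Format-Table -AutoSize -Wrap

# The Application Identity service must be running for any of this to apply:
#   Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

With the sample data, the Script collection is the one flagged: it is enforced with a single allow rule for C:\Scripts and nothing covering the Windows folder.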

29 Summary
Software restriction policies monitor and control hostile code that is introduced through e-mail or scripts on, or downloaded from, Web pages that are visited by the client.
Software policies have the following characteristics:
- They specify which applications can or cannot be run.
- They can be applied to local computers, sites, domains, or OUs.
- They are created using the Group Policy MMC.
- They define the rules of your company regarding which of the software applications and components that are used on a daily basis should be trusted.
- They allow you to define which potentially dangerous software components and executables you should monitor and control.

30 Summary (cont.)
You can create a software restriction policy for a local computer or for a domain-based computer.
To create a policy for a local computer, you must be the local administrator of the local computer system or have been delegated administrative permissions.
To create a policy for a local computer:
1. Log on locally as administrator and select Administrative Tools menu, Local Security Policy.
2. Navigate to Computer Settings, Security Settings, and Software Restriction Policies.
3. Select the software restriction policy options using the following dialog boxes:
   - Enforcement Properties
   - Designated File Types Properties
   - Trusted Publishers Properties

31 Summary (cont.)
To create a policy for a domain-based computer, you must be a member of the Domain Admins or Enterprise Admins group if the computer has been joined to an Active Directory domain.
To create a policy for a site, domain, or OU:
1. Log on to the domain as Domain Admin or Enterprise Admin.
2. Open GPMC.
3. Select the site, domain, or OU that holds the workstations or member servers where a policy will be applied.
4. Create a new GPO for the policy that will be applied, and open it.
5. Navigate to Computer Settings, Policies, Security Settings, and Software Restriction Policies.
6. Select the software restriction policy options using the following dialog boxes:
   - Enforcement Properties
   - Designated File Types Properties
   - Trusted Publishers Properties

32 Summary (cont.)
The default security settings for software restriction policies are:
- By default a software restriction policy is not enabled.
- The two conditional modes are:
   - Unrestricted
   - Disallowed
- Software restriction policies can be either user or computer policies.
You can apply the following additional rules to software restriction policies:
- Hash rule: A fingerprint of a file.
- Certificate rule: A digital certificate provided by a manufacturer.
- Path rule: The UNC path of where the file is located.
- Zone rule: A defined Internet zone.

33 Summary (cont.)
An effective software restriction policy must have the following characteristics:
- An effective software restriction policy can be deployed only after careful planning and testing.
- The policy is best deployed closest to the end user.
- It should be created in a separate GPO.

34 Summary (cont.)
AppLocker Features (Feature: Description)
- Powerful Publisher Rules: AppLocker can create a rule for a product name. This eliminates the need to regenerate the hash rule for every update of an application. The rule can be based upon publisher, product name, file name, or version. The information that the rule is based on is taken from the digital signature of the application.
- Rules Processing Structure: AppLocker removes the complex precedence rules for different rule types. All Deny rules take precedence over Allow rules.
- User Rules for Noninteractive Logons: A help desk administrator who is remotely administering a user's desktop will have the rules enforced whether he or she is interactively logged on or not.
- Separate Policies for .exe Files, .msi Files, Scripts, and DLLs: Executable rules apply to executable code; path rules created for executable programs will not be applied to DLLs. You must create a DLL rule to control DLL behavior.
- Auditing Mode: An audit-only mode can be enabled to watch or track the AppLocker process without actually blocking access to files.
- Wizard for Rule Creation: The wizard generates rules that will allow all applications in a specified folder to run.
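The two conflict-resolution models in this deck, the software restriction policy order of precedence (slide 16) and AppLocker's "Deny over Allow" (the Rules Processing Structure row above), give opposite answers for the same pair of matching rules. The sketch below is an added example, not part of the original slides: it is a simplified model with constructed rule data, the function names are hypothetical, and the implicit deny when no AppLocker rule matches is this example's assumption about a collection that already contains rules.

```powershell
# Added example: simplified decision models; all rule data below is constructed.
$srpOrder = 'Hash', 'Certificate', 'Path', 'Zone', 'Default'   # order from slide 16

function Resolve-SrpLevel {
    # SRP: the matching rule whose type comes first in $srpOrder decides.
    param([object[]]$MatchingRules)
    $winner = $MatchingRules |
        Sort-Object { [array]::IndexOf($srpOrder, $_.Type) } |
        Select-Object -First 1
    '{0} ({1} rule)' -f $winner.Level, $winner.Type
}

function Resolve-AppLockerAction {
    # AppLocker: rule type does not matter; any matching Deny beats every Allow.
    param([object[]]$MatchingRules)
    if ($MatchingRules.Action -contains 'Deny') { 'Deny' }
    elseif ($MatchingRules.Action -contains 'Allow') { 'Allow' }
    else { 'Deny (no allow rule matched)' }   # assumption: collection has rules
}

# One file matched by a restrictive path rule and a permissive hash rule.
$srpMatches = @(
    [pscustomobject]@{ Type = 'Path'; Level = 'Disallowed' }
    [pscustomobject]@{ Type = 'Hash'; Level = 'Unrestricted' }
)
$appLockerMatches = @(
    [pscustomobject]@{ Type = 'Path'; Action = 'Deny' }
    [pscustomobject]@{ Type = 'Hash'; Action = 'Allow' }
)

Resolve-SrpLevel -MatchingRules $srpMatches
Resolve-AppLockerAction -MatchingRules $appLockerMatches
```

Under the SRP model the hash rule decides and the file runs; under the AppLocker model the deny rule decides and the file is blocked, which matters when migrating exception-style hash rules from one product to the other.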

35 Knowledge Check
1. Software restriction policies have the following characteristics: (Choose all that apply.)
   a. They can be applied to local computers, sites, domains, or OUs.
   b. They specify which applications can or cannot be run.
   c. They specify which users can or cannot log on.
   d. They are created using the Group Policy MMC.
2. What are software restriction policies?
   Policies that monitor and control hostile code that is introduced through e-mail or scripts on, or downloaded from, Web pages that are visited by the client.

36 Knowledge Check (cont.)
3. Describe the following AppLocker features:
   - Auditing mode: An audit-only mode can be enabled to watch or track the AppLocker process without actually blocking access to files.
   - Publisher rules: AppLocker can create a rule for a product name. This eliminates the need to regenerate the hash rule for every update of an application. The rule can be based upon publisher, product name, file name, or version. The information that the rule is based on is taken from the digital signature of the application.

37 Knowledge Check (cont.)
4. Which dialog boxes are used to select software restriction policy options? (Choose all that apply.)
   a. Restriction Properties
   b. Enforcement Properties
   c. Designated File Types Properties
   d. Trusted Publishers Properties

38 Knowledge Check (cont.)
5. Describe each of the following additional rules that you can apply to software restriction policies:
   - Hash: A fingerprint of a file.
   - Certificate rule: A digital certificate provided by a manufacturer.
   - Zone rule: A defined Internet zone.
   - Path rule: The UNC path of where the file is located.

