Monday, January 5, 2015

Locking down software

software restriction policy

  • designed for legacy windows, (xp, earlier win2k8)
  • fairly east to bypass
  • all apps allowed by default
    • make specific restrictions


  • designed for win7/8, w2k8r2, win12 and greater
  • less easy to bypass
  • all apps denied by default
    • create default rules to run basic apps to preventing locking out of system

Check inidcates active status.

New path rule - can be bypassed by moving files to different path

Hash rule - application calculated hash. but hash changes for version changes.

Applocker (use with win 2008 R2/Win 7)

in a same policy, when both software restriction policy and applocker policy is used, software restrcition policy will be ignored.  use seperate polcies for each of them. for backward compatibility still need to use software restrictions.

first thing before enableing it is Create an "allow" rule to override the "deny all" default rule. Allows all windows and program files to run.

Although, enabled, applocker is not effect until rules and Application Identity Services on the workstation

Automatically create rules - scan for and allow to run installed apps. rules automatically generated. useful for programs outside of windows and program files folder.

Deny rule

deny running notepad,.exe but allow other apps to run

Enable the Application Identity Services

enable it in the same policy

or second option is to enable in the control panel services setting

finally, applocker policy takes time to take effect in contrast to other policy settings.

No comments:

Post a Comment