Currently I am working on a Citrix environment (XenApp 6.5) and we are implementing the application lockdown policy. This policy replaces the old Software restriction policy known in server 2003. The policy works in Windows 7 , Windows Server 2008 (R1 and R2).

First it's a computer policy so it needs to be placed in the OU where the servers are placed in. Now we create a new Policy and call it in this blog  'ApplicationControl Computer Policy'. Now right click on the 'ApplicationControl Computer Policy' and choose 'Edit' and now we can browse to the location where we can configure the policy.

Figure 1

application policy Figure 1.png

 

 

When you browsed to the part were the creation of the applocker takes place you can configure 3 parts:

  • Executable Rules
  • Windows Installer Rules
  • Script Rules

All come with a wizard to create standard ruleset's in most environments it's advised to use these. They will configure %programfiles% etc as part of the system where it's allowed to run programs from.

For the Windows Installer Rules it is usefull to run the wizard on the %programfiles% directory so it will find the msi files that are used with the program's installed on the server. Now a user can for example install the citrix client (user part mini setup). Otherwise you will get helpdesk call's that they cannot launch ica files from the server :)

Figure 2

 NOTE: to get the applocker policy working on a server the Identity Service must! run otherwise the policy will not work.

Now right clikc on the Executable Rules and choose 'automaticly generate rules'. This will automaticly create the rules and excludes after you select the folder where you have your programs installed in. (see Figure 4) Click Next to configure the way you want to scan the folder.

Figure 3

Figure 4

 

We have choosen in this blog to use 'path:Rules are created using file's path'. If you create hash files remember that everytime you change the file you have to recreate the hash!

Figure 5

Rules are now created after you get a analyses screen and you look what path's are created.You will also get a warning that default rules are not in the list for this rule choose YES to create them.

Figure 6

 

Now your Executable Rules will look like the example in Figure 7 you see it is set on 'Everyone'. From the field most administrators when creating policy they wil set a Deny apply policy in the advanced settings of a policy so they won't get the policy while logging on to a server as a administrator. This however doesn't work on these policy's. To get around it you need to set a group on the policy and then your done.

Figure 7

Enjoy creating applocker policy's, play with it in a test environment before implementing it in a production environment!! I found that setting a rule on %windir%\cmd.exe blocked the use of the cmd far better then using the policy that you are not allowed to start it. This also blocks cmd files in homedir etc and won't simply open the cmd executable!

Also because it's a computer policy select in the Details tab of the policy > GPO Status > User Configuration Settings disabled . this will speed up processing of your policy.

Hope you enjoyed reading this litle howto.

Update: If you are not sure what impact implementing these policyset will give in the organization simply put on auditing first with the basic rule sets and in the eventviewer (windows events > applocker) you will see all the exe's etc that would have been blocked by the policy. Then you can create a plan to implement the policy without a huge impact on your organization and helpdesk :)