Problem

AppLocker is application whitelisting technology that has been around since Windows 7 launched.  Whitelisting boils down to the locations users can write to.  That may be oversimplifying it, but I really think if you understand user-writeable directories, you can effectively block users from running software they shouldn’t be running.  Traditionally, AppLocker has been hard to implement and maintain for several reasons, most of which had to do with maintaining the ruleset and auditing machines in the environment for user-writeable directories.  Fortunately, someone at Microsoft had the idea to put together a toolkit to make things easier.  It is called AaronLocker and is maintained by Aaron Margosis from Microsoft.  It’s been around for a couple of years and although the GitHub repo isn’t updated all that often, it’s solid and can be used by anyone looking to pilot and deploy AppLocker in their own environment.

Normally, I would be hesitant to point people at a tool that is only maintained by one person, but Aaron works for Microsoft, hosts this in the Microsoft corporate GitHub, and I’ve seen it referenced by well-respected people in the Windows security community.

Solution

This project is hosted on GitHub at https://github.com/microsoft/AaronLocker .  I’m not going to get into how to install and use git to clone a repository.  There are plenty of resources available online for that.  I will however show how to quickly generate a ruleset once it is cloned to a machine and configured.  When starting with AppLocker, I recommend building a clean copy of the standard corporate image with core applications in a VM.  Use this as a development environment for quickly updating and generating new AppLocker rulesets with AaronLocker.  Don’t worry too much about all the apps in the environment.  Once you have a base audit ruleset configured and applied to machines, the next step is to setup Windows event forwarding to centralize the collection of AppLocker events.  If you apply the audit policy to enough machines, you’ll see what would be blocked if AppLocker is set to enforce mode.  There are scripts in AaronLocker to export the events to a .csv file or Excel workbook for quick review.

All of this together gets you an easy to maintain AppLocker environment with auditing and quick turn around on developing new rules.  This will greatly enhance the security of the environment without causing end users too much pain in their day to day work.

Here is the high-level process I normally work through when deploying AppLocker with AaronLocker:

  1. Clone the repository
  2. Download accesschk.exe from sysinternals
  3. Create a default policy set
  4. Understand the user writeable directories on the machine
  5. Understand known admins in the environment
  6. Build rules for unsafe paths
  7. Import the base ruleset in audit mode
  8. Configure windows event forwarding and collection

I’m not going to get into the step-by-step process for running AaronLocker here, because there is great documentation in Aaron’s repo and some great videos on YouTube.

X-Centric has great resources to help with AppLocker implementations, so please reach out if you are interested in having one of our consultants help jumpstart an implementation in your own environment.

For more information on AppLocker and AaronLocker, check out the resources below:

AaronLocker Repo – https://github.com/microsoft/AaronLocker

SysInternals Accescheck – https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

AppLocker Documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview

Justin Knash is the CTO of X-Centric and specializes in security, automation, cloud, and core Microsoft and Linux infrastrcucture.  Contact him via email at jknash@x-centric.com or on Twitter at @justinknash.