How to Use Windows AppLocker to Prevent Cyberattacks
When we talk about system security we often hear the term whitelist. But have you wondered what it is and how it helps? The term whitelist was first used in 1884 and refers to a list of trusted entities: trusted email senders, systems allowed by their MAC address, trusted applications that may run on a system, and so on.
As the number of cyber-attacks has grown, it has become essential to differentiate between malicious and clean files. Microsoft has always tried to protect its users by offering various security features. Since the launch of Windows 7 it has included a feature for application whitelisting called Windows AppLocker.
This article explains what the feature is, how it can be configured and what its benefits are. Let's dive into the details.
Advantages of Whitelisting
Most of you have heard the term whitelisting, but we bet few have tried to understand how it works. Using it is not that difficult, but maintaining it over the years can be quite a task. That does not erase its benefits: implemented properly, it is definitely worth it.
If you are one of the few who know about it and have already removed local administrator rights from end users, thumbs up! That is indeed a solid step towards securing your systems. But things do not end there: to secure your workstations you need to do more.
Why? These days you may find applications that detect whether you are a local admin. If you are not, they offer to finish the installation without local admin rights.
If an end user without local admin rights can install such an application, so can an attacker. This is where application whitelisting comes in and stops it from happening.
How to Configure AppLocker?
First things first: if you are using the Enterprise edition, AppLocker is already licensed. That means you only need to configure the basic settings.
Before configuring, check these prerequisites:
1. Check that you are using the Enterprise edition of Windows 7 or higher. To do so, right-click My Computer and select Properties from the context menu. This opens a window with all the information.
2. Next, since AppLocker is configured using Group Policy, check that the machine is part of an Active Directory domain. To do so, right-click My Computer and select Properties from the context menu. This opens a window with all the information.
If everything is in order, you can proceed.
3. Now create a Group Policy Object linked to the systems to which you want to apply the AppLocker policies. Refer to the screenshot below for further clarification:
4. Under this Group Policy you configure how AppLocker should behave. The AppLocker settings are found under "Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Application Control Policies".
AppLocker rules are divided into 5 rule collections; you can create rules for:
- Executables
- MSI installers (Windows Installer)
- Scripts
- Packaged Apps
- DLLs
5. Next, open the properties by right-clicking the AppLocker node and set the enforcement mode for the rules you want to implement: either Enforce rules or Audit only. Once you have decided which to use, start configuring the rules.
If you are doing this for the first time, choose Audit only and start with the Default rules. After choosing Default rules the window will look like the screenshot below:
You are almost there; the last thing you need to configure in Group Policy is the Application Identity service.
To do this within the same Group Policy, go to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ System Services \ Application Identity and set it to Automatic. There you are: AppLocker is set up with the basic settings.
Note: If you have selected Audit only, you can review the logs in Windows Event Viewer under Applications and Services Logs \ Microsoft \ Windows \ AppLocker. Also note that the default rules ensure that only files located under C:\Program Files, C:\Program Files (x86) and C:\Windows will run. This is the most secure way to ensure your system is protected: if malware is dropped under AppData, AppLocker will prevent it from running, but only once you switch to Enforce rules after reviewing the logs.
Alternatively, you can trust an application by its digital signature. To do this, create a publisher rule and then define the new rule under the relevant section.
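The review step above (reading the Audit only logs before switching to Enforce rules, and deciding which signed programs deserve a publisher rule) is easier from PowerShell than from Event Viewer. The following snippet is an added example, not code from the original article; it assumes an elevated PowerShell on a machine with the audit-mode policy and the Application Identity service running, and the standard AppLocker event layout (a RuleAndFileData element carrying FilePath, FileHash, Fqbn and TargetUser, with event IDs 8003/8006 for "allowed, but would have been blocked" and 8004/8007 for "blocked").

```powershell
# Added example (not from the article): summarise AppLocker audit-mode events so
# the "would have been blocked" list can be reviewed before enabling Enforce rules.
# Assumption: run elevated; policy in Audit only; Application Identity service running.

# Event IDs: 8003 (EXE/DLL) and 8006 (MSI/Script) = allowed, but would be blocked under Enforce
#            8004 (EXE/DLL) and 8007 (MSI/Script) = actually blocked (Enforce mode)
$auditIds = 8003, 8006
$blockIds = 8004, 8007
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'

function Get-AppLockerDecision {
    param([int[]]$Id, [datetime]$Since = (Get-Date).AddDays(-7))
    foreach ($log in $logs) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Id; StartTime = $Since } `
                               -ErrorAction SilentlyContinue   # no events => no error
        foreach ($e in $events) {
            # AppLocker stores its details in the UserData/RuleAndFileData element (assumed layout).
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Log       = $log.Split('/')[1]
                EventId   = $e.Id
                User      = $d.TargetUser        # SID of the user who ran the file
                FilePath  = $d.FilePath          # uses AppLocker variables such as %OSDRIVE%
                Hash      = $d.FileHash
                Publisher = $d.Fqbn              # fully qualified binary name; '-' if unsigned
            }
        }
    }
}

# 1. Audit hits grouped by path: each unexpected program shows up once, with who ran it.
$wouldBlock = Get-AppLockerDecision -Id $auditIds
$wouldBlock | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 2. Signed files among the hits, grouped by publisher: candidates for a publisher rule
#    instead of a path rule (unsigned files are excluded and need a hash or path decision).
$wouldBlock | Where-Object { $_.Publisher -and $_.Publisher -ne '-' } |
    Group-Object { ($_.Publisher -split '\\')[0] } |   # first segment is the publisher name
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 3. Anything already blocked (only populated once a collection is set to Enforce rules).
Get-AppLockerDecision -Id $blockIds | Select-Object Time, Log, User, FilePath | Format-Table -AutoSize
```

Paths in the output keep AppLocker's own variables (%OSDRIVE%, %PROGRAMFILES%), which is exactly the form a path rule expects; a hit under %OSDRIVE%\Users\...\AppData is the case the Note above describes.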
Once you have followed these steps you are all set and your system is protected. In my opinion application whitelisting is an important step that shouldn't be ignored. We need to control what runs on our own and our clients' machines; stopping unwanted things from running ensures security. I hope you will give it a try to add an additional layer of security.