1
00:00:03,080 --> 00:00:07,190
So let's wrap up this module with a quick demo of the AppLocker policy.

2
00:00:08,090 --> 00:00:09,920
So I've created a GPO.

3
00:00:10,760 --> 00:00:15,110
Let me go ahead and edit it and drill into Windows Settings.

4
00:00:15,110 --> 00:00:16,160
Security Settings.

5
00:00:16,160 --> 00:00:18,070
Application Control Policies.

6
00:00:18,950 --> 00:00:19,970
AppLocker.

7
00:00:20,870 --> 00:00:24,380
And you'll see here my four different kinds of executable rules.

8
00:00:25,290 --> 00:00:29,100
I also have the ability to configure kind of global behavior.

9
00:00:30,060 --> 00:00:36,600
So for each rule I can configure whether the rules are enforced or whether the rules are just audited.

10
00:00:36,630 --> 00:00:38,130
As I had mentioned earlier.

11
00:00:39,020 --> 00:00:41,210
And that's a pretty straightforward thing to do.

12
00:00:41,210 --> 00:00:45,020
And I'm going to go ahead and configure executable rules to be enforced.

13
00:00:45,930 --> 00:00:49,470
And then I'm going to go ahead and create some executable rules.

14
00:00:50,400 --> 00:00:53,610
So the first thing I'm going to do is create default rules.

15
00:00:54,520 --> 00:00:59,140
And these default rules are those rules that I mentioned that essentially create a whitelist or an

16
00:00:59,140 --> 00:01:02,200
allow list for pretty much everything to execute by default.

17
00:01:03,130 --> 00:01:08,980
So anything in Program Files or underneath it, anything underneath Windows, and then anything for members

18
00:01:08,980 --> 00:01:12,550
of the built-in Administrators group anywhere are allowed to execute.

19
00:01:13,420 --> 00:01:18,670
And now what I'm going to do is create a rule that essentially prevents Notepad from running.

20
00:01:19,540 --> 00:01:21,820
So if I go in, I have some options.

21
00:01:22,760 --> 00:01:27,920
I can create a new rule manually or I can use the automatically generate rules wizard.

22
00:01:28,770 --> 00:01:34,440
And that will essentially scan a folder that contains executables and create rules dynamically for each

23
00:01:34,440 --> 00:01:35,670
of those executables.

24
00:01:36,570 --> 00:01:39,990
But we're going to go ahead and do the manual rule creation.

25
00:01:40,830 --> 00:01:46,950
And I can choose to allow or deny this particular executable or this particular process for a particular

26
00:01:46,950 --> 00:01:47,340
group.

27
00:01:48,200 --> 00:01:54,590
In this case, I'm going to say Everyone, and I can choose publisher, path, or file hash.

28
00:01:55,500 --> 00:01:58,440
In this case, I'm going to choose a specific path.

29
00:01:59,350 --> 00:02:01,150
And the path that I'm going to choose is

30
00:02:01,150 --> 00:02:02,380
C colon backslash

31
00:02:02,380 --> 00:02:06,220
Windows backslash System32 backslash notepad dot exe.

32
00:02:07,090 --> 00:02:11,830
I didn't choose file hash because the file hash for Notepad is going to be different on different

33
00:02:11,830 --> 00:02:12,940
versions of Windows.

34
00:02:13,840 --> 00:02:19,930
So if I'm authoring this rule on my Server 2012 R2 box and trying to apply it on a Windows 7 box,

35
00:02:20,050 --> 00:02:25,330
the file hash will likely not work because the file hash will have changed on Notepad between the different

36
00:02:25,330 --> 00:02:26,410
versions of Windows.

37
00:02:27,310 --> 00:02:31,930
And that's kind of one of the downsides of file hash: you sort of have to keep up with the different

38
00:02:31,930 --> 00:02:36,910
versions of each Windows, or of each version of an application, that you're creating a rule for.

39
00:02:37,860 --> 00:02:39,480
So now I've got my rule.

40
00:02:40,380 --> 00:02:46,920
I could add an exception based on either publisher, path, or file hash, but I'm not going to go ahead

41
00:02:46,920 --> 00:02:47,610
and do that.

42
00:02:48,480 --> 00:02:54,960
And I can enter a name, and I'll just say "Notepad denied" and create the rule.

43
00:02:55,820 --> 00:02:58,160
And now I've denied everyone the ability to run

44
00:02:58,160 --> 00:03:01,940
Notepad. Everyone, at least, that processes this policy.

45
00:03:02,810 --> 00:03:06,870
Now keep in mind again that this is under Computer Configuration.

46
00:03:06,920 --> 00:03:12,200
So this policy is being applied to computers, but it is paying attention to who the users are on those

47
00:03:12,200 --> 00:03:12,860
computers.

48
00:03:13,730 --> 00:03:19,190
In this case, this one applies to Everyone, but this one above it applies only to administrators that

49
00:03:19,190 --> 00:03:20,630
are logged on to that system.

50
00:03:21,500 --> 00:03:25,340
So hopefully that gives you a quick idea about how AppLocker works.

51
00:03:26,240 --> 00:03:31,010
By and large, I typically use this when I primarily use executable rules.

52
00:03:31,900 --> 00:03:35,920
There are very few scenarios where other types of rules really make sense.

53
00:03:36,880 --> 00:03:40,480
Script rules would be another area that you might consider using.

54
00:03:41,330 --> 00:03:46,910
But the bottom line is that executable rules is where most of the power is in terms of whitelisting

55
00:03:46,910 --> 00:03:47,870
and blacklisting.

56
00:03:48,740 --> 00:03:51,440
Now, keep in mind, if I wanted to blacklist.

57
00:03:52,360 --> 00:03:54,910
I'm sorry, if I wanted to create a whitelist.

58
00:03:55,000 --> 00:03:58,900
What I would do on these default rules is I would set all the actions to deny.

59
00:03:59,740 --> 00:04:04,840
So we would say everything in Program Files is denied and everything in Windows is denied.

60
00:04:05,680 --> 00:04:09,670
And then you would selectively allow other things that you want the user to do.

61
00:04:10,480 --> 00:04:13,990
And again, you can imagine how problematic that might be.

62
00:04:14,860 --> 00:04:20,230
But it is essentially the way that you can create a much more secure application whitelisting and application

63
00:04:20,230 --> 00:04:21,280
control policy.