Eliminating Malware, Inappropriate Eliminating Malware, Inappropriate Software, and Most IT Problems with Software, and Most IT Problems with AppLockerAppLocker

Greg Shields, MVP, vExpertGreg Shields, MVP, vExpertHead Geek, Concentrated Technologywww.ConcentratedTech.com

This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it

within your own organization however you like.

For more information on our company, including information on private classes and upcoming conference appearances, please

visit our Web site, www.ConcentratedTech.com.

For links to newly-posted decks, follow us on Twitter:@concentrateddon or @concentratdgreg

This work is copyright ©Concentrated Technology, LLC

AgendaAgenda

Part I: Today’s IT is All Backwards. AppLocker Puts the Horse Before the Cart.– Discuss: What security tools are you using

today?

– Discuss: How then could you protect yourself against something you know nothing about?

– Discuss: So, was this guy crazy, or brilliant?

Part II: Implementing AppLocker (without Completely Screwing Up Your Network!)

3

DISCUSS: What SecurityDISCUSS: What SecurityTools are You Using Today?Tools are You Using Today?

What types of products do youuse today to keep your systemssecure?

Do they work?

When do they fail?

4

Part I: TodayPart I: Today’’s IT Security iss IT Security isAll Backwards. AppLocker PutsAll Backwards. AppLocker Putsthe the HorseHorse Before the Before the CartCart..

Anti-Virus, Anti-Malware,Anti-Virus, Anti-Malware,Anti-Oh My!Anti-Oh My!

We in IT are always looking for the “anti-” solution for protecting our computers.– Anti-virus “protects” us against viruses.

– Anti-malware “protects” us against malware.

– Firewalls “protect” us against incoming worms.

These have been great solutions for years, and are used by nearly 100% of environments.– But, in a way, they’re all backwards.

6

Anti-Virus, Anti-Malware,Anti-Virus, Anti-Malware,Anti-Oh My!Anti-Oh My!

Browser-based attacks, worms, viruses, there’s a common thread in virtually all forms of malware…

Their code has to be processed if it is to run!

This begs the question:

“If virtually all malware requires processing to be dangerous, could I protect myself by simply preventing that processing from occurring in the first place?”

7

The Dreaded Zero-DayThe Dreaded Zero-Day

Let’s look at this a different way:

“POSIT: You cannot protect yourself against the dreaded zero-day attack.”

8

The Dreaded Zero-DayThe Dreaded Zero-Day

Let’s look at this a different way:

“POSIT: You cannot protect yourself against the dreaded zero-day attack.”

Reasons for this include:– A zero-day means that the attack arrives before the

protection from that attack arrives.– Signature- and even heuristic-based solutions require…

well…signatures and heuristics.– The time distance between vulnerability and attack must

be exceptionally short.– Secrecy is critically important. Yet “no-algorithm-secrec

y ” is also one of the tenets of cryptography. Bad.

DISCUSS: So How Then CouldDISCUSS: So How Then CouldYou Protect Yourself AgainstYou Protect Yourself AgainstSomething You Know Nothing About?Something You Know Nothing About?

What are the protections against the zero-day?– You can’t write a signature…

– You can’t define a heuristic…

Are your security vendorsreally just taking your money?

10

AppLocker Changes the MindsetAppLocker Changes the Mindset

With AppLocker, you no longer care about signatures or heuristics.– You care about what you’ve specifically allowed to run.– …and you don’t care about everything else.

AppLocker creates an environment of “approved execution” for many types of code.– Executable files (.exe and .com)– Scripts (.js, .ps1, .vbs, .cmd, and .bat)– Windows Installer files (.msi and .msp)– DLL files (.dll and .ocx)

Blacklisting, the Blacklisting, the ““OldOld”” Way Way

Most anti-Anything solutions are examples of blacklisting.– “I don’t want the following code to execute on my

system.”

Blacklisting, the Blacklisting, the ““OldOld”” Way Way

Most anti-Anything solutions are examples of blacklisting.– “I don’t want the following code to execute on my

system.”

With blacklisting solutions, you must constantly update the blacklist with those applications which shouldn’t run.– Viruses shouldn’t run

– Malware shouldn’t run

– Browser Helper Objects shouldn’t run

– Bad applications shouldn’t run

Blacklisting, the Blacklisting, the ““OldOld”” Way Way

Anti-Anything solutions are examples of blacklisting.– “I don’t want the following code to execute on my

system.”

With blacklisting solutions, you must constantly update the blacklist with those applications which shouldn’t run.– Viruses shouldn’t run

– Malware shouldn’t run

– Browser Helper Objects shouldn’t run

…but the problem arrives when someone writes a piece of code that you haven’t seen before.

Now, you have to figure out what it is and what it does so you can prevent it.

Whitelisting, the Whitelisting, the ““NewNew”” Way Way

With whitelisting, you instead identify which executables are allowed to run on your systems.– Does this sound like a hard thing to do?

Whitelisting, the Whitelisting, the ““NewNew”” Way Way

With whitelisting, you instead identify which executables are allowed to run on your systems.– Does this sound like a hard thing to do?Hey Greg:

Tell the story now about

that one guy at your very

first TechMentor!

You know, the guy who

needed to personally

approve every application!

DISCUSS: So, was this guyDISCUSS: So, was this guycrazy, or brilliant?crazy, or brilliant?

This fellow IT Professional at my first TechMentor, the one who needed to approve each application…

…was this draconian…? …or early brilliance…?

17

Whitelisting, the Whitelisting, the ““NewNew”” Way Way

With whitelisting, you will specify the executables and scripts which you’ve tested and approved.– Windows Installer and DLLs are also possible, but

very, very challenging (and a performance hit).

– New malware will likely never get executed in your environment, because it can’t.

Interestingly enough:AppLocker’s older brother “Software Restriction Policies” highlighted both

blacklisting and whitelisting.

With Applocker, focus on the white.

Whitelisting, the Whitelisting, the ““NewNew”” Way Way

Also good for…– “Not-quite-malware”. You know, those stupid

apps that users install that invariably self-destruct their system.

– License assurance. You won’t get hit with a license violation for software you didn’t approve, because it can’t run.

– Version assurance. Versions that you haven’t specifically approved won’t run. Thus, users who can’t or won’t upgrade (or accept WSUS updates) can’t run software until they do.

Some will argue that these are even more exciting than anti-malware!

DEMO: Timeout for a QuickDEMO: Timeout for a Quick““Where is AppLockerWhere is AppLocker”” Demo. Demo.

Let’s take a quick spin through AppLocker.– So you can get familiarized with it before moving

on.

20

Part II: Implementing AppLocker Part II: Implementing AppLocker (Without Completely Screwing Up Your (Without Completely Screwing Up Your Network!)Network!)

What you NeedWhat you Need

AppLocker has high-end requirements– Windows 7 Ultimate

– Windows 7 Enterprise

– Windows Server 2008 R2 Standard

– Windows Server 2008 R2 Enterprise

– Windows Server 2008 R2 Datacenter

– Group Policy to deploy rules.

– RSAT (GPMC) to create rules.

– A plan.(I love it when a plan comes together…)

22

The Plan.The Plan.

#1: Determine how to implement AppLocker

#2: Create a list of applications #3: Select the types of rules to create #4: Define the Group Policy structure and

rule enforcement #5: Create a process for managing rules #6: Document your AppLocker plan

23

#1: Determine How to#1: Determine How toImplement AppLockerImplement AppLocker

Determine whether interoperability with Software Restriction Policy is needed.– Necessary for down-level clients, those not at Windows 7 U or

E

Determine and document where to use AppLocker.– AppLocker might not be useful for all machines.

– Local administrators can change settings. Change policy for administrators?

Select whether to use “allow” actions only or “allow” and “deny”.

24

#2: Create a List of Applications#2: Create a List of Applications

Create an inventory of applications that are installed in different OUs.– Do it manually (bleh)

– Consider using “Automatically generate rules”(useful against golden images)

– Consider using “Audit only mode”. (nice!)

– Configure the Application Identity Service to start for computers in an OU.

– Enable Audit only mode.

– Forward logs (more about this in a sec).

25

Automatically Generate RulesAutomatically Generate Rules

26

#3: Select the Types of Rules#3: Select the Types of Rulesto Createto Create

Select which rule collections to use– Executable files– Windows Installer files– Scripts– DLLs

Select which rule conditions to use– Path Rules– File Hash Rules– Publisher Rules

Determine how to allow system files to run– Start by creating “Default Rules”

27

Rule ConditionsRule Conditions

Path Rules– Restrict based on name and location of the executable’s

file. Wildcards accepted.

File Hash Rules– Path rules are easy to bypass. Just change the filename or

file path to bypass the rule.

– File Hash Rules hash each file, making this impossible.

– Challenging when files change (as with updates).

Publisher Rules– Requires that files are signed, but these files are often

signed by their manufacturer.

– Sliding scale of Version, File Name, Product Name, & Publisher.

– Different files can have different scopes.28

Rule ConditionsRule Conditions

29

Default RulesDefault Rules Executable default rule types

– Allow members of the local Administrators group to run all applications.

– Allow members of the Everyone group to run applications that are located in the Windows folder.

– Allow members of the Everyone group to run applications that are located in the Program Files folder.

Windows Installer default rule types– Allow members of the local Administrators group to run all Windows Installer files.

– Allow members of the Everyone group to run digitally signed Windows Installer files.

– Allow members of the Everyone group to run all Windows Installer files located in the Windows\Installer folder.

Script default rule types– Allow members of the local Administrators group to run all scripts.

– Allow members of the Everyone group to run scripts located in the Program Files folder.

– Allow members of the Everyone group to run scripts located in the Windows folder.

DLL default rule types– Allow members of the local Administrators group to run all DLLs.

– Allow members of the Everyone group to run DLLs located in the Program Files folder.

– Allow members of the Everyone group to run DLLs located in the Windows folder.

#4: Define the Group Policy#4: Define the Group PolicyStructure and Rule EnforcementStructure and Rule Enforcement

Select enforcement settings for each OU. Determine rule and enforcement setting

inheritance in Group Policy.– Rule collections that are not configured will be

enforced.

– Group Policy does not overwrite or replace rules that are already present in a linked GPO.

– AppLocker processes the explicit deny rule configuration before the allow rule configuration.

– For rule enforcement, the last write to the GPO is applied.

31

#5: Create a Process for#5: Create a Process forManaging RulesManaging Rules

Document an end-user support policy for blocked applications.– Remember the guy at my first TechMentor. He had a

user policy for unblocking applications!

– Set a Support Page Link via Group Policy.

– Found in Policies | Administrative Tools | Windows Components | Windows Explorer | Support Web page URL

Determine whether to use event forwarding.– AppLocker events are stored under Applications and

Settings\Logs\Microsoft\Windows\AppLocker.

– Consider setting up event forwarding to collect events.

32

#6: Document the Plan#6: Document the Plan

I know, I know, we all hate to document.– But with something as powerful as this, wouldn’t

you want an offline copy…?

Document your AppLocker plan to use when deploying AppLocker and for future reference.

33

What if you DO Screw Up?What if you DO Screw Up?

Advice: Don’t.– AppLocker does not provide a way to undo an

action.

– However, there is a slight delay in the application of policies, so you can change your rules if you still have the AppLocker snap-in open.

– The policy will take some time to propagate to a client computer that is joined to a domain

– So you might be able delete the erroneous rules and create the correct ones before the policy is applied.

34

This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it

within your own organization however you like.

For more information on our company, including information on private classes and upcoming conference appearances, please

visit our Web site, www.ConcentratedTech.com.

For links to newly-posted decks, follow us on Twitter:@concentrateddon or @concentratdgreg

This work is copyright ©Concentrated Technology, LLC