App locker
36
Eliminating Malware, Inappropriate Eliminating Malware, Inappropriate Software, and Most IT Problems Software, and Most IT Problems with AppLocker with AppLocker Greg Shields, MVP, Greg Shields, MVP, vExpert vExpert Head Geek, Concentrated Technology www.ConcentratedTech.com
-
Upload
concentrated-technology -
Category
Technology
-
view
1.277 -
download
4
description
Transcript of App locker
Eliminating Malware, Inappropriate Eliminating Malware, Inappropriate Software, and Most IT Problems with Software, and Most IT Problems with AppLockerAppLocker
Greg Shields, MVP, vExpertGreg Shields, MVP, vExpertHead Geek, Concentrated Technologywww.ConcentratedTech.com
This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it
within your own organization however you like.
For more information on our company, including information on private classes and upcoming conference appearances, please
visit our Web site, www.ConcentratedTech.com.
For links to newly-posted decks, follow us on Twitter:@concentrateddon or @concentratdgreg
This work is copyright ©Concentrated Technology, LLC
AgendaAgenda
Part I: Today’s IT is All Backwards. AppLocker Puts the Horse Before the Cart.– Discuss: What security tools are you using
today?
– Discuss: How then could you protect yourself against something you know nothing about?
– Discuss: So, was this guy crazy, or brilliant?
Part II: Implementing AppLocker (without Completely Screwing Up Your Network!)
3
DISCUSS: What SecurityDISCUSS: What SecurityTools are You Using Today?Tools are You Using Today?
What types of products do youuse today to keep your systemssecure?
Do they work?
When do they fail?
4
Part I: TodayPart I: Today’’s IT Security iss IT Security isAll Backwards. AppLocker PutsAll Backwards. AppLocker Putsthe the HorseHorse Before the Before the CartCart..
Anti-Virus, Anti-Malware,Anti-Virus, Anti-Malware,Anti-Oh My!Anti-Oh My!
We in IT are always looking for the “anti-” solution for protecting our computers.– Anti-virus “protects” us against viruses.
– Anti-malware “protects” us against malware.
– Firewalls “protect” us against incoming worms.
These have been great solutions for years, and are used by nearly 100% of environments.– But, in a way, they’re all backwards.
6
Anti-Virus, Anti-Malware,Anti-Virus, Anti-Malware,Anti-Oh My!Anti-Oh My!
Browser-based attacks, worms, viruses, there’s a common thread in virtually all forms of malware…
Their code has to be processed if it is to run!
This begs the question:
“If virtually all malware requires processing to be dangerous, could I protect myself by simply preventing that processing from occurring in the first place?”
7
The Dreaded Zero-DayThe Dreaded Zero-Day
Let’s look at this a different way:
“POSIT: You cannot protect yourself against the dreaded zero-day attack.”
8
The Dreaded Zero-DayThe Dreaded Zero-Day
Let’s look at this a different way:
“POSIT: You cannot protect yourself against the dreaded zero-day attack.”
Reasons for this include:– A zero-day means that the attack arrives before the
protection from that attack arrives.– Signature- and even heuristic-based solutions require…
well…signatures and heuristics.– The time distance between vulnerability and attack must
be exceptionally short.– Secrecy is critically important. Yet “no-algorithm-secrec
y ” is also one of the tenets of cryptography. Bad.
DISCUSS: So How Then CouldDISCUSS: So How Then CouldYou Protect Yourself AgainstYou Protect Yourself AgainstSomething You Know Nothing About?Something You Know Nothing About?
What are the protections against the zero-day?– You can’t write a signature…
– You can’t define a heuristic…
Are your security vendorsreally just taking your money?
10
AppLocker Changes the MindsetAppLocker Changes the Mindset
With AppLocker, you no longer care about signatures or heuristics.– You care about what you’ve specifically allowed to run.– …and you don’t care about everything else.
AppLocker creates an environment of “approved execution” for many types of code.– Executable files (.exe and .com)– Scripts (.js, .ps1, .vbs, .cmd, and .bat)– Windows Installer files (.msi and .msp)– DLL files (.dll and .ocx)
Blacklisting, the Blacklisting, the ““OldOld”” Way Way
Most anti-Anything solutions are examples of blacklisting.– “I don’t want the following code to execute on my
system.”
Blacklisting, the Blacklisting, the ““OldOld”” Way Way
Most anti-Anything solutions are examples of blacklisting.– “I don’t want the following code to execute on my
system.”
With blacklisting solutions, you must constantly update the blacklist with those applications which shouldn’t run.– Viruses shouldn’t run
– Malware shouldn’t run
– Browser Helper Objects shouldn’t run
– Bad applications shouldn’t run
Blacklisting, the Blacklisting, the ““OldOld”” Way Way
Anti-Anything solutions are examples of blacklisting.– “I don’t want the following code to execute on my
system.”
With blacklisting solutions, you must constantly update the blacklist with those applications which shouldn’t run.– Viruses shouldn’t run
– Malware shouldn’t run
– Browser Helper Objects shouldn’t run
…but the problem arrives when someone writes a piece of code that you haven’t seen before.
Now, you have to figure out what it is and what it does so you can prevent it.
Whitelisting, the Whitelisting, the ““NewNew”” Way Way
With whitelisting, you instead identify which executables are allowed to run on your systems.– Does this sound like a hard thing to do?
Whitelisting, the Whitelisting, the ““NewNew”” Way Way
With whitelisting, you instead identify which executables are allowed to run on your systems.– Does this sound like a hard thing to do?Hey Greg:
Tell the story now about
that one guy at your very
first TechMentor!
You know, the guy who
needed to personally
approve every application!
DISCUSS: So, was this guyDISCUSS: So, was this guycrazy, or brilliant?crazy, or brilliant?
This fellow IT Professional at my first TechMentor, the one who needed to approve each application…
…was this draconian…? …or early brilliance…?
17
Whitelisting, the Whitelisting, the ““NewNew”” Way Way
With whitelisting, you will specify the executables and scripts which you’ve tested and approved.– Windows Installer and DLLs are also possible, but
very, very challenging (and a performance hit).
– New malware will likely never get executed in your environment, because it can’t.
Interestingly enough:AppLocker’s older brother “Software Restriction Policies” highlighted both
blacklisting and whitelisting.
With Applocker, focus on the white.
Whitelisting, the Whitelisting, the ““NewNew”” Way Way
Also good for…– “Not-quite-malware”. You know, those stupid
apps that users install that invariably self-destruct their system.
– License assurance. You won’t get hit with a license violation for software you didn’t approve, because it can’t run.
– Version assurance. Versions that you haven’t specifically approved won’t run. Thus, users who can’t or won’t upgrade (or accept WSUS updates) can’t run software until they do.
Some will argue that these are even more exciting than anti-malware!
DEMO: Timeout for a QuickDEMO: Timeout for a Quick““Where is AppLockerWhere is AppLocker”” Demo. Demo.
Let’s take a quick spin through AppLocker.– So you can get familiarized with it before moving
on.
20
Part II: Implementing AppLocker Part II: Implementing AppLocker (Without Completely Screwing Up Your (Without Completely Screwing Up Your Network!)Network!)
What you NeedWhat you Need
AppLocker has high-end requirements– Windows 7 Ultimate
– Windows 7 Enterprise
– Windows Server 2008 R2 Standard
– Windows Server 2008 R2 Enterprise
– Windows Server 2008 R2 Datacenter
– Group Policy to deploy rules.
– RSAT (GPMC) to create rules.
– A plan.(I love it when a plan comes together…)
22
The Plan.The Plan.
#1: Determine how to implement AppLocker
#2: Create a list of applications #3: Select the types of rules to create #4: Define the Group Policy structure and
rule enforcement #5: Create a process for managing rules #6: Document your AppLocker plan
23
#1: Determine How to#1: Determine How toImplement AppLockerImplement AppLocker
Determine whether interoperability with Software Restriction Policy is needed.– Necessary for down-level clients, those not at Windows 7 U or
E
Determine and document where to use AppLocker.– AppLocker might not be useful for all machines.
– Local administrators can change settings. Change policy for administrators?
Select whether to use “allow” actions only or “allow” and “deny”.
24
#2: Create a List of Applications#2: Create a List of Applications
Create an inventory of applications that are installed in different OUs.– Do it manually (bleh)
– Consider using “Automatically generate rules”(useful against golden images)
– Consider using “Audit only mode”. (nice!)
– Configure the Application Identity Service to start for computers in an OU.
– Enable Audit only mode.
– Forward logs (more about this in a sec).
25
Automatically Generate RulesAutomatically Generate Rules
26
#3: Select the Types of Rules#3: Select the Types of Rulesto Createto Create
Select which rule collections to use– Executable files– Windows Installer files– Scripts– DLLs
Select which rule conditions to use– Path Rules– File Hash Rules– Publisher Rules
Determine how to allow system files to run– Start by creating “Default Rules”
27
Rule ConditionsRule Conditions
Path Rules– Restrict based on name and location of the executable’s
file. Wildcards accepted.
File Hash Rules– Path rules are easy to bypass. Just change the filename or
file path to bypass the rule.
– File Hash Rules hash each file, making this impossible.
– Challenging when files change (as with updates).
Publisher Rules– Requires that files are signed, but these files are often
signed by their manufacturer.
– Sliding scale of Version, File Name, Product Name, & Publisher.
– Different files can have different scopes.28
Rule ConditionsRule Conditions
29
Default RulesDefault Rules Executable default rule types
– Allow members of the local Administrators group to run all applications.
– Allow members of the Everyone group to run applications that are located in the Windows folder.
– Allow members of the Everyone group to run applications that are located in the Program Files folder.
Windows Installer default rule types– Allow members of the local Administrators group to run all Windows Installer files.
– Allow members of the Everyone group to run digitally signed Windows Installer files.
– Allow members of the Everyone group to run all Windows Installer files located in the Windows\Installer folder.
Script default rule types– Allow members of the local Administrators group to run all scripts.
– Allow members of the Everyone group to run scripts located in the Program Files folder.
– Allow members of the Everyone group to run scripts located in the Windows folder.
DLL default rule types– Allow members of the local Administrators group to run all DLLs.
– Allow members of the Everyone group to run DLLs located in the Program Files folder.
– Allow members of the Everyone group to run DLLs located in the Windows folder.
#4: Define the Group Policy#4: Define the Group PolicyStructure and Rule EnforcementStructure and Rule Enforcement
Select enforcement settings for each OU. Determine rule and enforcement setting
inheritance in Group Policy.– Rule collections that are not configured will be
enforced.
– Group Policy does not overwrite or replace rules that are already present in a linked GPO.
– AppLocker processes the explicit deny rule configuration before the allow rule configuration.
– For rule enforcement, the last write to the GPO is applied.
31
#5: Create a Process for#5: Create a Process forManaging RulesManaging Rules
Document an end-user support policy for blocked applications.– Remember the guy at my first TechMentor. He had a
user policy for unblocking applications!
– Set a Support Page Link via Group Policy.
– Found in Policies | Administrative Tools | Windows Components | Windows Explorer | Support Web page URL
Determine whether to use event forwarding.– AppLocker events are stored under Applications and
Settings\Logs\Microsoft\Windows\AppLocker.
– Consider setting up event forwarding to collect events.
32
#6: Document the Plan#6: Document the Plan
I know, I know, we all hate to document.– But with something as powerful as this, wouldn’t
you want an offline copy…?
Document your AppLocker plan to use when deploying AppLocker and for future reference.
33
What if you DO Screw Up?What if you DO Screw Up?
Advice: Don’t.– AppLocker does not provide a way to undo an
action.
– However, there is a slight delay in the application of policies, so you can change your rules if you still have the AppLocker snap-in open.
– The policy will take some time to propagate to a client computer that is joined to a domain
– So you might be able delete the erroneous rules and create the correct ones before the policy is applied.
34
This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it
within your own organization however you like.
For more information on our company, including information on private classes and upcoming conference appearances, please
visit our Web site, www.ConcentratedTech.com.
For links to newly-posted decks, follow us on Twitter:@concentrateddon or @concentratdgreg
This work is copyright ©Concentrated Technology, LLC
