As we have mentioned numerous times in our blog posts, your company’s biggest security vulnerabilities are its users. While security awareness training is a huge step in the right direction, it is not a foolproof plan to stop a user from opening a malicious attachment or browsing to a web address that serves malicious content. There are many tools that a security professional can use to help mitigate that risk. They range in price from reasonable to astronomical, as most software suites tend to do.
This blog post isn’t about those.
We’re focusing our efforts this week on an oft-overlooked tool that’s already in most of our environments, but for some reason isn’t being implemented. It’s an unfortunately obscure gem from the folks in Redmond called Microsoft Windows AppLocker.
Caveat: We at Alpine are NOT Microsoft fanbois. In fact, most of us use Macs for our day-to-day work. But we’re respectful of software as used for its intended purpose, and which does so effectively. And we’re also not one of those closed-minded wackadoos who thinks that no good code could possibly come out of the 98052 zip code. Keep an open mind, people…
What is AppLocker?
AppLocker is an application whitelisting/blacklisting capability for executable content on your users’ workstations. It has been around since Windows 7 (Enterprise and Ultimate editions) and Windows Server 2008 R2. It lets IT administrators create “allow” and “deny” rules for applications, scoped to users and/or groups, and deploy those rules through Group Policy. A rule can match a file by its publisher (the signing certificate), its path, or its hash. For instance, admins can allow members of a developers group to run their tools while preventing everyone else from running them. Note that rules are only evaluated while the Application Identity service (AppIDSvc) is running on the endpoint. AppLocker can help govern the execution of:
- Executable files (.exe, .com)
- Scripts (.js, .ps1, .vbs, .cmd, .bat)
- Windows Installer files (.msi, .msp, .mst)
- DLLs (.dll, .ocx); DLL rules are off by default, because every library load is then checked, which costs performance and needs many more rules
- Packaged apps and packaged app installers (.appx), on Windows 8 and later
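The following is an added example, not code from the original post or from Microsoft, showing what “allow” and “deny” rules scoped to users and groups actually look like, and how to evaluate them before applying anything. It uses the AppLocker PowerShell module that ships with Windows. The local group name `Developers`, the folder `C:\DevTools` and the copied sample binaries (`invoice.exe`, `updater.exe`, `build.exe`) are assumptions constructed for the demo; replace them with your own. Run it from an elevated PowerShell on a test machine.

```powershell
# Added example (not from the original post): build a small AppLocker policy with
# allow and deny rules, test it offline against a few files, then apply it in
# audit-only mode. Assumes a test machine, elevated PowerShell, and the
# hypothetical group "Developers" and folder C:\DevTools created below.
#Requires -RunAsAdministrator
Import-Module AppLocker

# 1. Rules are scoped by SID. Everyone is the well-known SID S-1-1-0. The developer
#    group is created here only so the example runs on a standalone machine
#    (New-LocalGroup needs the LocalAccounts module, Windows 10 / Server 2016+).
$everyone = 'S-1-1-0'
if (-not (Get-LocalGroup -Name 'Developers' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'Developers' -Description 'Demo group for AppLocker example' | Out-Null
}
$devSid = (Get-LocalGroup -Name 'Developers').SID.Value

# 2. Policy XML. One RuleCollection per file-type group (Exe, Script, Msi, Dll, Appx).
#    EnforcementMode="AuditOnly" logs what would be blocked without blocking it.
#    Once a collection is enforced, anything not matched by an Allow rule is blocked,
#    and an explicit Deny always wins over an Allow.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows Temp" Description="Windows\Temp is writable by standard users; Deny carves it out of the Allow above" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Developers may run DevTools" Description="" UserOrGroupSid="$devSid" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\DevTools\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Windows" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Program Files" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Developers may run DevTools scripts" Description="" UserOrGroupSid="$devSid" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\DevTools\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-demo.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# 3. Stage sample binaries (copies of cmd.exe, constructed for the demo) in the
#    locations the rules are meant to distinguish. Test-AppLockerPolicy needs real files.
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\DevTools" | Out-Null
$samples = @(
    "$env:USERPROFILE\Downloads\invoice.exe",   # downloaded payload: no rule allows it
    "$env:WINDIR\Temp\updater.exe",             # under Windows, but explicitly denied
    "$env:SystemDrive\DevTools\build.exe"       # allowed for Developers only
)
foreach ($p in $samples) { Copy-Item -Path "$env:WINDIR\System32\cmd.exe" -Destination $p -Force }
$paths = @("$env:WINDIR\System32\notepad.exe") + $samples

# 4. Evaluate the policy file for two identities before touching the live policy.
#    -User accepts a user or group name or SID.
foreach ($identity in 'Everyone', 'Developers') {
    "--- decisions for $identity ---"
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $paths -User $identity |
        Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
}
# Expected: notepad.exe Allowed for Everyone; invoice.exe Denied (no matching Allow);
# updater.exe Denied by the explicit Deny; build.exe Denied for Everyone, Allowed for Developers.

# 5. Apply to the local policy, still audit-only. With -Ldap you would target a GPO.
#    The Application Identity service must run or rules are never evaluated; on recent
#    Windows 10/11 builds Set-Service cannot change its start type, hence sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath (Join-Path $env:TEMP 'applocker-effective.xml')

# Clean up the sample binaries.
Remove-Item -Path $samples -Force
```

Path rules are the easiest to read but the weakest of the three match types, because anything a standard user can write under an allowed path becomes runnable; that is why the example denies `%WINDIR%\Temp`, and a production policy would carve out every user-writable subfolder of Windows the same way (or prefer publisher rules). The `Get-AppLockerPolicy -Effective` dump at the end is what to keep for review, since it shows the merged result of local and domain policy on that machine.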
Considerations and Shortcomings
- AppLocker is not a magic bullet! To be effective, it needs some time and attention, but it is time well spent. Building a true whitelist, where only the applications you specify are allowed to execute, takes real work: once a rule collection is enforced, anything you have not explicitly allowed is blocked, so you need a plan to make sure that the programs and Windows components your users depend on keep working. Thankfully, there are facilities for that. You can run AppLocker in “Audit only” mode for a while, which logs what it WOULD have blocked (event 8003 in the AppLocker “EXE and DLL” log, 8006 in the “MSI and Script” log) without actually blocking anything. Once you have captured the normal state and added rules for what you saw, you can switch the rule collections to enforced mode and be confident your users won’t be negatively impacted, just the bad guys.
- AppLocker also has a very specific set of file types that it can control, as mentioned above. This leaves out some things that you might otherwise want to control. For instance, you cannot control the execution of macros inside Microsoft Office documents, which are a popular malware delivery vector, including for ransomware. Thankfully, you can use other group policies (the Office administrative templates) to handle macro execution, for example blocking macros in files that came from the Internet while still allowing digitally signed macros from trusted publishers. The trick again is allowing your users to do what they actually NEED to get done with macros while nixing the baddies. This may require some software development and buy-in from business management.
- Users running as a local administrator are not effectively constrained by AppLocker. The rules can technically be applied to administrators, but the default rule set created by the wizard allows the Administrators group to run everything, and even without that rule a local admin can edit the local policy or stop the Application Identity service. This is mitigated because NO ONE SHOULD BE RUNNING AS THE LOCAL ADMINISTRATOR. RIGHT?
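The audit-then-enforce loop from the first consideration above, as an added example that is not code from the original post or from Microsoft. It assumes a policy has already been applied in “Audit only” mode (locally, or via GPO) and has been running long enough to capture normal use, and that you are in an elevated PowerShell. The 14-day window and the file names under `%TEMP%` are assumptions.

```powershell
# Added example (not from the original post): review what AppLocker would have
# blocked during an audit period, turn the reviewed list into Allow rules, and
# only then flip the rule collections from AuditOnly to Enabled.
#Requires -RunAsAdministrator
Import-Module AppLocker

$exeLog    = 'Microsoft-Windows-AppLocker/EXE and DLL'
$scriptLog = 'Microsoft-Windows-AppLocker/MSI and Script'

# 1. Summarise the audit window by event ID.
#    8002/8005 = allowed, 8003/8006 = allowed but WOULD be blocked, 8004/8007 = blocked.
$since  = (Get-Date).AddDays(-14)                      # assumed audit window
$events = Get-WinEvent -FilterHashtable @{ LogName = $exeLog, $scriptLog; StartTime = $since } `
                       -ErrorAction SilentlyContinue    # Get-WinEvent errors when nothing matches
$events | Group-Object -Property Id | Sort-Object -Property Name |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 2. Pull file information for everything that was only audited, i.e. what users
#    ran that no rule covers. Each object carries Path, Publisher (if signed) and Hash.
$audited = @(Get-AppLockerFileInformation -EventLog -LogPath $exeLog    -EventType Audited) +
           @(Get-AppLockerFileInformation -EventLog -LogPath $scriptLog -EventType Audited)
"Distinct audited files: $(@($audited | Select-Object -ExpandProperty Path -Unique).Count)"
$audited | Select-Object Path, Publisher | Sort-Object -Property Path -Unique | Format-Table -AutoSize

# 3. Generate Allow rules for the REVIEWED list: a Publisher rule where the file is
#    signed, a Hash rule otherwise. Read the XML before merging; do not wholesale-allow
#    everything that happened to run during the audit, the malware you are after shows
#    up in this list too.
$allowXml = Join-Path $env:TEMP 'applocker-audit-allow.xml'
if ($audited.Count -gt 0) {
    New-AppLockerPolicy -FileInformation $audited -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix 'Audit' -Optimize -IgnoreMissingFileInformation -Xml |
        Set-Content -Path $allowXml -Encoding UTF8
    # -Merge adds these rules to the existing local policy instead of replacing it.
    # Target a GPO instead with -Ldap "LDAP://<dc>/CN={<gpo-guid>},CN=Policies,CN=System,DC=..."
    Set-AppLockerPolicy -XmlPolicy $allowXml -Merge
}

# 4. After a further audit window with no unexpected 8003/8006 events, switch every
#    collection that is still AuditOnly to Enabled and re-apply the policy.
[xml]$policy = Get-AppLockerPolicy -Local -Xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    if ($rc.EnforcementMode -eq 'AuditOnly') { $rc.EnforcementMode = 'Enabled' }
}
$enforcePath = Join-Path $env:TEMP 'applocker-enforce.xml'
$policy.Save($enforcePath)
Set-AppLockerPolicy -XmlPolicy $enforcePath
gpupdate.exe /target:computer /force | Out-Null

# 5. Keep watching: from now on 8004/8007 are real blocks, and a spike in them after a
#    software update usually means a publisher rule needs widening, not that users are bad.
Get-WinEvent -FilterHashtable @{ LogName = $exeLog, $scriptLog; Id = 8004, 8007; StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Step 3 is where the judgement lives: `New-AppLockerPolicy` will happily write a hash rule for whatever ran, so the list has to be pruned by a human first. Preferring publisher rules keeps the policy stable across vendor updates, while hash rules break the moment a binary changes and are best reserved for unsigned one-offs.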
There are definitely other tools out there, free and paid, that can help with managing user access to programs and files. While we called out the benefits you can glean from using AppLocker, the overarching point of this article is that you don’t always need to introduce a new vendor and new software into your environment to take meaningful steps toward reducing user risk.
On a similar note, Microsoft has recently announced a threat management platform that also executes at the endpoint. While I’m extremely skeptical of the efficacy based on what I’ve read, and the privacy concerns it surfaces are more than a little troubling, there’s a chance that they could be working on another diamond in the rough here.
Stay tuned and watch those users!