I did this by manually editing the XML file. I wanted to change that so that I did not have to remake this policy every time there is a new version or build. You do that in the Group Policy editor by right clicking on the AppLocker part and selecting import.Īfter I imported the rules I noticed that the rules apply for a specific version of the different files. These files showed in the screenshot could not become a publisher rule, meaning that they are most likely not signed correctly or missing.Īfter the rules was created I then imported them to my AppLocker policy. These files are highlighted in yellow in this screenshot: I did not care for those at that moment, since I knew I had to do this in several rounds. There was a couple of files it could not create rules for. Get-AppLockerFileInformation -EventLog -EventType audited | New-AppLockerPolicy -RuleType publisher -rulenameprefix “Round1” -IgnoreMissingFileInformation -Xml > Round1.xml I first tried with an empty ruleset, but that did not work out.Īfter the first boot with the AppLocker policy active and after I logon as a normal user I generated an AppLocker policy from the audit events using these cmdlets: I needed these rules or else AppLocker would not do anything. The first thing I did was to create the following path rules (Builtin\Administrators – All files) under the AppLocker configuration and I set everything up to audit: But if someone can learn from my failures that’s great. I ended up doing several audits and in the end I was not successful. In this blogpost I will go over how I logged AppLocker and tried to figure out what files that is actually needed and only allow that as a base for an AppLocker policy. This something could either be everything under C:\windows and c:\programfiles, or it could be every file that is signed by Microsoft. Normally what you would do when setting up AppLocker is that you would start out by trusting something.
I wanted to try and see if I was able to use AppLocker to only allow needed files (Real whitelisting).
0 kommentar(er)
