Application Control - AppLocker and Windows Defender Application Control Overview


Process to reduce risk

The administrator uses application control to restrict which applications users are allowed to run.  Application control policies can block unsigned scripts and MSIs and enforce Windows PowerShell Constrained Language mode.  Security administrators will want to use application control alongside endpoint protection products such as antivirus and endpoint detection and response (EDR).

Application control uses a predetermined set of criteria to decide which applications are trusted to run on the endpoint and blocks the rest.  Implementing application control can stop malware and unauthorized software.

Microsoft builds application control into its operating systems.  Windows 10 and Windows 11 include Windows Defender Application Control (WDAC) and AppLocker.  AppLocker also runs on older versions: Windows 7, Windows 8/8.1, and Windows Server 2008 up through Windows 11 and Windows Server 2019.  Using the application control built into a product is preferable because it simplifies deployment and reduces cost.  AppLocker is centrally managed through the existing Group Policy infrastructure, which makes testing and modification easier.  Intune, Configuration Manager, and PowerShell can also manage AppLocker.

Administrators can run an AppLocker policy in audit mode to produce event logs of application activity.  PowerShell scripts can parse those event logs to report which applications ran, and administrators can use that data to build a list of allowed applications and exclude the rest.  AppLocker identifies allowed software by publisher, installation path, or file hash.  Any software that is not recognized is blocked, which can include malware.
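
The audit-mode workflow just described, as an added PowerShell example that is not code from the original post. It assumes the EXE rule collection is already deployed in AuditOnly mode, that the built-in AppLocker module is present, and that the session is elevated; the output file name is an assumption.

```powershell
# Added example, not code from the original post: summarize AppLocker audit
# events and turn them into a draft allow-list policy. Assumes the EXE rule
# collection is already deployed in AuditOnly mode, the built-in AppLocker
# module is present, and the session is elevated.

# Audit-mode EXE/DLL events land here. Event 8003 means "would have been blocked".
$exeLog = 'Microsoft-Windows-AppLocker/EXE and DLL'

# 1. Read every audited event and flatten the fields that matter for rule building.
#    AppLocker events carry their data under UserData/RuleAndFileData.
$audited = Get-WinEvent -FilterHashtable @{ LogName = $exeLog; Id = 8003 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $d.TargetUser        # SID of the user who tried to run the file
            FilePath = $d.FilePath          # uses AppLocker variables, e.g. %OSDRIVE%\...
            Fqbn     = $d.Fqbn              # publisher\product\binary\version; empty when unsigned
            Hash     = $d.FileHash
        }
    }

# 2. One row per distinct path: how often it ran, whether it is signed, who ran it.
$summary = $audited |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Signed'; e = { -not [string]::IsNullOrEmpty($_.Group[0].Fqbn) } },
        @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }

$summary | Format-Table -AutoSize

# Unsigned binaries need the closest review: they can only be allowed by hash or
# path, and path rules pointing at user-writable folders are the usual weak spot.
$summary | Where-Object { -not $_.Signed } | Format-Table Count, Name, Users -AutoSize

# 3. The built-in cmdlets can build rules straight from the same audit events.
#    Publisher rules are tried first; hash rules are the fallback for unsigned files.
$info  = Get-AppLockerFileInformation -EventLog -LogPath $exeLog -EventType Audited
$draft = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
            -User Everyone -Optimize -Xml

# Write the draft out for review. Apply it with Set-AppLockerPolicy only after the
# list has been checked, and keep the collection in AuditOnly until the log is clean.
$draft | Out-File -FilePath '.\AppLocker-draft.xml' -Encoding utf8
```

The same approach works for the other collections by changing the log name (for example `Microsoft-Windows-AppLocker/MSI and Script`, where the audit event is 8006 rather than 8003).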

AppLocker evaluates allow and deny rules in a specific way.  Microsoft recommends using allow rules with exceptions because deny rules override allow rules.  Only files explicitly allowed by a rule are permitted.  The administrator can configure rules that allow files to run for users or groups of users and add exceptions to them.  Deny rules that disallow certain files, with their own exceptions, are also possible.  A deny rule for a file or folder path still lets those users run the file from any other path; an allow rule, in contrast, permits only the specified files and paths and excludes everything else.
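
The allow-with-exception versus deny behaviour described above, as an added PowerShell example that is not code from the original post. It builds a throwaway policy in a scratch folder and evaluates it with Test-AppLockerPolicy, so nothing is applied to the machine; the folder names, rule names and rule GUIDs are hypothetical.

```powershell
# Added example, not code from the original post: shows how an allow rule with
# an exception differs from a deny rule by evaluating a throwaway policy with
# Test-AppLockerPolicy. Nothing is applied to the machine; the cmdlet only
# evaluates the XML against the files given. Folder and rule names are hypothetical.

# Scratch folder with three copies of a signed Windows binary standing in for
# "apps". The rules below use %OSDRIVE%, the AppLocker variable for the system drive.
$root    = Join-Path $env:TEMP 'AppLockerDemo'
$rootVar = $root -replace '^[A-Za-z]:', '%OSDRIVE%'
New-Item -ItemType Directory -Path "$root\allowed", "$root\excluded", "$root\legacy" -Force | Out-Null
$source = "$env:SystemRoot\System32\notepad.exe"
Copy-Item $source "$root\allowed\app.exe"   -Force
Copy-Item $source "$root\excluded\app.exe"  -Force
Copy-Item $source "$root\legacy\legacy.exe" -Force

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Allow everything under the demo root for Everyone (S-1-1-0), except the
         "excluded" folder. A file carved out by the exception is no longer
         covered by any allow rule, so it falls back to the default deny. -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001"
                  Name="Allow demo root except excluded"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$rootVar\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="$rootVar\excluded\*" />
      </Exceptions>
    </FilePathRule>
    <!-- Deny rules win over allow rules. This one blocks a single path; the same
         binary copied to another allowed location would still run. -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002"
                  Name="Deny legacy.exe"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$rootVar\legacy\legacy.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $root 'demo-policy.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding utf8

# Four test files, one per case:
#   allowed\app.exe      covered by the allow rule
#   excluded\app.exe     carved out of the allow rule by the exception
#   legacy\legacy.exe    hit by the deny rule even though the allow rule also matches
#   System32\notepad.exe covered by no allow rule at all
$files = "$root\allowed\app.exe", "$root\excluded\app.exe", "$root\legacy\legacy.exe", $source
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $files -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The PolicyDecision column makes the difference visible: the deny rule produces an explicit deny, while both the excepted file and the file outside the rule are rejected only because no allow rule covers them, which is why Microsoft's guidance favours allow rules with exceptions over deny rules.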

AppLocker rule collections are of the five types below.

·         Executable files: .exe and .com

·         Windows Installer files: .msi, .mst, and .msp

·         Scripts: .ps1, .bat, .cmd, .vbs, and .js

·         DLLs: .dll and .ocx

·         Packaged apps and packaged app installers: .appx

The DLL rule collection may cause performance problems because AppLocker checks each DLL before allowing it to load.  However, not checking DLLs increases the risk of an AppLocker bypass.

WDAC is available on Windows 10, Windows 11, and Windows Server 2016 and later.  Its policies are device-wide rather than per-user or per-group, are enforced in kernel mode, and are managed through Intune, Microsoft Configuration Manager (limited), Group Policy, and scripting.  WDAC applies to the following file types:

·         Driver files: .sys

·         Executable files: .exe and .com

·         DLLs: .dll and .ocx

·         Windows Installer files: .msi, .mst, and .msp

·         Scripts: .ps1, .vbs, and .js

·         Packaged apps and packaged app installers: .appx

WDAC's advantages include enforcement in the Windows kernel and agentless operation.  It applies the policy early in the boot process, before nearly all other OS code and before traditional antivirus.  The administrator can use WDAC to set application control policies for any code, including kernel-mode drivers and Windows' own code.  Digitally signing the WDAC policy protects it from tampering by local administrators, and memory integrity protects the WDAC enforcement mechanism itself.
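
The WDAC points above (kernel enforcement, audit first, signed policy against local-admin tampering, memory integrity), as an added PowerShell example that is not code from the original post. It assumes the ConfigCI module that ships with Windows 10/11, an elevated session on a clean reference machine, and a signing certificate already issued; the C:\WDAC paths and the certificate file name are hypothetical.

```powershell
# Added example, not code from the original post: build a WDAC policy from a clean
# reference machine, keep it in audit mode, prepare it for signing, and report
# whether enforcement and memory integrity (HVCI) are active.
# Assumes the built-in ConfigCI module and an elevated session. Paths and the
# certificate file name are hypothetical.

$policyXml = 'C:\WDAC\BasePolicy.xml'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Scan the reference machine (this walks the system drive and takes a while).
#    -Level Publisher trusts by signer, -Fallback Hash covers unsigned files,
#    -UserPEs includes user-mode binaries rather than drivers only.
New-CIPolicy -FilePath $policyXml -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat

# 2. Start in audit mode: option 3 = "Enabled:Audit Mode". Violations are then
#    logged to Microsoft-Windows-CodeIntegrity/Operational as event 3076
#    ("would have been blocked") instead of 3077 (blocked).
Set-RuleOption -FilePath $policyXml -Option 3

# 3. To keep local administrators from swapping the policy out, remove option 6
#    ("Enabled:Unsigned System Integrity Policy") and register the signer. The
#    binary policy then has to be signed with that certificate before it loads.
Set-RuleOption -FilePath $policyXml -Option 6 -Delete
Add-SignerRule -FilePath $policyXml -CertificatePath 'C:\WDAC\WDACPolicySigner.cer' -User -Update

# 4. Convert to the binary form the kernel consumes; the file name is the policy GUID.
$policyId  = ([xml](Get-Content $policyXml)).SiPolicy.PolicyID
$policyBin = "C:\WDAC\$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# 5. What the kernel is enforcing right now, plus whether memory integrity (HVCI)
#    is running to protect the enforcement mechanism itself.
function Get-WdacStatus {
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $mode = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModePolicy = $mode[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy   = $mode[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        MemoryIntegrity  = ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI
    }
}
Get-WdacStatus

# 6. Recent audit hits to review before switching the policy to enforced.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Step 3 only prepares the XML; the .cip file still has to be signed (for example with signtool and the same certificate) and deployed before the signed-policy protection takes effect, and option 3 should be removed only once the 3076 events have been worked through.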

More about AppLocker: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide

More about WDAC: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/feature-availability     
