Application Control or AppLocker Policies – In simple words, they are used to audit and control the execution of applications, scripts and packages. They are extremely critical when you have a large number of users making changes to the environment and you want to audit what occurred, where, when, on which system and, most importantly, by whom.
When you have such a large number of audit logs, you could also leverage existing monitoring tools like SCOM (ACS) or another event log monitor to trigger the necessary actions and update the concerned team accordingly.
Let us now begin the configuration of AppLocker –
1. Log in to the Domain Controller and launch the Group Policy Management Console. Create a new Group Policy. I have created a new Group Policy named – AppLocker for this post.
2. Go to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Application Control Policies
3. Right click on “Executable Rules” and select “Create Default Policies”; repeat the process for “Script Rules” as needed.
This would show the policies as shown below.
4. Once the policies are created, click on AppLocker and select “Configure rule enforcement” on the right hand side pane.
5. Here, you could either “Enforce rules” or “Audit” the rules; either choice creates event log entries in Event Viewer.
6. Once the policy is enforced, ensure that you apply the Group Policy to the Domain or OU where you need it and run “gpupdate /force”.
7. AppLocker also needs the “Application Identity” service to be started. This service is set to Manual by default; it can be set to Automatic using Group Policy. Ensure that you keep this service running.
8. Once this is done, any executable that gets launched on the system will be logged in the Event Viewer as shown below.
9. For the scripts, I wrote a simple “Hello World” PowerShell script, and its execution gets logged as well.
Now that the event logs are being created, they can be easily tracked in any event log monitoring system or auditing tool such as Microsoft SCOM – ACS.
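To check that steps 4 to 9 took effect on a client and to pull the “who, what, where, when” out of the resulting events, here is an added PowerShell script (my own example, not part of the original post). It assumes it runs elevated on a workstation that received the AppLocker GPO, and it relies on the standard AppLocker event IDs 8003/8004 (executables) and 8006/8007 (scripts), which the post itself does not list.

```powershell
# Added verification script (not from the original post). Assumes an
# elevated PowerShell session on a client that received the AppLocker GPO.

# Step 7: the Application Identity service must be running, or no rule is evaluated.
$appId = Get-Service -Name AppIDSvc
if ($appId.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($appId.Status); AppLocker rules will not be evaluated."
}

# Steps 4-5: confirm which rule collections are in Audit vs Enforce mode.
$policy = Get-AppLockerPolicy -Effective
foreach ($rc in $policy.RuleCollections) {
    '{0,-8} {1,-14} {2} rule(s)' -f $rc.RuleCollectionType, $rc.EnforcementMode, $rc.Count
}

# Steps 8-9: collect audit/block events from both AppLocker channels for the last 24 hours.
# 8003 / 8006 = audit-only "would have been blocked"; 8004 / 8007 = actually blocked.
$actionName = @{ 8003 = 'Audit-EXE'; 8004 = 'Blocked-EXE'; 8006 = 'Audit-Script'; 8007 = 'Blocked-Script' }
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
                'Microsoft-Windows-AppLocker/MSI and Script'
    Id        = 8003, 8004, 8006, 8007
    StartTime = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Each event's UserData carries the launching user's SID and the file path;
# group on user + file + outcome so repeated launches show up as one line with a count.
$events |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Host   = $_.MachineName
            User   = $data.TargetUser      # SID of the account that launched the file
            File   = $data.FilePath
            Action = $actionName[[int]$_.Id]
        }
    } |
    Group-Object User, File, Action |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

The same four event IDs are what you would subscribe to in SCOM/ACS or any other event log monitor; a SID in the User column can be resolved with a lookup against the domain when a readable account name is needed.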