AppLocker - PimmyTrousers/Cooking-Recipes GitHub Wiki

AppLocker is an application whitelisting (application control) feature built into Windows. It is enforced on the Enterprise and Education editions of Windows and on Windows Server; other editions can author policies but do not enforce them. It works by checking each file a user tries to launch against allow and deny rules: once a rule collection is being enforced, anything that does not match an allow rule is blocked.

AppLocker rules live in collections (executables, Windows Installer packages, scripts, packaged apps and DLLs; the DLL collection is off by default) and each rule uses one of three conditions:

  • Path
    • Allows or denies files by location (for example `%PROGRAMFILES%\*`). Easiest to set up and easiest to bypass: any directory beneath an allowed path that a standard user can write to lets an unsigned file inherit the allow.
  • Hash
    • Matches the hash of the exact file. Hard to bypass, but every patch or rebuild changes the hash, so the rules are hard to maintain.
  • Publisher
    • Matches the signing certificate's publisher and, optionally, product name, file name and minimum version. Survives updates as long as the signer stays the same, but trusts everything that publisher signs at or above the chosen version.

AppLocker is not meant to be a standalone solution; rather, it should be layered on top of other controls (least-privilege accounts, patching, endpoint monitoring) instead of being relied on alone.

  • To allow only signed applications to run:
  1. To open the Local Security Policy MMC snap-in, click Start, type secpol.msc, and then press ENTER.
  2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
  3. Right-click Executable Rules, and then click Create New Rule.
  4. On the Before You Begin page, click Next.
  5. On the Permissions page, click Next to accept the default settings (Allow, Everyone).
  6. On the Conditions page, Publisher is already selected; click Next.
  7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.
  8. On the Exceptions page, click Next.
  9. On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.

  Note: the rule on its own changes nothing. AppLocker only enforces a collection when the Application Identity service (AppIDSvc) is running and the collection's enforcement mode has been set (right-click AppLocker, then Properties). Once enforced, only files matching an allow rule will run, so also create the default rules (right-click Executable Rules, then Create Default Rules) or Windows components in %WINDIR% and %PROGRAMFILES% that are not signed will be blocked. Start in "Audit only" mode and review the AppLocker event log before switching to "Enforce rules".
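The same policy built from PowerShell, as an added example that is not part of the original wiki page: it encodes the wizard's "any signed file" publisher rule together with AppLocker's default path rules, dry-runs it with Test-AppLockerPolicy, applies it in audit mode, and pulls the resulting audit events. It also illustrates the path-rule weakness from the rule-type list above by testing an unsigned file under %WINDIR%. Assumptions: an elevated PowerShell on an edition that enforces AppLocker, the rule GUIDs are arbitrary unique values, and the `unsigned-tool.exe` paths are constructed placeholders for an unsigned binary you supply.

```powershell
#Requires -RunAsAdministrator
# Example policy (not the wiki's code): one publisher rule matching any signed
# executable, plus the three AppLocker default rules so the OS keeps running.
# The Exe collection is set to AuditOnly so nothing is blocked while evaluating.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Wizard's Publisher page at its default: PublisherName="*" = any signed file -->
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="Allow any signed executable" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Default rules: without them an enforced collection blocks unsigned OS files -->
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-signed-only.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker does nothing unless the Application Identity service is running.
# Its start type is protected on current Windows builds, so use sc.exe
# rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run: evaluate files against the XML without applying it. The paths for
# unsigned-tool.exe are constructed placeholders; copy any unsigned binary there.
$samples = @(
    'C:\Windows\System32\notepad.exe',               # Microsoft-signed: publisher rule
    "$env:USERPROFILE\Downloads\unsigned-tool.exe",  # unsigned, outside allowed paths: expect Denied
    'C:\Windows\Tasks\unsigned-tool.exe'             # same unsigned file under %WINDIR%: the path rule allows it
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy; -Merge keeps rules other collections already have.
# To write to a GPO instead, add -Ldap with the policy's LDAP path.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# In AuditOnly mode a launch the rules would have blocked logs event 8003;
# 8004 is a real block once EnforcementMode is "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The third sample is the practical meaning of "quite easy to bypass" for path rules: the default `%WINDIR%\*` rule is what lets the OS run, but directories under it that standard users can write to (check the ACLs on your build, `C:\Windows\Tasks` being the usual example) are covered by the same rule, so an unsigned file dropped there is allowed even though the publisher rule would have denied it. Either add explicit Deny path rules for those directories or replace the broad default with narrower allows.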