Lab 9 - AppLocker - jacobwilliams100/sec-440 GitHub Wiki
Prerequisites:
- AD01 is running Active Directory and DNS
- WKS01 is domain-joined
On my setup, these were done from a previous lab.
On AD01, log in as Administrator and go to Server Manager->Group Policy Management
Under your domain in the left panel, create a new Organizational Unit called AppLocker
Now switch to Active Directory Users and Computers and move your normal domain user (jake in my case) and the WKS01 computer into the AppLocker OU
Back in Group Policy Management we want to create a new GPO
We will call it Applocker
Right-click the AppLocker GPO -> Edit
Then go to Computer Configuration->Policies->Windows Settings->Security Settings->Application Control Policies->AppLocker->Executable Rules, right-click -> Create Default Rules
Now right-click -> Create New Rule
On the second page, select Deny
Leave the Conditions page as-is, on Publisher
On the Publisher page, set Putty.exe in the Downloads folder as the Reference.
If you don't have it, download it from chiark.greenend.org.uk/~sgtatham/putty/latest.html
We need to designate an exception as well. We will use Internet Explorer (published by Microsoft).
Name it "Block EXEs" and click Create
Deliverable #1: Submit a screenshot showing your default rules and the deny .EXE rule added, as seen in the screenshot below:
Now, in the left panel, click "AppLocker" and then "Configure rule enforcement"
Check the box for "Configured" at the top, and click "OK"
Lastly, make sure to Enforce the new GPO
Last thing before you leave Group Policy Management Editor: go to Computer Configuration->Policies->Windows Settings->Security Settings->System Services, right-click Application Identity -> Properties, select Automatic, and click Apply
You can now exit Group Policy Editor
Still in Server Manager, go to Tools->Services and start the Application Identity service
It should be working now. Switch over to WKS01 and log in as your named domain user (jake)
Open a command prompt and run gpupdate /force
Try downloading from https://notepad-plus-plus.org/downloads/v7.8.8/
Then try running the installer
Deliverable #2: Submit a screenshot showing your test of installing Notepad++ being blocked on your Windows client.
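Before taking the screenshot it is worth confirming that the client is really enforcing the domain policy rather than just failing to launch the installer for some other reason. The script below is an added example, not part of the lab write-up: it checks the Application Identity service, dumps the enforcement mode of each rule collection from the effective policy, asks AppLocker what it would decide for the installer without running it, and lists the block events. It is run in an elevated PowerShell on WKS01 after gpupdate /force; the installer file name npp-installer.exe is a placeholder for whatever the Notepad++ download was saved as in the current user's Downloads folder.

```powershell
# Added example (not part of the lab write-up): check from WKS01 that the
# AppLocker GPO is actually in effect before taking the Deliverable #2 screenshot.
# Run in an elevated PowerShell session after "gpupdate /force".
# Assumption: the Notepad++ installer was saved in the current user's Downloads
# folder; "npp-installer.exe" is a placeholder for the real file name.
$installer = Join-Path $env:USERPROFILE 'Downloads\npp-installer.exe'
$control   = 'C:\Windows\System32\notepad.exe'   # known-good system binary for comparison

# 1. Nothing is enforced unless the Application Identity service (AppIDSvc) is running.
$svc = Get-Service -Name AppIDSvc
'Application Identity service: Status={0}, StartType={1}' -f $svc.Status, $svc.StartType
if ($svc.Status -ne 'Running') {
    Write-Warning 'AppIDSvc is stopped; AppLocker rules are not being enforced on this host.'
}

# 2. Read the effective policy (local + domain merged) as XML and show, per rule
#    collection, whether it is Enabled, AuditOnly or NotConfigured and how many rules it holds.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
foreach ($collection in $effective.AppLockerPolicy.RuleCollection) {
    '{0,-10} EnforcementMode={1,-14} Rules={2}' -f $collection.Type,
        $collection.EnforcementMode, @($collection.ChildNodes).Count
}

# 3. Ask AppLocker what it would decide for the installer and for the control file,
#    without launching either. PolicyDecision is Allowed, Denied, AllowedByDefaultRule
#    or DeniedByDefaultRule; MatchingRule names the rule that produced the decision.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $installer, $control -User "$env:USERDOMAIN\$env:USERNAME" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Confirm the block was logged. In the "EXE and DLL" log, event 8004 is an enforced
#    block, 8003 is "would have been blocked" (audit mode) and 8002 is an allowed launch.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

The MatchingRule column is the useful part: the "Block EXEs" publisher rule only matches binaries signed by PuTTY's publisher, so an installer from a different publisher sitting in Downloads is refused because no rule allows it, not because the deny rule fired. Seeing that distinction in the dry run explains the behaviour that caused trouble later in this lab, and step 4 is the same evidence a SOC would use to spot blocked launches across a fleet.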
At this point I encountered some unusual issues with GPO blocking normal actions on wks1 like using the start menu, and blocking the execution of any program no matter the location, even after I disabled the rules. So I ended up rolling back to snapshot and doing most of the lab again.
Deliverable #3: Create a rule that will block all applications running from a certain path (e.g. C:\Users\<user>\Downloads). Provide the screenshots for the work done and tested on your Windows client.
This took me a long time to figure out.
Go back to Group Policy Management Editor->...->Applocker->Executable Rules
Since AppLocker applies an implicit Deny All, we must first create an Allow All rule so that the new rule doesn't affect executables outside Downloads.
THEN we can create a Deny rule for the path %OSDRIVE%\Users\*\Downloads\*
The * is a wildcard, meaning anything can be in that position. Therefore, we are blocking execution from the Downloads folder for all users.
Then we must make some other tweaks to keep the rest of the system working properly.
Go to each of the other AppLocker rule collections (Windows Installer Rules, Packaged app Rules, etc.) and Create Default Rules for those too.
Then go back to AppLocker and Configure rule enforcement. Enable enforcement for all rule collections.
Make sure the Application Identity service is running on both AD01 and WKS01
Then on WKS01 use an Administrator Command Prompt to run gpupdate /force again
Now it should be working. Running an exe from Downloads will result in this screen:
However, running it from a different directory such as Documents should be allowed (but possibly require elevation depending on your settings)
Deliverable #4: Create a rule that will block an application from running based on its hash value. Provide the screenshots for the work done and tested on your Windows client.
Let's say that due to company policy, we do not want users to run version 4.6 of Rufus (a utility for creating bootable USB drives)
On AD01 we will go back into Group Policy Management Editor and create a new Executable Rule based on File hash, selecting rufus-4.6p.exe as the reference file
Now, back on WKS01, force a group policy update again
Now, if we try to run rufus-4.6p it is denied outright
However, if we try to run a different version such as rufus-4.5p it is allowed (but may require elevation depending on settings)
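The Deliverable #3 and #4 rules can also be authored as AppLocker policy XML, tested offline and pushed into the GPO from PowerShell, which makes the Allow-all / Deny-Downloads interaction and the hash rule visible in one place. The script below is an added example, not the lab's own work: it is run as Domain Admin on AD01 with the AppLocker, GroupPolicy and ActiveDirectory modules available. It assumes the GPO is named "AppLocker", that rufus-4.6p.exe has been copied to C:\Tools (a placeholder, chosen outside Downloads so the hash rule rather than the path rule is what matches it), and that putty.exe still sits in the Administrator's Downloads folder from earlier in the lab.

```powershell
# Added example (not the lab's own code): build the Deliverable #3 and #4 rules as an
# AppLocker policy XML, test it offline with Test-AppLockerPolicy, then push it into the
# "AppLocker" GPO with Set-AppLockerPolicy -Ldap. Run as Domain Admin on AD01.
# Assumptions (placeholders): rufus-4.6p.exe has been copied to C:\Tools so the hash rule,
# not the Downloads path rule, is what matches it; the GPO is named "AppLocker".
$rufus    = 'C:\Tools\rufus-4.6p.exe'
$gpoName  = 'AppLocker'
$everyone = 'S-1-1-0'   # well-known SID for Everyone, the same principal the GUI rules use

# Rule 1: explicit Allow for everything. Once any Exe rule exists, AppLocker denies
# whatever no rule allows, so without this the Downloads deny locks up the whole box
# (the symptom described above). Rule 2: explicit Deny for every user's Downloads folder.
# An explicit Deny always beats an explicit Allow, so the order of the rules does not matter.
[xml]$doc = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow all (lab base rule)" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Block Downloads for all users" Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$exeCollection = $doc.SelectSingleNode('/AppLockerPolicy/RuleCollection[@Type="Exe"]')

# Rule 3: Deny by hash. New-AppLockerPolicy only emits Allow rules, but it computes the
# Authenticode SHA256 hash that AppLocker actually matches on (a flat Get-FileHash value
# does not match a PE file), so generate the Allow rule and flip its Action to Deny.
[xml]$generated = Get-AppLockerFileInformation -Path $rufus |
    New-AppLockerPolicy -RuleType Hash -User Everyone -Xml
$hashRule = $generated.SelectSingleNode('//FileHashRule')
$hashRule.SetAttribute('Action', 'Deny')
$hashRule.SetAttribute('Name', 'Block Rufus 4.6 by hash')
$exeCollection.AppendChild($doc.ImportNode($hashRule, $true)) | Out-Null

# Dry run before touching the GPO: rufus and putty should report Denied with the deny rule's
# name in MatchingRule; notepad.exe should report Allowed via the base rule.
$policyFile = Join-Path $env:TEMP 'applocker-lab-policy.xml'
$doc.Save($policyFile)
$samples = @($rufus, "$env:USERPROFILE\Downloads\putty.exe", 'C:\Windows\System32\notepad.exe')
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Publish: merge the rules into the GPO's AppLocker settings (-Merge keeps the rules already
# there, such as the Default Rules created in the GUI). Then run "gpupdate /force" on WKS01.
$domain = Get-ADDomain
$gpo    = Get-GPO -Name $gpoName
$ldap   = 'LDAP://{0}/CN={{{1}}},CN=Policies,CN=System,{2}' -f $domain.PDCEmulator, $gpo.Id, $domain.DistinguishedName
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $ldap -Merge
```

Two things the dry run makes obvious. First, Allow "*" turns AppLocker into a denylist: anything not explicitly denied runs, which is the opposite of the default-deny posture the product is built around. It is a fine lab shortcut, but outside a lab the Default Rules (Program Files, Windows, and administrators anywhere) are the usual allow base, with the Downloads deny layered on top. Second, a hash rule is only as good as the exact bytes it was generated from: rufus-4.5p.exe passes because its hash differs, and so would any rebuilt 4.6 binary, which is why publisher rules are preferred for signed software and hash rules are kept for one-off blocks.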
This lab was much more challenging than I thought it would be. The initial setup seemed to work as expected; however, starting in deliverable 2, I began encountering unexpected issues, such as AppLocker blocking executables in almost my entire system. I could not even open the start menu on WKS01. It took me a long time to realize that AppLocker would apply a "Deny All" rule by default, and if I only wanted to block a few things, then I needed to create an "Allow all" rule first, as the default rules only cover a few directories. I wish that it had been easier to find documentation on effective AppLocker policy and best practices; maybe it is something I will write about in the future. Through troubleshooting and figuring out how to configure AppLocker, I certainly learned a lot about Windows Group Policy, which I have not worked with as much as I would like. Despite all of the difficulties, I definitely enjoyed the challenge.