There are numerous ways to approach choosing the things to whitelist. Some want to dump everything to a local GPO, edit there, export to an XML file, and import to an AD GPO. I'm not going to go through every option. Instead, I'll point you to the ones I use the most.

To dump everything to a local GPO, use the following:

```powershell
Get-AppLockerFileInformation -EventLog -LogPath ForwardedEvents | New-AppLockerPolicy -RuleType Publisher -User Everyone -IgnoreMissingFileInformation -Optimize | Set-AppLockerPolicy
```

After this, you can open GPEDIT.msc and find the new rules to edit and export under your application control policies.

What I normally do is take a specific app and make a publisher rule for it, merging it straight into a GPO in Active Directory, like this:

```powershell
Get-AppLockerFileInformation -EventLog -LogPath ForwardedEvents | Where-Object -Property Publisher -like "O=INTEL*" | New-AppLockerPolicy -RuleType Publisher | Set-AppLockerPolicy -LDAP "LDAP:///CN=,CN=Policies,CN=System,DC=elaiho,DC=int" -Merge
```

You need to get the LDAP path to the object and the GUID for the GPO. Normally, after this, I will edit the rule to point to the publishing company instead of the specific app.

Keep in mind what AppLocker does and does not do: AppLocker rules allow or prevent an app from launching. AppLocker doesn't control the behavior of apps after they're launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded.

As I stated in the previous blog post, my normal run for an AppLocker project is:

1. Install event log forwarding and the required GPOs.
2. Create the first custom rule set based on the logged events.
3. Tweak the rules based on the logged events.
4. Teach ServiceDesk to deal with AppLocker and inform users.
5. Configure about 25% of the clients to use enforced mode and create a PANIC policy.
6. Configure the rest (75%) of the clients to use enforced mode.

Please read my first blog post to find the reasoning for this.

After creating your rules, it's time to audit for a few more weeks and make sure you will find fewer entries in the logs. Now is a good time to prepare a note for users about the introduction of whitelisting and how to contact you/ServiceDesk if they get into trouble. Also take some time to teach ServiceDesk how to create rules or how to escalate to the correct contact.

You'll basically redo everything you did in this post: first audit all and then enforce, like with other executables.
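The one-liner for a specific app above produces a rule tied to that product, binary and version; the post then widens it by hand to the publishing company. The following is an added example, not code from the original post, that does that widening in PowerShell and lets you review the result before merging. It assumes AppLocker audit events are already forwarded into the ForwardedEvents log, that "O=INTEL*" is the publisher you want to trust, and that the GPO GUID in the LDAP path is a placeholder you replace with your own.

```powershell
# Added example, not from the original post. Assumes forwarded AppLocker
# events in ForwardedEvents (as in the post); the GPO GUID is a placeholder.
$Publisher = "O=INTEL*"
$RuleFile  = "$env:TEMP\applocker-publisher-rules.xml"
$GpoLdap   = "LDAP://CN={REPLACE-WITH-GPO-GUID},CN=Policies,CN=System,DC=elaiho,DC=int"

# 1. Build publisher rules from the audited events, for one publisher only.
$policy = Get-AppLockerFileInformation -EventLog -LogPath ForwardedEvents |
    Where-Object -Property Publisher -like $Publisher |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize

# 2. Widen each rule from "this product, this binary, this version" to
#    "anything signed by this publisher", the manual edit the post describes.
#    Done on the policy XML, which is the same format GPEDIT exports.
[xml]$xml = $policy.ToXml()
foreach ($cond in $xml.SelectNodes("//FilePublisherCondition")) {
    $cond.SetAttribute("ProductName", "*")
    $cond.SetAttribute("BinaryName",  "*")
    $range = $cond.SelectSingleNode("BinaryVersionRange")
    if ($null -ne $range) {
        $range.SetAttribute("LowSection",  "*")
        $range.SetAttribute("HighSection", "*")
    }
}
# Rename the rules so the GPO shows what they now cover.
foreach ($rule in $xml.SelectNodes("//FilePublisherRule")) {
    $name = $rule.SelectSingleNode("Conditions/FilePublisherCondition").GetAttribute("PublisherName")
    $rule.SetAttribute("Name", "Publisher: $name")
}
$xml.Save($RuleFile)

# 3. Review what is about to be merged before it touches the domain GPO.
$xml.AppLockerPolicy.RuleCollection.FilePublisherRule |
    Select-Object Name, Action, UserOrGroupSid

# 4. Merge into the AD GPO; -Merge keeps the rules already in that GPO.
Set-AppLockerPolicy -XmlPolicy $RuleFile -Ldap $GpoLdap -Merge
```

A publisher-wide rule trusts every binary that vendor signs, so step 3 is where you decide whether that is acceptable for this publisher or whether the rule should stay at product level.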