Server Admin I Unit 8.9 App Restriction Policies Flashcards
Software Restriction Policies
Policies that allow an organization to control the applications that run on the computers in their environment.
Default Software Restriction Policies
There are no default policies. .exe files run based on NTFS file permissions.
Three Software Restriction “Security Levels”
- Unrestricted
- Disallowed
- Basic User
Unrestricted “Security Level”
All applications are allowed to run, except those specifically excluded.
Disallowed “Security Level”
All applications are prohibited, except those specifically excluded.
Basic User
All applications that standard users can run are allowed. All apps that require admin privilege are not allowed.
Four Software Restriction Rules
- Hash
- Certificate
- Network Zone
- Path
Hash Software Restriction Rule (2)
- Uses digital fingerprint (hash file) to ID and restrict software usage.
- Very narrow in scope, can be defeated by using a different software version.
Certificate Software Restriction Rule (3)
- Uses digital signature (certificate) of the software's publisher.
- Applies to all applications from specific publisher.
- Considered too broad in scope at times.
Network Zone Software Restriction Rule
Condition specifies where the application originated. Includes: Internet Zone, Intranet Zone, Restricted Sites, Trusted Sites, and Local Computer Zone.
Path Software Restriction Rule (4)
- Condition specifies a folder, file or a wildcard of files to restrict or allow execution.
- Path conditions are least secure of all software restriction conditions.
- When using Path, use NTFS permissions to prevent users from copying .exe files to locations outside the scope of the path condition.
- If a folder is specified, the restriction applies to all programs within the folder.
Applocker
Application Control Policies introduced with Windows 7 and Windows Server 2008 R2.
Benefits to Applocker over Software Restrictions (5)
- Wizard can recommend rules based on folder contents.
- Policies can be applied to specific users or groups.
- Policies can be applied to all versions of an app.
- Exceptions can be included in policies.
- Allows flexibility in identifying software to block.
Applocker Rule Types (4)
- Executable
- Windows Installer
- Script
- Packaged App
Executable Applocker Rule (2)
- Applies to files with .exe and .com extensions.
- Initial scope of the rule is Everyone.
Windows Installer Applocker Rule
Applies to .msi and .msp file extensions.
How can the Windows Installer Applocker Rule control software installation? (3)
- Based on presence of digital signature.
- Based on user of software (can be combined with digital signature requirement).
- Software or Software Updates via Group Policy
Script Applocker Rule
Applies to .ps1, .bat, .cmd, .vbs, and .js file extensions.
Packaged App Applocker Rule
Applies to Windows apps (.appx) purchased through the Windows Store and can be used only on Windows 8.
Applocker Rule Conditions (3)
- Publisher
- Path
- Hash
What service must be started to use Applocker?
Application Identity Service (AppIDSvc)
Applocker Soft Enforcement
Auditing mode that Applocker uses to monitor application events, software is still allowed to run. Applies to all rules within a specific type.
What information is saved in the Applocker Event Log? (4)
- Rule name
- SID of the user or group
- File and path of the restricted or permitted application
- Rule type or condition used.
What two things need to be done to allow Applocker to be used?
- Create default rules so the OS will be allowed to run.
- Set rules to Enforce.
To apply Group Policy Preferences to pre-Windows 7 clients, what do you need?
- Download and install client-side extensions (CSEs).
- Use Group Policy to roll out CSEs to clients.