Making managing AppLocker easier

I'm fortunate enough to have application whitelisting in use on our domain using Windows AppLocker policies. It does add quite a lot of administrative overhead to manage, but I've done a few things to make it easier.

The first is an automated whitelisting process using a PowerShell script and the Windows Task Scheduler.

Task Scheduler runs the PowerShell script below every 5 minutes on a domain server and checks a file share in Azure for .exe files. Only Administrators have access to this directory, so to add an app to the whitelist we just drop the .exe we want to whitelist into the directory, wait for it to disappear, and then run gpupdate to pull the new policy containing the whitelisted app. Because whatever lands in that share ends up allowed for Everyone across the domain, the share's write ACL is effectively the approval step, and the storage account key embedded in the script deserves the same protection as the GPO itself.

This is the PowerShell code which the Task Scheduler runs every 5 minutes to monitor the file share for new files to whitelist:

=======================================================================
# This script will auto-add stuff to the AppLocker Enforce GPO
# Parse a directory to obtain either the file hash or publisher of a file
$acctKey = ConvertTo-SecureString -String "XXXXXX" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\XXXXXX", $acctKey
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\path-to-your-fileshare" -Credential $credential | Out-Null
$exeDirectory = 'z:\'
$testFilePath = 'z:\*'
# Temporary file holding the generated policy XML (the extension doesn't matter to Set-AppLockerPolicy)
$xmlFile = 'c:\temp\applocker.txt'
# Below is the path to the Group Policy object containing your AppLocker settings
$ldapPathEnforce = 'LDAP://XXXX/CN={XXXXXX},CN=Policies,CN=System,DC=YOURDOMAIN,DC=ORG'
# Only run if something is in the directory
if (Test-Path $testFilePath) {
    # Signed files get a Publisher rule, unsigned files fall back to a Hash rule
    Get-AppLockerFileInformation -FileType exe -Directory $exeDirectory -Recurse |
        New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix AutoGenerated -Xml |
        Out-File $xmlFile
    # Merge contents of the newly generated XML file into the current AppLocker GPO.
    # Stop here if the merge fails so the dropped files are kept for a retry.
    Set-AppLockerPolicy -XmlPolicy $xmlFile -Ldap $ldapPathEnforce -Merge -ErrorAction Stop
    # Delete the contents of the AppLocker temp directory to avoid duplicate rules
    Remove-Item 'z:\*' -Recurse
    Send-MailMessage -To "XXXXX" -From "XXXXX" -Subject "AppLocker rule added" -Attachments $xmlFile -SmtpServer XXXXX
    # Delete the temporary XML file used to update the GPO
    Remove-Item $xmlFile
}
Remove-PSDrive -Name Z
========================================================================
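The mail the script sends carries the generated policy XML as an attachment, and that attachment is the only record of what just became allowed. The function below is an added example, not code from the original post: it parses an AppLocker policy XML (the format New-AppLockerPolicy -Xml emits, or any Get-AppLockerPolicy export) into one object per rule and flags the ones that are broader than a single file, such as a publisher rule with `*` for product and binary name, which allows anything that publisher ever signs. The sample policy, rule names, Ids and hash are constructed for the demonstration.

```powershell
# Added example (not from the original post): summarise the rules in an
# AppLocker policy XML so the e-mailed attachment can be checked for
# over-broad rules before anyone relies on the new whitelist entry.
function Get-AppLockerRuleSummary {
    param([Parameter(Mandatory)] [string] $XmlPath)
    [xml]$policy = Get-Content -Path $XmlPath -Raw
    foreach ($collection in @($policy.AppLockerPolicy.RuleCollection)) {
        if ($null -eq $collection) { continue }
        # A collection (Exe, Dll, Script, Msi, Appx) holds up to three rule kinds
        $rules = @($collection.FilePublisherRule) + @($collection.FileHashRule) + @($collection.FilePathRule)
        foreach ($rule in $rules) {
            if ($null -eq $rule) { continue }
            $kind = $rule.LocalName    # element name; $rule.Name is the Name attribute
            $condition = $null
            $broad = $false
            switch ($kind) {
                'FilePublisherRule' {
                    $c = $rule.Conditions.FilePublisherCondition
                    $condition = "$($c.PublisherName) product=$($c.ProductName) binary=$($c.BinaryName)"
                    # '*' for product or binary means "anything this publisher signs"
                    $broad = ($c.ProductName -eq '*') -or ($c.BinaryName -eq '*')
                }
                'FileHashRule' {
                    $hashes = @($rule.Conditions.FileHashCondition.FileHash) |
                        ForEach-Object { "$($_.Type) $($_.Data) ($($_.SourceFileName), $($_.SourceFileLength) bytes)" }
                    $condition = $hashes -join '; '
                }
                'FilePathRule' {
                    $condition = $rule.Conditions.FilePathCondition.Path
                    # Path rules outside the usual admin-only locations bypass publisher/hash checks
                    $broad = $condition -notmatch '^%(PROGRAMFILES|WINDIR)%'
                }
            }
            [pscustomobject]@{
                Collection  = $collection.Type
                Enforcement = $collection.EnforcementMode
                Kind        = $kind
                Name        = $rule.Name
                Action      = $rule.Action
                Sid         = $rule.UserOrGroupSid
                Condition   = $condition
                Broad       = $broad
            }
        }
    }
}

# Constructed sample in the shape New-AppLockerPolicy -Xml emits (not a real export)
$samplePath = Join-Path $env:TEMP 'applocker-sample.xml'
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="AutoGenerated: TOOL.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE CORP, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FileHashRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="AutoGenerated: UNSIGNED.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" SourceFileName="unsigned.exe" SourceFileLength="12345" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $samplePath -Encoding UTF8

# The publisher rule is reported as Broad, the hash rule is not
Get-AppLockerRuleSummary -XmlPath $samplePath | Format-Table Kind, Name, Broad, Condition -AutoSize
```

Point it at `c:\temp\applocker.txt` from inside the scheduled script (before the file is deleted) to put the summary in the mail body, or at the attachment afterwards.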

The second thing I've done involves a combination of Azure Automation and PowerShell. It lets us temporarily "disable" AppLocker on the C: drive, which in practice means merging a temporary allow-all path rule for C:\ into the enforce GPO. That makes it easier to install applications whose installers extract helper executables into c:\users\username\appdata\local\temp, where AppLocker blocks them. This can be a pain, especially when the install fails so quickly you don't even have time to grab the temporary .exe before the installer cleans up after itself.

To accomplish this I created two Azure Automation PowerShell Runbooks which are triggered by webhooks and run on a Hybrid Worker group consisting of an on-premises domain server. That sounds like a lot, but it's not too bad and most of it is done in Azure under the Automation Accounts blade.

I would show screenshots for this in Azure but chances are they'll be out of date next week.

The PowerShell code for each runbook is below:

Runbook 1 (Disable AppLocker on C:\)
======================================================================
# REE 2019
# This script will automatically disable AppLocker enforcement on the C: drive
# by merging a path rule that allows everything under C:\ into the enforce GPO
$allowAllFile = 'c:\scripts\applocker_allow_all.txt'
$originalPolicyFile = 'c:\temp\AppLockerEnforcePolicy.xml'
$ldapPathEnforce = 'LDAP://xxxxxxxx/CN={xxxxxxxx},CN=Policies,CN=System,DC=YOURDOMAIN,DC=ORG'
# Export the current AppLocker policy into a file so that
# we can remove this temp rule when we are finished.
# If a saved copy already exists the allow-all rule is probably still in
# place from an earlier run, so keep that copy rather than overwriting it
# with a snapshot that already contains the allow-all rule.
if (Test-Path $originalPolicyFile) {
    Write-Warning "$originalPolicyFile already exists; keeping the earlier saved policy"
} else {
    Get-AppLockerPolicy -Ldap $ldapPathEnforce -Domain -Xml | Out-File $originalPolicyFile
}
# Merge contents of the file containing the XML to add the allow-all in C: drive
Set-AppLockerPolicy -XmlPolicy $allowAllFile -Ldap $ldapPathEnforce -Merge
=======================================================================

Runbook 2 (Re-enable AppLocker on C:\)
=======================================================================
# REE 2019
# This script will remove the allow-all on C: drive rule added to AppLocker
$originalPolicyFile = 'c:\temp\AppLockerEnforcePolicy.xml'
$ldapPathEnforce = 'LDAP://xxxxxxxx/CN={xxxxxxxx},CN=Policies,CN=System,DC=YOURDOMAIN,DC=ORG'
# Refuse to run without the saved copy: there is nothing to restore from,
# and writing a missing or stale file would either wipe the GPO policy or
# leave the allow-all rule in place.
if (-not (Test-Path $originalPolicyFile)) {
    throw "$originalPolicyFile not found; AppLocker policy was NOT restored"
}
# Overwrite the current policy with the original policy
# that was saved out before adding the allow-all on C: drive rule.
# This also discards anything merged into the GPO since the snapshot
# (for example rules added by the auto-whitelist script in the meantime).
Set-AppLockerPolicy -XmlPolicy $originalPolicyFile -Ldap $ldapPathEnforce -ErrorAction Stop
# Delete the temporary XML file only once the restore has succeeded
Remove-Item $originalPolicyFile
=======================================================================
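The post doesn't show what `applocker_allow_all.txt` contains, so the first function below is an added example of what such a file looks like: an AppLocker policy with a single Everyone allow rule for the path `C:\*` in the Exe collection. It is my construction, not the author's file, and the rule Id is an assumed constant. Giving the rule a fixed Id makes a second approach to Runbook 2 possible, shown in `Remove-AppLockerRuleById`: instead of overwriting the GPO with the snapshot from Runbook 1, fetch the current policy, delete just that rule, and write the result back, so rules the auto-whitelist script merged during the hour survive. The usage lines at the end are comments because they touch the real GPO; the demonstration that runs only works on the constructed XML.

```powershell
# Added example (not from the original post): build the allow-all file that
# Runbook 1 merges, and remove exactly that rule again from a policy export.

# Assumed fixed rule Id so the rule can be found and removed later
$AllowAllRuleId = '11111111-2222-4333-8444-555555555555'

function New-AllowAllCPolicyXml {
    param([string] $RuleId = $AllowAllRuleId)
    # S-1-1-0 is the Everyone SID. %OSDRIVE%\* is the AppLocker variable form
    # of the same path if you prefer it over a literal drive letter.
    # After merging, check the Exe collection in the GPO still shows
    # "Enforce rules": the intent is to add one rule, not to change enforcement.
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$RuleId" Name="TEMP allow everything under C:" Description="Remove after the install window" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="C:\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Remove-AppLockerRuleById {
    param(
        [Parameter(Mandatory)] [string] $PolicyXml,   # policy as an XML string
        [Parameter(Mandatory)] [string] $RuleId
    )
    [xml]$policy = $PolicyXml
    $removed = 0
    # Rule Ids are attributes on FilePathRule/FilePublisherRule/FileHashRule elements.
    # @() materialises the node list so removing nodes doesn't disturb the enumeration.
    foreach ($node in @($policy.SelectNodes("//*[@Id='$RuleId']"))) {
        [void]$node.ParentNode.RemoveChild($node)
        $removed++
    }
    if ($removed -eq 0) { throw "Rule $RuleId not found in policy; nothing removed" }
    return $policy.OuterXml
}

# Offline demonstration on the constructed XML (no GPO is touched):
$allowAll = New-AllowAllCPolicyXml
"Path rules before removal: " + @(([xml]$allowAll).AppLockerPolicy.RuleCollection.FilePathRule).Count   # 1
$stripped = Remove-AppLockerRuleById -PolicyXml $allowAll -RuleId $AllowAllRuleId
"Path rules after removal:  " + @(([xml]$stripped).AppLockerPolicy.RuleCollection.FilePathRule | Where-Object { $_ }).Count   # 0

# Usage on the domain server (assumed paths; same LDAP path as the runbooks):
# $ldap = 'LDAP://xxxxxxxx/CN={xxxxxxxx},CN=Policies,CN=System,DC=YOURDOMAIN,DC=ORG'
# New-AllowAllCPolicyXml | Set-Content 'c:\scripts\applocker_allow_all.txt'
# Set-AppLockerPolicy -XmlPolicy 'c:\scripts\applocker_allow_all.txt' -Ldap $ldap -Merge
# ... an hour later, in place of Runbook 2's overwrite:
# $current = Get-AppLockerPolicy -Domain -Ldap $ldap -Xml
# Remove-AppLockerRuleById -PolicyXml $current -RuleId $AllowAllRuleId | Set-Content 'c:\temp\restored.xml'
# Set-AppLockerPolicy -XmlPolicy 'c:\temp\restored.xml' -Ldap $ldap
```

Because the remove step throws when the Id is missing, a runbook built on it fails loudly rather than silently writing back a policy that still contains the allow-all rule, which is the failure you most want to notice.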

The last thing is to create a Flow job in Office 365 which gives the admins a button to press that runs Runbook 1 to disable AppLocker on the C: drive, waits an hour, and then runs Runbook 2 to re-enable it. Two things to keep in mind about that hour: the rule lives in the domain GPO, so every machine that refreshes Group Policy in the window picks up the allow-all rule, not just the one being worked on, and Runbook 2 restores the snapshot taken by Runbook 1 rather than removing a single rule, so anything the auto-whitelist script merged into the GPO during the hour is lost and has to be dropped into the share again.

