AppLocker

Last updated

AppLocker is an application whitelisting technology introduced with Microsoft's Windows 7 operating system. It allows restricting which programs users can execute based on the program's path, publisher, or hash, [1] and in an enterprise can be configured via Group Policy.

Contents

Summary

Windows AppLocker allows administrators to control which executable files are denied or allowed to execute. With AppLocker, administrators are able to create rules based on file names, publishers or file location that will allow certain files to execute. Unlike the earlier Software Restriction Policies, which was originally available for Windows XP and Windows Server 2003, [2] AppLocker rules can apply to individuals or groups. Policies are used to group users into different enforcement levels. For example, some users can be added to an 'audit' policy that will allow administrators to see the rule violations before moving that user to a higher enforcement level.

AppLocker availability charts

AppLocker availability on Windows 7 [3]
StarterHome BasicHome PremiumProfessionalEnterpriseUltimate
NoNoNoCreate policies, but cannot enforceCreate and enforce policiesCreate and enforce policies
AppLocker availability on Windows 8 [4]
RT(Core)ProEnterprise
NoNoNoYes
AppLocker availability on Windows 10 [5] [6] [7]
HomeProEnterpriseEducation
YesYesYesYes

Bypass techniques

There are several generic techniques for bypassing AppLocker:

Related Research Articles

Microsoft Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for servers, and Windows IoT for embedded systems. Defunct Windows families include Windows 9x, Windows Mobile, and Windows Phone.

<span class="mw-page-title-main">Microsoft Office</span> Suite of office software

Microsoft Office, or simply Office, is a discontinued family of client software, server software, and services developed by Microsoft. It was first announced by Bill Gates on August 1, 1988, at COMDEX in Las Vegas. Initially a marketing term for an office suite, the first version of Office contained Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. Over the years, Office applications have grown substantially closer with shared features such as a common spell checker, Object Linking and Embedding data integration and Visual Basic for Applications scripting language. Microsoft also positions Office as a development platform for line-of-business software under the Office Business Applications brand.

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

A whitelist is a list or register of entities that are being provided a particular privilege, service, mobility, access or recognition. Entities on the list will be accepted, approved and/or recognized. Whitelisting is the reverse of blacklisting, the practice of identifying entities that are denied, unrecognised, or ostracised.

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

<span class="mw-page-title-main">Windows Registry</span> Database for Microsoft Windows

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.

<span class="mw-page-title-main">Adblock Plus</span> Content-filtering and ad blocking browser extension

Adblock Plus (ABP) is a free and open-source browser extension for content-filtering and ad blocking. It is developed by developer Wladimir Palant's Eyeo GmbH, a German software company. The extension has been released for Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, Safari, Yandex Browser, and Android.

<span class="mw-page-title-main">User Account Control</span> Security software

User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorises an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges and malware are kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorises it.

<span class="mw-page-title-main">Task Manager (Windows)</span> Task manager application included with the Windows NT family of operating systems

Task Manager, previously known as Windows Task Manager, is a task manager, system monitor, and startup manager included with Microsoft Windows systems. It provides information about computer performance and running software, including name of running processes, CPU and GPU load, commit charge, I/O details, logged-in users, and Windows services. Task Manager can also be used to set process priorities, processor affinity, start and stop services, and forcibly terminate processes.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

Microsoft Desktop Optimization Pack (MDOP) is a suite of utilities for Microsoft Windows customers who have subscribed to Microsoft Software Assurance program. It aims at bringing easier manageability and monitoring of enterprise desktops, emergency recovery, desktop virtualization and application virtualization.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

<span class="mw-page-title-main">DriveSentry</span>

DriveSentry was an antivirus program, developed by DriveSentry Inc, to protect Microsoft Windows users from malware. It is available free for personal use, though with restricted functionality.

<span class="mw-page-title-main">Windows 8</span> Ninth major release of Windows NT, released in 2012

Windows 8 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on August 1, 2012, and was made available for download via MSDN and TechNet on August 15, 2012. Nearly three months after its initial release, Windows 8 finally made its first retail appearance on October 26, 2012.

<span class="mw-page-title-main">Microsoft Store</span> Digital distribution platform for Microsoft Windows, Xbox One and Series X/S

The Microsoft Store is a digital distribution platform operated by Microsoft. It was created as an app store for Windows 8 and Windows Server 2012 as the primary means of distributing Universal Windows Platform apps. With Windows 10, Microsoft merged its other distribution platforms into Microsoft Store, making it a unified distribution point for apps, console games, and digital videos. Digital music was included until the end of 2017, and E-books were included until 2019.

<span class="mw-page-title-main">Gatekeeper (macOS)</span> Security feature of macOS

Gatekeeper is a security feature of the macOS operating system by Apple. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. Gatekeeper builds upon File Quarantine, which was introduced in Mac OS X Leopard and expanded in Mac OS X Snow Leopard. The feature originated in version 10.7.3 of Mac OS X Lion as the command-line utility spctl. A graphical user interface was originally added in OS X Mountain Lion (10.8) but was backported to Lion with the 10.7.5 update.

Windows 8, a major release of the Microsoft Windows operating system, was available in four different editions: Windows 8 (Core), Pro, Enterprise, and RT. Only Windows 8 (Core) and Pro were widely available at retailers. The other editions focus on other markets, such as embedded systems or enterprise. All editions support 32-bit IA-32 CPUs and x64 CPUs.

<span class="mw-page-title-main">Windows RT</span> 2012 device-oriented operating system from Microsoft

Windows RT is a mobile operating system developed by Microsoft. It is a version of Windows 8 or Windows 8.1 built for the 32-bit ARM architecture (ARMv7). First unveiled in January 2011 at Consumer Electronics Show, the Windows RT 8 operating system was officially launched alongside Windows 8 on October 26, 2012, with the release of three Windows RT-based devices, including Microsoft's original Surface tablet. Unlike Windows 8, Windows RT is only available as preloaded software on devices specifically designed for the operating system by original equipment manufacturers (OEMs).

References

  1. "AppLocker". Microsoft TechNet . Microsoft. Retrieved 23 August 2012.
  2. "Using Software Restriction Policies to Protect Against Unauthorized Software". Microsoft TechNet . Microsoft. Retrieved 27 July 2017.
  3. "Windows Versions That Support AppLocker". Microsoft. Retrieved 27 July 2017.
  4. Visser, Erwin (18 April 2012). "Introducing Windows 8 Enterprise and Enhanced Software Assurance for Today's Modern Workforce". Windows for your Business. Microsoft. Archived from the original on 25 December 2012. Retrieved 22 November 2012.
  5. Dudau, Vlad (10 June 2015). "Microsoft shows OEMs how to market Windows 10; talks features and SKUs". Neowin. Neowin LLC. Retrieved 19 June 2015.
  6. "Find out which Windows is right for you". Microsoft. Microsoft Inc. Retrieved 2 July 2015.
  7. "Removal of Windows edition checks for AppLocker". Microsoft. Microsoft Inc. Retrieved 22 February 2023.
  8. "AppLocker Bypass – InstallUtil". Penetration Testing Lab. 8 May 2017. Retrieved 27 July 2017.
  9. "AppLocker Bypass Techniques". Evi1cg's blog. Retrieved 27 July 2017.
  10. "How to Bypass Windows AppLocker". Hacking Tutorial. 19 April 2017. Retrieved 27 July 2017.
  11. "caseysmithrc/gethelp.cs". Github Gist. Archived from the original on 14 May 2019. Retrieved 14 May 2019.
  12. "Bypassing Application Whitelisting". CERT/CC Blog. Retrieved 27 July 2017.