AppLocker
AppLocker is an application whitelisting technology introduced with Microsoft's Windows 7 operating system. It allows restricting which programs users can execute based on the program's path, publisher, or hash,[1] and in an enterprise can be configured via Group Policy.
Summary
Windows AppLocker lets administrators control which files are allowed or denied execution. Rules are organised into collections for executables, Windows Installer files, scripts, DLLs and packaged apps, and each rule matches files by path, by publisher (the Authenticode signer, optionally narrowed to product, file name and version) or by file hash. Unlike the earlier Software Restriction Policies, which were originally available for Windows XP and Windows Server 2003,[2] AppLocker rules can be scoped to individual users or groups. Enforcement is set per rule collection: in 'Audit only' mode violations are written to the AppLocker event log but the file still runs, so administrators can review what a rule set would have blocked before switching the collection to 'Enforce rules'. Because policies are deployed per computer through Group Policy, a pilot set of machines can run in audit mode before the same rules are enforced more widely.
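The audit-before-enforce workflow described above, as an added example in PowerShell (this is not code from the article or from Microsoft's documentation). It assumes an elevated session on an edition that supports AppLocker, that the Application Identity service (AppIDSvc) is running so events are logged, and that the inventory directory `$env:ProgramFiles\ExampleVendor` is a placeholder for your own software root:

```powershell
# Added example, not part of the original article. Builds an AppLocker
# executable policy from the binaries in a directory, applies it in audit
# mode, tests a file against the effective policy, then reads the audit events.
Import-Module AppLocker

# Assumption: replace with the directory whose executables you want to allow.
$inventoryPath = "$env:ProgramFiles\ExampleVendor"

# Collect publisher, hash and path information for every .exe under the root.
$fileInfo = Get-AppLockerFileInformation -Directory $inventoryPath -Recurse -FileType Exe

# Prefer publisher rules (they survive version updates); unsigned binaries
# fall back to hash rules. Rules apply to the Everyone group. -Optimize
# collapses files from the same publisher/product into one rule.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Inventory' -Optimize

# Put every rule collection in the generated policy into audit-only mode.
# (Assumes the RuleCollections/EnforcementMode properties of the policy object.)
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# Merge with the existing local policy instead of overwriting it.
Set-AppLockerPolicy -PolicyObject $policy -Merge

# Check what the effective (local + Group Policy) policy decides for one file.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:windir\System32\cmd.exe" -User Everyone

# Audit findings: event ID 8003 means "was allowed to run but would have been
# prevented if the policy were enforced"; 8004 is an actual block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

New-AppLockerPolicy does not add the default rules that allow everything under %WINDIR% and %PROGRAMFILES%; a policy generated this way and switched to 'Enforce rules' without them will block Windows components and lock standard users out, which is exactly what the audit pass is meant to reveal first.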
AppLocker availability charts
Windows 7 editions:[3]
Starter | Home Basic | Home Premium | Professional | Enterprise | Ultimate
---|---|---|---|---|---
No | No | No | Create policies, but cannot enforce | Create and enforce policies | Create and enforce policies
Windows 8 and 8.1 editions:[4]
RT | Windows 8 (Core) | Pro | Enterprise
---|---|---|---
No | No | No | Yes
Windows 10 editions (edition checks were removed in later releases):[5][6][7]
Home | Pro | Enterprise | Education
---|---|---|---
Yes | Yes | Yes | Yes
Bypass techniques
There are several generic techniques for bypassing AppLocker:
- Writing an unapproved program to a whitelisted location, typically a user-writable subdirectory of a path that a path rule (such as the default rule for %WINDIR%) allows.
- Using a whitelisted program as a delegate to launch an unapproved program, for example a signed Windows binary such as InstallUtil that loads and runs caller-supplied code.[8][9][10][11]
- Hijacking the DLLs loaded by a trusted application in an untrusted directory, which works when the DLL rule collection is not enforced.[12]
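A check for the first bypass above, as an added example in PowerShell (not code from the article or from any of the cited sources). It reads the effective AppLocker policy, resolves the path conditions of the Exe allow rules, and probes which directories under those roots the current user can write to; the variable-to-directory map and the probe depth are the example's own assumptions:

```powershell
# Added example, not part of the original article. Finds directories from
# which the effective AppLocker policy allows executables and reports those
# the current user can write to. Run as the ordinary (non-admin) user whose
# reach you want to measure.
Import-Module AppLocker

# Assumption: mapping of AppLocker path variables to real directories.
$varMap = @{
    '%WINDIR%'       = $env:windir
    '%SYSTEM32%'     = "$env:windir\System32"
    '%PROGRAMFILES%' = $env:ProgramFiles
    '%OSDRIVE%'      = $env:SystemDrive
}

function Resolve-AppLockerPath([string]$p) {
    foreach ($k in $varMap.Keys) { $p = $p -replace [regex]::Escape($k), $varMap[$k] }
    return $p
}

# Pull every path condition from Allow rules in the Exe collection.
[xml]$xml = (Get-AppLockerPolicy -Effective).ToXml()
$allowedRoots = $xml.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.FilePathRule } |
    Where-Object { $_ -and $_.Action -eq 'Allow' } |
    ForEach-Object { $_.Conditions.FilePathCondition.Path } |
    ForEach-Object { (Resolve-AppLockerPath $_) -replace '\\?\*$', '' } |
    Sort-Object -Unique

# Try to create and delete a uniquely named file; success means writable.
function Test-Writable([string]$dir) {
    $probe = Join-Path $dir ('applocker-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Walk each allowed root a few levels deep (depth is an arbitrary limit).
foreach ($root in $allowedRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 3 -ErrorAction SilentlyContinue |
        Where-Object { Test-Writable $_.FullName } |
        ForEach-Object {
            [pscustomobject]@{ AllowedRoot = $root; WritableDir = $_.FullName }
        }
}
```

The script only looks at path-based allow rules; it ignores deny rules and exceptions, so a directory it reports may already be covered by one. Each reported directory is a candidate for an explicit deny rule (or an exception on the allow rule), and the same audit-mode event log described earlier shows whether anything is already being launched from it.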
References
- ^ "AppLocker". Microsoft TechNet. Microsoft. Retrieved 23 August 2012.
- ^ "Using Software Restriction Policies to Protect Against Unauthorized Software". Microsoft TechNet. Microsoft. Retrieved 27 July 2017.
- ^ "Windows Versions That Support AppLocker". Microsoft. Retrieved 27 July 2017.
- ^ Visser, Erwin (18 April 2012). "Introducing Windows 8 Enterprise and Enhanced Software Assurance for Today's Modern Workforce". Windows for your Business. Microsoft. Archived from the original on 25 December 2012. Retrieved 22 November 2012.
- ^ Dudau, Vlad (10 June 2015). "Microsoft shows OEMs how to market Windows 10; talks features and SKUs". Neowin. Neowin LLC. Retrieved 19 June 2015.
- ^ "Find out which Windows is right for you". Microsoft. Microsoft Inc. Retrieved 2 July 2015.
- ^ "Removal of Windows edition checks for AppLocker". Microsoft. Microsoft Inc. Retrieved 22 February 2023.
- ^ "AppLocker Bypass – InstallUtil". Penetration Testing Lab. 8 May 2017. Retrieved 27 July 2017.
- ^ "AppLocker Bypass Techniques". Evi1cg's blog. Retrieved 27 July 2017.
- ^ "How to Bypass Windows AppLocker". Hacking Tutorial. 19 April 2017. Retrieved 27 July 2017.
- ^ "caseysmithrc/gethelp.cs". Github Gist. Archived from the original on 14 May 2019. Retrieved 14 May 2019.
- ^ "Bypassing Application Whitelisting". CERT/CC Blog. Retrieved 27 July 2017.