Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET!
Windows Client OS

Block Untrusted Apps Using AppLocker

In today’s Ask the Admin, I will share my strategy for using AppLocker to block untrusted apps.



Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

Application Control, along with removing administrative privileges from users, is an essential part of your defense-in-depth strategy. Users with local administrative privileges can always find ways to bypass AppLocker and other Group Policy settings. If you are serious about controlling what users can install, the first and most important step is to remove users from the local Administrators group.

Removing users from the Administrators group is not enough to block portable applications. The Google Chrome installer offers users who do not have administrative privileges the option to install the browser for the logged-in user only.

Fortunately, it is enough to enable AppLocker with the default rules to block the Chrome installer. The default AppLocker rules only permit executables to run from trusted locations, such as the Windows directory. Standard users, those that are not members of the local Administrators group, do not have write access to trusted locations.

Google offers Chrome as a Windows Installer (.msi) download for enterprise distribution. The default AppLocker rules allow .msi files to run from publishers trusted by Windows. Google signs the MSI, so it runs. However, unlike the consumer version of the Chrome installer, it will not install Chrome without administrator privileges.

AppLocker Goals

For many organizations, the default AppLocker rules combined with standard user accounts can provide a fair amount of additional protection against malware. AppLocker can be configured to be more restrictive but that can make endpoints harder to manage. How you decide to configure AppLocker depends on what your goal is:

  1. Do you want to use AppLocker as a defense mechanism against malware?
  2. Do you want to prevent users from installing software that is not approved by IT?
  3. Do you want both of the above?

In my experience, AppLocker is buggy. It does not always do what is written on the tin. It does not provide enough flexibility to really lock down an environment while providing users the scope they need to get work done.

Modifying the default Windows Installer rules in AppLocker (Image Credit: Russell Smith)
Modifying the Default Windows Installer Rules in AppLocker (Image Credit: Russell Smith)

Who Do You Trust?

The default rules for AppLocker are sufficient to act as additional protection against malware, with the exception of Windows Installer Rules. It allows all trusted .msi files to run. The problem with this is that it might allow a user, in theory at least, to install a web browser from a trusted publisher. From here, any number of vulnerabilities could be exploited.

AppLocker rules (Image Credit: Russell Smith)
AppLocker Rules (Image Credit: Russell Smith)

I prefer to create a series of Windows Installer rules that allow users to install applications from trusted publishers. Rather than use the default Windows Installer rule that allows all signed files to run, I modify the default rule. I only allow files signed by Microsoft, instead of all digitally signed Windows Installer files. I also add additional rules for publishers that I trust, such as Google and Dell.

AppLocker at work (Image Credit: Russell Smith)
AppLocker at Work (Image Credit: Russell Smith)

If needed, I add publisher Executable rules, which allows users to install portable applications from publishers I trust. For example, I could allow users to install Google Chrome but block all other portable apps. You might also want to add Microsoft as a trusted publisher in Executable rules. It is best to avoid creating deny rules, as they always take precedence. If needed, it is possible to create exceptions to allow rules.

For more information on configuring AppLocker, see Setting Application Control Policies with Microsoft’s AppLocker on Petri.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By