From what I see, AppLocker is just Software Restriction Policies (SRP) with some improvements and as a stand-alone solution is not enough to protect an enterprise.
So the answer is, "yes, you sill need to remove admin rights." Below is some history of the feature and my testing results to explain the reason why.
SRP had a bad reputation for some due to its cumbersome setup and maintenance. It was also very easily circumvented. Just run a restricted program from inside a .zip file and voila, there's your restricted application running.
AppLocker has made improvements to both, but maintenance is still an issue.
Behind The Scenes, Why You Still Need to Remove Admin Rights:
For AppLocker, the policies require the Application Identification Service (AppIDSvc) to be be running on the client machine. If you are running Windows 7 with Administrative Rights, this service is easily disabled as well as your AppLocker policies. What's more, as a service, it can be controlled with Registry Settings. I'll talk more about this further on in this post.
Testing:
I wanted to see what it took to initially setup AppLocker, and if it would truly protect my environment by not allowing certain software applications to run. Here's the blow-by-blow:
- Logged on as Administrative User
- Setup two of the three Default AppLocker Path Rules
Allow: All apps from Program Files Folder
Allow: All apps from Windows Folder - Created C:\Tools and C:\Program Files\InstallsAfterAppLocker Folders
- Copied notepad.exe to C:\Tools & C:\Program Files\InstallsAfterAppLocker Folders
Run notepad from C:\Tools - Got an AppLocker message, notepad doesn't start
(Expected)
Run notepad from ..\InstallsAfterAppLocker - No Message, but notepad doesn't start
(Not Expected)
Run winzip installer from ..\InstallsAfterAppLocker - Install starts but fails half-way
through (Expected but quarky)
Downloaded a scientific calculator
Run from C:\Tools - Got an AppLocker message, Calculator doesn't start (Expected)
Run from ..\InstallsAfterAppLocker, Runs Fine (Expected) - Booted in SafeMode
Set AppIDSvc to Disabled
Downloaded the GooglePack and installed it
Reset AppIDSvc to Automatic, rebooted in normal startup mode
After a short time messages began to pop up from the SystemTray from Spyware Doctor
(Part of the Google Pack)
Some GooglePack apps didn't run, other worked no problem (Not Expected) - Created several Windows Installer App Rules, Apple was not on the approved publisher list.
Downloaded the iTunes installer, wouldn't run (Expected)
Set the AppIdSvc to disabled and rebooted
Installed iTunes without issue (Expected)
Reset AppIdSvc to automatic and rebooted
iTunes still runs without issue
Then I began to think about an Administrator who utilized 'System Services' MS GPO Policy. With this policy you can set a service's startup type. In my testing, even after I disabled the AppIdSvc, I still needed to reboot for the AppLocker policies to be disabled. If GPO set this service to startup when my machine rebooted, I would still have been limited by the AppLocker policies.
As I mentioned above, services can be controlled via Reg Keys. By default, System and Administrators have full rights to HKLM\System\CurrentControlSet\services\AppIDSvc. By removing these rights you effectively negate the ability for Group Policy to alter the settings, thereby ensuring the service will not be started when you reboot.
Summary:
- Users running with standard user rights would still need a solution to allow apps requiring admin rights to run/install without having the administrator password.
- User running with Admin Rights can easily circumvent AppLocker.
- AppLocker is somewhat easier to setup than SRP was, but maintaining a white list of applications is tedious and time-consuming.
- In my experience, SRP was used to prevent users from running certain applications because they were running as Admins. Often times it wasn't that the company didn't want the application to be run, they were just concerned with what could be done with the application if given admin rights.
- Using AppLocker alone as a solution for Least Privilege would not be enough to protect your enterprise however, AppLocker and BeyondTrust Privilege Manager used together enable users to run with standard user rights complement each other nicely
I agree. AppLocker by itself seems like a great way for a home user to secure their desktop and prevent their kids from installing/using undesired applications. Using AppLocker in conjunction with GPO may "work" in securing your desktops, but as the author stated, it is a maintenance headache and still leaves open some potential security holes.
ReplyDeleteAppLocker seems like the way to go so long as the user truly understands what they trying to accomplish and that have a thorough understanding of how Windows functions not just from an Administrative way but from the actual System way itself. The average home-user I can only see getting themselves into some serious issues...but that is why they have tech support staff.
ReplyDelete