Asi implementing-application-whitelisting-with-applocker
install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/implementing-application-whitelisting-with-applocker" ~/.claude/skills/plurigrid-asi-implementing-application-whitelisting-with-applocker && rm -rf "$T"
manifest:
plugins/asi/skills/implementing-application-whitelisting-with-applocker/SKILL.mdsource content
Implementing Application Whitelisting with AppLocker
When to Use
Use this skill when:
- Implementing application control to prevent unauthorized software execution on Windows endpoints
- Meeting compliance requirements (PCI DSS 6.4.3, NIST 800-53 CM-7, ACSC Essential Eight)
- Blocking common attack vectors: living-off-the-land binaries (LOLBins), script-based attacks, unauthorized admin tools
- Restricting software installation in kiosk, POS, or high-security environments
Do not use this skill for macOS/Linux application control (use OS-native tools like Gatekeeper or AppArmor) or for enterprise-grade WDAC (Windows Defender Application Control) deployments.
Prerequisites
- Windows 10/11 Enterprise or Education, or Windows Server 2016+
- Application Identity service (AppIDSvc) enabled on target endpoints
- Active Directory with Group Policy Management Console (GPMC)
- Complete application inventory of approved software
- Test OU with representative endpoints for policy validation
Workflow
Step 1: Inventory Approved Applications
Before creating AppLocker rules, catalog all legitimate software:
# Generate application inventory on reference endpoint Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse ` -FileType Exe | Export-Csv "C:\AppLocker\app_inventory_progfiles.csv" -NoTypeInformation Get-AppLockerFileInformation -Directory "C:\Program Files (x86)" -Recurse ` -FileType Exe | Export-Csv "C:\AppLocker\app_inventory_progfiles86.csv" -NoTypeInformation # Include Windows system executables Get-AppLockerFileInformation -Directory "C:\Windows" -Recurse ` -FileType Exe | Export-Csv "C:\AppLocker\app_inventory_windows.csv" -NoTypeInformation
Step 2: Create AppLocker Policy with Default Rules
# In Group Policy Editor (gpedit.msc) or GPMC: # Navigate to: Computer Configuration → Policies → Windows Settings # → Security Settings → Application Control Policies → AppLocker # Enable default rules for each rule collection: # - Executable Rules: Allow Everyone to run files in Program Files and Windows # - Windows Installer Rules: Allow Everyone to run digitally signed MSIs # - Script Rules: Allow Everyone to run scripts in Program Files and Windows # - Packaged App Rules: Allow Everyone to run signed packaged apps # PowerShell: Generate default rules $defaultRules = Get-AppLockerPolicy -Local -Xml Set-AppLockerPolicy -XmlPolicy $defaultRules -Merge
Step 3: Create Publisher-Based Rules (Preferred)
Publisher rules are the most maintainable since they survive application updates:
<!-- Example AppLocker policy XML for publisher rules --> <RuleCollection Type="Exe" EnforcementMode="AuditOnly"> <!-- Default: Allow Windows binaries --> <FilePublisherRule Id="a9e18c21-ff54-4677-b3ac-4b9a03261f6c" Name="Allow Microsoft signed" Description="Allow all Microsoft-signed executables" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*"/> </FilePublisherCondition> </Conditions> </FilePublisherRule> <!-- Allow specific third-party vendor --> <FilePublisherRule Id="b2e28c32-aa65-5788-c4bd-5c0b14372e7d" Name="Allow Adobe Acrobat" Description="Allow Adobe-signed Acrobat executables" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ADOBE INC.*" ProductName="ADOBE ACROBAT*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*"/> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection>
Step 4: Block Known-Abused Binaries (LOLBins)
# Deny rules for commonly abused living-off-the-land binaries # These are legitimate Windows tools frequently used by attackers $denyPaths = @( "%SYSTEM32%\mshta.exe", "%SYSTEM32%\wscript.exe", "%SYSTEM32%\cscript.exe", "%SYSTEM32%\regsvr32.exe", "%SYSTEM32%\certutil.exe", "%SYSTEM32%\msbuild.exe", "%SYSTEM32%\installutil.exe", "%WINDIR%\Microsoft.NET\Framework\*\msbuild.exe", "%WINDIR%\Microsoft.NET\Framework64\*\msbuild.exe" ) # Create deny rules in AppLocker policy for standard users # Important: Deny rules take precedence over Allow rules # Apply only to standard users (not admins who may need these tools)
Step 5: Configure Script Rules
Script Rules (critical for preventing script-based attacks): Allow: - Scripts in C:\Program Files\* (publisher or path-based) - Scripts in C:\Windows\* (default Windows scripts) - Approved admin scripts from \\fileserver\scripts\* Deny (for standard users): - PowerShell scripts from user-writable directories - VBScript from %TEMP%, %APPDATA%, %USERPROFILE%\Downloads - JavaScript (.js) from any user-writable location DLL Rules (optional, high performance impact): - Enable only in high-security environments - Allow signed DLLs from Program Files and Windows directories - Performance impact: 5-10% CPU increase during DLL loading
Step 6: Deploy in Audit Mode First
# CRITICAL: Always deploy AppLocker in Audit mode before Enforce mode # Audit mode logs what would be blocked without actually blocking # Set enforcement mode to Audit Only in GPO: # AppLocker → Executable Rules → Properties → Configured: Audit only # AppLocker → Script Rules → Properties → Configured: Audit only # AppLocker → Windows Installer Rules → Properties → Configured: Audit only # Ensure Application Identity service is running Set-Service -Name AppIDSvc -StartupType Automatic Start-Service AppIDSvc # Link GPO to test OU New-GPLink -Name "AppLocker-Audit-Policy" ` -Target "OU=AppLocker-Pilot,DC=corp,DC=example,DC=com" # Monitor audit logs for 2-4 weeks # Event Log: Applications and Services Logs → Microsoft → Windows → AppLocker # Event IDs: # 8003 = EXE/DLL would be blocked # 8006 = Script/MSI would be blocked # 8023 = Packaged app would be blocked
Step 7: Analyze Audit Logs and Refine Rules
# Export AppLocker audit events Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" ` -FilterXPath "*[System[EventID=8003]]" | Select-Object TimeCreated, @{N='User';E={$_.Properties[0].Value}}, @{N='FilePath';E={$_.Properties[1].Value}}, @{N='FileHash';E={$_.Properties[4].Value}} | Export-Csv "C:\AppLocker\audit_blocked_exes.csv" -NoTypeInformation # Review blocked applications # For each blocked legitimate application: # 1. Create a publisher rule (if signed) or path rule (if unsigned) # 2. Add to AppLocker policy # 3. Re-audit for 1 additional week
Step 8: Switch to Enforce Mode
# After audit period with no legitimate applications blocked: # Change enforcement mode from Audit to Enforce # Update GPO: # AppLocker → Executable Rules → Properties → Configured: Enforce rules # AppLocker → Script Rules → Properties → Configured: Enforce rules # Phased enforcement: # Week 1: Enforce EXE rules only # Week 2: Enforce Script rules # Week 3: Enforce MSI rules # Week 4: (Optional) Enforce DLL rules # Maintain monitoring: Event IDs 8004 (blocked EXE), 8007 (blocked script)
Key Concepts
| Term | Definition |
|---|---|
| Application Whitelisting | Security model that allows only pre-approved applications to execute, denying everything else by default |
| Publisher Rule | AppLocker rule based on digital signature; most resilient to application updates |
| Path Rule | AppLocker rule based on file system path; less secure as attackers can place files in allowed paths |
| Hash Rule | AppLocker rule based on file hash; most restrictive but breaks on every application update |
| LOLBin | Living Off the Land Binary; legitimate OS tool abused by attackers to avoid detection |
| Audit Mode | AppLocker logs policy violations without blocking; essential for rule refinement |
| Enforcement Mode | AppLocker actively blocks applications that violate policy rules |
Tools & Systems
- AppLocker (built-in): Windows application control feature in Enterprise/Education editions
- WDAC (Windows Defender Application Control): More advanced successor to AppLocker for modern Windows
- Microsoft LAPS: Manages local admin passwords to prevent bypassing AppLocker via admin rights
- WDAC Wizard: GUI tool for creating Windows Defender Application Control policies
- AaronLocker: Open-source AppLocker rule generator by Microsoft employee (GitHub)
Common Pitfalls
- Skipping Audit mode: Deploying AppLocker in Enforce mode without audit period will block critical applications and cause outages.
- Relying solely on path rules: Users with write access to allowed paths (C:\Windows\Temp) can bypass path-based rules. Prefer publisher rules.
- Not blocking user-writable directories: The most common gap is allowing execution from %TEMP%, Downloads, or %APPDATA%.
- Forgetting Application Identity service: AppLocker requires the AppIDSvc service running. If it stops, all rules stop enforcing.
- Admin bypass: Local administrators can bypass AppLocker by default. For full enforcement, combine with WDAC which enforces for all users including admins.
- DLL rule performance: Enabling DLL rules creates significant performance overhead. Only enable in high-security environments where the tradeoff is justified.