Solved

Applocker ignoring user security groups

Posted on 2014-04-28
Last Modified: 2014-04-30
My AppLocker policy appears to be behaving incorrectly, and I need to know if this is the type of behavior I should expect with the way the policy is set up.

Running Windows 2008 R2, all Windows 7 Ultimate clients.  Application Identity service enabled and started, and we have successfully used AppLocker for nearly 2 years now.  The Executable rules are being enforced, Windows Installer set to Audit only, and Script rules are not configured.  I never edit my policy right from GPO, I export it to my local desktop and edit it from my local security policy editor and then export/import back into my GPO.

I have a screenshot of a basic AppLocker policy that is not applying correctly in my mind.  With this policy (which I rebuilt as a test), I experience the following results when trying to open a .EXE from this location.
%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\CITRIX\LAUNCHER\CITRIXONLINELAUNCHER.EXE

The user account which is a member of the Domain Admin security group gets blocked by the AppLocker policy when trying to launch GoToMeeting.

The user that is a member of the AppLocker Group, can run GoToMeeting.

The Administrator can launch GoToMeeting.

My path rules that are named All Files simply have an * for the path.  The AppLocker PC group contains every PC in the organization except Administrative computers, with Exceptions for C:\Program Files (x86)\* and C:\Windows\Temp\*

If I change my Allow rules from the security group Domain Admin, to just a username account then it allows the user to launch GoToMeeting.  Even though they are a member of the Domain Admin group.

What is the "catch all" for an administrative group to be able to install .EXEs using AppLocker?
applocker-policy.JPG
Question by:jmchristy
9 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40027865
Deny actions override allow actions in all cases. So if you deny *.exe, this will not let anyone of the group start that .exe, no matter if allowed by other rules.

Could it be that you ignored that?

Author Comment

by:jmchristy
ID: 40027870
I considered that...but I prove that incorrect by modifying the Allow rule for Domain Admins and substituting a user account for the security group.  If I log on with that user account, I can launch GoToMeeting.

That rule is simply a path rule for *, and the Deny rule is still in place....and it works.
LVL 54

Expert Comment

by:McKnife
ID: 40027891
It should be easy to solve, or at least to say if it's malfunctioning, if we had the rules and all memberships listed. Your picture does not show what exceptions the deny rule has, for example, and I am not sure what account is in what group.

Author Comment

by:jmchristy
ID: 40027916
The first 3 rules are the default Executable AppLocker rules that give full access to all files on the local system to Administrators, Program Files, and the Windows folder.

I did say what my exceptions were for that Deny rule.
C:\Program Files (x86)\*
C:\Windows\Temp\*

The Applocker PC security group has all non-admin computer accounts in the domain.
The Applocker Group security group has all non-admin user accounts in the domain.
Domain Admins security group has all administrative user accounts (4 users)

I'm testing this with my user account, which is part of the Domain Admin group.  

If I modify the bottom rule, which is supposed to be applied to Domain Admins, to just my user account, then I am able to run GoToMeeting.  If I leave it as applying to Domain Admins, I get the blocked by AppLocker message.

I tested this with another user account that is a member of the Domain Admin group, and the same thing happens.  I've also tried a different security group, and it gets blocked as well.

It's just bizarre that if I change it to a user account, that same rule, it works for that user.
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40027934
You are denying the computer accounts only? So the deny rule will not matter here. The reason why domain admins are denied access is that with UAC on, they are only treated as local admins if they elevate. Also, they are not part of the AppLocker group.

So it's expected behavior.

Author Comment

by:jmchristy
ID: 40031830
The workaround for this was to change my rule from Domain Admins to another security group that I created.  I believe I stated earlier that it did not work, but I chose an incorrect group when I was testing.

So if you look at my All files rule that is applied to Domain Admins, changing that from Domain Admins to another security group did the trick.

Thanks for the help.

Author Closing Comment

by:jmchristy
ID: 40031831
Helped point me in the right direction to find a solution...
LVL 54

Expert Comment

by:McKnife
ID: 40031969
I think it was not only a direction-pointer. The domain admin group is also stripped from the token by UAC, so users have to elevate in order to use it (and so does AppLocker) - if I remember correctly.

Author Comment

by:jmchristy
ID: 40031987
You are correct, I found a few other posts on social.technet.microsoft.com that speak to that.

http://social.technet.microsoft.com/Forums/windows/en-US/34a10cfe-d21b-45fc-8756-b5614eebd287/applocker-default-executable-allow-rule-for-administrators-doesnt-work?forum=w7itprosecurity

It's funny though that I never ran across that following Microsoft's TechNet article years ago for implementing AppLocker, and I still don't find a reference to it.  

If someone else comes across where Microsoft states "oh, by the way, don't use the Domain Admin group (or any other built-in group for that matter) in your rules unless you enjoy right-clicking everything and selecting Run As Administrator"... please post it here!
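The behaviour the thread lands on (UAC filtering administrative groups such as Domain Admins out of the unelevated token, so an Allow rule scoped to that group never matches) can be checked on the client rather than inferred from the "blocked" dialog. The script below is an added example written for this page, not code posted in the thread or shipped by Microsoft. It assumes the AppLocker PowerShell module (Get-AppLockerPolicy and Test-AppLockerPolicy, present on Windows 7 / Server 2008 R2 and later), that the launcher path from the question exists on the test machine, and that `whoami /groups` marks filtered groups with the text "Group used for deny only" in its Attributes column.

```powershell
# Added example (not from the thread): compare what UAC left in the live
# token with how AppLocker's effective policy evaluates the launcher.
Import-Module AppLocker

# Path taken from the question; adjust for the account under test.
$exe = "$env:LOCALAPPDATA\Citrix\Launcher\CitrixOnlineLauncher.exe"

# 1) Inspect the current logon token. UAC keeps admin-type groups in the
#    unelevated token but flags them deny-only, so they can still match a
#    Deny rule yet never satisfy an Allow rule scoped to that group.
$tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
$denyOnly = $tokenGroups | Where-Object { $_.Attributes -match 'deny only' }

if ($denyOnly) {
    "Groups in the token that are usable for DENY evaluation only:"
    $denyOnly | Select-Object 'Group Name', SID | Format-Table -AutoSize
} else {
    "No deny-only groups: this is an elevated session or a non-admin token."
}

# 2) Ask AppLocker what the effective policy says about the file for this
#    user. -User accepts a name or SID. Assumption: the cmdlet resolves the
#    named user's group membership itself rather than reading the filtered
#    token, so an 'Allowed' verdict here alongside a deny-only entry above is
#    exactly the symptom described in the question (allowed on paper,
#    blocked at the desktop until the process is elevated).
$user = "$env:USERDOMAIN\$env:USERNAME"

if (Test-Path -LiteralPath $exe) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $exe -User $user |
        Select-Object FilePath, PolicyDecision, MatchingRule
} else {
    "Launcher not found at $exe; copy the file there or change `$exe first."
}
```

Run it twice from the same domain-admin account, once in a normal console and once in an elevated one: the deny-only list should be empty only in the elevated session, which is why the Allow rule works after "Run as administrator" and why scoping the rule to a custom, non-administrative security group (the thread's workaround) avoids the problem entirely.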