Solved

AppLocker Whitelist/Blacklist

Posted on 2014-07-21
9
437 Views
Last Modified: 2014-07-31
is there a recommended BL/WL for AppLocker?
0
Comment
Question by:DukewillNukem
  • 4
  • 3
  • 2
9 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40208812
Hi.

This cannot exist as companies use different programs.
Tell us what problem you face where this list would help, please.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40208821
You have to determine that yourself... Most of the native OS programs obviously can be tursted, however do you really want them to run? You can use ShadowCopy to copy the SAM or NTDS.dit files, or use the NTDSutil in 2008 to make a copy of both the SAM and NTDS.dit file... That isn't a good thing for most people, so maybe you actually want to black-list that one or others that may be similarly abused.
-rich
0
 

Author Comment

by:DukewillNukem
ID: 40211345
ok,ill try a differetn approach instead: im also deploying EMET and im not sure if AL will be really needed? are there any use cases/best practices where it shows how those two technologies could be combined?
0
Register Today - IoT Current and Future Threats

Are you prepared to protect your organization from current and future IoT Threats?  Join our Wi-Fi expert in episode three of our webinar series for a look at the current state of Wi-Fi IoT and what may lie ahead. Register for our live webinar on April 20th at 9 am PDT!

 
LVL 54

Expert Comment

by:McKnife
ID: 40211385
Where is the connection EMET<->Applocker? I don't see it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40211422
No studies, because they are two different things. EMET hopes to apply mitigations to programs from being exploitable via memory and overflow conditions, while AL wants to prevent certain programs from executing altogether. You can do both, and probably should.
-rich
0
 

Author Comment

by:DukewillNukem
ID: 40211591
ok,is there a best practice doc by M$?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 40211627
EMET has Forum support or if you pay for Microsoft Premier Support Services.
http://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet
http://blogs.technet.com/b/srd/archive/tags/emet/
http://blogs.technet.com/b/srd/
http://blogs.technet.com/b/srd/archive/2014/04/30/continuing-with-our-community-driven-customer-focused-approach-for-emet.aspx
http://blogs.technet.com/b/security/ <-- first article, run as a non-administrator to be safe...
The last link above may help you the most, it talks about how and what you need to do to secure windows:
Principal of Least Privilege, Locking down Java/Flash, proper use of user rights/groups.
-rich
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40212483
I think he meant BPs for Applocker.
No, there are no official MS best practices.

But what would you expect to get? Of course the best here is the one that is most secure while being functional and non-intrusive to users. And the most secure is the one that uses a whitelist with only known applications, as simple as that. If that can be non-intrusive? Sure, if the admin does a good job... anytime.

So to help you, you need to tell us your goal, what are you trying to protect against what possible risk? What is your scenario, detailed?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40231737
Duke, you make me shake my head a little. You ask for Applocker, and accept an answer about EMET best practices and ignore my questions.
While it is perfectly ok to close a question as you like, it is not ok to ignore offers.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question