sunhux

asked on

Propagate Applocker rules to all laptops/PCs in the domain

Ok, after I've created a set of rules, how do I propagate them to all PCs/laptops in
the domain? Using RSAT or SCCM or ?

The PCs/laptops are on Win 7 Enterprise.

Basically the rules block cmd.exe & mmc.exe from being run by all domain users
on all laptops/PCs except a handful (about 12 domain IDs that belong to the end
user support team).
Shaun Vermaak

You distribute it via a Group Policy that contains the AppLocker rules
I hope you used hash rules? Also don't forget that scripts can be executed nevertheless, so for a waterproof concept, whitelisting is preferred over blacklisting.
sunhux

ASKER

>Group Policy that contains the AppLocker rules
Have a screen shot to show a sample of how this is done?

Whitelisting has the risk of causing more disruptions than blacklisting, though I agree it's more foolproof:
hopefully I don't have clever users who know how to make copies of, say, cmd.exe & Powershellxx.exe;
these 2 binaries are known to be used by ransomware to exploit.
ASKER CERTIFIED SOLUTION
Shaun Vermaak

If we use a publisher rule like in the screenshot to block (and not allow) an executable, a simple copying and renaming will allow us to run it. I would not recommend that. Don't use blacklisting, it is quite easily circumvented.
Sunhux, you should take a test workstation and create rules for whitelisting and enforce audit mode (there are two modes: enforce or audit only), then have a script find all executables and execute those, then adjust the rules if needed and re-test. This is a major project and will take time, but really, blacklisting is not the right approach to arm oneself against malware/ransomware.
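An added example of the audit-first whitelist workflow described in the comment above; it is not code from any of the posters. It assumes a reference workstation whose trusted software lives under C:\Windows and C:\Program Files, a test account CONTOSO\testuser, and a placeholder LDAP path for the domain GPO.

```powershell
# Added example (not from the thread). Build an allow-list policy from a clean
# reference workstation, set it to audit-only, dry-run it against other paths,
# and read back the events that show what enforcement would have blocked.
# Assumed: C:\Windows and C:\Program Files hold the trusted build; the user
# account and GPO LDAP path below are placeholders.
Import-Module AppLocker

# 1. Inventory the executables the reference build actually contains.
$files = foreach ($dir in 'C:\Windows', 'C:\Program Files') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate allow rules: publisher rules for signed binaries (renaming a
#    file does not change its signature), hash rules as the fallback for
#    unsigned ones. -Optimize merges overlapping rules.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Force the Exe collection into audit-only before anyone receives it.
$xml = [xml]$policyXml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.EnforcementMode = 'AuditOnly' }
}
$xml.Save('C:\Temp\AppLocker-Audit.xml')

# 4. Dry-run: which executables outside the inventory would a normal user
#    be denied? Each hit is a rule still missing before enforcement.
Get-ChildItem 'C:\Program Files (x86)' -Recurse -Include *.exe |
    Test-AppLockerPolicy -XmlPolicy 'C:\Temp\AppLocker-Audit.xml' `
        -User 'CONTOSO\testuser' -Filter Denied

# 5. Apply locally on the test machine, let users work for a while, then
#    harvest the audit events (8003 = allowed, but would have been blocked).
Set-AppLockerPolicy -XmlPolicy 'C:\Temp\AppLocker-Audit.xml'
Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Sort-Object -Property Path -Unique

# 6. Once the audited list is empty, push the policy into the domain GPO
#    (placeholder DN) and change EnforcementMode to 'Enabled'.
# Set-AppLockerPolicy -XmlPolicy 'C:\Temp\AppLocker-Audit.xml' `
#     -Ldap 'LDAP://DC01.contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
```

The Application Identity service must be running on each client for any of this to take effect, and Set-AppLockerPolicy without -Merge replaces the existing policy rather than adding to it.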
SOLUTION
Right. It's the name as in the digital signature, not the name of the actual file that matters.
So is this statement true or false?
If we use a publisher rule like in the screenshot to block (and not allow) an executable, a simple copying and renaming will allow us to run it.

Not trying to be difficult, just making sure I understand correctly