Applocker Configuration Template

Description

This is a template for implementing AppLocker using BigFix.

The script was written for imaging, therefore the relevance is simply True. We are only working with Appx (packaged app) rules in Windows 10; the other rule collection types are configured the same way. In this example, I only want the Administrator account to have access to Settings and block access for all other users. Since AppLocker rules are scoped by user or group SID, I am using PowerShell to pull the SID of the Administrator account, which is then substituted into the windows.immersivecontrolpanel.appx rule. All of the other rules apply to Everyone (SID S-1-1-0).

The XML part of the script gets messed up when being displayed on Bigfix.me, therefore I have provided it below. If you download the .bes file it will be correct. Note that the doubled brace in the Allow rule's UserOrGroupSid value is intentional: inside a BigFix createfile block a literal open brace has to be doubled, so the file written to disk contains the single-brace .NET placeholder that the PowerShell -f operator replaces with the Administrator SID.

<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="f9e7ee63-13da-4646-8f44-f8bed6c4e75e" Name="windows.immersivecontrolpanel, from Microsoft Corporation" Description="" UserOrGroupSid="{{0}" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="windows.immersivecontrolpanel" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="6e977e00-e0e1-4b26-a163-9ba2c251e5c5" Name="Microsoft.BioEnrollment, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BioEnrollment" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
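The check a practitioner wants before pushing this policy is a dry run: render the same two rules with the real Administrator SID and ask AppLocker what it would decide for each package and principal. The following PowerShell is an added example, not code from the Bigfix.me template or the .bes file. It assumes Windows 10 with the AppLocker and Microsoft.PowerShell.LocalAccounts modules, an elevated prompt, and that Test-AppLockerPolicy accepts a SID for -User; the variable names $OutDir and $OtherUser are chosen for this example. It resolves the built-in Administrator by its well-known RID 500 rather than by name, which is a deliberate departure from the template's name-based WMI lookup.

```powershell
# Added example (not part of the Bigfix.me template): render the template's
# Appx policy with the built-in Administrator SID and dry-run it with
# Test-AppLockerPolicy before deploying. Assumes Windows 10 with the AppLocker
# and Microsoft.PowerShell.LocalAccounts modules, run from an elevated prompt.
# $OutDir and $OtherUser are names chosen for this example.

$OutDir    = 'C:\Apps\Locker'
$OtherUser = 'S-1-5-32-545'   # BUILTIN\Users: stands in for "everyone else"

# Resolve the built-in Administrator by its well-known RID (500) instead of by
# name, so a renamed account or a same-named domain account cannot yield the
# wrong SID. (The template uses Win32_UserAccount filtered on the name.)
$adminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
             Select-Object -First 1).SID.Value
if (-not $adminSid) { throw 'Built-in Administrator (RID 500) not found' }

# Same two rules as the template. {0} is a plain .NET format placeholder here;
# inside a BigFix createfile block it has to be written {{0}.
$template = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="f9e7ee63-13da-4646-8f44-f8bed6c4e75e" Name="windows.immersivecontrolpanel, from Microsoft Corporation" Description="" UserOrGroupSid="{0}" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="windows.immersivecontrolpanel" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="6e977e00-e0e1-4b26-a163-9ba2c251e5c5" Name="Microsoft.BioEnrollment, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BioEnrollment" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$policyPath = Join-Path $OutDir 'Applocker.xml'
($template -f $adminSid) | Out-File -FilePath $policyPath -Encoding utf8

# Dry run: ask AppLocker what it would decide for each package and principal.
# With the Appx collection enforced, anything not explicitly allowed is
# DeniedByDefault, so Settings should be Allowed only for the Administrator SID
# and BioEnrollment should be Denied by the explicit Everyone rule.
$packages = @(Get-AppxPackage -Name 'windows.immersivecontrolpanel') +
            @(Get-AppxPackage -Name 'Microsoft.BioEnrollment')
foreach ($sid in @($adminSid, $OtherUser)) {
    foreach ($pkg in $packages) {
        $result = Test-AppLockerPolicy -XmlPolicy $policyPath -Packages $pkg -User $sid
        [pscustomobject]@{
            User     = $sid
            Package  = $pkg.Name
            Decision = $result.PolicyDecision
        }
    }
}

# The rules only take effect while the Application Identity service is running,
# so report its state alongside the decisions.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

Run it on a reference image before deploying the task: if the Decision column shows Allowed for the Administrator SID and DeniedByDefault for BUILTIN\Users on windows.immersivecontrolpanel, the SID substitution worked; if AppIDSvc is Stopped, the policy is in place but not yet enforced.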
Property Details

ID: 25578
Status: QA - Ready for Production Level Testing
Title: Applocker Configuration Template
Category: Bigfix.me
Source: Internal
Source ID: n0m4d1c
Source Release Date: 10/19/2018 12:00:00 AM
Keywords: Applocker Configuration Template Windows 10
Is Task: True
Added on 11/9/2018 3:10:06 PM
Last Modified on 11/12/2018 9:33:48 AM

Relevance

true

Actions

Action 1 (default)

Script Type: BigFix Action Script

//Creates the working directory and removes any previously generated files
folder create "C:\Apps\Locker"
if {exists file "C:\Apps\Locker\Applocker.ps1"}
    delete "C:\Apps\Locker\Applocker.ps1"
endif
if {exists file "C:\Apps\Locker\Applocker.xml"}
    delete "C:\Apps\Locker\Applocker.xml"
endif

//Creates a ps1 file that gets the Administrator SID and uses that to create an XML configuration file.
//Inside createfile a literal open brace must be doubled, so the doubled brace in the Allow rule's
//UserOrGroupSid becomes a single-brace .NET format placeholder in the file written to disk.
delete __createfile

createfile until _end_

# Look up the local built-in Administrator account. LocalAccount = True keeps a
# domain account of the same name out of the result on domain-joined machines.
$User = Get-WmiObject Win32_UserAccount -Filter 'Name = "Administrator" AND LocalAccount = True'

# The placeholder in the Allow rule is replaced with the account SID by the -f operator.
$xml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="f9e7ee63-13da-4646-8f44-f8bed6c4e75e" Name="windows.immersivecontrolpanel, from Microsoft Corporation" Description="" UserOrGroupSid="{{0}" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="windows.immersivecontrolpanel" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="6e977e00-e0e1-4b26-a163-9ba2c251e5c5" Name="Microsoft.BioEnrollment, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BioEnrollment" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@ -f $User.SID

$xml | Out-File C:\Apps\Locker\Applocker.xml -Encoding utf8

_end_

copy __createfile C:\Apps\Locker\Applocker.ps1

action uses wow64 redirection {not x64 of operating system}

//Runs the ps1 file that creates our configuration file.
waithidden powershell -ExecutionPolicy Bypass -command "C:\Apps\Locker\Applocker.ps1"

//Runs the command to implement the configuration file.
waithidden powershell -ExecutionPolicy Bypass -command "Set-AppLockerPolicy -XMLPolicy C:\Apps\Locker\Applocker.xml"

//Sets the Application Identity service (AppIDSvc), which AppLocker depends on, to start automatically.
//sc.exe requires the space after "start=".
waithidden sc.exe config appidsvc start= auto

// Pauses BigFix for 15 sec
parameter "start" = "{now}"
pause while {now < ( (( parameter "start" of action ) as time ) + 15* second)}

//Clean up the generated files (the checks and deletes must refer to the same paths)
if {exists file "C:\Apps\Locker\Applocker.ps1"}
    delete "C:\Apps\Locker\Applocker.ps1"
endif
if {exists file "C:\Apps\Locker\Applocker.xml"}
    delete "C:\Apps\Locker\Applocker.xml"
endif

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
