Goodbye Applocker and welcome back SRP

Update 01.12.2012: clarified Applocker support on server core installations.


Hello folks! Today I want to share some personal opinions about one Windows whitelisting technology, Applocker, and especially about its future.

Why Applocker?

Not everyone knows that Applocker is not something new (as Microsoft promotes it), but the next generation of Software Restriction Policies (SRP). SRP is the original Microsoft whitelisting technology, introduced in 2001 with the Windows XP release. For various reasons, SRP never became a popular technology among systems administrators (not to mention home users). Microsoft attempted to make SRP more flexible, user-friendly and simpler to configure and use. As a result, we got SRPv2, called Applocker, which was introduced in Windows 7 and Windows Server 2008 R2.

At first look it was a nice replacement for SRP with some useful additions. For example, we can export and import rules in XML format and create rule collections, and there are new useful variables, a nice rule creation wizard and built-in security filtering. I successfully used Applocker on my personal computers as soon as I got access to Windows 7 (previously I used SRP), as a free and powerful malware protection mechanism.

Why not Applocker?

Even though Microsoft actively promoted Applocker among IT Pros, the technology remained behind the scenes, because it was available only in the Windows 7 Ultimate and Enterprise editions. This was a bad move, because the small business market cannot always purchase Enterprise editions and commonly uses the Professional edition (a replacement for Vista Business). Windows 7 Pro has the Applocker console where you can create rules and export them, but you cannot enforce them. There is no business reason to limit Applocker to the top desktop editions (Ultimate and Enterprise). In small business (SMB) it is easier to keep similar operating systems (say, Windows 7 Pro clients and SBS servers) than it is for large enterprises. Thus, it is almost impossible for companies to use Applocker as a unified whitelisting technology, because there are systems which do not support Applocker, and companies have to maintain both technologies: Applocker for modern systems and SRP for other systems. Theoretically. In practice, SRP has better support and sometimes is better than Applocker. Here is the full list of operating systems that support Applocker:

  • Windows 7 Ultimate, Enterprise
  • Windows 8 Enterprise
  • Windows Server 2008 R2 (all editions)
  • Windows Server 2012 (all editions, except server core installation)

and SRP support:

  • Windows XP Professional, MediaCenter
  • Windows Vista Business, Ultimate, Enterprise
  • Windows 7 Professional, Ultimate, Enterprise
  • Windows 8 RT, Professional, Ultimate, Enterprise
  • Windows Server 2003 (all editions)
  • Windows Server 2008 (all editions)
  • Windows Server 2008 R2 (all editions)
  • Windows Server 2012 (all editions)

Feel the difference. Applocker also has a serious (in certain cases blocking) bug: you cannot create path rules for network locations (or mapped drives). On the other hand, SRP lacks built-in security filtering, so we have to maintain multiple group policy objects (GPOs) to allow various software usage scenarios depending on user permissions. I would also like to show you a quick table that displays feature support in Applocker and SRP:

Feature                                      | SRP             | AppLocker
---------------------------------------------+-----------------+----------------------------
Rules apply to (in a single GPO)             | All users       | Specified users and groups
Default action level                         | Unrestricted    | Deny
Has explicit "Allow" action                  | Yes, of course! | Yes, of course!
Has explicit "Deny" action                   | Yes, of course! | Yes, of course!
Has special action                           | Yes, of course! | No!
Certificate rules                            | Yes, of course! | No!
Publisher rules                              | No!             | Yes, of course!
Hash rules                                   | Yes, of course! | Yes, of course!
Network zone rules                           | Yes, of course! | No!
Path rules                                   | Yes, of course! | Yes, of course!
System environment variables                 | Yes, of course! | No!
Special environment variables                | No!             | Yes, of course!
Can read paths from registry                 | Yes, of course! | No!
Audit mode                                   | Yes, of course! | Yes, of course!
Rule collections                             | No!             | Yes, of course!
Rule creation wizard                         | Yes, of course! | Yes, of course!
Policy export/import                         | No!             | Yes, of course!
PowerShell support                           | No!             | Yes, of course!
Error messages when application is blocked   | Yes, of course! | Yes, of course!
Configurable extension list                  | Yes, of course! | No!
Can control Metro apps                       | No!             | Yes, of course!

The table displays the most important features that we may want to see in any whitelisting technology.
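
As an added example (not code from the original post), here is how the PowerShell support, XML export and per-group filtering listed in the table for Applocker look in practice: rules are generated from a reference install, forced into audit mode, and a binary is tested against the policy before anything is enforced. Assumptions: the AppLocker module is available on the machine, and C:\Program Files\ContosoApp and contoso.exe are placeholder names.

```powershell
# Added example, not from the original post: build an AppLocker policy from a
# reference directory, keep it in audit mode, test a file, then apply it locally.
# Assumptions: AppLocker module present (Win7/2008 R2 Enterprise or later);
# C:\Program Files\ContosoApp and contoso.exe are placeholders.
Import-Module AppLocker

$refDir    = 'C:\Program Files\ContosoApp'     # placeholder reference install
$policyXml = "$env:TEMP\applocker-audit.xml"   # exported policy (XML, as the table notes)

# Collect publisher and hash information for executables and DLLs under the directory.
$fileInfo = Get-AppLockerFileInformation -Directory $refDir -Recurse -FileType Exe, Dll

# Publisher rules survive version updates; hash rules cover unsigned files.
# -User is the built-in security filtering SRP lacks inside a single GPO;
# -Optimize merges rules that share the same publisher and product.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User 'Everyone' -Optimize -RuleNamePrefix 'ContosoApp'

# Start in AuditOnly for every rule collection: blocked files are only logged
# (event log Applications and Services Logs\Microsoft\Windows\AppLocker).
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $policyXml -Encoding unicode

# Dry run: would this binary be allowed for this user under the exported policy?
Test-AppLockerPolicy -XmlPolicy $policyXml -Path "$refDir\contoso.exe" -User 'Everyone'

# Apply locally, merging with any existing AppLocker rules. Once any AppLocker
# rule is configured, SRP rules on the same system stop applying.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

Review the audit events for a few days before switching EnforcementMode to Enabled, since every file not covered by a rule will otherwise be blocked under the Deny default the table shows.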

Recently I bought a new notebook and installed Windows 8 Pro. I was really disappointed when I noticed that Applocker is only partially supported there (you cannot enforce rules). I spent some time moving my Applocker rules to SRP.

Conclusion

Windows 8 is the second Windows OS generation where we can use Applocker, yet technology support is limited again. Even though SRP has a few disadvantages (compared with Applocker), better OS support makes more sense and is more decisive than anything else. I don't see any chance for Applocker to become a popular whitelisting technology in the near future. If you have something to say on the subject, you are welcome in the comments.

Comments:

Peter Kriegel 24.09.2012 21:08 (GMT+3)

Thank you for sharing this! Peter Kriegel http://www.admin-source.de

Tim 02.10.2012 16:24 (GMT+3)

AFAIK, Windows Server 2008 R2 Web and Foundation doesn't support AppLocker rules.

Vadims Podans 05.10.2012 04:18 (GMT+3)

Are you sure? I don't have access to these editions and cannot check it.

Gr 05.10.2012 19:35 (GMT+3)

http://blogs.technet.com/b/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx That's one of the major reasons not to use srp.

Vadims Podans 05.10.2012 21:17 (GMT+3)

I would disagree. DLL injection can be prevented by SRP (though, it is not enabled by default). In addition, this process is not too easy for users.

Gr 06.10.2012 00:01 (GMT+3)

What's the policy/setting for disabling dll injection? How about chasing version and controlling apps with SRP? Isn't that an impossible pain too?

Vadims Podans 06.10.2012 02:04 (GMT+3)

> What's the policy/setting for disabling dll injection?

In the SRP/Enforcement you can enable SRP for DLLs too. In this case all disallowed (which are not explicitly allowed) DLLs will not be executed.

> How about chasing version and controlling apps with SRP?

Agree, this is a huge question. There is no way to chase app version (unlike Applocker), but there are workarounds, when you can use hash rules for these purposes. On the other hand, Applocker cannot protect systems from the recent Adobe compromise: http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html Applocker cannot differentiate 2 certificates with the same subject (even if they are issued by different CAs). In this case, the new Adobe certificate (most likely) will have the same Subject field, and as a result all files signed by Adobe (and malware too) will be considered as trusted. To prevent this, you should not use publisher rules, and as a result you can't use app version control.
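
The point made in this reply about publisher rules, illustrated by an added example (not posted by the commenters): an AppLocker publisher condition carries the signer certificate's Subject, the product name, binary name and version, but neither the issuer nor the thumbprint, so two certificates with the same Subject collapse into one rule. The script lists the certificates actually used to sign a directory of binaries next to what AppLocker extracts from them. Assumption: C:\Program Files\ContosoApp is a placeholder directory of signed files.

```powershell
# Added example, not from the thread: compare the signer certificates the OS sees
# with the publisher information AppLocker derives from the same files.
# Assumption: C:\Program Files\ContosoApp is a placeholder directory.
Import-Module AppLocker

$dir = 'C:\Program Files\ContosoApp'   # placeholder, not a real product path

# What the OS sees: Subject, Issuer and Thumbprint of each valid signer certificate.
$signers = Get-ChildItem -Path $dir -Recurse -Include *.exe, *.dll |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -eq 'Valid' } |
    Select-Object Path,
        @{ n = 'Subject';    e = { $_.SignerCertificate.Subject } },
        @{ n = 'Issuer';     e = { $_.SignerCertificate.Issuer } },
        @{ n = 'Thumbprint'; e = { $_.SignerCertificate.Thumbprint } }

# Group by Subject. A group holding more than one thumbprint is a set of files
# signed by different certificates that a single publisher rule treats alike.
$signers | Group-Object -Property Subject | ForEach-Object {
    $thumbs = @($_.Group | Select-Object -ExpandProperty Thumbprint -Unique)
    if ($thumbs.Count -gt 1) {
        Write-Output "Subject '$($_.Name)' is used by $($thumbs.Count) different certificates:"
        $_.Group | Format-Table Path, Issuer, Thumbprint -AutoSize | Out-String | Write-Output
    }
}

# What AppLocker extracts: publisher name (the Subject), product, binary name and
# version. No issuer, no thumbprint, so only a hash rule pins one specific build.
Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll |
    Where-Object { $_.Publisher } |
    Select-Object Path,
        @{ n = 'PublisherName'; e = { $_.Publisher.PublisherName } },
        @{ n = 'Product';       e = { $_.Publisher.ProductName } },
        @{ n = 'Binary';        e = { $_.Publisher.BinaryName } },
        @{ n = 'Version';       e = { $_.Publisher.BinaryVersion } }
```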

sergio 13.09.2013 08:17 (GMT+3)

Guys, I would recommend the Applocker replacement freeware tool that requires WinXP or better: http://www.processblocker.com/

Alexey 12.04.2014 04:42 (GMT+3)

It appears both SRP and AppLocker have a huge security hole http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/. Thank you, Microsoft.

Vadims Podans 12.04.2014 18:14 (GMT+3)

It is neither an SRP nor an Applocker issue. Instead, it is the particular app's fault, because Excel runs code internally and this is outside of SRP/Applocker scope.

Alexey 01.05.2014 06:50 (GMT+3)

Well, actually not. Apps can load DLLs and AppLocker is designed to prevent loading unwanted DLLs. However, a malicious application can set a special flag (specified in MSDN) and Windows would simply bypass AppLocker checks! Absolutely hilarious! Didier writes that MS recognized the problem and issued a fix, but only for Win7 and greater. OK, WinXP is no longer supported, but Vista remains vulnerable.

phil 22.11.2014 22:08 (GMT+3)

MS oughta be ashamed for depriving average users of their most advanced system security tools in the age of crypto ransomware.

Chris Collins 12.02.2016 17:26 (GMT+3)

I am using Applocker fine on my Win 8.1 Pro desktop (yes, enforced), yet I found many articles, including this one, that claim it's audit only?

I do agree though, this should be in all versions of Windows.

Vadims Podāns 13.02.2016 16:49 (GMT+3)

> yet I found many articles including this one that claim its audit only

Where did you find it in this blog post? There is a mention of audit mode support, which doesn't mean that this is the only mode.

Bjorn 25.02.2016 17:41 (GMT+3)

Vadims, thank you for this article. Since it is a few years old, how do you think AppLocker works now?

I'm asking since I have set up SRP whitelisting as an extra layer of protection on our client computers. Now I realised that SRP is not supported on Windows 7 and Windows 10. Having a look at AppLocker, I personally think AppLocker seems a bit more difficult to set up and manage compared to SRP.

Care to give an update on this matter?

Thank you.

/Bjorn

Vadims Podans 25.02.2016 17:48 (GMT+3)

> Now I realised that SRP is not supported on Windows 7 and Windows 10.

What??? Sorry, but SRP is fully working on all Windows operating system versions, starting with Windows XP Pro up to the current Windows 10.

What you may experience is that once you configure at least one rule in the Applocker section, SRP is switched off. It is by design: you cannot run SRP and Applocker simultaneously.

> Care to give an update on this matter?

There is nothing to update. Applocker doesn't support Windows 10. It is dead. Period.

Bjorn 01.03.2016 08:38 (GMT+3)

Vadims, thank you for your reply. 

You are right, I can see that Windows 10 is not on the list of AppLocker supported operating systems.

I know indeed that SRP is working for Windows 10; I'm using whitelisting GPOs on my Windows 10 workstation as I write and it's working well. But is it supported? Based on this TechNet article stating "Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier".

To confuse things even more, there is another article showing how to use AppLocker (locally) on a Windows 10. Also the Windows 10 Security Overview mentions AppLocker, but not SRP.

Microsoft is doing a great job here confusing customers!


Vadims Podāns 01.03.2016 08:48 (GMT+3)

Yes, Applocker is still supported as it is shipped within a Windows OS. However, Microsoft doesn't want to speak about SRP as they actively promote Applocker.

Bjorn 01.03.2016 09:13 (GMT+3)

Ok, thanks for clarifying. I will continue with SRP whitelisting then. 
