Problem:
How do I configure Windows AppLocker to protect against ransomware attacks?
Solution:
First, open the Local Security Policy console.
Go to Application Control Policies and then AppLocker. Right-click AppLocker and go to Properties.
Start by setting AppLocker to Audit only mode while you collect logs and see what would be blocked from running. Change all the drop-downs to Audit only and click OK.
You can now collect your log data in the Windows Event Log under Application and Services Logs > Microsoft > Windows > AppLocker. Check the EXE and DLL log to see which applications would be blocked from running.
Once you can see from the logs which applications would be blocked, you can start to generate the allow rules. First, right-click Executable Rules and go to Automatically Generate Rules.
We will create publisher-based rules (these use the publisher's signing certificate) and fall back to a file hash where there is no certificate. AppLocker will scan your machine for applications and generate rules for each one.
Click Create to create the rules
You will see a pop-up asking if you want to create the default rules; click Yes.
This will add some suggested default rules. From what is created we will delete:
(Default Rule) All files
(Default Rule) All files located in the Program Files folder
The list of rules should then look like this
Right-click Windows Installer Rules and go to Automatically Generate Rules.
Click Next
We will create publisher-based rules (these use the publisher's signing certificate) and fall back to a file hash where there is no certificate.
Click Create to create the rules
You will see a pop-up asking if you want to create the default rules; click Yes.
This will add some suggested default rules. From what is created we will delete:
(Default Rule) All Windows Installer files
Right-click Script Rules and go to Automatically Generate Rules.
Click Next
We will create publisher-based rules (these use the publisher's signing certificate) and fall back to a file hash where there is no certificate.
Click Create to create the rules
You will see a pop-up asking if you want to create the default rules; click Yes.
This will add some suggested default rules. From what is created we will delete:
(Default Rule) All scripts
Right-click Packaged app Rules and go to Automatically Generate Rules.
Click Next
Click Next
Click Create to create the rules
Now we can check the logs again
Test the configuration by downloading an .exe and trying to run it
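The log review in the audit step and the test above can both be done from PowerShell. This is an added example, not part of the original article: it summarises the "would have been blocked" audit events and evaluates a downloaded file against the effective policy without running it. It assumes the built-in AppLocker module (Get-AppLockerPolicy, Test-AppLockerPolicy), the standard AppLocker event logs, and an elevated session; the Downloads path is a placeholder.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.

function Get-AppLockerAuditSummary {
    param([int]$Days = 7)
    # 8003 = EXE/DLL would have been blocked, 8006 = MSI/script would have been blocked
    # (both are only raised while the policy is in Audit only mode)
    $logs = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003 },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 }
    )
    $events = foreach ($f in $logs) {
        $f.StartTime = (Get-Date).AddDays(-$Days)
        # SilentlyContinue suppresses the "No events were found" error on a clean log
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    $events | ForEach-Object {
        # Field names as they appear in the event XML (UserData/RuleAndFileData)
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            FilePath  = $d.FilePath
            # First Fqbn segment is the signer; it is '-' for unsigned files
            Publisher = ($d.Fqbn -split '\\')[0]
            FileHash  = $d.FileHash
            Time      = $_.TimeCreated
        }
    } | Group-Object FilePath | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Publisher'; e = { $_.Group[0].Publisher } }
}

function Test-DownloadedFile {
    param([Parameter(Mandatory)][string]$Path, [string]$User = 'Everyone')
    # Evaluates the file against the policy actually in effect; nothing is executed.
    # PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault.
    Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Path -User $User
}

# Which files would the current audit-only policy have stopped in the last week?
Get-AppLockerAuditSummary -Days 7 | Format-Table -AutoSize

# Placeholder path: point this at the .exe you downloaded for the test
Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\test.exe"
```

While the policy is still in Audit only mode the test file is not stopped, so look for its 8003 entry in the summary; Test-AppLockerPolicy shows the decision the same rules would make once switched to Enforce rules.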
The Application Identity service (appidsvc) should already be running, but we need to set it to start automatically.
Open PowerShell as an Administrator and run the following:
sc.exe config appidsvc start= auto