AppLocker

AppLocker is an application whitelisting technology built into the Windows operating system. Its purpose is to restrict which executables, scripts, Windows Installer files, DLLs and packaged apps are allowed to run on a machine, according to a set of policies that are typically pushed via GPO. Rules are conditioned on the file's publisher (signer, product name, file name and version), its path, or its hash; each rule either "allows" or "denies"; and each is assigned to an individual user or group.

When the AppLocker Script rule collection is enforced, PowerShell 5 and later start in ConstrainedLanguage mode rather than FullLanguage (scripts that the policy itself allows still run in FullLanguage; interactive sessions and unapproved scripts do not). This restricts the session to a small set of core .NET types: Add-Type cannot compile arbitrary C#, New-Object only instantiates the permitted types, and method calls on any other type are blocked.
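The following is an added example, not code from the original page: a probe that reports the current language mode and tries the operations the text says are restricted, so a tester can see exactly what a session on an AppLocker-enforced host does and does not permit. The type and class names used in the probe are arbitrary and exist only for the test.

```powershell
# Added example: probe a PowerShell session for ConstrainedLanguage restrictions.
# Each operation is attempted inside try/catch and the outcome is recorded rather
# than allowed to terminate the script, so the probe runs in any language mode.
function Test-LanguageModeRestrictions {
    $results = [ordered]@{
        LanguageMode = [string]$ExecutionContext.SessionState.LanguageMode
    }

    # Add-Type compiles arbitrary C#; ConstrainedLanguage refuses to define new types.
    # 'AlProbe' is a throwaway class name chosen for this example.
    try {
        Add-Type -TypeDefinition 'public class AlProbe { public static int One() { return 1; } }' -ErrorAction Stop
        $results['Add-Type'] = 'allowed'
    } catch {
        $results['Add-Type'] = "blocked: $($_.Exception.Message)"
    }

    # New-Object on a core type (hashtable) succeeds in every language mode.
    try {
        $null = New-Object -TypeName hashtable -ErrorAction Stop
        $results['New-Object hashtable'] = 'allowed'
    } catch {
        $results['New-Object hashtable'] = "blocked: $($_.Exception.Message)"
    }

    # New-Object on a type outside the core set is what ConstrainedLanguage stops.
    try {
        $null = New-Object -TypeName System.Net.WebClient -ErrorAction Stop
        $results['New-Object System.Net.WebClient'] = 'allowed'
    } catch {
        $results['New-Object System.Net.WebClient'] = "blocked: $($_.Exception.Message)"
    }

    # Static method invocation on a non-core type is blocked as well.
    try {
        $null = [System.Net.Dns]::GetHostName()
        $results['[System.Net.Dns]::GetHostName()'] = 'allowed'
    } catch {
        $results['[System.Net.Dns]::GetHostName()'] = "blocked: $($_.Exception.Message)"
    }

    [pscustomobject]$results
}

Test-LanguageModeRestrictions | Format-List
```

In a FullLanguage session every row reads "allowed"; under an enforced AppLocker script policy the Add-Type, WebClient and Dns rows report the ConstrainedLanguage error while the hashtable row still succeeds. Run the probe both interactively and from a script path the policy allows to see the difference described above.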

As a defence, AppLocker is only as good as the defined ruleset. Microsoft ships default rules that are very broad: they allow Everyone to run executables and scripts located anywhere under the Program Files and Windows directories, and allow Administrators to run anything. Because these are path rules, any file a user can write beneath an allowed directory is permitted to run, so the ACLs on every subdirectory under those paths become part of the policy's effective strength. The DLL rule collection is also not enabled by default.
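The following is an added example and not part of the original page: a PowerShell audit that reads the effective AppLocker policy on the local host, lists its path-based Allow rules, expands AppLocker's own path variables, and then walks each allowed directory tree looking for subdirectories the current user can create files in. It assumes Windows PowerShell 5.1 with the built-in AppLocker module and a policy applied to the machine; the function names are chosen for this example.

```powershell
# Added example: audit the effective AppLocker policy for user-writable
# directories beneath path-based Allow rules. Run it as the low-privileged user
# you are assessing, from a location the policy allows (or from an admin shell),
# so the script itself executes in FullLanguage mode.

function Get-AppLockerPathAllowRules {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.FilePathRule) {
            if ($rule.Action -ne 'Allow') { continue }
            foreach ($condition in $rule.Conditions.FilePathCondition) {
                [pscustomobject]@{
                    Collection  = $collection.Type            # Exe, Script, Msi, Dll, Appx
                    Enforcement = $collection.EnforcementMode # Enabled, AuditOnly, NotConfigured
                    Rule        = $rule.Name
                    Principal   = $rule.UserOrGroupSid        # S-1-1-0 is Everyone, S-1-5-32-544 is Administrators
                    Path        = $condition.Path
                }
            }
        }
    }
}

# AppLocker stores paths with its own variables rather than environment variables.
function Expand-AppLockerPath {
    param([Parameter(Mandatory)][string]$Path)
    $map = [ordered]@{
        '%SYSTEM32%'     = "$env:SystemRoot\System32"
        '%WINDIR%'       = $env:SystemRoot
        '%PROGRAMFILES%' = $env:ProgramFiles   # AppLocker also matches Program Files (x86) with this variable
        '%OSDRIVE%'      = $env:SystemDrive
    }
    foreach ($var in $map.Keys) { $Path = $Path.Replace($var, $map[$var]) }
    # Drop the trailing "\*" so the result is a directory that can be walked.
    return ($Path -replace '\\\*$', '')
}

# Live test: create and delete an empty file. This is what an attacker would do,
# and it respects deny ACEs and inheritance that a hand-rolled ACL parser may miss.
function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Directory)
    $probe = Join-Path $Directory "alprobe-$([guid]::NewGuid()).tmp"
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Find-WritableAllowedDirectories {
    param([string[]]$Collections = @('Exe', 'Script', 'Dll'))
    $rules = Get-AppLockerPathAllowRules | Where-Object { $_.Collection -in $Collections }
    foreach ($rule in $rules) {
        $root = Expand-AppLockerPath -Path $rule.Path
        # Skip the catch-all "*" rule and whole-drive rules; findings there are not meaningful.
        if ($root -eq '*' -or $root -eq '' -or $root -eq $env:SystemDrive) { continue }
        if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            if (Test-UserWritable -Directory $dir.FullName) {
                [pscustomobject]@{
                    Collection = $rule.Collection
                    Rule       = $rule.Rule
                    Principal  = $rule.Principal
                    Writable   = $dir.FullName
                }
            }
        }
    }
}

Get-AppLockerPathAllowRules | Format-Table -AutoSize
Find-WritableAllowedDirectories | Format-Table -AutoSize
```

Every row in the second table is a directory where the audited user can place a file that a path rule will then allow to run. To confirm a specific finding, copy a test binary into the directory and check the decision with Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path <file> -User Everyone; the fix is either to tighten the ACL on that directory or to replace the broad path rule with publisher or hash rules.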
