I recently implemented AppLocker on just over 1000 servers. Creating the baseline rules was easy enough, but many of the servers run software that needs extra rules in order to function (sigh.. why can't developers just sign all of their software?). I used Group Policy to implement a hierarchy of GPOs to roll out the baseline configuration, plus specialized rules where needed.
Everything that gets blocked by AppLocker (even when in audit mode) gets recorded in the event log. This is quite handy when tasked with tailoring and adjusting AppLocker policies, but it's very time consuming to look through the event log manually each time.
You can also query the local AppLocker configuration on a server with the built-in cmdlet Get-AppLockerPolicy, in order to check which rules have been applied. However, I found this cmdlet difficult to work with, and not very intuitive in the way it functions.
These two problems led me to create a PowerShell module which lets me easily overcome such challenges and support AppLocker across a fleet of servers, quickly pinpointing any issues.
I chose to call this module AppLockerAdmin. It’s aimed at the administrators responsible for implementing and supporting AppLocker in an enterprise environment.
You can install the module from the PSGallery:
The Get-AppLockerConfiguration function reads the AppLocker configuration from one or more computers, and presents the configuration as a simple PowerShell object.
```powershell
# Different ways to run the cmdlet
$Config = Get-AppLockerConfiguration -ComputerName 'Server1', 'Server2'
$Config = Get-AppLockerConfiguration -OU "OU=Servers,DC=domain,DC=local"
$Config = Get-AppLockerConfiguration -ADGroup MyComputerGroup
```
The output contains the following information:
- State of the AppLocker service (is it running?)
- Log size of the AppLocker event logs and the number of events
  - The default is just 1MB, which you should raise to at least 32MB when working with AppLocker
- Summary of the different rule collections (Dll, Exe, Msi, etc.)
  - Are they enforced?
  - How many rules are defined in that collection?
- Details of every rule configured
The Get-AppLockerEvent function reads the AppLocker events from one or more computers, and presents the events as simple PowerShell objects. The cmdlet has some handy built-in filtering, to allow you to focus on the events that matter.
```powershell
# Different ways to run the cmdlet
$Events = Get-AppLockerEvent -ComputerName 'Server1', 'Server2' -MaxAgeHours 2 -Type Block -SkipPSScriptPolicyTest
$Events = Get-AppLockerEvent -OU "OU=Servers,DC=domain,DC=local" -MaxAgeDays 1 -Type Audit -SkipPSScriptPolicyTest
$Events = Get-AppLockerEvent -ADGroup MyServerGroup -SkipAppDataTemp -SkipNormalUsers -SkipPSScriptPolicyTest -FileType 'EXE and DLL'
```
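To show what the cmdlet above wraps, here is an added example (not part of the AppLockerAdmin module) that pulls audit and block events straight from the built-in "EXE and DLL" AppLocker log with Get-WinEvent and summarises which files are being hit, and whether they are signed. The server names and the time window are placeholder inputs; the field names come from the RuleAndFileData element of the event's UserData XML.

```powershell
# Added example: summarise AppLocker audit/block events without the module
param(
    [string[]]$Servers = @('Server1', 'Server2'),   # placeholder names
    [int]$Hours = 24
)
# AppLocker event IDs in the "EXE and DLL" log:
#   8003 = allowed only because the collection is in audit mode (would be blocked)
#   8004 = blocked because the collection is enforced
$Filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddHours(-$Hours)
}
$Events = foreach ($Server in $Servers) {
    try {
        Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction Stop |
            ForEach-Object {
                # The interesting fields live in the event's UserData XML
                $Data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
                [pscustomobject]@{
                    Computer = $Server
                    Type     = if ($_.Id -eq 8004) { 'Block' } else { 'Audit' }
                    User     = $Data.TargetUser
                    FilePath = $Data.FilePath
                    Fqbn     = $Data.Fqbn   # publisher name if the file is signed
                }
            }
    } catch {
        # Get-WinEvent throws when no event matches; that is not an error here
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$Server : $($_.Exception.Message)"
        }
    }
}

# One line per unique file: how often it was hit, on how many servers, and whether
# it is signed (signed files can get publisher rules instead of hash/path rules)
$Events |
    Group-Object FilePath |
    ForEach-Object {
        [pscustomobject]@{
            FilePath = $_.Name
            Hits     = $_.Count
            Servers  = ($_.Group.Computer | Sort-Object -Unique).Count
            Signed   = [bool]($_.Group[0].Fqbn -and $_.Group[0].Fqbn -ne '-')
        }
    } | Sort-Object Hits -Descending | Format-Table -AutoSize
```

The 1MB default log size mentioned earlier can be raised on each server with `wevtutil sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:33554432` (the value is in bytes), so the events are still there when you come to query them.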
The functions display a handy progress bar showing how many computers are completed, in progress, or queued.
In conclusion, the AppLockerAdmin module makes it easier to audit and administer AppLocker in an enterprise environment. Hopefully this can be an aid in your AppLocker adventure.