What is Application Control?
Application Control is a tool that can be used to harden a Windows installation: it defines which applications and drivers can and cannot run on a system. Simply put, it is capable of restricting which apps can be launched by end users.
App Control or AppLocker?
AppLocker is an older tool which was released with Windows 7, and AppLocker is no longer getting any feature improvements. Its purpose is similar to that of Application Control, so the question often comes up: which should I use? You should consider sticking with AppLocker if:
- You have to apply the same controls to Operating Systems older than Windows 10.
- You need to apply different policies to different users/groups within the same shared device.
- You don't want to apply controls to app files such as drivers and DLLs.
Components of Application Control
Instead of allowing all apps, App Control flips that on its head: you now have an allowlist of apps, and anything not on it is blocked. This allowlist is defined in application control policies which are written in XML.
Policies
Policies are what define which apps and drivers are trusted, and therefore what is allowed to run. A policy is made up of policy rules and file rules.
Policy Rule
A policy rule governs the options of the policy as a whole, such as audit mode, managed installer etc.
File Rule
A file rule defines how you match files and identify apps and drivers that can run; this may be via a Hash, FileName, Path, SignedVersion, Publisher etc.
Base Policy
Base policies are the crux of application control. They are deployed to devices and can operate independently without the need for additional policies. Multiple base policies can be deployed to the same device.
Supplemental Policy
These policies must be linked to a base policy and can only contain allow rules. Typically, they are utilised to expand the allow rules for certain devices or groups of users' devices.
Templates
Microsoft provide a range of templates that address common scenarios and should always be used as a starting point. These are stored within %OSDRIVE%\Windows\schemas\CodeIntegrity\ExamplePolicies and include some of the following:
- Trust Microsoft
- Windows Works
- Smart App control with ISG
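The following is an added PowerShell example (not code from the original post or from Microsoft) that ties the pieces above together: it copies a template to use as a base policy, sets a couple of policy rules on it, builds a supplemental policy of Publisher file rules from a scan of an application folder, and links the supplemental policy to the base. The ConfigCI cmdlets used (Set-CIPolicyIdInfo, Set-RuleOption, Get-SystemDriver, New-CIPolicyRule, New-CIPolicy, ConvertFrom-CIPolicy) ship with Windows; the folder paths under C:\Policies, the policy names and the scanned application folder C:\Program Files\ContosoApp are assumptions for the example, and the template file name AllowMicrosoft.xml is one of the files normally found in the ExamplePolicies folder (check your build's folder for the exact set).

```powershell
# Added example: build a base policy from a Microsoft template and a linked supplemental policy.
# Run in an elevated PowerShell session on a Windows 10/11 device. Paths and names are assumptions.
$workDir  = 'C:\Policies'                           # assumed working folder
$template = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml'
$basePath = Join-Path $workDir 'ContosoBase.xml'
$suppPath = Join-Path $workDir 'ContosoSupplemental.xml'
$appDir   = 'C:\Program Files\ContosoApp'           # assumed folder of a line-of-business app
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Base policy: start from the template and give it a fresh PolicyID so it does not
#    collide with the template's own ID if it is ever deployed elsewhere.
Copy-Item -Path $template -Destination $basePath -Force
Set-CIPolicyIdInfo -FilePath $basePath -ResetPolicyID -PolicyName 'Contoso Base' | Out-Null

# 2. Policy rules on the base: audit mode (option 3) so nothing is blocked yet, and
#    option 17 so supplemental policies are permitted to extend this base.
Set-RuleOption -FilePath $basePath -Option 3
Set-RuleOption -FilePath $basePath -Option 17

# The PolicyID element in the XML is the GUID the supplemental policy must reference.
$baseId = ([xml](Get-Content -Path $basePath -Raw)).SiPolicy.PolicyID

# 3. Supplemental policy: file rules built from a scan of the app folder.
#    -Level Publisher trusts files signed by the scanned binaries' publishers;
#    -Fallback Hash covers anything unsigned so the scan does not silently skip it.
$files = Get-SystemDriver -ScanPath $appDir -UserPEs
$rules = New-CIPolicyRule -DriverFiles $files -Level Publisher -Fallback Hash
New-CIPolicy -FilePath $suppPath -Rules $rules -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $suppPath -PolicyName 'Contoso Supplemental' `
    -SupplementsBasePolicyID $baseId | Out-Null

# 4. Compile both XML policies to the binary .cip form that Windows loads.
#    Binary file names are the policy GUID without braces.
$suppId = ([xml](Get-Content -Path $suppPath -Raw)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $basePath -BinaryFilePath (Join-Path $workDir ($baseId.Trim('{}') + '.cip'))
ConvertFrom-CIPolicy -XmlFilePath $suppPath -BinaryFilePath (Join-Path $workDir ($suppId.Trim('{}') + '.cip'))

Write-Host "Base policy $baseId and supplemental policy $suppId written to $workDir"
# Deployment itself (copying the .cip files into the CodeIntegrity policies folder, or
# pushing them via Intune / Group Policy) is left out so nothing is enforced by running this.
```

Keep the supplemental policy containing only allow rules, as the text above states; if a scan turns up files you do not want trusted, remove them from $files before calling New-CIPolicyRule rather than trying to add deny rules to the supplemental policy.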
Audit mode
By default App Control will deploy in audit mode. In this mode nothing is blocked; instead you can review either Event Viewer or Advanced hunting within Defender to see which files would have been blocked, and compare that against the desired outcome before enforcing. To set audit mode:
# The following will set option 3 (Audit mode)
Set-RuleOption -FilePath 'path/to/policy/XML' -Option 3
# The following will remove it, which puts the policy into enforced mode
Set-RuleOption -FilePath 'path/to/policy/XML' -Option 3 -Delete
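As an added example (not part of the original post), the following PowerShell shows the review half of audit mode: it reads the CodeIntegrity operational log on a device that has an audit-mode policy deployed, summarises which files triggered audit events, and then uses New-CIPolicy's built-in -Audit switch to turn those events into a policy of file rules that can be merged into the base policy before switching to enforced mode. Event IDs 3076 (audit: would have been blocked) and 3077 (enforced: blocked) are the standard CodeIntegrity event IDs; the output paths under C:\Policies are assumptions.

```powershell
# Added example: review audit-mode results and turn them into allow rules.
# Run in an elevated PowerShell session on a device where the audit-mode policy is active.
$logName   = 'Microsoft-Windows-CodeIntegrity/Operational'
$outputXml = 'C:\Policies\FromAudit.xml'     # assumed output path

# 1. Pull recent audit (3076) and block (3077) events from the CodeIntegrity log.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 3076, 3077 } `
                       -MaxEvents 1000 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No CodeIntegrity audit or block events found in $logName."
    return
}

# 2. Extract the file and the process that tried to load it from each event's XML payload,
#    then count occurrences so the noisiest files are easy to spot.
$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Mode    = if ($e.Id -eq 3076) { 'Audit' } else { 'Block' }
        File    = $data['File Name']
        Process = $data['Process Name']
        Time    = $e.TimeCreated
    }
}

$hits | Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 3. Build file rules directly from the audit events. -Audit tells New-CIPolicy to read the
#    CodeIntegrity log instead of scanning disk; FilePublisher rules fall back to Hash for
#    files that are unsigned, so every audited file ends up covered by some rule.
New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs `
             -FilePath $outputXml -MultiplePolicyFormat
Write-Host "Rules generated from audit events written to $outputXml"

# 4. Merge the generated rules into your base policy when you are satisfied with them,
#    and only then delete option 3 to enforce:
#    Merge-CIPolicy -OutputFilePath 'C:\Policies\ContosoBase.xml' -PolicyPaths 'C:\Policies\ContosoBase.xml', $outputXml
#    Set-RuleOption -FilePath 'C:\Policies\ContosoBase.xml' -Option 3 -Delete
```

Review the generated XML before merging it: the -Audit switch allows whatever ran during the audit window, so any unwanted software that happened to execute on the test device would otherwise be allowlisted along with the legitimate apps.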
Enforced mode
This mode allows the policy to block apps that do not meet the criteria laid out within the policy. You should only turn this on once you're happy with your policy, i.e. once audit mode is no longer reporting legitimate applications.
Summary
Application control is a great proactive method to lock down assets and nullify a lot of unwanted applications on your devices. When done right, Application Control shouldn't impact your users but should provide governance and control over your estate. For links off to the central Microsoft hub for Application Control: