Udostępnij za pośrednictwem


AppLockerLet..

Last year, one of the areas I was working on was a deployment of AppLocker. In the deployment, we did a lot of upfront planning around identifying applications that were prevalent in the environment and created corresponding rules that would allow the applications to install\execute.

A key area that we focused on was creating a process to handle end-user ‘emergencies’, if the application was a business critical app that somehow missed our initial inventory of allowed software. We needed the ability to unblock an end-user during a work stoppage situation.

One of the nifty features of AppLocker is that they have included several in-box PowerShell Cmdlets (in Windows 7 & Windows 2008 R2) that assist in AppLocker administration. While these Cmdlets worked well, some of the early feedback from our helpdesk\support staff was that they wanted a GUI to assist them in identification and remediation.

With that request, AppLockerLet was born…

We chose the moniker of AppLockerLet, since it was GUI wrapper for AppLocker PowerShell Cmdlets. We wanted to create a GUI that helped the support staff with the following:

1. Assist the helpdesk technician in quickly identifying a denied application and create a corresponding rule to allow the application to install\execute, removing the time spent in deciphering what kind of rule is needed and creating the rule to unblock the end-user’s work stoppage situation.

2. You cannot easily elevate *and* run as a different user from a PowerShell context menu. Since only helpdesk technicians and other support staff have the ability to create local AppLocker rules, they need to launch PowerShell elevated and under their credentials.

The helpdesk technicians are local administrators on the end-users machines and commonly use Remote Assistance (running user the end-user’s context) to troubleshoot & diagnose issues.

What AppLockerLet is and what it does.

Basically it reads from Event Viewer using Get-AppLockerFileInformation to determine which .exe, .dll, .msi or script has been blocked by policy. It’ll then display the list of blocked applications within the UI, allowing the helpdesk or support personal to select and allow the executable or installer via the creation of a local AppLocker rule.

More to come in the next blog post…