Saturday, July 30, 2011

Allowing ClickOnce applications with AppLocker

AppLocker is a great way to keep unwanted applications off your computers (unfortunately it requires Windows 7 Enterprise).

We are using it to do a (less restrictive) whitelisting of the software that is allowed on our corporate computers. Combined with the fact that no user has administrative privileges and a good anti-virus solution, we have had zero security incidents on our Windows 7 machines.

However, last week we had to deploy a new ClickOnce application that did not have an Authenticode signature. Therefore we tried to create a hash rule (based on the hash value of the executable), but this failed a day later because the application is still in development and is updated daily.

So, the last resort (for now) was to create a path rule, but this didn’t work well either, since the path is different for each user:

User 1:
C:\USERS\Usr1\APPDATA\LOCAL\APPS\2.0\QWXPB19C.LLW\DCE6JZ97.RXQ\PROJTION_D1422C9EE6189E70_0001.0000_7138955B1115EB8D\PROJC.EXE

User 2:
C:\USERS\Usr2\APPDATA\LOCAL\APPS\2.0\ZMBZ82EH.TDG\WHXVWE4L.GZ7\DFKFD23178F_7a251ffffc558391_0002.0000_10ff9c34a357cc30\PROJC.EXE

The solution was to use a path rule that keeps everything that is the same for every installation and replaces the rest with “*”:

%OSDRIVE%\USERS\*\APPDATA\LOCAL\APPS\*\PROJC.EXE

Of course, this leaves a hole inside the AppLocker rules, because a user could create a sub-folder within \APPS, name any application PROJC.EXE and possibly execute it using this trick.
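Before deploying such a wildcard rule it is worth checking exactly which paths it will allow. The script below is an added example, not part of the original post: it writes the rule above as an AppLocker policy XML file and runs Test-AppLockerPolicy against the two real install paths plus a constructed PROJC.EXE placed directly under \APPS, which makes the hole visible in the output. It assumes the AppLocker module is available (Windows 7 Enterprise and later) and that the files exist on the machine where it runs, since Test-AppLockerPolicy reads them from disk; $PolicyFile and $CheckPaths are names chosen for this example.

```powershell
# Added example (not from the original post): write the wildcard path rule as an
# AppLocker policy file and check which paths it allows before deploying it.
Import-Module AppLocker

$PolicyFile = Join-Path $env:TEMP 'projc-path-rule.xml'   # assumed location

# The rule Id is a freshly generated GUID; S-1-1-0 is the well-known SID for Everyone.
# Only this one rule is in the collection here, so it is meant to be merged into
# the existing policy (Set-AppLockerPolicy -Merge), not applied on its own.
$RuleId = [guid]::NewGuid().ToString()
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$RuleId" Name="Allow PROJC ClickOnce (temporary)"
        Description="Wildcard path rule until PROJC is final and gets a hash rule"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\USERS\*\APPDATA\LOCAL\APPS\*\PROJC.EXE" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyFile -Value $PolicyXml -Encoding UTF8

# Paths to check: the two ClickOnce install paths from the post, plus a constructed
# PROJC.EXE directly under \APPS (a location a standard user can write to). The
# third path is the hole the wildcard leaves open; the files must exist on disk.
$CheckPaths = @(
  'C:\USERS\Usr1\APPDATA\LOCAL\APPS\2.0\QWXPB19C.LLW\DCE6JZ97.RXQ\PROJTION_D1422C9EE6189E70_0001.0000_7138955B1115EB8D\PROJC.EXE',
  'C:\USERS\Usr2\APPDATA\LOCAL\APPS\2.0\ZMBZ82EH.TDG\WHXVWE4L.GZ7\DFKFD23178F_7a251ffffc558391_0002.0000_10ff9c34a357cc30\PROJC.EXE',
  'C:\USERS\Usr1\APPDATA\LOCAL\APPS\constructed-subfolder\PROJC.EXE'
)

# Each result shows the path, the policy decision and the rule that matched,
# so the scope of the wildcard is visible before the rule is enforced.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $CheckPaths -User Everyone |
  Select-Object FilePath, PolicyDecision, MatchingRule |
  Format-Table -AutoSize
```

If the third path comes back as allowed by the same rule, the policy file documents the trade-off the post describes; the expected follow-up is to replace the path rule with a hash rule once the executable stops changing.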

However, this rule is only temporary, until the program is final and we can use a hash rule again.
