Windows 10: How do I block executables from running using applocker in a corporate / enterprise...

Hello, I am looking for helps blocking executables and unwatned apps from being ran on corporate and field PCs. We have windows pro and enterprise editions and I am looking for what would be the most efficient way of doing this. I have tried configuration profiles in intune which give mixy results with delays in processing the rules. I tried using application control within local security policy on a test PC, and this gave me a few different configurations that I can block the store entirely, but that blocks all of the apps that windows and microsoft publish. This makes things like the camera

:)

 

Applocker not blocking -- Win10Pro, Applocker configured, AppIDsvc run

• OS: Win10Pro
• Applocker: configured blocking of apps and executables
• Applocker rules: set to enforcing
• Service: AppIDSvc is running

I've been trying to get Edge and a couple other utilities blocked on the laptop to keep distractions to a minimum for my child who uses the computer to study.
However, even after rules are defined, and they are set to enforcing as blocked, the apps and executables are still available to them -- even after a reboot.

I have followed the instructions here: https://social.technet.microsoft.com...10itprogeneral
However, there is still no blocking of the apps or the executables.
Thank you for your consideration.

 

Applocker

Sorry, I didn't realise that applocker applies to Enterprise and Education Versions only, as I can't restrict any programs using applocker on Windows 10 Pro, and I don't have any Enterprise or Education versions to test anything on.

Use AppLocker to Allow or Block Executable Files in Windows 10
Use AppLocker to Block Microsoft Store Apps in Windows 10
Quote:
"This tutorial will show you how to use AppLocker to allow or block specified executable (.exe and .com) files to run for all or specific users and groups in Windows 10 Enterprise and Windows 10 Education."

 

AppLocker Allowed Executable Runs Denied DLL

I am testing AppLocker's functionality to assess suitability for protecting a windows application from tampering. My goal is to test the robustness of its rules in the face of DLL hijacking. As a test I have a simple executable compiled from C# that displays
a window and button. When the button is clicked it uses a single DLL dependency to pull the system time and IP and return it as a string. The window then updates with a message stating the returned string. An AppLocker executable rule was added to allow the
executable based on its hash. Additionally, I have generic DLL rules that allow execution of all DLLs in the Windows folder and the Program Files folder. My test executable and its dependency are both in a folder on the desktop (not a valid DLL execution folder).

After ensuring the AppIdSvc is running and doing a gpupdate on the client PC, I was able to run the executable (as expected) but the executable was also able to run its DLL dependency even though the dependency was outside of the Windows/Program Files directories.
This was also the case after I replaced that DLL with a tampered one to ensure it wasn't somehow related to the rule created for the executable and to prove that my executable is actually running that dependency (it is). Even after I added an explicit rule
to deny both the legitimate and tampered DLLs based on their hash, it's still able to run. Reviewing the AppLocker logs I don't see any message saying the DLL was or was not allowed to run (it's as if AppLocker never saw it) even though I am able to see that
the DLL was accessed by the executable in Process Monitor. Other AppLocker logs show that the executable was allowed to run (letting me know my rules are working - I also ran many other AppLocker tests to ensure it is actually running and it was).



Is AppLocker not able to protect the integrity of dependency DLLs based on their hash? Can an allowed executable run ANY DLL? I've read some articles that rundll32 circumvents the DLL rules by being allowed to run from its safe location while loading and
executing DLLs from unsafe locations and may perhaps be the culprit here. Any information is greatly appreciated.