Thursday, 12 January 2012

AppLocker configuration in Win 7


How to configure AppLocker Group Policy in Windows 7 to block third-party software.

This post is about AppLocker, a new feature of Windows 7. With it you can stop unwanted software from being installed or run on your system. It is one of the best features of Windows 7: you can block software by publisher name, by file extension and in several other ways.

AppLocker is a new feature in Windows 7 that allows system administrators to block a particular executable from running on a computer. It is an enhanced version of Software Restriction Policies, which did a similar thing in Windows XP/Vista but could only block programs based on a file name, path or file hash. AppLocker takes it a step further and lets administrators block executables based on their digital signature. The benefit of a signature-based rule is that you can block programs based on a combination of the vendor name, program name and version. This means that even if the vendor updates the program with a new version (which happens often with browsers), the AppLocker rule will still apply, greatly reducing administrative overhead. You can also base the rule on the program version, which lets you set a minimum supported version that is allowed to run. Another advantage is that AppLocker applies to any program that runs on the computer, so no matter where the program is run from (e.g. a USB memory stick) it will be prevented from running.



Note: You can also use this tutorial to block the running of any other program, whether it is from a third party or even from Microsoft. In this example I show you how to block running Google Chrome on any of the computers in your network, but you can just as easily apply the same process to any other browser (e.g. Firefox, Safari).
Step 1. Edit the Group Policy Object that is targeted at the computers you want to apply this policy to. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies and then click on “Configure rule enforcement”.


Step 2. Under Executable rules tick “Configured”, select the “Enforce rules” option from the drop-down menu and then click “OK”.

Step 3. Right-click on “Executable Rules” and click on “Create New Rule...”


Step 4. Click “Next”



Step 5. Select “Deny” and then click “Next”

Step 6. Select “Publisher” condition and click “Next”
Note: The “Path” and “File hash” options are the same conditions as were available in Software Restriction Policies in Windows XP and Vista.

Step 7. Click on “Browse”

Step 8. Select the “chrome.exe” executable file and click “Open”



Note: Again, I have used Chrome as an example; you can just as easily select the executable of any other browser (including Internet Explorer) here if you want to block multiple browsers.


Step 9. In this example we are just going to accept the defaults and click “Next”.
Optional: If you want to block only a particular version of the browser (or program), or any version below a certain number, tick “Use custom values”, enter the version number in the “File version” field and select “And Below” from the drop-down menu.



Step 10: Click “Next”

Step 11: Click “Create”


Step 12: You will now be prompted to create some default rules that ensure you don’t accidentally stop Windows from working. Click “Yes” if you don’t already have these rules created.


Step 13 (Optional): If you also want this AppLocker rule to apply to computer administrators, right-click on the “BUILTIN\Administrators” rule and click “Delete”.




Step 14 (Optional): Click “Yes”

Your AppLocker rules are now set up and should look like this…

Now there is one more thing you need to do to enable AppLocker on the computer…
Step 15. In the same Group Policy Object you were just editing, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and double-click on the “Application Identity” service.
Note: This is the process that scans every file before it is executed and checks the name, hash or signature of the executable. If this service is not turned on, AppLocker will simply not work.


Step 16: Tick “Define this policy setting” and tick “Automatic” then click “OK”


The services section should now look like this…


You’re all done… Now when a user tries to run an unapproved browser (or program) they will be presented with this dialogue box…
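The same rule, built from the command line. This is an added example and not code from the original post: it uses the AppLocker PowerShell module that ships with Windows 7 to create the “deny chrome.exe by publisher” rule from steps 5 to 12 and then makes the Application Identity service change from steps 15 and 16. It assumes an elevated PowerShell, a placeholder path for a signed chrome.exe, and that the policy is applied to the local computer (pass -Ldap to Set-AppLockerPolicy to write it into a domain GPO instead).

```powershell
# Added example, not code from the original post: the "deny chrome.exe by publisher"
# executable rule built with the AppLocker PowerShell module that ships with Windows 7,
# plus the Application Identity service change from steps 15-16.
# Assumptions: elevated PowerShell; $ChromePath is a placeholder for a signed chrome.exe;
# the policy goes into the local computer policy (use -Ldap for a domain GPO).
Import-Module AppLocker

$ChromePath = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'   # placeholder
$PolicyFile = Join-Path $env:TEMP 'DenyChrome.xml'

# Step 8: a publisher rule is keyed on the Authenticode signature, so read it first.
$info = Get-AppLockerFileInformation -Path $ChromePath
if (-not $info.Publisher) { throw "$ChromePath is not signed; a publisher rule is impossible" }
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# Steps 6-11: New-AppLockerPolicy only emits Allow rules, so generate the rule as XML,
# flip its action to Deny (step 5) and set the collection to enforce (step 2).
[xml]$xml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
                -User Everyone -RuleNamePrefix 'Deny Chrome' -Xml
$collection = $xml.AppLockerPolicy.RuleCollection
$collection.SetAttribute('EnforcementMode', 'Enabled')
foreach ($rule in $collection.FilePublisherRule) {
    $rule.SetAttribute('Action', 'Deny')
    # Optional (step 9, "And Below"): deny only the signed version and older ones.
    # $range = $rule.Conditions.FilePublisherCondition.BinaryVersionRange
    # $range.SetAttribute('LowSection', '*'); $range.SetAttribute('HighSection', "$($info.Publisher.BinaryVersion)")
}
$xml.Save($PolicyFile)

# Sanity-check the rule on its own before it touches the live policy.
$hit = Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $ChromePath
if ($hit.PolicyDecision -ne 'Denied') { throw "rule does not match $ChromePath" }

# -Merge keeps whatever is already in the local policy, including the default Allow
# rules from step 12. Without those, an enforced Exe collection blocks everything.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
$check = Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Local) `
             -Path $ChromePath, "$env:windir\System32\cmd.exe"
$check | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
$cmd = $check | Where-Object { $_.FilePath -like '*cmd.exe' }
if ($cmd.PolicyDecision -ne 'Allowed') {
    Write-Warning 'Default rules are missing (step 12); add them before starting AppIDSvc.'
}

# Steps 15-16: nothing is enforced until the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

The second Test-AppLockerPolicy call is the command-line equivalent of the warning in step 12: if cmd.exe is not reported as Allowed, the default rules are absent and starting the service would block Windows itself.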


Now, if you want to make sure you have covered all the bases, below is an image of the AppLocker rules configured with a few more denied browsers…





Thanks:
Kindly Leave your comment...

or mail me your suggestions @ yogendra.niitvp@gmail.com


BitLocker & BitLocker To Go






Introduction to BitLocker and BitLocker To Go: 

The BitLocker feature of Windows 7 is available only in the Ultimate and Enterprise editions of Windows 7. It enhances the security of the data on your computer by encrypting the entire drive that contains your data and Windows. Once you turn BitLocker on for a drive, any file you save on that drive is encrypted automatically. This means that if the computer is stolen, the data cannot be recovered unless the thief also has the password to the system. This helps companies keep sensitive data from falling into the wrong hands when a computer is stolen, and also makes hard drive disposal much easier.

BitLocker To Go is also a security enhancement mechanism offered by Windows 7 which gives the lockdown treatment to easily-misplaced portable storage devices like external hard drives and USB flash drives. 

BitLocker Drive Encryption can use a Trusted Platform Module (TPM) to validate the integrity of a computer’s boot manager and boot files at startup, and to guarantee that a computer’s hard disk has not been tampered with while the operating system was offline. To encrypt the drive on which you have installed Windows, BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk. Therefore to use BitLocker service on your computer, it must have one of the following:
  • For BitLocker to use the system integrity check provided by a TPM, the computer must have a TPM version 1.2. If your computer does not have a TPM, enabling BitLocker will require you to save a startup key on a removable device such as a USB flash drive.
  • A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS. The BIOS establishes a chain of trust for pre-operating system startup and must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require a TCG-compliant BIOS.
  • The system BIOS (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
In order to enable BitLocker Drive Encryption on the operating system drive, your computer's hard disk must meet the following requirements:
  • Your computer’s hard disk must have at least two partitions: the operating system partition and the active system partition. The operating system partition is that partition where you have installed Windows and it will be encrypted. The active system partition is left unencrypted so that the computer can be started, and this partition must be at least 100 MB in size. In Windows 7, by default, the system partition is not assigned a drive letter and is hidden from the user. If your computer does not have a separate, active partition, the required partition is created during BitLocker setup.
  • Both partitions, the operating system partition and the active system partition, must be formatted with the NTFS file system.
  • The BIOS must be compatible with the TPM or should support USB devices during computer startup.
BitLocker can encrypt the computer’s data drives and removable data drives like external hard drives and USB flash drives. For encryption, a data drive must be formatted by using the FAT, FAT16, FAT32, or NTFS file system and must be at least 64 MB in size. 

BitLocker is similar to EFS, but there are some important differences, as shown in the table below:

BitLocker | EFS
Encrypts all files on the drive that Windows is installed on. | Encrypts selected files on any drive.
BitLocker is either on or off for all users or groups. | Encrypts files associated with the user account that configured EFS. If a computer has multiple users, each can encrypt their own files.
Uses the Trusted Platform Module (TPM), a special chip in some computers that supports advanced security features. | Does not require or use any special hardware.
You must be an administrator to turn BitLocker encryption on or off after it is enabled. | You do not have to be an administrator to use EFS.

BitLocker Modes: 

  • TPM-only mode - In this mode, the user is unaware that BitLocker is in effect and they do not have to provide a password, PIN, or startup key to start the computer. TPM-only mode is the least secure implementation of BitLocker because it does not require additional authentication.
  • TPM with startup key - This mode requires that a USB device hosting a preconfigured startup key be available to the computer before the computer can boot into Microsoft Windows. If the device hosting the startup key is not available at boot time, the computer automatically enters recovery mode. This mode also provides boot environment protection via the TPM.
  • TPM with PIN - In this mode, the user must enter a PIN before the computer boots. You can configure Group Policy so that it is possible to enter a password containing numbers, letters, and symbols rather than a simple numeric PIN. If you do not enter the correct PIN or password at boot time, the computer automatically enters recovery mode. This mode also provides boot environment protection through the TPM.
  • TPM with PIN and startup key - This is the most secure option. You can configure this option through Group Policy. When you enable this option, a user must enter a startup PIN and have the device hosting the startup key connected before the computer will boot into Windows 7. This mode also provides boot environment protection through the TPM.
  • Without TPM - This mode provides hard disk encryption but does not provide boot environment protection. This mode is used on computers without TPM chips. You can configure BitLocker to work on a computer that does not have a TPM chip by configuring the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require Additional Authentication At Startup policy. When you configure BitLocker to work without a TPM chip, you need to boot with a startup key on a USB storage device.
Do I have TPM Hardware: 

Before configuring BitLocker, you will want to know if your computer has TPM hardware. To find out, follow these steps:
  1. Click the Start button, then Control Panel.
  2. Click Security, and then click BitLocker Drive Encryption. (If you do not see BitLocker Drive Encryption as an option, the most likely reason is that you are not running the Ultimate or Enterprise edition of Windows 7.)
  3. If the TPM administration link appears in the left pane, your computer has the TPM security hardware. If the link is not there, you will need a removable USB device such as a flash drive to turn on BitLocker and store the BitLocker startup key.
If the TPM Administration link is available, clicking on it will allow you to store TPM recovery information in Active Directory Domain Services (AD DS), clear the TPM, reset the TPM lockout, and enable or disable the TPM. 

Configuring BitLocker: 

Follow these steps to configure BitLocker:
  1. Open the BitLocker Drive Encryption control panel following the instructions in the section directly above. This screen presents a list of all the drive partitions under Help protect your files and folders by encrypting your drives. You can choose the drive that you want to encrypt with BitLocker. Let’s suppose you choose drive D.
  2. Select the Turn On BitLocker link next to the volume description of drive D.
  3. Select the method you want to use to unlock your protected drive. You can choose between password unlocking, unlocking using a smart card or you can also select to unlock automatically. Let’s suppose you choose to unlock with password. Then select Use a password to unlock this drive checkbox, enter the password and click Next.
  4. On the How do you want to store your recovery key page, select an appropriate option. If you choose to print the key, you get a printout. If you choose to save it to a file, the key is written to a file with the xps extension. If you choose to store it on a USB drive, insert the drive and the key is saved on it. Click Next.
  5. On Encrypt the drive page, click Start Encrypting. It encrypts your drive.
  6. You can now manage your encrypted drive from the BitLocker Drive Encryption page mentioned in step 2. For drive D, you’ll see certain options next to your BitLocker-controlled drive: Turn Off BitLocker and Manage BitLocker. You can change or remove the password, or change the method of unlocking the encrypted drive to smart card unlocking.
If you selected Use a password to unlock this drive, when you try to access your drive, you will receive a password prompt to unlock the drive. If you selected the smart card option, you will be prompted to insert the smart card. 

Configuring BitLocker To Go: 

  1. Connect the USB drive for which you want to enable BitLocker Encryption.
  2. Click Start, then click Control Panel.
  3. Click System and Security, then click BitLocker Drive Encryption. This screen presents a list of all the drive partitions and the connected USB flash drive under Help protect your files and folders by encrypting your drives.
  4. Click the Turn On BitLocker link option next to the volume description for the USB drive. It starts the initialization process of BitLocker Drive Encryption.
  5. Select the method you want to use to unlock your protected drive. You can choose between password unlocking or unlocking using a smart card. Let’s suppose you choose to unlock with a password. Then select the Use a password to unlock this drive checkbox, enter the password and click Next.
  6. On the How do you want to store your recovery key page, select an appropriate option. If you choose to print the key, you get a printout. If you choose to save it to a file, the key is written to a file with the xps extension and you are prompted for the location to save the file. Click Next.
  7. On Encrypt the drive page, click Start Encrypting. It encrypts your drive.
  8. You can now manage your encrypted drive from BitLocker Drive Encryption page, mentioned in Step no. 3. For your encrypted USB flash drive, you’ll observe certain options next to your BitLocker controlled drive: Turn Off BitLocker and Manage BitLocker. You can change or remove the password, or can also change the method to unlock the encrypted drive to Smart Card unlocking.
BitLocker Data Recovery Agents: 

Data Recovery Agents are special user accounts that can be used to recover encrypted data. You can configure such an account to recover BitLocker-protected drives if the recovery password or keys are lost. Data Recovery Agents can be used across an entire organization, meaning that you can recover all BitLocker-encrypted volumes using a single account rather than having to recover a specific volume’s recovery password or key. 

Before a data recovery agent can be configured for a drive, you must add the data recovery agent to Public Key Policies\BitLocker Drive Encryption in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor. You must also enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will only manage and update data recovery agents when an identification field is present on a drive and is identical to the value configured on the computer. 

To assign a BitLocker identification field to a BitLocker-protected drive, follow these steps:
  1. Log on as an administrator to the computer where you want to assign the identification field.
  2. Click Start, type cmd in the Search programs and files box.
  3. At the command prompt, type the following command, replacing [drive letter] with the BitLocker-protected drive's identifier (for example, E:): manage-bde -SetIdentifier [drive letter]
  4. The Manage-bde command-line tool will set the identification field to the value specified in the Provide the unique identifiers for your organization Group Policy setting.
  5. After the value has been set, Manage-bde will display a message informing you that the drive identifier has been set.
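The BitLocker To Go steps above and the identification field step, done from the command line. This is an added example and not code from the original post: it drives manage-bde.exe (the tool the post uses for -SetIdentifier) from PowerShell to protect a removable drive with a password, add and file a numerical recovery password, start encryption and then set the identification field. It assumes an elevated PowerShell, that E: is a placeholder for the removable drive, and that the Provide the unique identifiers for your organization policy is already configured on the computer.

```powershell
# Added example, not code from the original post: BitLocker To Go on a removable drive
# done with manage-bde.exe instead of the control panel wizard, followed by the
# -SetIdentifier step from the data recovery agent section.
# Assumptions: elevated PowerShell; E: is a placeholder for the removable drive; the
# "Provide the unique identifiers for your organization" policy is already configured,
# otherwise -SetIdentifier has no value to apply.
$Drive      = 'E:'
$BackupFile = Join-Path $env:USERPROFILE ('BitLocker-recovery-' + $Drive.TrimEnd(':') + '.txt')

function Invoke-Bde {
    # Run manage-bde with the given arguments, return its output and stop on failure.
    param([string[]]$BdeArgs)
    $out = & manage-bde.exe @BdeArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($BdeArgs -join ' ') failed:`n$($out -join "`n")" }
    $out
}

# Steps 4-5 equivalent: a password protector (manage-bde prompts for the password).
Invoke-Bde @('-protectors', '-add', $Drive, '-pw') | Out-Null

# Step 6 equivalent: add a 48-digit numerical recovery password and file a copy of it.
$out = Invoke-Bde @('-protectors', '-add', $Drive, '-RecoveryPassword')
$recovery = $out | Select-String -Pattern '\b(\d{6}-){7}\d{6}\b' |
            ForEach-Object { $_.Matches[0].Value } | Select-Object -First 1
if (-not $recovery) { throw 'no recovery password found in manage-bde output' }
"$(Get-Date -Format s)  drive $Drive  recovery password: $recovery" | Out-File -Append $BackupFile
Write-Host "Recovery password saved to $BackupFile; keep it somewhere other than the drive."

# Step 7 equivalent: start encryption (fails if no protector has been added yet).
Invoke-Bde @('-on', $Drive) | Out-Null

# Identification field: a data recovery agent only manages drives whose identifier
# matches the value configured in Group Policy on this computer.
Invoke-Bde @('-SetIdentifier', $Drive)

# Show the conversion status, the protectors and the identification field on the drive.
Invoke-Bde @('-status', $Drive)
Invoke-Bde @('-protectors', '-get', $Drive)
```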
To configure an identification field:
  1. Click BitLocker Drive Encryption in the GPMC or Local Group Policy Editor under Computer Configuration\Administrative Templates\Windows Components, to show the policy settings.
  2. Double-click the Provide the unique identifiers for your organization policy setting in the details pane.
  3. Click Enable. In BitLocker Identification Field, enter the identification field for your organization. This would be the identifier configured in the steps above.
  4. Click OK to apply and close the policy setting.
To configure a data recovery agent:
  1. Open GPMC or the Local Group Policy Editor.
  2. In the console tree under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption.
  3. Click Add Data Recovery Agent to start the Add Recovery Agent Wizard. Click Next.
  4. On the Select Recovery Agents page, click Browse Folders, and select a .cer file to use as a data recovery agent. After the file is selected, it will be imported and will appear in the Recovery agents list in the wizard. Multiple data recovery agents can be specified. After you have specified all the data recovery agents that you want to use, click Next.
  5. The Completing the Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy. Click Finish to confirm the data recovery agents, and close the wizard.