1 00:00:01,260 --> 00:00:08,380 Let's see how work with application control rules looks in practice. We'll switch to a test Windows 7
2 00:00:08,380 --> 00:00:16,560 operating system. Like for all administrative operations, we'll be using the MMC, Microsoft Management
3 00:00:16,560 --> 00:00:17,240 Console.
4 00:00:22,330 --> 00:00:24,940 We'll now use the snap-in for group policies.
5 00:00:26,110 --> 00:00:31,600 We'll use local group policies now, but the policies usually are created at a higher level,
6 00:00:32,990 --> 00:00:38,180 for example for all computers of a specified type or for all computers that belong to a given group
7 00:00:38,180 --> 00:00:47,460 of users. Follow Computer Configuration, Windows Settings, Security Settings to find Software Restriction
8 00:00:47,460 --> 00:00:56,770 Policies and Application Control Policies. Both mechanisms are available. We'll run a brief demonstration
9 00:00:56,770 --> 00:01:05,700 that will show you how easy it is to control programs run by users using software restriction policies.
10 00:01:05,730 --> 00:01:15,280 The first thing to do is to create a new software restriction policy. One click produces several results.
11 00:01:15,320 --> 00:01:21,370 Above all, we now have access to the default security level configuration.
12 00:01:21,570 --> 00:01:30,360 The default level is Unrestricted. This level specifies that all users may run all programs. We mentioned
13 00:01:30,360 --> 00:01:34,810 before that this is not the default level that you would like to use in a real environment.
14 00:01:37,320 --> 00:01:43,070 It would be preferable to use the Disallowed level, which means that users are not allowed to run anything
15 00:01:43,070 --> 00:01:47,740 except for allowed programs.
16 00:01:47,750 --> 00:01:57,110 There's also an intermediate security level, Basic User, which applies to users but not to administrators.
17 00:01:57,220 --> 00:02:02,290 It's a default level that was designed to convince administrators that this mechanism is really efficient.
18 00:02:05,110 --> 00:02:06,670 For this demonstration,
19 00:02:06,670 --> 00:02:11,710 we'll leave the Unrestricted security level and block a specific program that we don't want users to
20 00:02:11,710 --> 00:02:16,780 run. To do this, go to Additional Rules.
21 00:02:18,780 --> 00:02:29,440 As you can see, there are two rules already: path rules that indicate system components. They're at the Unrestricted
22 00:02:29,440 --> 00:02:30,550 security level.
23 00:02:31,600 --> 00:02:38,770 This means that programs that are registered in these locations are always allowed to be run. This doesn't
24 00:02:38,770 --> 00:02:40,460 apply to the entire system.
25 00:02:42,550 --> 00:02:45,250 System components, however, are exempted in this way.
26 00:02:48,250 --> 00:02:56,040 We'll add a new rule. Because we're thinking of a specific program, a specific version of a program,
27 00:02:56,100 --> 00:03:04,200 let's choose a rule that is as specific as possible: a file hash rule. A certificate rule might be similarly
28 00:03:04,200 --> 00:03:09,270 efficient, but if it's uncertain whether a program is digitally signed, we shouldn't use it.
29 00:03:11,200 --> 00:03:15,560 If the program is not digitally signed, the certificate rule is not going to work.
30 00:03:18,070 --> 00:03:23,380 Since the rule we'll create will be an exception from the default security level, it should be a Disallowed
31 00:03:23,380 --> 00:03:30,090 exception, one that will block all attempts to run the program.
32 00:03:30,100 --> 00:03:33,960 Next, you need to identify the program. To select it,
33 00:03:33,980 --> 00:03:41,810 you need to possess a copy. An administrator must have access rights to a program that is to be blocked.
34 00:03:41,850 --> 00:03:43,780 This could pose some problems at times,
35 00:03:44,740 --> 00:03:50,950 since this means that the local computer has to have installed the programs that are used by all users. In
36 00:03:50,950 --> 00:03:53,810 this case, we have a copy of such a program.
37 00:03:56,950 --> 00:04:03,690 From now on, the indicated file will not run. It's been placed in the Disallowed mode.
38 00:04:05,030 --> 00:04:07,480 The program is now disallowed.
39 00:04:07,490 --> 00:04:14,420 Unfortunately, to exempt another program you need to repeat this procedure.
40 00:04:14,540 --> 00:04:17,360 There's no generalization available.
41 00:04:17,510 --> 00:04:20,960 Let's now enforce the implementation of the rules on this local computer.
42 00:04:24,080 --> 00:04:25,040 To do this,
43 00:04:25,280 --> 00:04:33,180 run a command line interface with additional administrative privileges and update the security policy. Computer
44 00:04:33,180 --> 00:04:40,760 security policies are checked at system startup; policies that relate to users are checked at logon.
45 00:04:40,990 --> 00:04:44,430 Additional checks are performed in about 15 minute intervals.
46 00:04:45,900 --> 00:04:49,350 As you can see below, the policies have been successfully updated.
47 00:04:50,190 --> 00:04:53,460 Let's now try to run a program that has been blocked on this computer.
48 00:05:00,320 --> 00:05:04,620 The prompted message does not stem from an access rights issue.
49 00:05:04,660 --> 00:05:08,370 We have the access rights to run the file.
50 00:05:08,370 --> 00:05:16,270 This, however, goes against the updated policies. Our permissions are irrelevant.
51 00:05:16,330 --> 00:05:22,630 We'll remove the created rule examples and explore the other control technology, Application Control Policies.
52 00:05:23,620 --> 00:05:29,060 This feature is often referred to simply as AppLocker.
53 00:05:29,100 --> 00:05:33,460 Let's start with no rules at all.
54 00:05:33,630 --> 00:05:40,500 You can import a security policy prepared on another computer or create default rules. Default rules
55 00:05:40,500 --> 00:05:45,670 are the three rules that we've mentioned in the theoretical part of this module.
56 00:05:45,670 --> 00:05:51,430 The first rule allows everyone to run applications installed in the Program Files folder.
57 00:05:51,450 --> 00:05:57,520 The second rule allows the system to operate, while the third allows administrators to run all applications
58 00:05:57,520 --> 00:06:03,170 and files. Whether or not you consider the rules necessary is immaterial.
59 00:06:06,550 --> 00:06:12,320 Note that AppLocker's default operation employs a concept that was mentioned earlier.
60 00:06:12,380 --> 00:06:17,870 You create exceptions for specific applications that are allowed to run, and not exceptions for applications
61 00:06:17,870 --> 00:06:19,200 that are to be blocked.
62 00:06:21,160 --> 00:06:27,390 The latter concept was implemented in software restriction policies.
63 00:06:27,410 --> 00:06:31,000 Take a look at the AppLocker rule wizard.
64 00:06:31,020 --> 00:06:36,300 You need to indicate an application and specify if the action for a rule is to allow or deny running
65 00:06:36,300 --> 00:06:37,400 the application.
66 00:06:39,850 --> 00:06:42,910 You also need to select what users the rule will apply to.
67 00:06:46,450 --> 00:06:50,590 In our case, the rule will apply to all users.
68 00:06:50,590 --> 00:06:55,300 Next, you can specify how a program to which the rule will apply will be identified.
69 00:06:56,190 --> 00:07:00,460 We'll select the publisher condition.
70 00:07:00,510 --> 00:07:03,000 Let's see how this rule will work for Internet Explorer.
71 00:07:05,610 --> 00:07:09,290 We'll create a rule that applies to Internet Explorer 9.
72 00:07:09,330 --> 00:07:13,340 This application is a part of the Windows operating system.
73 00:07:13,480 --> 00:07:17,550 The publisher is Microsoft Corp.
74 00:07:17,610 --> 00:07:19,640 You can change the scope of the rule, though.
75 00:07:20,920 --> 00:07:27,850 You can apply the rule to the ninth version and all newer versions. This way you declare that you don't
76 00:07:27,850 --> 00:07:32,310 trust the earlier versions of Internet Explorer.
77 00:07:32,330 --> 00:07:38,830 You can also apply the rule to all versions of the application. Move the slider up to make the rules
78 00:07:38,830 --> 00:07:45,590 less specific and reduce the scope to file name. By moving the slider, you can block all Windows system
79 00:07:45,590 --> 00:07:49,350 components or all files that are digitally signed by Microsoft.
80 00:07:52,380 --> 00:07:53,980 As you can see,
81 00:07:54,020 --> 00:07:58,760 generalization is quite easy in this solution.
82 00:07:58,830 --> 00:08:02,060 This is an advance over the previous control technology.
83 00:08:03,320 --> 00:08:06,320 Additionally, you can also create rule exceptions.
84 00:08:07,440 --> 00:08:09,250 We won't create any exceptions.
85 00:08:12,770 --> 00:08:19,080 The rule we created blocks all digitally signed files published by Microsoft.
86 00:08:19,250 --> 00:08:24,350 The last feature we'll show is generating a set of rules for applications located in a specific folder
87 00:08:24,710 --> 00:08:32,350 that are known to be trustworthy. We'll automatically generate rules.
88 00:08:32,570 --> 00:08:39,840 The generated rules will apply to the Sysinternals Suite user folder. Several programs are contained
89 00:08:39,840 --> 00:08:41,370 in the folder.
90 00:08:41,370 --> 00:08:43,320 We won't create a rule for each of them.
91 00:08:44,760 --> 00:08:47,150 We'll indicate what rules are to be created.
92 00:08:49,080 --> 00:08:54,630 If we're lucky and it turns out that the folder contains digitally signed files, we can create a publisher
93 00:08:54,640 --> 00:08:56,030 rule.
94 00:08:56,130 --> 00:09:00,190 This would be the best option.
95 00:09:00,210 --> 00:09:05,710 You can also select to always create file hash rules.
96 00:09:05,850 --> 00:09:08,750 There can be many such rules.
97 00:09:08,860 --> 00:09:16,120 You can generalize them using the method just shown, which will automatically reduce their number. Analysis
98 00:09:16,120 --> 00:09:18,170 of the folder is completed.
99 00:09:18,250 --> 00:09:22,900 It turns out that the total number of rules is 56 publisher rules and one file hash rule.
100 00:09:28,170 --> 00:09:29,980 When you select the hash rule list,
101 00:09:30,060 --> 00:09:38,080 you can see that it's a generalized file hash rule. It applies to multiple files: a single rule relates
102 00:09:38,080 --> 00:09:41,800 to all non-signed files that can be run.
103 00:09:42,040 --> 00:09:47,880 We have successfully generated a set of rules, exceptions that allow some operations to be performed.
104 00:09:51,690 --> 00:09:53,000 Earlier in the presentation,
105 00:09:53,010 --> 00:09:57,930 we blocked the ability to install applications that we correctly did not consider to be necessary as
106 00:09:57,930 --> 00:10:00,190 standard components used in our network.
107 00:10:01,580 --> 00:10:06,270 Now we'll work with the type of rules called Windows Installer rules.
108 00:10:06,430 --> 00:10:13,940 Remember that MSI files are used for installation.
109 00:10:14,010 --> 00:10:17,200 Let's try to create a new rule.
110 00:10:17,290 --> 00:10:22,460 Pay attention to the fact that you can create default rules for all types.
111 00:10:22,460 --> 00:10:26,120 Now we also could create default rules.
112 00:10:26,180 --> 00:10:31,480 This would allow users to install digitally signed files or files that are located in the Installer
113 00:10:31,490 --> 00:10:40,230 folder. Administrators would be able to install anything. Assume that the first two rules don't meet our
114 00:10:40,230 --> 00:10:41,290 requirements.
115 00:10:42,290 --> 00:10:43,880 Because of this, we'll remove them.
116 00:10:48,440 --> 00:10:54,060 Now only administrators can install files. We'll create a new rule now.
117 00:10:57,120 --> 00:11:02,230 We'll explicitly deny installing programs that were also blocked from installing in the previous example.
118 00:11:04,490 --> 00:11:11,380 Like before, this will be a file hash rule. You need to specify a file or a folder that contains more
119 00:11:11,380 --> 00:11:12,460 than one file.
120 00:11:14,900 --> 00:11:16,980 You should provide a name for the rule.
121 00:11:17,330 --> 00:11:19,240 It's also good to describe it.
122 00:11:19,310 --> 00:11:25,900 However, we won't do this in the presentation. We have successfully created a rule that explicitly denies
123 00:11:25,910 --> 00:11:31,300 anyone, including administrators, the right to run a specified installation file.
124 00:11:33,870 --> 00:11:38,460 You'll have to start the previously mentioned service and potentially reboot the computer to put this
125 00:11:38,460 --> 00:11:39,780 rule into effect.
126 00:11:42,710 --> 00:11:48,700 The service Application Identity is designed to identify software.
127 00:11:48,860 --> 00:11:55,870 It's stopped at the moment. We'll switch the service into automatic startup mode and start it.
128 00:11:56,110 --> 00:12:01,900 After applying these rules and a reboot, we can be sure that the defined policy really works on a local
129 00:12:01,900 --> 00:12:04,100 computer or a computer group,
130 00:12:04,150 --> 00:12:06,490 if the rules pertain to more than one machine.