The AppLocker module for PowerShell contains five cmdlets. With the exception of a removal command, they are more than enough to handle the complete policy lifecycle. Don't let the small number of commands fool you!

To start our PowerShell exploration, open PowerShell ISE and type:

```powershell
Get-Command -Module AppLocker
```

*Our five AppLocker cmdlets*

## Path, publisher, or hash

AppLocker can allow or block applications based on three types of criteria. Files can be grouped by their path, their publisher, or their hash. As the Windows AppLocker Guide points out, individual rules should be built in this order and for these reasons:

- Publisher: Uses the least amount of administrative work and is the most flexible.
- Hash: More secure than a path rule, inflexible when a program updates.
- Path: Path locations should not allow standard users to have write access.

By using Get-AppLockerFileInformation, we can scan files or directories to see what rule types will be supported. This command will recursively search a directory:

```powershell
Get-AppLockerFileInformation -Directory "\\SERVER\SHARE\FOLDER" -Recurse
```

Though part of the directory path has been removed, you can still see how useful this cmdlet is for planning. To make sorting easier, we can pipe any output to the Out-GridView cmdlet.

*In the top right, note the ability to filter results!*

## Creating and testing an AppLocker policy

We can quickly create rules by using Get-AppLockerFileInformation and piping the output to New-AppLockerPolicy. Here is an example that searches the MDOP folder and creates a new AppLocker policy. The results are then exported to the file MDOP.XML.

```powershell
Get-AppLockerFileInformation -Directory \\SHARE\SERVER\Microsoft\MDOP\ -Recurse | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix MDOP -XML | Out-File .\MDOP.XML
```

Before applying our AppLocker rules to a machine (or to a GPO), we will want to test them first. Testing allows us to correct mistakes before we accidentally block a needed file. Testing can be done by running Test-AppLockerPolicy against specific files. In the example below, I am testing MDOP.XML against a file on a share.
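The following script is an added, end-to-end example that is not code from the original post or from Microsoft's documentation. It walks the same lifecycle the post describes: scan a folder with Get-AppLockerFileInformation to see which files can only get hash rules, check that no directory in the folder is writable by standard users (the precondition the post gives for path rules), build the Publisher/Hash policy with New-AppLockerPolicy, and then run Test-AppLockerPolicy against sample files before anything is deployed. The application folder, the test file names and the output location under `$env:TEMP` are placeholders, and the script assumes an elevated PowerShell session on a Windows build that ships the AppLocker module.

```powershell
# Added example (not from the original post): plan, build and test an AppLocker
# policy for one application folder, then report what the policy would block.
# Assumptions: the AppLocker module is available, the folder and test file
# paths below are placeholders you replace, and the session is elevated.
Import-Module AppLocker

$AppFolder  = '\\SERVER\SHARE\Microsoft\MDOP'     # placeholder, replace
$PolicyFile = Join-Path $env:TEMP 'MDOP.XML'      # output location (assumed)

# 1. Planning scan: which rule types can each file support?
#    A file with no Publisher property is unsigned, so only hash (or path)
#    rules can cover it. Out-GridView gives the filterable view the post shows.
$files    = @(Get-AppLockerFileInformation -Directory $AppFolder -Recurse)
$unsigned = @($files | Where-Object { -not $_.Publisher })
"{0} files scanned, {1} unsigned (hash rules only)" -f $files.Count, $unsigned.Count
$unsigned | Select-Object Path, Hash | Out-GridView -Title 'Unsigned files (hash rules only)'

# 2. Path-rule sanity check: a path rule is only safe when standard users
#    cannot write to the location. Flag directories that grant write-type
#    rights to Everyone, Authenticated Users or BUILTIN\Users. The -match on
#    the rights string is a deliberately conservative heuristic (it also
#    catches WriteAttributes), so review anything it reports by hand.
$lowPriv = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
Get-ChildItem -Path $AppFolder -Directory -Recurse |
    ForEach-Object {
        $acl  = Get-Acl -Path $_.FullName
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
        }
        if ($weak) { "User-writable, avoid path rules here: $($_.FullName)" }
    }

# 3. Build publisher rules where possible and hash rules otherwise, save as XML.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix MDOP -Xml |
    Out-File -FilePath $PolicyFile -Encoding utf8

# 4. Test before deploying: evaluate the XML against a file the rules should
#    cover and a control file outside the folder. Placeholders again.
$testFiles = @("$AppFolder\Setup.exe", "$env:WINDIR\System32\calc.exe")
$results   = @(Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $testFiles -User Everyone)
$results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Any decision other than Allowed/AllowedByDefaultRule means the new rules
# would block that file; fix the rules before Set-AppLockerPolicy ever runs.
$denied = @($results | Where-Object { $_.PolicyDecision -notlike 'Allowed*' })
if ($denied.Count -gt 0) {
    Write-Warning ("{0} test file(s) would not be allowed by {1}" -f $denied.Count, $PolicyFile)
}
```

The control file is there on purpose: a policy generated this way contains only the MDOP rules, so the test shows that anything outside that folder falls through to the default decision, which is exactly the kind of surprise the post says testing should catch before the policy is applied to a machine or GPO.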