Windows Server 2008 R2 Powershell Cmdlets (part 2) - AppLocker cmdlets

2/27/2014 2:11:39 AM

2. AppLocker cmdlets

This section will cover the AppLocker cmdlets that can be used to manage AppLocker policies in Windows Server 2008 R2. AppLocker is a new Windows 7 and Windows Server 2008 R2 feature that helps the administrator control how users can access and use files. Before you do anything with any AppLocker cmdlets, even use the get-help cmdlet on them, you must import the AppLocker module. You need to be running Windows 7 or Windows Server 2008 R2 to be able to import the AppLocker module.

The steps needed to import the module are as follows:

Startup PowerShell

Type Import-Module AppLocker

After the cmdlet has finished running, you can check to see if it worked by calling the get-help cmdlet on the AppLocker cmdlets, since if the import is not performed, PowerShell will not be able to find help on them. TypeGet-Help *AppLocker* and hit enter. You should now see a list of the five AppLocker cmdlets (see Figure 10).

Figure 10. The AppLocker cmdlets.

If this did not work and you get an error, then make sure you are running Windows 7 or Windows Server 2008 R2. In addition, you need to make sure you have administrator rights and scripting enabled.

The five AppLocker commands that should appear on your screen are described in Table 7.

Table 7. Windows AppLocker cmdlets
cmdlet NameDescription
New-AppLockerPolicyThis cmdlet creates a new AppLocker policy. It can be created with default values or specific values determined during creation
Get-AppLockerFileInformationThis cmdlet gets the AppLockerFile information for the specified targets
Get-AppLockerPolicyThis cmdlet gets the specified AppLockerPolicy from the local computer or a specific GPO
Set-AppLockerPolicyThis cmdlet sets the AppLockerPolicy for a desired target Group Policy Object
Test-AppLockerPolicyThis cmdlet tests a target against a specific AppLocker policy to determine what execution rights it has

These cmdlets are very straightforward in their use on a basic level but allow some very interesting complexities and applications as well.

As the name implies, the Get-AppLockerFileInformation cmdlet allows you to get the AppLocker file information from a list of files or an event log. For example, you could get all the AppLocker information for all the executable files and scripts in a specific directory. You could also be more specific and get the AppLocker information for a specific script or executable by simply typing Get-AppLockerFileInformation filename. You will get multiple files for your example. Type Get-AppLockerFileInformationDirectory C:\Windows\System32\ -FileType script and hit enter, and you will see how the AppLocker File information is returned. The cmdlet you used is asking for the AppLocker File information for all the scripts in the Windows\System32\ directory. In the output, you can see the file and some of its information, which can include the file path, the publisher, and the file hash (see Figure 11).

Figure 11. File Information for the Scripts in the System32 folder.

This information might not seem very useful to you, but it is important when you use the rest of the cmdlets that require AppLocker File information. For some of them, you will need to pipe on the AppLocker File information, like the New-AppLockerPolicy cmdlet.

The New-AppLockerPolicy cmdlet is used to create new AppLocker rules for a group or user. It requires a list of file information to automatically generate these new rules for you. Let us say you have a directory where you do not want any new .exe files to have the ability to execute, except for the ones that are already there. That way, any new files that are added later can be checked for safety before they are allowed to run. In this example, you will create a new AppLocker Policy to only allow the existing script files in the Windows\System32\ directory to be allowed to run. You will need to use the Get-FileInformation cmdlet to get all the script files currently there and then pass them to the New-AppLockerPolicy cmdlet via the “|” or pipe.

The cmdlet you type is get-AppLockerFileInformationDirectory C:\Windows\System32\ -FileType script | New-AppLockerPolicy –User Everyone XML > ScriptRestrictionPolicy.XML. This first gets all the AppLocker file information for all the scripts in the specified directory, it then uses this to create a new AppLocker Policy file for all the users and writes the policy to the ScriptRestrictionPolicy.XML as you specified.

It will use a default rule type of publisher and then hash, since you did not specify one of your own. If you were to open the newly created ScriptRestrictionPolicy.XML in a text editor, you would be able to see that it contains xml entries for all the files that were returned by the get AppLockerFileInformation –Directory C:\Windows\System32\ -FileType script cmdlet (see Figure 12). If you were to push this policy, only then those scripts would have permission to run by default and others would not be allowed unless you added them to the policy. You could have just as easily created a policy that would allow none to run, except for a specific file as well by simply removing the –Directory and –FileType flags like this Get-AppLockerFileInformation fileToAllow | New-AppLockerPolicyUser Everyone XML > YourNewPolicyName.XML.

Figure 12. Scripts that will be allowed to run with the New Policy.

The next cmdlet, Test-AppLockerPolicy cmdlet is a very useful straightforward tool. It lets the administrator check the AppLocker Policy in a few different ways. You can check if users in a group are allowed to run an application, you can check if a list of applications can be run by a group of users and you can check to see which files a specific user is not allowed to execute. You are going to use the Test-AppLockerPolicy cmdlet to see how the policies you created earlier would impact the existing files and new files before you push the AppLocker Policies. You can test the ScriptRestrictionPolicy you created before that was supposed to create a policy for the existing scripts. You pick one of the scripts to test with the Test-AppLockerPolicy cmdlet (see Figure 12). You pick the first one, WINRM.CMD, and type Test-AppLockerPolicyXMLPolicy.\ ScriptRestrictionPolicy.XMLPath C:\Windows\System32\WINRM.CMD to see if the policy will allow it like it is supposed to, and you see that it does (see Figure 13).

Figure 13. Testing the Policy.

You now check to see that the policy is also restricting new scripts as it is supposed to by creating a new file and calling it “EvilMaliciousScript.CMD.” You then test it to see if it can be run by typing Test-AppLockerPolicyXMLPolicy.\ScriptRestrictionPolicy.XMLPath C:\Windows\System32\EvilMaliciousScript.CMD and hitting enter. The result shows you that your policy is working. It is restricting it because it is not the one specified in your XML policy file (see Figure 14).

Figure 14. Restricting New Scripts.

Now that you understand how to test AppLocker policies, you move on to another helpful cmdlet called the Get-AppLockerPolicy cmdlet. This cmdlet gets the AppLocker policy from either a specific GPO or from the effective AppLocker policy on the computer. To get the effective AppLockerPolicy on your local computer, you simply type Get AppLockerPolicyEffective and hit enter. In this way, you can also get a local or domain AppLockerPolicy with their corresponding flags of – local or –domain or even specify a specific GPO to get the policy from using the Lightweight Directory Access Protocol (LDAP) path of the GPO and the –ldap flag. Get-AppLockerPolicy can either return an AppLockerPolicy object or an XML-formatted string. So, if you wanted to write the local policy to an XML file, you simply add another flag to the command like this Get-AppLockerPolicyLocalXML > Local.XML. This will then write the AppLockerPolicy to the file you specified Local.XML.

The final piece in the puzzle is the Set-AppLockerPolicy cmdlet. The Set AppLockerPolicy lets the administrator set an AppLockerPolicy for a specific Group Policy Object (GPO). You either need to furnish an LDAP path or it will default to the local GPO. So, once you have an AppLockerPolicy that you have tested and are sure you want to push, you can use the Set-AppLockerPolicy cmdlet to do so. So, assuming you were ready to set the local AppLockerPolicy to the ScriptRestrictionPolicy.XML AppLocker Policy you created earlier with the New-AppLockerPolicy cmdlet, you would simply type Set-AppLockerPolicyXMLPolicy C:\Windows\ System32\ScriptRestrictionPolicy.XML and be done with it. One flag of interest is the –Merge flag. If the Merge flag is included, then the new AppLocker Policy you are setting is merged with the old one. If the –Merge flag is not there, then the old AppLockerPolicy is replaced with the new one you are setting. Going back to your ScriptRestrictionPolicy, you could create new AppLocker policies for any new scripts you wanted to allow to run and then use Set-AppLockerPolicy cmdlet with the –Merge flag to add them to the existing local AppLockerPolicy.

  •  Windows Server 2008 R2 : PowerShell V2 feature focus - Installing Powershell, Introduction to Powershell Scripting
  •  Windows Server 2008 R2 : PowerShell V2 feature focus - Introduction to Powershell
  •  Installing Windows 8 on startup VHD files (part 3) - Starting the system from the VHD, Removing VHD installations
  •  Installing Windows 8 on startup VHD files (part 2) - Creating the VHD during the installation by using DiskPart
  •  Installing Windows 8 on startup VHD files (part 1) - Creating a VHD from an existing installation
  •  Windows 8 : Upgrading or migrating from a previous version of Windows (part 4) - Migrating user data
  •  Windows 8 : Upgrading or migrating from a previous version of Windows (part 3) - Using an external hard disk or USB flash drive, Using the User State Migration Tool
  •  Windows 8 : Upgrading or migrating from a previous version of Windows (part 2) - Using removable media, Using a network connection
  •  Windows 8 : Upgrading or migrating from a previous version of Windows (part 1) - Running the Setup Wizard , Configuring your account
  •  Installing Windows 8 on a new or formatted system (part 3) - Installing Windows 8 with Windows To Go
    Top 10
    3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
    3 Tips for Maintaining Your Cell Phone Battery (part 1) - Charge Smart
    OPEL MERIVA : Making a grand entrance
    FORD MONDEO 2.0 ECOBOOST : Modern Mondeo
    BMW 650i COUPE : Sexy retooling of BMW's 6-series
    BMW 120d; M135i - Finely tuned
    PHP Tutorials : Storing Images in MySQL with PHP (part 2) - Creating the HTML, Inserting the Image into MySQL
    PHP Tutorials : Storing Images in MySQL with PHP (part 1) - Why store binary files in MySQL using PHP?
    Java Tutorials : Nested For Loop (part 2) - Program to create a Two-Dimensional Array
    Java Tutorials : Nested For Loop (part 1)
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS