Tuesday, March 19, 2013

Applocker in RDS on 2012 Doesn't Enforce Path Rules

I was having a hell of a time trying to understand why some of my path rules in AppLocker were not being enforced under our new Remote Desktop Services server running Windows Server 2012.

Two things:

First, AppLocker requires the Application Identity service (AppIDSvc) to be running. It is set to Manual by default, so if you want to use AppLocker you have to start it up. Set it to Automatic and you should be all good. But I was still having trouble with some of my rules.

It turns out...

Second, I had several path rules restricting access to certain files/folders. It turns out that I had simply cut/pasted the paths. This was a no-no for us. To get the rules to work, you have to browse to the file/folder using the AppLocker GUI. Oddly enough, it will replace the path with the environment-variable equivalent, so your Windows folder, probably C:\Windows\, becomes %WINDIR% even if you browse directly to it.

Once these two conditions were in place, our rules worked correctly.
Also, while I haven't experimented much with it, I was able to use wildcards in the file names for path rules, for example server*.* to block servermanager.exe. I thought that was pretty cool.
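The two checks above (the service, and path rules written with environment variables rather than literal drive paths), plus the wildcard rule, can be verified from PowerShell instead of the GUI. The script below is an added example and is not from the original post; it assumes an elevated session on the RDS host, the built-in AppLocker module, and that ServerManager.exe lives in %WINDIR%\System32. The rule Id and the test policy it writes to %TEMP% are constructed for this example.

```powershell
# Added example (not from the original post). Run elevated on the Windows Server 2012 RDS host.
Import-Module AppLocker

# 1. AppLocker enforces nothing unless the Application Identity service (AppIDSvc) runs.
#    It is Manual by default; make it Automatic and start it, then report its state.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
Write-Output ("AppIDSvc: State={0} StartMode={1}" -f $svc.State, $svc.StartMode)

# 2. Audit the effective policy: flag path conditions that still use a literal drive path
#    (e.g. C:\Windows\...) instead of the %WINDIR%-style form the GUI produces.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
foreach ($cond in $effective.SelectNodes('//FilePathCondition')) {
    $p = $cond.Path
    if ($p -match '^[A-Za-z]:\\') {
        Write-Warning "Literal drive path in rule: $p  (re-create it by browsing in the GUI)"
    } else {
        Write-Output "OK (environment-variable path): $p"
    }
}

# 3. Test a wildcard path rule without deploying it. This constructed policy allows
#    everything under %WINDIR% but denies %WINDIR%\System32\server*.* to Everyone (S-1-1-0).
$testPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-2222-3333-4444-555555555555" Name="Constructed allow WINDIR"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="66666666-7777-8888-9999-000000000000" Name="Constructed deny server*.*"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\System32\server*.*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'constructed-applocker-test.xml'   # assumed writable location
Set-Content -Path $policyFile -Value $testPolicy -Encoding UTF8

# Expected: ServerManager.exe -> Denied by the wildcard rule; notepad.exe -> Allowed.
$candidates = @("$env:WINDIR\System32\ServerManager.exe", "$env:WINDIR\System32\notepad.exe")
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Step 2 only reads the effective policy, so it is safe to run on a host already in enforcement; step 3 evaluates the constructed policy file against real executables with Test-AppLockerPolicy and never applies it, which is the place to confirm that a wildcard such as server*.* catches what you expect (and nothing more) before you add the rule through the GUI.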
