SV-226045r569184_rule
V-226045
SRG-OS-000370-GPOS-00155
WN12-00-000018
CAT II
10
Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server 2012.
If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker.
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
This is applicable to unclassified systems; for other systems this is NA.
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
If an application whitelisting program is not in use on the system, this is a finding.
Configuration of whitelisting applications will vary by the program.
AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
If AppLocker is used, perform the following to view the configuration of AppLocker:
Open PowerShell.
If the AppLocker PowerShell module has not been previously imported, execute the following first:
Import-Module AppLocker
Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system:
Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
V-226045
False
WN12-00-000018
This is applicable to unclassified systems; for other systems this is NA.
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
If an application whitelisting program is not in use on the system, this is a finding.
Configuration of whitelisting applications will vary by the program.
AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules.
If AppLocker is used, perform the following to view the configuration of AppLocker:
Open PowerShell.
If the AppLocker PowerShell module has not been previously imported, execute the following first:
Import-Module AppLocker
Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system:
Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml
This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review.
Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link:
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
M
4217