Lesson 6: Controlling Access to Local Hardware and Applications

Lesson 6: Controlling Access to Local Hardware and Applications MOAC 70-687: Configuring Windows 8.1

Overview

Exam Objective 2.3: Control access to local hardware and applications
- Configure application restrictions, including Software Restriction Policies and AppLocker
- Manage installation of and access to removable devices
- Configure Assigned Access

© 2013 John Wiley & Sons, Inc.

Configuring Hardware Restrictions

Controlling Device Installation

The Device Installation Restrictions folder in a GPO contains policy settings that enable you to prevent Windows computers from installing and updating device drivers under specific conditions. The policies in the Computer Configuration/Policies/Administrative Templates/System/Device Installation/Device Installation Restrictions folder enable you to specify if or when the computers on your network can install drivers for hardware devices.

Figure: The Device Installation Restrictions policies

Controlling Removable Storage Access

For control over access to specific types of removable storage at the computer level, you can use the policy settings in the Computer Configuration/Policies/Administrative Templates/System/Removable Storage Access folder. For control at the user level, the same policies appear in the User Configuration/Policies/Administrative Templates/System/Removable Storage Access folder.

Figure: The Removable Storage Access policies

Configuring Application Restrictions

Software Restriction Policies

Software restriction policies are Group Policy settings that enable administrators to specify the programs that are allowed to run on workstations by creating rules of various types.

Software Restriction Policy Rules

The software restriction policy rules that you can create include the following:
- Certificate rules – Identify applications based on the inclusion of a certificate signed by the software publisher. An application can continue to match this type of rule, even if the executable file is updated, as long as the certificate remains valid.
- Hash rules – Identify applications based on a digital fingerprint that remains valid even when the name or location of the executable file changes.
- Network zone rules – Identify Windows Installer (.msi) packages downloaded with Internet Explorer based on the security zone of the site from which they are downloaded.
- Path rules – Identify applications by specifying a file or folder name or a registry key. The potential vulnerability of this type of rule is that any file can match the rule, as long as it is the correct name or location.

Creating Rules

To create rules:
1. Open a Group Policy object (GPO) and browse to Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.
2. Right-click the Software Restriction Policies object.
3. From the context menu, select New Software Restriction Policies.

You create new rules of your own in the Additional Rules folder, using the dialog box.

Figure: Software Restriction Policies

Figure: The New Path Rule dialog box

Rule Settings

The three possible settings are as follows:
- Disallowed – Prevents an application matching a rule from running.
- Basic user – Allows all applications not requiring administrative privileges to run. Allows applications that do require administrative privileges to run only if they match a rule.
- Unrestricted – Allows an application matching a rule to run.

Using AppLocker

AppLocker, also known as application control policies, is essentially an updated version of the concept implemented in software restriction policies. AppLocker uses rules, which administrators must manage. The process of creating the rules is much easier because of a wizard-based interface.

Understanding Rule Types

The AppLocker settings are located in Group Policy objects in the Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker container. In the AppLocker container, there are four nodes that contain the basic rule types, as follows:
- Executable Rules – Contains rules that apply to files with .exe and .com extensions.
- Windows Installer Rules – Contains rules that apply to Windows Installer packages with .msi and .msp extensions.
- Script Rules – Contains rules that apply to script files with .ps1, .bat, .cmd, .vbs, and .js extensions.
- Packaged app Rules – Contains rules that apply to applications purchased through the Windows Store.

Figure: The AppLocker container in a GPO

Creating Default Rules

To use AppLocker, you must create rules that enable users to access the files needed for Windows and the system’s installed applications to run. The simplest way to do this is to right-click each of the three rules containers and select Create Default Rules from the context menu.

Figure: The default AppLocker Executable Rules

Creating Rules Automatically

When you right-click one of the three rules containers and select Create Rules Automatically from the context menu, an Automatically Generate Rules Wizard appears. After specifying the folder to be analyzed and the users or groups to which the rules should apply, a Rule Preferences page appears. The wizard then displays a summary of its results in the Review Rules page and adds the rules to the container.

Figure: The Folders and Permissions page of the Automatically Generate Executable Rules Wizard

Figure: The Rule Preferences page of the Automatically Generate Executable Rules Wizard
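
The wizard's steps (folder, user or group, rule preferences, review, add) can also be scripted with the AppLocker PowerShell cmdlets. The following is an added example, not part of the original slides; the reference folder, the output file and the file tested in the dry run are assumptions.

```powershell
# Added example: scripted counterpart of the Automatically Generate Rules Wizard.
# Assumed values: $referenceFolder, $policyFile and the file passed to -Path.
Import-Module AppLocker

$referenceFolder = 'C:\Program Files'
$policyFile      = Join-Path $env:TEMP 'AppLocker-Generated.xml'

# Folder to analyze: collect publisher, path and hash data for every executable.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceFolder -Recurse -FileType Exe

# User/group and rule preferences: publisher rules where a signature exists,
# file hash rules for the rest; -Optimize groups similar files into fewer rules.
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                        -RuleNamePrefix 'Generated' -Optimize -Xml
$policyXml | Out-File -FilePath $policyFile

# Review: count the generated rules by type before anything is applied.
([xml]$policyXml).AppLockerPolicy.RuleCollection |
    ForEach-Object { $_.ChildNodes } |
    Group-Object { $_.LocalName } |
    Select-Object Name, Count

# Dry run: report how the generated rules would treat a file, without enforcing them.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone `
    -Path (Join-Path $referenceFolder 'Internet Explorer\iexplore.exe') |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Add the rules to the local policy (elevated session); -Merge keeps existing rules.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Running the review and dry-run steps before the final command shows which files fall outside the generated rules and would therefore depend on the default rules.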

Creating Rules Manually

You can create rules manually using a wizard. To start the wizard, select Create New Rule from the context menu for one of the three rule containers. The wizard prompts you for:
- Action – Specifies whether you want to allow or deny the user or group access to the resource. In AppLocker, explicit deny rules always override allow rules.
- User or group – Specifies the name of the user or group to which the policy should apply.
- Conditions – Specifies whether you want to create a publisher, path, or file hash rule. The wizard generates an additional page for whichever option you select, enabling you to configure its parameters.
- Exceptions – Enables you to specify exceptions to the rule you are creating, using any of the three conditions: publisher, path, or file hash.
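
How the four wizard settings combine, including the rule that an explicit deny overrides an allow, can be checked offline with a hand-written policy and Test-AppLockerPolicy. This is an added example, not part of the original slides; the rule names, rule IDs and policy file are constructed, and the three tested files are assumed to exist on the machine.

```powershell
# Added example: two manually defined path rules, evaluated without enforcing them.
# Constructed values: rule Ids and names, $policyFile. Assumed to exist: the files in $samples.
Import-Module AppLocker

$policyFile = Join-Path $env:TEMP 'AppLocker-Manual.xml'

# Action = Allow/Deny, user or group = Everyone (S-1-1-0), condition = path,
# exception = one file carved out of the deny rule.
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Deny Internet Explorer folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\iexplore.exe" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Out-File -FilePath $policyFile

# One file matched by both rules, one excepted from the deny rule, one matched by neither.
$samples = @(
    "$env:ProgramFiles\Internet Explorer\ieinstal.exe",
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "$env:WINDIR\System32\notepad.exe"
)

Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path $samples |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

The PolicyDecision column distinguishes a file blocked by an explicit deny rule from one blocked only because no allow rule matched it, which is the case the default rules are meant to cover.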

Configuring Assigned Access

Assigned Access is a Windows 8.1 feature that enables you to configure a Windows 8.1 system to function as a kiosk, running a single application in a protected environment. It is now possible, in Windows 8.1, to associate a local user account with a single Windows app, so that the app launches when the user logs on to the system. Once in that app, the user cannot launch another app. The system also suppresses all notifications, and disables all of the key combinations, gestures, and shortcuts that provide access to the underlying system components.

Configuring Assigned Access

To use Assigned Access, you create a local account specifically for that purpose, and you associate it with an app that you have already installed. There are two important limitations to this feature, however, as follows:
- Local accounts only – You must use a local account, created solely for use with Assigned Access. You cannot use a domain account.
- Modern apps only – You can only use Modern apps – either purchased from the Windows Store or sideloaded – with Assigned Access.

Figure: The Manage other accounts page

Figure: The Set up an account for assigned access page

Lesson Summary

- Using Group Policy, you can restrict user access to removable storage devices on their workstations.
- Software restriction policies are Group Policy settings that enable administrators to specify the programs that are allowed to run on workstations by creating rules of various types.
- AppLocker is a new feature in the Windows 8 Enterprise and Ultimate editions that enables administrators to create application restriction rules much more easily.

Copyright 2013 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.