The first thing you will have to do to get your server ready for AppLocker is to reconfigure the Application Identity service (short name AppIDSvc). You are going to want to set its startup type to Automatic and, of course, actually start it. The Application Identity service is the one that evaluates the AppLocker rules against the applications you launch, writes the event log entries and, most importantly, blocks applications that are not allowed. If it is not running, AppLocker does nothing at all, however carefully the rules are written.
AppLocker itself is configured inside a Group Policy Object. I have set this up in Computer Configuration, drilled down to Windows Settings, Security Settings, Application Control Policies, and then AppLocker. Expanding it right now gives me some information, but since I have never configured it on this computer before I am going to need to actually get it going.
Now the trick with servers is that it is unlikely every single server you have is running the exact same applications. So configuring AppLocker in Group Policy, which is where Microsoft tends to push you, might not be the right way. Microsoft really pushes that way because it is how most people will configure client computers, which tend to be identical. For servers it is just as legitimate to drill down into the Local Security Policy (secpol.msc, where the same Application Control Policies, AppLocker node sits under Security Settings) and give every one of your servers its own AppLocker configuration. One caveat: a local policy does not replace whatever AppLocker policy arrives through domain Group Policy. The rules from both are merged into the policy the server actually applies, which is what Get-AppLockerPolicy -Effective shows you.
The first thing you will do is configure rule enforcement. That is where you choose which rule collections to configure: Executable rules and Windows Installer rules, and even if you only configure Windows Installer rules that is worthwhile, because it helps prevent people from installing additional software. You can also configure Script rules. On the Advanced tab you can enable the DLL rule collection, but Microsoft does not really recommend it and neither do I. There are so many DLLs loaded in Windows that having AppLocker evaluate every single one of them can really put a hit on performance. One thing to keep in mind for every collection you turn on: AppLocker is default-deny, so a collection that is set to enforce but has no rules in it blocks every file of that type.
For each collection you can choose Audit only or Enforce rules. Audit only is a good starting point: no applications are actually blocked, but AppLocker still writes an event log entry for every file it would have blocked (event ID 8003 for executables and DLLs, 8006 for installers and scripts), just as if it were enforcing. So you can see what it would do without it actually doing anything. Once you have configured that you are ready to start creating your Executable rules.
That is where you come down and create a new rule, or, and this is the feature that really sets AppLocker apart from Software Restriction Policies (its predecessor), Automatically Generate Rules. The first thing you are going to want to do is Create Default Rules. This automatically creates a rule that allows anything in the Program Files folder, and that is one you may or may not want to keep. It is designed to get you up and running quickly without breaking your server, but it means that if something can get into the Program Files folder it is going to run, which might defeat the purpose of locking down your server.
Next is all files in the Windows folder, which keeps Windows itself running, and then anything run by the built-in Administrators group. Again, if the goal is to lock down the server against other administrators installing things without your knowledge, you are probably going to want to remove that rule. The Windows folder rule deserves a look as well: it is a path rule, and it also covers subfolders that standard users can write to, such as C:\Windows\Temp and C:\Windows\Tasks. Automatically Generate Rules simply scans a folder you point it at, finds the executables in it and creates rules to allow all of them; by default it creates publisher rules for signed files and file hash rules for unsigned ones. You can use it as a quick way of getting up and running.
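The steps above, done from PowerShell instead of the console, as an added example that is not code from the original page: start the Application Identity service, generate rules for one application folder, add the two default rules the text says are worth keeping (Windows folder and Program Files) while leaving out the "(Default Rule) All files" rule for BUILTIN\Administrators, and apply the result to this server's local policy in Audit only mode. The application folder C:\Apps\LineOfBusiness and the output path C:\Temp\AppLocker-Audit.xml are assumptions; the cmdlets are from the AppLocker module that ships with Windows.

```powershell
# Added example, not code from the original page.
# Assumptions: elevated PowerShell on the server itself; $AppDir and $OutPolicy are
# hypothetical paths. Set-AppLockerPolicy without -Ldap edits the local policy.
Import-Module AppLocker

$AppDir    = 'C:\Apps\LineOfBusiness'        # hypothetical folder to scan
$OutPolicy = 'C:\Temp\AppLocker-Audit.xml'   # hypothetical output path

# --- 1. Application Identity service (AppIDSvc): Automatic + running ---
# On current Windows builds AppIDSvc is a protected service, so the Services
# snap-in (and often Set-Service -StartupType) refuses the change; sc.exe works.
& sc.exe config appidsvc start= auto | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config appidsvc failed with exit code $LASTEXITCODE" }
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') { Start-Service -Name AppIDSvc }

# --- 2. Auto-generated rules for the application folder ---
# Publisher rules for signed files, hash rules for unsigned ones (the wizard's default).
$fileInfo = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe, WindowsInstaller, Script
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                                   -User Everyone -Optimize -Xml

# --- 3. The two default Exe rules worth keeping, minus the Administrators catch-all ---
# S-1-1-0 is Everyone; %WINDIR% and %PROGRAMFILES% are AppLocker path variables.
[xml]$defaults = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# New-AppLockerPolicy only emits a collection for file types it actually found,
# so make sure an Exe collection exists before appending the default rules to it.
$exe = $policy.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Exe']")
if (-not $exe) {
    $exe = $policy.DocumentElement.AppendChild($policy.CreateElement('RuleCollection'))
    $exe.SetAttribute('Type', 'Exe')
}
foreach ($rule in $defaults.SelectNodes('//FilePathRule')) {
    [void]$exe.AppendChild($policy.ImportNode($rule, $true))
}

# --- 4. Every configured collection starts in Audit only ---
# Caveat: a collection set to Enabled (enforce) with no rules blocks every file of that type.
foreach ($coll in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
    $coll.SetAttribute('EnforcementMode', 'AuditOnly')
}

$policy.Save($OutPolicy)
Set-AppLockerPolicy -XmlPolicy $OutPolicy     # replaces this server's local AppLocker policy

# What the machine will actually apply: local policy merged with any domain policy.
Get-AppLockerPolicy -Effective -Xml
```

Rerunning the script replaces the local policy wholesale, so keep the saved XML under version control per server; that file is also what you hand to Test-AppLockerPolicy when you want to check a binary against the policy before deploying it.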
Once all of this is configured and set to Audit only, you can drill into the Event Viewer. Under Applications and Services Logs, Microsoft, Windows, you will find an AppLocker folder with separate logs for EXE and DLL and for MSI and Script. Right now it has not created anything, so there is no log here yet, but as soon as the policy is applied AppLocker starts logging there, and that is where it tells you which applications it would have blocked. Once you are satisfied that it is not generating blocks for anything you want to run, you go back to that policy and change rule enforcement from Audit only to Enforce rules.
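The review-then-enforce step, as an added example that is not code from the original page: pull the "would have been blocked" audit events from both AppLocker logs, summarise them per file, spot-check a couple of binaries against the effective policy, and only if the audit window came back clean switch every audited collection in this server's local policy to Enforce rules. The seven-day window, the two sample paths and C:\Temp\AppLocker-Enforce.xml are assumptions; the event IDs and log names are AppLocker's own.

```powershell
# Added example, not code from the original page.
# Assumptions: elevated PowerShell on the server; window length, sample paths
# and $EnforcePolicy are hypothetical.
Import-Module AppLocker

# Audit-only "would have been blocked" events: 8003 in the EXE and DLL log,
# 8006 in the MSI and Script log. Once enforcing, real blocks are 8004 and 8007.
$auditEvents = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}
$since = (Get-Date).AddDays(-7)

$wouldBlock = foreach ($log in $auditEvents.Keys) {
    # Get-WinEvent raises a non-terminating error when nothing matches; ignore it.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $auditEvents[$log]; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The message text is localized; the event's UserData XML carries the fields reliably.
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.ChildNodes) {
                $data[$n.LocalName] = $n.InnerText
            }
            [pscustomobject]@{
                Time = $_.TimeCreated
                Log  = $log.Split('/')[1]
                File = $data['FilePath']      # uses path variables such as %WINDIR%, %PROGRAMFILES%
                User = $data['TargetUser']    # SID of the account that tried to run it
            }
        }
}

# One line per distinct file, most frequent first: the list to work through
# (add rules for legitimate software, investigate anything unexpected).
$wouldBlock | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'File'; e = { $_.Name } },
                  @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Spot-check specific files against the effective (local + domain) policy as Everyone.
$effective = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $effective -User Everyone `
    -Path 'C:\Apps\LineOfBusiness\service.exe', 'C:\Users\Public\Downloads\tool.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Flip to Enforce only when the audit window came back clean.
if (-not $wouldBlock) {
    $EnforcePolicy = 'C:\Temp\AppLocker-Enforce.xml'
    [xml]$local = Get-AppLockerPolicy -Local -Xml
    foreach ($coll in $local.SelectNodes("/AppLockerPolicy/RuleCollection[@EnforcementMode='AuditOnly']")) {
        $coll.SetAttribute('EnforcementMode', 'Enabled')   # 'Enabled' is the XML name for Enforce rules
    }
    $local.Save($EnforcePolicy)
    Set-AppLockerPolicy -XmlPolicy $EnforcePolicy
    Write-Host 'Enforcement enabled; from now on watch for 8004 and 8007 events.'
} else {
    Write-Warning "Still $(@($wouldBlock).Count) would-have-blocked events in the window; stay in Audit only."
}
```

The gate is deliberately strict: a single unexplained 8003 is a binary that someone on the server relies on and that you have no rule for, and once you enforce it will produce an 8004 and fail. Add a publisher or hash rule for it, or decide it should not run, before flipping the switch.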