A Puppet module which configures applocker on Windows (Application whitelisting). For information about applocker see here
benjaminrobertson-applocker requires the xml-simple ruby gem installed on the Puppet Primary server. Install by running puppetserver gem install xml-simple as root on the Puppet Primary server. If the gem is not installed the module will not work.
Note: When Puppet attempts to enable applocker service for the first time, this error will be seen in the Puppet logs. Error: Cannot enable AppIDSvc, error was: undefined method 'windows' for Puppet::Util:Module Applocker is running regardless of this error.
- Description
- Setup - The basics of getting started with applocker
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
benjaminrobertson-applocker configures Windows applocker service. Applocker enforces applications whitelisting.
Warning: Ensure applocker policies are first tested on a non-production host. You can very easily break systems by enforcing strict applocker policies.
I suggest applying applocker policies in 'AuditOnly' mode (modules default). Use Windows event viewer to check for unexpected applocker denies. EventId's
Include applocker module in Puppet manifest.
include applocker
Note: If generating a hash for an executable, you cannot use a standard SHA256 filehash. Microsoft uses Authenticode hash. Generate one by running in powershell.
Get-AppLockerFileInformation .\putty.exe | Format-wide -Property hash -AutoSize
This will print the hash which should look as follows. 0x7537EBDECCA5F65EA98216C23E9441B72269A546B3234F6CF4069C60269FE18F
Set applocker rules using hiera data as follows. Customise as required for your environment.
applocker::exec_applocker_rules:
Exec %windir/%:
ensure: "present" # No longer required. Can leave option in for backwards support
action: "Allow"
conditions:
path: "%WINDIR%\\*"
exceptions:
- '%System32%\Microsoft\Crypto\RSA\MachineKeys\*'
- '%SYSTEM32%\spool\drivers\color\*'
- '%SYSTEM32%\Tasks\*'
- '%WINDIR%\Tasks\*'
- '%WINDIR%\Temp\*'
description: "Allow all users to run apps in windir"
rule_type: "path"
type: "Exe" # Not required, we know its a exe rule. Can leave option in for backwards support
user_or_group_sid: "S-1-1-0"
Exec %%PROGRAMFILES/%:
action: "Allow"
conditions:
path: "%PROGRAMFILES%\\*"
description: "Allow all users to run apps in programfiles"
rule_type: "path"
type: "Exe"
user_or_group_sid: "S-1-1-0"
Exec %OSDRIVE/CHOCO/%:
action: "Allow"
conditions:
path: "%OSDRIVE%\\CHOCO\\*"
description: "Allow all users to run apps in osdrive choco"
rule_type: "path"
type: "Exe"
user_or_group_sid: "S-1-1-0"
Exec %OSDRIVE/temp/%:
action: "Allow"
conditions:
path: "%OSDRIVE%\\temp\\doge\\*"
description: "Allow all users to run apps in osdrive temp"
rule_type: "path"
type: "Exe"
user_or_group_sid: "S-1-1-0"
Exec putty hash:
# ensure: "present"
action: "Allow"
conditions:
- type: "SHA256"
length: "1647912"
file_name: "putty.exe"
hash: "0x6E7F0B23165CDD134DA7E893DEE9422640287B02EAE3CE64AA1EE76AE9ED6512"
rule_type: "hash"
type: "Exe"
user_or_group_sid: "S-1-1-0"
applocker::msi_applocker_rules:
MSI rule MS corp:
ensure: "present"
action: "Allow"
conditions:
publisher: "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
product: "*"
binaryname: "*"
hi_version: "*"
lo_version: "*"
description: "Allow Package app rule Microsoft corporation"
rule_type: "publisher"
type: "Msi"
user_or_group_sid: "S-1-1-0"
MSI rule MS corp windows:
ensure: "present"
action: "Allow"
conditions:
publisher: "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
product: "*"
binaryname: "*"
hi_version: "*"
lo_version: "*"
description: "Allow Package app rule Microsoft corporation (Windows)"
rule_type: "publisher"
type: "Msi"
user_or_group_sid: "S-1-1-0"
applocker::appx_applocker_rules:
Packaged app MS corp:
ensure: "present"
action: "Allow"
conditions:
publisher: "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
product: "*"
binaryname: "*"
hi_version: "*"
lo_version: "*"
description: "Allow Package app rule Microsoft corporation"
exceptions:
- publisher: "CN=Louis, O=Robertson, C=AU"
product: "*"
binaryname: "*"
lo_version: "*"
hi_version: "3.0.0.0" # Note this needs to be in format x.x.x.x
- publisher: "CN=doge, O=coin, C=AU"
product: "*"
binaryname: "*"
lo_version: "*"
hi_version: "*"
rule_type: "publisher"
type: "Appx"
user_or_group_sid: "S-1-1-0"
Packaged app MS corp windows:
ensure: "present"
action: "Allow"
conditions:
publisher: "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
product: "*"
binaryname: "*"
hi_version: "*"
lo_version: "*"
description: "Allow Package app rule Microsoft corporation (Windows)"
rule_type: "publisher"
type: "Appx"
user_or_group_sid: "S-1-1-0"
applocker::script_applocker_rules:
Script %WINDIR/%:
action: "Allow"
conditions:
path: "%WINDIR%\\*"
exceptions:
- '%SYSTEM32%\Com\dmp\*'
- '%SYSTEM32%\FxsTmp\*'
- '%System32%\Microsoft\Crypto\RSA\MachineKeys\*'
- '%SYSTEM32%\spool\drivers\color\*'
- '%SYSTEM32%\spool\PRINTERS\*'
- '%SYSTEM32%\spool\SERVERS\*'
- '%SYSTEM32%\Tasks\*'
- '%WINDIR%\Registration\CRMLog\*'
- '%WINDIR%\Tasks\*'
- '%WINDIR%\Temp\*'
- '%WINDIR%\tracing\*'
description: "Allow scripts in the windir directory"
rule_type: "path"
type: "Script"
user_or_group_sid: "S-1-1-0"
Script %PROGRAMFILES/%:
action: "Allow"
conditions:
path: "%PROGRAMFILES%\\*"
description: "Allow scripts in the programfiles directory"
rule_type: "path"
type: "Script"
user_or_group_sid: "S-1-1-0"
Script powershell hash:
action: "Allow"
description: "random test powershell script"
conditions:
- type: "SHA256"
length: "20"
file_name: "powerfulshell.ps1"
hash: "0x2057696D8662313670D36C3A3C8009FB038C8732C40C65275F158F63AAAD1629"
rule_type: "hash"
user_or_group_sid: "S-1-1-0"
applocker::dll_applocker_rules:
DLL %PROGRAMFILES/%:
action: "Allow"
conditions:
path: "%PROGRAMFILES%\\*"
description: "Allow dll in the programfiles directory"
rule_type: "path"
type: "Dll"
user_or_group_sid: "S-1-1-0"
DLL %WINDIR/%:
action: "Allow"
conditions:
path: "%WINDIR%\\*"
exceptions:
- '%SYSTEM32%\spool\drivers\color\*'
- '%SYSTEM32%\Tasks\*'
- '%WINDIR%\Tasks\*'
- '%WINDIR%\Temp\'
- '%System32%\Microsoft\Crypto\RSA\MachineKeys\*'
description: "Allow dll in the programfiles directory"
rule_type: "path"
type: "Dll"
user_or_group_sid: "S-1-1-0"
Applocker rules can be enabled or disabled by setting Enum['Enabled','AuditOnly'] for the following parameters.
- executable_rules
- msi_rules
- dll_rules
- script_rules
- packaged_app_rules
- Developed on Puppet Enterprise 2021.7.6 and Windows 2019
- Expected to work with all modern versions of Puppet and Windows.
If you find any issues with this module, please log them in the issues register of the GitHub project. Issues
Module was developed with PDK. Unit tests only pass on Windows system. eg pdk test unit.
PR glady accepted :)