diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 26c73ffcaa..d696520fe5 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -286,7 +286,7 @@ ## [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md) ### [Windows Defender Application Control design guide](windows-defender-application-control/windows-defender-application-control-design-guide.md) -### [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) +### [Windows Defender Application Control deployment guide](windows-defender-application-control/windows-defender-application-control-deployment-guide.md) #### [Deploy WDAC policies](windows-defender-application-control/deploy-windows-defender-application-control-policies.md) ## [Enable HVCI](enable-virtualization-based-protection-of-code-integrity.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-planning-document.md new file mode 100644 index 0000000000..4f0f43ced7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-planning-document.md @@ -0,0 +1,379 @@ +--- +title: Create your AppLocker planning document (Windows 10) +description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. +ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +ms.date: 09/21/2017 +--- + +# Create your AppLocker planning document + +**Applies to** + - Windows 10 + - Windows Server + +This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. + +## The AppLocker deployment design + +The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using AppLocker. + +You should have completed these steps in the design and planning process: + +1. [Determine your application control objectives](determine-your-application-control-objectives.md) +2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) +3. [Select types of rules to create](select-types-of-rules-to-create.md) +4. [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) +5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + +### AppLocker planning document contents + +Your planning document should contain: + +- A list of business groups that will participate in the application control policy project, their requirements, a description of their business processes, and contact information. +- Application control policy project target dates, both for planning and deployment. +- A complete list of apps used by each business group (or organizational unit), including version information and installation paths. +- What condition to apply to rules governing each application (or whether to use the default set provided by AppLocker). +- A strategy for using Group Policy to deploy the AppLocker policies. +- A strategy in processing the application usage events generated by AppLocker. +- A strategy to maintain and manage AppLocker polices after deployment. + +### Sample template for an AppLocker planning document + +You can use the following form to construct your own AppLocker planning document. + +**Business group**: + +**Operating system environment**: (Windows and non-Windows) + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Contacts

Business contact:

Technical contact:

Other departments

In this business group:

Affected by this project:

Security policies

Internal:

Regulatory/compliance:

Business goals

Primary:

Secondary:

Project target dates

Design signoff date:

Policy deployment date:

+  +**Rules** + + +++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?AppsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

 

+  +**Event processing** + + +++++++ + + + + + + + + + + + + + + + + + + +
Business groupAppLocker event collection locationArchival policyAnalyzed?Security policy

 

+  +**Policy maintenance** + + +++++++ + + + + + + + + + + + + + + + + + + +
Business groupRule update policyApp decommission policyApp version policyApp deployment policy

 

Planned:

+

Emergency:

+  +### Example of an AppLocker planning document + +**Rules** + + +++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?ApplicationsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Allow

Tellers-AppLockerTellerRules

Web help

Windows files

+

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Allow

Help desk

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Allow

HR-AppLockerHRRules

Web help

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

File is not signed; create a file hash condition

Allow

Web help

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Deny

Web help

+

Windows files

C:\Windows

Use the default rule for the Windows path

Allow

Help desk

+  +**Event processing** + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupAppLocker event collection locationArchival policyAnalyzed?Security policy

Bank Tellers

Forwarded to: AppLocker Event Repository on srvBT093

Standard

None

Standard

Human Resources

DO NOT FORWARD. srvHR004

60 months

Yes, summary reports monthly to managers

Standard

+  +**Policy maintenance** + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupRule update policyApp decommission policyApp version policyApp deployment policy

Bank Tellers

Planned: Monthly through business office triage

+

Emergency: Request through help desk

Through business office triage

+

30-day notice required

General policy: Keep past versions for 12 months

+

List policies for each application

Coordinated through business office

+

30-day notice required

Human Resources

Planned: Monthly through HR triage

+

Emergency: Request through help desk

Through HR triage

+

30-day notice required

General policy: Keep past versions for 60 months

+

List policies for each application

Coordinated through HR

+

30-day notice required

+  +### Additional resources + +- The AppLocker Policies Design Guide is the predecessor to the AppLocker Policies Deployment Guide. When planning is complete, see the [AppLocker policies deployment guide](applocker-policies-deployment-guide.md). +- For more general info, see [AppLocker](applocker-overview.md). +  +  diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-control-management-processes.md new file mode 100644 index 0000000000..a0b879a4c5 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-control-management-processes.md @@ -0,0 +1,236 @@ +--- +title: Document your application control management processes (Windows 10) +description: This planning topic describes the AppLocker policy maintenance information to record for your design document. +ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +ms.date: 09/21/2017 +--- + +# Document your application control management processes + +**Applies to** + - Windows 10 + - Windows Server + +This planning topic describes the AppLocker policy maintenance information to record for your design document. + +## Record your findings + +To complete this AppLocker planning document, you should first complete the following steps: + +1. [Determine your application control objectives](determine-your-application-control-objectives.md) +2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) +3. [Select the types of rules to create](select-types-of-rules-to-create.md) +4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) +5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) + +The three key areas to determine for AppLocker policy management are: + +1. Support policy + + Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. + +2. Event processing + + Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis. + +3. Policy maintenance + + Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added. + +The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies. + + +++++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupOrganizational unitImplement AppLocker?AppsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Allow

Tellers-AppLockerTellerRules

Web help

Windows files

+

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Allow

Help desk

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Allow

HR-AppLockerHRRules

Web help

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

File is not signed; create a file hash condition

Allow

Web help

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Deny

Web help

+

Windows files

C:\Windows

Use the default rule for the Windows path

Allow

Help desk

+  +The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies. + +**Event processing policy** + +One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. + +The following table is an example of what to consider and record. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupAppLocker event collection locationArchival policyAnalyzed?Security policy

Bank Tellers

Forwarded to: AppLocker Event Repository on srvBT093

Standard

None

Standard

Human Resources

DO NOT FORWARD. srvHR004

60 months

Yes, summary reports monthly to managers

Standard

+  +**Policy maintenance policy** +When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. +The following table is an example of what to consider and record. + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
Business groupRule update policyApplication decommission policyApplication version policyApplication deployment policy

Bank Tellers

Planned: Monthly through business office triage

+

Emergency: Request through help desk

Through business office triage

+

30-day notice required

General policy: Keep past versions for 12 months

+

List policies for each application

Coordinated through business office

+

30-day notice required

Human Resources

Planned: Monthly through HR triage

+

Emergency: Request through help desk

Through HR triage

+

30-day notice required

General policy: Keep past versions for 60 months

+

List policies for each application

Coordinated through HR

+

30-day notice required

+  +## Next steps + +After you have determined your application control management strategy for each of the business group's applications, the following task remains: +- [Create your AppLocker planning document](create-your-applocker-planning-document.md)