From 649923b82f23a733167b223b21601fb5acb18f7f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 20 Jul 2016 12:01:02 -0700 Subject: [PATCH] task# 7619482 --- windows/keep-secure/security-considerations-for-applocker.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/keep-secure/security-considerations-for-applocker.md b/windows/keep-secure/security-considerations-for-applocker.md index f7c0df0eab..0fc2aa0bc5 100644 --- a/windows/keep-secure/security-considerations-for-applocker.md +++ b/windows/keep-secure/security-considerations-for-applocker.md @@ -40,6 +40,8 @@ AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Window AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. >**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. + +You can block the Windows Subsystem for Linux by blocking LxssManager.dll   ## Related topics
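Review bot: The added sentence at the end of the hunk, "You can block the Windows Subsystem for Linux by blocking LxssManager.dll", gives neither a reason nor a procedure. It does not say why the Windows Subsystem for Linux is a concern for an AppLocker deployment, and it does not say what kind of rule the reader should create to block a .dll. The paragraph and note just above it are about allowed applications loading code that the rules do not control, so the sentence should be tied to that concern, state the rule type to use for LxssManager.dll, and end with a period. Separately, the subject line "task# 7619482" does not describe the change; a short summary of what was added to security-considerations-for-applocker.md would make the history readable without access to the task tracker.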