Working with Applocker and Filepath Rules

A few days ago, I’ve added some filepath rules concerning new servers put into production to my Applocker GPO.
I decided to quickly check if all the files paths were correct. Manually typing filepath is prone to errors. To detect typos or servers currently being unavailable, I did:


Import-Module -Name "GroupPolicy"
Import-Module -Name "Applocker"

# Read the GPO and store it as an XML object
$GPO = [xml](Get-AppLockerPolicy -Ldap ("LDAP://" + (Get-GPO -Name "Computers Parameters").path) -Domain -XML)

(($GPO.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq "Exe"}).FilePathRule) | ForEach-Object {

        $string = $_.Conditions.FilePathCondition.Path

        # Use a regular expression that represents 
        # \\servername\share\* or \\servername\share$\* or
        # \\server.fqdn.domain.suffix\share\* or \\server.fqdn.domain.suffix\share$\*
        $pattern = '^\\\\\b([A-Za-z0-9_\.\-]+)\\\b([A-Za-z0-9_\.\-]+(\$)?)\\\*$'
        if ($string -match $pattern)
                if (Test-Path -Path ($string -replace "\*","") -ErrorAction SilentlyContinue)
                    Write-Host -ForegroundColor Green -Object ($string + " -> ok")
                } else {
                    Write-Host -ForegroundColor Red -Object ($string + " -> not resolved !")
        } else {
            Write-Host -ForegroundColor Yellow -Object ($string + " -> ignored / not verified")

and got the following result displayed
applocker filepath rules


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s