I was working with Desired State Configuration and wondered why a custom DSC resource hasn’t been published yet for Applocker.
Bitlocker already has its experimental DSC resource. Why doesn’t Applocker have one?
I also wondered what it really takes to configure Applocker with PowerShell Desired State Configuration.
First, a quick disclaimer is required:
- Do not apply this on your servers/workstations if you don’t understand what Applocker does.
- The deny rules are just examples. I don’t have anything against these software editors.
- Yes, I know this isn’t the most secure Applocker configuration, as the example below mixes a very permissive (default) whitelist with a very specific blacklist.
Let’s also quickly examine the Applocker requirements:
Applocker rules can be imported from and exported to an XML file using the GUI or the cmdlets of the built-in Applocker module (which has existed since PowerShell 2.0 on Windows 7).
XML seems the better way to go, although the Applocker policy can also be found in the registry under the HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 key.
The Applocker policy is only enforced while the ‘Application Identity’ service is running.
Given these light requirements, the built-in DSC resources should be enough to deploy an Applocker policy locally.
To configure Applocker, I first need to export the Applocker policy to XML and dump its indented representation to a file.
To solve the indentation issue, I’ve used the Format-XML function written by Jeffrey Snover that you can find on this page.
function Format-XML ([xml]$xml, $indent=2)
{
    $StringWriter = New-Object System.IO.StringWriter
    $XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter
    $xmlWriter.Formatting = "indented"
    $xmlWriter.Indentation = $Indent
    $xml.WriteContentTo($XmlWriter)
    $XmlWriter.Flush()
    $StringWriter.Flush()
    Write-Output $StringWriter.ToString()
}
# Export the effective policy, indent it and save it as an ASCII XML file
Format-XML ([xml](Get-AppLockerPolicy -Effective -Xml)) -indent 2 |
    Out-File -FilePath ~/Documents\Applocker-pol.xml -Encoding ascii
The second step consists of creating the file locally with the XML content, thanks to the built-in File DSC resource.
To decide whether to apply the policy, I’ll export the current effective Applocker policy and compare it to the XML file.
Once the Applocker policy is applied, I’ll start the required service.
Here is what the DSC configuration looks like to deploy an Applocker policy locally.
It only takes a Service, a File and a Script resource, and less than 5 seconds, to deploy an Applocker policy locally. 😎
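As an added example (not the configuration from the original post, which was shown as a screenshot), here is one way to write the three-resource configuration just described. The two file paths are assumptions, and the $using: scope inside the Script resource assumes PowerShell 5.0 or later.

```powershell
# Added example (not the post's own code). Assumed: the two paths below,
# and PowerShell 5.0+ for the $using: scope inside the Script resource.
Configuration ApplockerLocalPolicy {
    param (
        # Indented policy XML produced earlier with Format-XML (assumed path)
        [string]$PolicySource = "$env:USERPROFILE\Documents\Applocker-pol.xml",
        # Where the File resource writes it on the node (assumed path)
        [string]$PolicyTarget = 'C:\Windows\Temp\Applocker-pol.xml'
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost {
        # Step 1: lay the XML down on the node with the File resource.
        # Contents is read at compile time, so the MOF carries the policy.
        File ApplockerPolicyXml {
            DestinationPath = $PolicyTarget
            Contents        = (Get-Content -Path $PolicySource -Raw)
            Ensure          = 'Present'
            Type            = 'File'
        }
        # Step 2: apply the policy only when the effective one differs.
        Script ApplockerPolicy {
            GetScript  = { @{ Result = (Get-AppLockerPolicy -Effective -Xml) } }
            TestScript = {
                # Casting to [xml] drops insignificant whitespace, so the
                # indented file and the raw export compare equal when the
                # rules are the same.
                $effective = ([xml](Get-AppLockerPolicy -Effective -Xml)).OuterXml
                $desired   = ([xml](Get-Content -Path $using:PolicyTarget -Raw)).OuterXml
                $effective -eq $desired
            }
            SetScript  = { Set-AppLockerPolicy -XmlPolicy $using:PolicyTarget }
            DependsOn  = '[File]ApplockerPolicyXml'
        }
        # Step 3: rules are only enforced while Application Identity runs.
        Service AppIDSvc {
            Name        = 'AppIDSvc'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[Script]ApplockerPolicy'
        }
    }
}

# Compile the MOF for localhost and apply it.
ApplockerLocalPolicy -OutputPath .\ApplockerLocalPolicy
Start-DscConfiguration -Path .\ApplockerLocalPolicy -Wait -Verbose
```

The reverse configuration the post describes further down swaps in Clear-AppLockerPolicy -Local for the SetScript, Ensure = 'Absent' on the file and State = 'Stopped' on the service. On recent Windows 10 and later builds, AppIDSvc is a protected service and changing its startup type may require sc.exe config appidsvc start=auto rather than the Service resource.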
If I apply it one more time, we can see that all the tests performed are skipped as my system is already in the desired state.
If I open the local group policy editor, we can see the following:
The above configuration was just for testing purposes, right 😉
Here’s how to achieve the exact opposite, i.e., clear the local Applocker policy and stop the required service.
Let’s remove the existing Applocker local policy for the first time:
Again, when applied one more time, we can see that all the tests performed are skipped as my system is already in the desired state.
Nice, isn’t it? DSC and PowerShell bring more than just automation! I love it 😀