In certain environments, it may be necessary to prevent users from opening or running certain applications due to security concerns or licensing limitations. If, for example, you prepare an OS image with certain applications that are licensed for only a subset of your users, you may wish to prevent unauthorized users from launching the application and consuming a license.
To achieve this, itopia recommends the use of Microsoft AppLocker. AppLocker is a built-in feature of recent versions of Windows (8, 10, and Server 2012 R2 and later) that allows administrators to designate block lists or allow lists for the applications that a user can run. AppLocker rules can be defined locally on each server or enforced across multiple servers using Group Policy Objects (GPOs). In this article, we'll explore using a GPO to define AppLocker policies for a Collection Pool.
Detailed information on AppLocker is available from Microsoft.
Configuring AppLocker via Group Policy Object (GPO)
In this example, we will create and enforce an AppLocker policy to prevent members of the HR Active Directory group from running a specific application. You can repeat the relevant parts of these instructions to block multiple applications for one or more sets of users.
Log in to a domain controller with an account that has Domain Admin permissions. You may also use a bastion server that has the Active Directory Remote Server Administration Tools (RSAT) installed.
From the Start menu, expand the Windows Administrative Tools folder and launch Group Policy Management Console.
In the Group Policy Management Console, expand the left-hand tree and select the Group Policy Objects container. Right-click the container and select New.
Provide a descriptive name for the new Group Policy Object. Click OK to create the GPO.
In the right-hand pane, right-click the new GPO and select Edit.
In the GPO Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker.
Expand the AppLocker object, right-click Executable Rules and select Create Default Rules.
The default rules create a set of standard rules that allows all users to run application in the Windows and Program Files directories, and allows administrators to run all programs. This creates the baseline policy, which we can then amend with Deny rules to prevent accessing specific applications.
In an empty area of the right-hand pane, right-click and select Create New Rule...
In the Create Executable Rules wizard, review the information on the initial screen and click Next.
On the Permissions screen, specify the following and click Next:
Actions - Deny
User or group - Click Select and specify the Active Directory user or group for which you wish to prevent access. For our example, we will select the HR Active Directory group
On the Conditions screen, select the method to identify the applications to block. For our example, we will use the Path method, allowing us to specify the file path to the application we wish to block. Refer to Microsoft's documentation for information on other methods.
On the Path screen, provide the path to the executable you wish to block. Using the Browse feature may not work as intended if the application is not available on the Domain Controller or bastion server you are using; in this case, find the exact path to the application on a Session Host (or image) VM and specify it here. Click Next.
NOTE: You may also specify a folder path, which will prevent running any executables in that folder or subfolders.
On the Exceptions screen, click Next. If we were specifying a folder path or a different method of identifying apps, we could create exceptions to the rule for a subset of applications. However, since we are specifying the full path to a single executable, we do not need exceptions.
On the Name and Description screen, you may optionally provide a descriptive name for the rule and, also optionally, a description. Click Create.
In the main Editor window, confirm that the new rule was created.
In order for AppLocker to be enforced, the Application Identity service must be running on the Session Hosts. We can use the Group Policy Object to ensure that this service is running.
In the Editor window, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Double-click the Application Identity service to set its startup type.
In the Service Properties window, enable Define this policy setting and select Automatic. Click OK.
All settings in the GPO are automatically saved. We can now link the GPO to the organizational unit (OU) for our Collection Pool to apply the settings to our Session Hosts.
Close the GPO Editor window and return to the main Group Policy Management Console window.
Navigate to the organizational unit for your Collection Pool. Right-click the organizational unit and select Link an Existing GPO...
In the Select GPO window, select the GPO we just created and click OK.
Confirm that the new GPO appears in the list of linked GPOs for the organizational unit.
That's it! We recommend rebooting the Session Hosts to ensure the Application Identity service is started, but it may not be necessary. Your AppLocker policy should be enforced as soon as the Session Hosts read their updated GPO settings, typically within 15-30 minutes.