1
00:00:00,180 --> 00:00:02,160
In this demonstration, I'm going to show you

2
00:00:02,160 --> 00:00:04,610
how to use the Local Group Policy editor

3
00:00:04,610 --> 00:00:08,020
to set up various configurations for your machine.

4
00:00:08,020 --> 00:00:10,070
We're going to use a Windows 10 workstation

5
00:00:10,070 --> 00:00:11,940
here as our example machine.

6
00:00:11,940 --> 00:00:14,490
And we're going to go and do an application whitelist

7
00:00:14,490 --> 00:00:18,670
and an application blacklist using the Group Policy editor.

8
00:00:18,670 --> 00:00:20,700
To access the Group Policy editor,

9
00:00:20,700 --> 00:00:25,180
we simply need to go and start up the gpedit program.

10
00:00:25,180 --> 00:00:27,800
We'll go ahead and use Edit group policy.

11
00:00:27,800 --> 00:00:29,650
Let me go ahead and make this larger.

12
00:00:31,440 --> 00:00:33,280
You'll see down the left side

13
00:00:33,280 --> 00:00:35,270
all of the various configurations we can do

14
00:00:35,270 --> 00:00:38,320
on a per-user or per-computer basis.

15
00:00:38,320 --> 00:00:40,610
We're going to start with the per-computer basis

16
00:00:40,610 --> 00:00:41,993
with Windows Settings.

17
00:00:44,550 --> 00:00:47,100
Next, we're going to look at the Security Settings.

18
00:00:48,140 --> 00:00:50,060
Under here, we have Account Policies,

19
00:00:50,060 --> 00:00:52,000
which show our Password Policies,

20
00:00:52,000 --> 00:00:53,830
as well as Local Policies,

21
00:00:53,830 --> 00:00:55,170
which allow us to do Auditing,

22
00:00:55,170 --> 00:00:57,370
User Rights, and Security Options.

23
00:00:57,370 --> 00:01:00,460
What I want to focus on here is application control.

24
00:01:00,460 --> 00:01:02,920
So, we're going to go to our Application Control Policies,

25
00:01:02,920 --> 00:01:06,580
which will allow us to create whitelists and blacklists.

26
00:01:06,580 --> 00:01:08,020
Go ahead and hit the down arrow.

27
00:01:08,020 --> 00:01:09,983
You'll see we have AppLocker.

28
00:01:09,983 --> 00:01:11,870
AppLocker will allow us

29
00:01:11,870 --> 00:01:13,594
to create different rules for installers,

30
00:01:13,594 --> 00:01:15,503
for scripts, for packaged apps,

31
00:01:15,503 --> 00:01:17,210
and what we're going to use right now,

32
00:01:17,210 --> 00:01:19,490
which is executable rules.

33
00:01:19,490 --> 00:01:22,210
Underneath the Executable Rules,

34
00:01:22,210 --> 00:01:24,670
you will see we currently have no items listed,

35
00:01:24,670 --> 00:01:26,870
because this is a brand new computer.

36
00:01:26,870 --> 00:01:28,890
I'm going to create a whitelist here

37
00:01:28,890 --> 00:01:31,830
and allow a certain application to be run.

38
00:01:31,830 --> 00:01:35,583
To do that, we simply right-click and Create a New Rule.

39
00:01:37,009 --> 00:01:38,910
From here, we are going to be able

40
00:01:38,910 --> 00:01:40,449
to walk through the wizard

41
00:01:40,449 --> 00:01:42,210
and you'll set up your permissions.

42
00:01:42,210 --> 00:01:43,940
Is this going to be an Allow rule?

43
00:01:43,940 --> 00:01:45,430
Meaning it's a whitelist rule.

44
00:01:45,430 --> 00:01:46,530
Or a Deny rule?

45
00:01:46,530 --> 00:01:48,300
Meaning it's a blacklist rule.

46
00:01:48,300 --> 00:01:50,560
In my case, I'm going to create a Deny rule

47
00:01:50,560 --> 00:01:52,493
and I'm going to blacklist a program.

48
00:01:53,440 --> 00:01:54,380
Next, we're going to say

49
00:01:54,380 --> 00:01:55,970
what conditions are going to be met.

50
00:01:55,970 --> 00:01:58,900
Is it based on the person who wrote it, the Publisher?

51
00:01:58,900 --> 00:02:02,070
Like I can block all programs that were made by Microsoft

52
00:02:02,070 --> 00:02:04,600
or by Adobe, if I wanted to.

53
00:02:04,600 --> 00:02:08,200
Or is it based on Path, a certain file and folder name?

54
00:02:08,200 --> 00:02:09,950
Or if it's a piece of malware,

55
00:02:09,950 --> 00:02:12,050
you might want to do it based on File hash,

56
00:02:12,050 --> 00:02:14,396
because every file has its own unique hash,

57
00:02:14,396 --> 00:02:17,940
as we'll talk about when we get to hashes and cryptography.

58
00:02:17,940 --> 00:02:20,090
But right now, I'm going to use the Path option

59
00:02:20,090 --> 00:02:23,000
just to show you how this works, as an example.

60
00:02:23,000 --> 00:02:25,210
Next, we're going to find that file.

61
00:02:25,210 --> 00:02:27,540
You can browse and you can block things based

62
00:02:27,540 --> 00:02:30,940
on the folder it sits in or a particular file.

63
00:02:30,940 --> 00:02:32,449
For example, I might want to make it

64
00:02:32,449 --> 00:02:36,800
so that nobody can run any files out of the C drive

65
00:02:36,800 --> 00:02:38,235
and under the Temp folder,

66
00:02:38,235 --> 00:02:40,840
which is underneath the Windows folder.

67
00:02:40,840 --> 00:02:42,723
So, if I go and click down there,

68
00:02:43,670 --> 00:02:47,100
I'll find the Temp folder and then I'll hit okay.

69
00:02:47,100 --> 00:02:49,190
This says that anything that's trying to be run

70
00:02:49,190 --> 00:02:52,760
out of the temporary directory is not going to be allowed.

71
00:02:52,760 --> 00:02:54,290
This is actually a good rule to set up,

72
00:02:54,290 --> 00:02:56,404
because a lot of malware likes to try to run

73
00:02:56,404 --> 00:02:58,430
out of the Temp folder.

74
00:02:58,430 --> 00:02:59,920
Then we'll go ahead and hit next

75
00:02:59,920 --> 00:03:01,130
and you'll see that we have

76
00:03:01,130 --> 00:03:02,464
whatever exceptions we want to do.

77
00:03:02,464 --> 00:03:05,370
Maybe I want to say that I will allow nothing

78
00:03:05,370 --> 00:03:08,836
to run out of the Temp folder except for Microsoft.

79
00:03:08,836 --> 00:03:10,183
I can actually browse through

80
00:03:10,183 --> 00:03:12,950
and find that reference file for Microsoft.

81
00:03:12,950 --> 00:03:14,617
In my case, I'm going to block everything

82
00:03:14,617 --> 00:03:16,537
coming from that Temp folder

83
00:03:16,537 --> 00:03:18,646
and I'm going to give it a rule name.

84
00:03:18,646 --> 00:03:21,040
The rule name is going to be

85
00:03:21,040 --> 00:03:26,040
Block Files from running out of temp directory.

86
00:03:26,500 --> 00:03:29,610
This is just used to give you a way to remember

87
00:03:29,610 --> 00:03:31,380
what this rule is used for.

88
00:03:31,380 --> 00:03:34,100
You can now see that by default,

89
00:03:34,100 --> 00:03:36,270
everyone is allowed.

90
00:03:36,270 --> 00:03:38,390
You can now see that by default,

91
00:03:38,390 --> 00:03:40,030
everyone is allowed to let anything run

92
00:03:40,030 --> 00:03:41,760
from the Programs folder.

93
00:03:41,760 --> 00:03:43,210
They can also allow anything to be run

94
00:03:43,210 --> 00:03:45,930
from the Windows folder and they allow all files,

95
00:03:45,930 --> 00:03:48,170
but everyone is being blocked

96
00:03:48,170 --> 00:03:50,540
from running out of the Temp directory.

97
00:03:50,540 --> 00:03:53,400
That's the way we create whitelist and blacklist rules.

98
00:03:53,400 --> 00:03:54,233
In this example,

99
00:03:54,233 --> 00:03:55,238
I showed you a blacklist rule,

100
00:03:55,238 --> 00:03:57,320
but you can go through and play around with it

101
00:03:57,320 --> 00:04:00,360
and do the exact same thing to put in whitelist rules

102
00:04:00,360 --> 00:04:02,520
where you deny everything by default

103
00:04:02,520 --> 00:04:04,570
and only allow specific programs

104
00:04:04,570 --> 00:04:06,493
and files that you specify.
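The rule set the demonstration ends with (the three default Allow rules plus a Deny rule on the Windows Temp folder) can be built and checked from an elevated PowerShell prompt instead of clicking through the wizard. The script below is an added example written for this page, not part of the video or of Microsoft's documentation. It assumes Windows 10 with the AppLocker cmdlets present; the policy file location, the probe file name and the default-rule GUIDs are illustrative choices. Two caveats a practitioner wants that the video does not state: AppLocker only enforces rules while the Application Identity service (AppIDSvc) is running, and a Deny rule always wins over an Allow rule, which is why the Temp deny is effective even though the default rule allows everything under %WINDIR%. The policy is applied in AuditOnly mode first, so nothing is actually blocked until you change the mode to Enabled.

```powershell
# Added example (not from the video): build the AppLocker executable rules shown in the
# demo as policy XML, apply them to the local machine in audit mode, then test them.
# Assumptions: elevated PowerShell on Windows 10; $policyPath and $probe are arbitrary
# illustrative paths; the three default-rule GUIDs are the ones the AppLocker wizard
# normally generates, but any unique GUID is accepted.
#Requires -RunAsAdministrator

$policyPath = Join-Path $env:TEMP 'applocker-exe-rules.xml'   # assumed location
$denyId     = [guid]::NewGuid().ToString()                    # fresh Id for our rule

# EnforcementMode="AuditOnly" writes event 8003 ("would have been blocked") instead of
# blocking. Change it to "Enabled" once the audit log shows only the hits you expect.
# S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$denyId" Name="Block Files from running out of temp directory" Description="Deny wins over the %WINDIR% default Allow rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker does nothing unless the Application Identity service is running. On
# Windows 10 it is a protected service, so its start type is set with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# -Merge keeps any rule collections already on the machine and adds ours.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Verify before trusting the rule: copy a harmless binary into Temp and ask AppLocker
# how it would decide for an ordinary user. Expect the copy to be Denied by our Temp
# rule and the original under System32 to be Allowed by the Windows default rule.
$original = Join-Path $env:WINDIR 'System32\whoami.exe'
$probe    = Join-Path $env:WINDIR 'Temp\applocker-probe.exe'   # assumed probe file
Copy-Item -Path $original -Destination $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, $original -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe -Force

# Audit-mode hits land in the AppLocker log: 8003 = would have been blocked (AuditOnly),
# 8004 = blocked (Enabled).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The exception page the video mentions ("allow nothing out of Temp except Microsoft") maps to an `<Exceptions>` element inside the same `<FilePathRule>`, holding a `FilePublisherCondition` for the Microsoft publisher name. Keep in mind that a path-based deny only covers the folder you name: the default `%WINDIR%\*` allow rule still permits anything a user can drop into other writable locations under the Windows folder, so a real allow-list deployment audits those paths (for example with `icacls`) and prefers publisher or hash conditions over path conditions.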