Knowledge Base Article
KB00994 - Whitelisting with AppLocker
Product: PI Data Archive
Version(s): All
 

Issue

With the increasing threat of cyber-attacks, it’s important to make sure the data and services on your PI Server are secure. Without a properly implemented security solution, your system may be susceptible to malicious attacks. As these attacks evolve and become more advanced, improving your defense-in-depth security strategy becomes more important. Application whitelisting may be a viable addition to your security strategy.
 

Solution

AppLocker is an application whitelisting security feature from Microsoft that allows users to configure application restriction policies. Unlike traditional "blacklisting" practices, where it’s crucial that virus/malware definitions stay up-to-date, whitelisting maintains a list of items that are explicitly allowed. Using AppLocker, you can define rules for a specific user or group that determine what applications can run on a machine. For special instances, AppLocker provides exceptions to these rules to allow finer control of "least privileges" access to important files and applications.

By its nature, a whitelisting application defaults to preventing unspecified content from running, making it a powerful tool for blocking malware. However, enforcement of whitelisting rules may unintentionally block friendly programs. Therefore, a compelling feature of AppLocker is its ability to run in audit-only mode. In this mode, a violation of the configured enforcement policy is logged in Event Viewer, but the policy itself is not enforced. This makes it ideal for testing a particular whitelisting configuration without risk of impact to your system's operation. Using AppLocker in audit-only mode is a highly recommended first step if you plan on implementing AppLocker's enforcement capability on your PI System installation.
 
 

Example AppLocker Implementation on a PI Server

The following procedure illustrates an example AppLocker configuration in audit-only mode on a PI Server. We will configure AppLocker's policy to allow published Microsoft and OSIsoft products to run for a domain group called "PI Administrators." Again, we highly recommend that you test ANY new AppLocker configuration in audit-only mode and examine the results using Windows Event Logs (see procedure below).

 

Step 1.
[Screenshot: 2014-01-16 10_40_32-jkafer-pi - Remote Desktop Connection.png]

In this step you will configure the Application Identity service.

Open the Windows Services Console:
Start > services.msc

Start the "Application Identity" service and ensure "Startup Type" is set to "Automatic".

This service enables AppLocker to determine the identity of an application, along with the attributes of specific files.

With this service inactive, AppLocker will not function.

Step 2.
[Screenshot: 2014-01-15 09_22_49-jkafer-pi - Remote Desktop Connection.png]

In this step you will navigate to the Group Policy Editor and locate AppLocker.

Open the Group Policy Editor:
Start > Run > gpedit.msc

Navigate to AppLocker in Computer Configuration > Windows Settings > Security Settings > Application Control Policies

Step 3.
[Screenshot: 2014-01-16 10_47_11-jkafer-pi - Remote Desktop Connection.png]

In this step, you will set AppLocker to run in audit-only mode.

Right-click on AppLocker and select "Properties".

Select the "Enforcement" tab, configure the Executable, Windows Installer, and Script rules to "Audit only", and click "OK".

DLL rules can also be configured in the "Advanced" tab; however, be aware that this could hinder system performance.

Step 4.
[Screenshot: 2014-01-16 13_50_22-jkafer-pi - Remote Desktop Connection.png]

In this step you will configure default rules for AppLocker.

Expand AppLocker, right-click on "Executable Rules," and select "Create Default Rules."

Repeat this for Windows Installer Rules, Script Rules, and Packaged App Rules (Windows Server 2012).

After creating these rules, modify them to only allow PI Administrator(s) to run files located in the Program Files and Windows directories.

Step 5.
[Screenshot: 2013-12-18 16_35_11-jkafer-pi - Remote Desktop Connection.png]

In this step, you will configure a new rule to allow OSIsoft-signed software to run.

Right-click on "Executable Rules," and select "Create New Rule…"

Click "Next" and then select the User(s) or Group(s) that you would like this rule to apply to. Under "Action," select "Allow."

Important – OSIsoft recommends only selecting users or groups that will be utilizing PI Software. Using this concept of least privileges will ensure that only authorized users and groups have access to PI data and services.

Browse for a file signed by OSIsoft, LLC (such as piconfig.exe). Slide the bar up to "Publisher" to allow all signed software for this publisher.

Do not configure any exceptions.

Finally, click "Create".

Step 6.

Repeat steps 4 and 5 to create an additional rule that allows Microsoft-signed software to run.

Step 7.

Repeat steps 4 and 5 to create Windows Installer Rules, Script Rules, and Packaged App Rules (Windows Server 2012) for Microsoft- and OSIsoft-signed products.

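The same seven steps carried out with the AppLocker PowerShell module instead of the Group Policy Editor, as an added example that is not part of this article and not an OSIsoft script. It assumes the domain group is CONTOSO\PI Administrators and that an OSIsoft-signed file is at C:\Program Files\PI\adm\piconfig.exe (both values are assumptions to adjust for your site). It builds Executable, Windows Installer and Script rules only: no DLL rules, for the performance reason given in step 3, and no Packaged App rules. The publisher string comes from the file's Authenticode signature, which is what the "Publisher" slider position in the wizard resolves to, and the path rules reproduce step 4's restriction of the default rules to the PI Administrators group.

```powershell
# Added example, not part of KB00994: builds the audit-only AppLocker policy from
# steps 1-7 with the AppLocker PowerShell module instead of gpedit.msc.
# Assumptions (change for your site): the group name and the path of one
# OSIsoft-signed file. Run from an elevated PowerShell session on the PI Server.
Import-Module AppLocker

$PiGroup   = 'CONTOSO\PI Administrators'                 # assumed domain group
$OsiSigned = 'C:\Program Files\PI\adm\piconfig.exe'      # assumed PI install path
$MsSigned  = "$env:windir\System32\notepad.exe"          # any Microsoft-signed file

# Step 1: AppLocker does nothing unless the Application Identity service runs.
# sc.exe is used because on newer Windows builds the service is protected and
# Set-Service cannot change its startup type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Rules are stored by SID, so resolve the group name once.
$GroupSid = (New-Object System.Security.Principal.NTAccount($PiGroup)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Steps 5-7: read the Authenticode publisher of one OSIsoft file and one Microsoft
# file. Publisher is $null for an unsigned file, so the count check catches a bad path.
$publishers = Get-AppLockerFileInformation -Path $OsiSigned, $MsSigned |
    ForEach-Object { $_.Publisher.PublisherName } | Sort-Object -Unique
if (@($publishers).Count -ne 2) { throw "Both files must be signed; check the paths." }

# One rule collection (Exe, Msi or Script) with an Allow rule per publisher at
# publisher level (any product, binary and version) plus the step 4 path rules,
# all scoped to the PI Administrators SID instead of the default "Everyone".
function New-RuleCollection {
    param([string]$Type, [string[]]$Publishers, [string]$Sid)
    $rules = foreach ($p in $Publishers) {
        $pEsc = [System.Security.SecurityElement]::Escape($p)   # safe inside an attribute
@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="${Type}: signed by $pEsc" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$pEsc" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
    }
    $paths = foreach ($dir in '%PROGRAMFILES%\*', '%WINDIR%\*') {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="${Type}: files in $dir" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$dir" />
      </Conditions>
    </FilePathRule>
"@
    }
    # Step 3: EnforcementMode="AuditOnly" logs violations without blocking anything.
@"
  <RuleCollection Type="$Type" EnforcementMode="AuditOnly">
$($rules -join "`n")
$($paths -join "`n")
  </RuleCollection>
"@
}

$policyXml = @"
<AppLockerPolicy Version="1">
$(New-RuleCollection -Type 'Exe'    -Publishers $publishers -Sid $GroupSid)
$(New-RuleCollection -Type 'Msi'    -Publishers $publishers -Sid $GroupSid)
$(New-RuleCollection -Type 'Script' -Publishers $publishers -Sid $GroupSid)
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'pi-applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Check the policy before it is applied: the PI tool must come back Allowed for
# the group, and an unsigned file outside Program Files/Windows must not.
$unsigned = Join-Path $env:TEMP 'unsigned-check.exe'
Set-Content -Path $unsigned -Value 'not a signed binary'   # constructed test file
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $OsiSigned, $unsigned -User $GroupSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Replaces the local AppLocker policy (the same object gpedit.msc edits).
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Set-AppLockerPolicy without -Merge replaces whatever local AppLocker policy exists, which is why the generated XML is written to disk and checked with Test-AppLockerPolicy first; Get-AppLockerPolicy -Local -Xml shows the result afterwards, and the enforcement mode is changed later by editing EnforcementMode in the same file rather than by rebuilding the rules.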
 

 

Reviewing the Windows Event Logs

After a period of running your PI Server with an AppLocker policy in place, you should review the logs to determine if your policy would have prevented any important software from running. This is a critical step to perform before running ANY AppLocker policy in enforce mode.

Step 1.
[Screenshot: AppLocker - Event Logs 1.png]

Navigate to the Windows Event Viewer AppLocker logs:

Start > eventvwr.exe

Event Viewer (local) > Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL

Step 2.
[Screenshot: AppLocker - Event Logs 2.png]

Review the logs for warning messages.

In audit-only mode, when an application would have been blocked, a Warning is logged.

In audit-only mode, when an application would have been allowed to run, an Information message is logged.

 
 

Important Note

Historically, OSIsoft has used differing signature formats to sign software. It may be necessary to configure additional publisher-based rules for OSIsoft-signed software depending on when the installed products were last updated. We highly recommend that you check the AppLocker Event Logs as a diagnostic tool to determine whether you need to enable additional rules.
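The log review in the two steps above and the additional-rule check in this note, done from PowerShell against the same "EXE and DLL" log, as an added example that is not part of this article and not an OSIsoft script. It assumes the domain group CONTOSO\PI Administrators. Grouping the audited files by signer is what distinguishes the case this note describes (a whole family of OSIsoft binaries signed with a certificate the existing rule does not match) from a single unsigned file; candidate rules for the audited files are written out for review rather than applied.

```powershell
# Added example, not part of KB00994: reviews the audit-only results from the
# same AppLocker event log the KB opens in Event Viewer, and prepares (but does
# not apply) rules for anything that was audited. Assumes the group name below.
# Run from an elevated PowerShell session on the PI Server.
Import-Module AppLocker

$PiGroup = 'CONTOSO\PI Administrators'                   # assumed domain group
$log     = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Event IDs in this log: 8002 = allowed (Information), 8003 = would have been
# blocked under enforcement (Warning in audit-only mode), 8004 = blocked (Error).
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8002, 8003, 8004 } `
              -ErrorAction SilentlyContinue)
'{0} allowed, {1} would have been blocked (audit), {2} blocked' -f
    @($events | Where-Object Id -eq 8002).Count,
    @($events | Where-Object Id -eq 8003).Count,
    @($events | Where-Object Id -eq 8004).Count

# Group the audited (8003) files by signer. A publisher appearing here with many
# files means a rule is missing for that signer; '(unsigned)' entries can only be
# covered by path or hash rules.
$audited = @(Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited)
$audited |
    Group-Object { if ($_.Publisher) { $_.Publisher.PublisherName } else { '(unsigned)' } } |
    Sort-Object Count -Descending |
    Format-Table Count, Name, @{ n = 'Example file'; e = { "$($_.Group[0].Path)" } } -AutoSize

# Candidate rules for the audited files, written to disk for review. Publisher
# rules are generated where the file is signed, hash rules otherwise. Nothing
# is applied here; after review, merge into the existing policy with:
#   Set-AppLockerPolicy -XmlPolicy $candidate -Merge
$candidate = Join-Path $env:TEMP 'applocker-audited-rules.xml'
if ($audited.Count -gt 0) {
    New-AppLockerPolicy -FileInformation $audited -RuleType Publisher, Hash `
        -User $PiGroup -RuleNamePrefix 'Audited' -Optimize -Xml |
        Set-Content -Path $candidate -Encoding UTF8
    "Candidate rules written to $candidate"
}

# The 'Microsoft-Windows-AppLocker/MSI and Script' log uses IDs 8005 (allowed),
# 8006 (audit) and 8007 (blocked); repeat the review with that log name once
# Windows Installer and Script rules exist.
```

The candidate file is worth reading before merging: a hash rule for a file that will change at the next PI upgrade is a rule that will start producing warnings again, and a publisher rule should only be merged if the signer is one you expected to see on the PI Server.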
 

Notes

Article ID: KB00994
Article Type: How-To
Created: 2014-02-11
Last Updated: 2017-06-01