I had a customer who had a problem with controlling per user installation programs such as Google Chrome, Spotify, Dropbox etc.

The RDS servers were locked down and the Windows Installer service was disabled. But that didn’t prevent Google Chrome from installing. The way Google Chrome and other per-user installations work is that the installer is a kind of self-extracting file, so if the user is allowed to run an executable file they’ll be able to install them.

So I investigated several options, such as Software Restriction Policies and AppLocker. Software Restriction Policies aren’t as flexible as AppLocker, and in any case they wouldn’t work as the RDS hosts are 2012 R2.

Here is a short step-by-step on what I did to enable it and what I did to monitor the use of AppLocker.

Creating the list of allowed executables using AppLocker

  • On your Domain Controller start Group Policy Management.
  • Find your GPO for RDS Session Hosts and edit it.
  • Right click Executable Rules and click Create Default Rules.
  • This will create the default allow entries so that users are able to run applications installed in the Program Files and Windows folders.
  • To add additional files, right click Executable Rules and choose Create New Rule.
  • Click Next.
  • Click Next.
  • Choose File Hash and click Next.
  • Click Browse, type in the path to the executable, select the executable and click Open. Click Next.
  • Click Create.
  • You should now be able to see the application in the allowed list.

Enabling AppLocker audit mode and starting the required services on the RDS hosts.

  • In the same GPO as previous do the following.
  • Right click AppLocker and choose Properties.
  • Click Configured and select Audit only from the dropdown.
  • Go to Computer Configuration – Policies – Windows Settings – Security Settings – System Services and click Application Identity.
  • Select Define this policy setting and set it to Automatic. Click OK.
  • On your RDS hosts, run GPUPDATE /force /target:Computer from an elevated command prompt.
  • Log in with a normal user on the RDS environment.
  • In the event log on the RDS host the user logged in to, find the log named EXE and DLL under Application and Services Logs – Microsoft – Windows – AppLocker.
    Here you will be able to see how the policies would have affected the users if the policies had been enforced.
    For example, Chromesetup.exe isn’t allowed to run.
  • Go through the log, write down all blocked files that should be whitelisted and add them to the allow list.
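
The log review in the last step can also be scripted. The PowerShell below is an added example, not part of the original post: it counts the audit events (ID 8003, "would have been blocked if enforced") per file and flags files under a user profile, which are the per-user installs the policy is meant to stop. The function names and the sample events are constructed for illustration.

```powershell
# Added example (not from the original post). Function names and sample data are constructed.

# Read the AppLocker "EXE and DLL" log on the local RDS host into simple objects.
# TargetUser in the live log is the user's SID.
function Read-AppLockerExeEvent {
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Id = $_.Id; User = $data.TargetUser; FilePath = $data.FilePath }
    }
}

# Count audit hits per file. Event ID 8003 = allowed to run in audit mode,
# but would have been blocked if the rules were enforced.
function Get-AppLockerAuditSummary {
    param([Parameter(Mandatory)] [object[]] $Events)

    $Events |
        Where-Object { $_.Id -eq 8003 } |
        Group-Object -Property FilePath |
        ForEach-Object {
            [pscustomobject]@{
                FilePath      = $_.Name
                Hits          = $_.Count
                Users         = ($_.Group.User | Sort-Object -Unique) -join ', '
                # Files under a user profile are the per-user installs to keep blocked.
                InUserProfile = $_.Name -match '^(%OSDRIVE%|[A-Z]:)\\Users\\'
            }
        } |
        Sort-Object -Property InUserProfile, FilePath
}

# Constructed sample events so the summary can be tried without a live log.
$sample = @(
    [pscustomobject]@{ Id = 8003; User = 'alice'; FilePath = '%OSDRIVE%\USERS\ALICE\DOWNLOADS\CHROMESETUP.EXE' }
    [pscustomobject]@{ Id = 8003; User = 'alice'; FilePath = 'D:\APPS\LOBTOOL\LOBTOOL.EXE' }
    [pscustomobject]@{ Id = 8003; User = 'bob';   FilePath = 'D:\APPS\LOBTOOL\LOBTOOL.EXE' }
    [pscustomobject]@{ Id = 8002; User = 'bob';   FilePath = '%WINDIR%\SYSTEM32\NOTEPAD.EXE' }  # allowed, ignored
)
Get-AppLockerAuditSummary -Events $sample | Format-Table -AutoSize

# On an RDS host, feed it the live log instead:
#   Get-AppLockerAuditSummary -Events (Read-AppLockerExeEvent)
```

Rows with InUserProfile set to False are the candidates for the allow list; rows set to True are what enforcement will block.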

 

Enabling enforcement of AppLocker policies.

  • In the same GPO as previous do the following.
  • Right click AppLocker and choose Properties.
  • Choose Enforce rules from the dropdown menu. Click OK.
  • On your RDS hosts, run GPUPDATE /force /target:Computer from an elevated command prompt.
  • Log in with a normal user and try to start, for example, the Google Chrome installation.
  • The user now gets an error message telling them that the application has been blocked and that they need to contact the administrator.

 

Feel free to write any comments below.

 

Author

Hans Christian Andersen
Cloud Solution Architect – EG a/s