
AppLocker allows unsigned apps to start using a publisher rule?


Hi all,

I am looking at deploying AppLocker policies to prevent unauthorized software from being executed. I have created a test lab (fully patched W2K8 R2 SP1) for this purpose but have hit the following issues with Publisher rules that I do not understand…

I have a single publisher rule allowing anything signed by…

“Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US”

…to be executed by ‘everyone’, audit mode.

This worked as expected until closer examination which showed that all files from Microsoft are being allowed as opposed to only those digitally signed files. Is this correct behavior, as TechNet documentation suggests this should not happen?

So for example, the Internet Explorer executable ‘iexplore.exe’ contains in the file properties a digital signature, timestamped and associated certificate. However, the Management console ‘mmc.exe’ contains no such signature – therefore I am assuming it is NOT signed and would be blocked by the AppLocker publisher rule. This I confirmed by running the ‘signtool.exe’ utility against them, which confirms no digital signature in the executable ‘mmc.exe’.

Both are however permitted to run via the publisher AppLocker rule.

If I use the AppLocker console to create a rule and select mmc.exe, it accepts it as if it is signed. Where is it getting this information from? Every other test on the file seems to suggest it is not signed, and AppLocker documentation indicates only signed files can be used for publisher rules.

My main concern is that this opens up a potential vulnerability to circumvent AppLocker.

Signtool command line output for reference…

C:\Tools>signtool verify /pa "C:\Program Files\Internet Explorer\iexplore.exe"
Successfully verified: C:\Program Files\Internet Explorer\iexplore.exe

C:\Tools>signtool verify /pa c:\windows\system32\mmc.exe
SignTool Error: No signature found.
SignTool Error: File not valid: c:\windows\system32\mmc.exe

Number of errors: 1
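The two signtool results above differ because of the verification mode, not because mmc.exe is unsigned. Without the /a switch, signtool verify only inspects the Authenticode signature embedded in the PE file; with /a it first searches the security catalogs installed under CatRoot, which is where Windows ships the signatures for most of its own binaries (mmc.exe among them), and only falls back to the embedded signature if no catalog entry matches. AppLocker's publisher rules resolve catalog signatures the same way, which is why the console treats mmc.exe as signed by Microsoft. A catalog entry is bound to the file's hash exactly like an embedded signature, so a modified copy stops matching. The PowerShell script below is an added example, not part of the original post: it runs signtool both ways over a constructed list of paths, classifies each file as embedded-signed, catalog-signed or unsigned, and checks that a tampered copy drops to unsigned. It assumes signtool.exe (from the Windows SDK) is on the PATH and that the sample paths exist on the lab machine; both are assumptions, adjust them as needed.

```powershell
# Added example, not code from the original post.
# Assumption: signtool.exe from the Windows SDK is on PATH; point $SignTool at it otherwise.
$SignTool = 'signtool.exe'

# Constructed sample list: the two files from the post plus one more system binary.
$Files = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "$env:SystemRoot\System32\mmc.exe",
    "$env:SystemRoot\System32\notepad.exe"
)

# Runs 'signtool verify /pa' and reports success by exit code (0 = verified).
# -IncludeCatalogs adds /a, which makes signtool search the installed catalogs
# before looking at the embedded Authenticode signature.
function Test-SignToolVerify {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $IncludeCatalogs
    )
    $stArgs = @('verify', '/pa', '/q')
    if ($IncludeCatalogs) { $stArgs += '/a' }
    $stArgs += $Path
    & $SignTool @stArgs 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Classifies a file as 'embedded' (signature inside the PE), 'catalog'
# (signature only found via a .cat file) or 'unsigned'.
function Get-SignatureSource {
    param([Parameter(Mandatory = $true)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    if (Test-SignToolVerify -Path $Path)                  { return 'embedded' }
    if (Test-SignToolVerify -Path $Path -IncludeCatalogs) { return 'catalog' }
    return 'unsigned'
}

# Tamper check: copies the file, flips its last byte and re-classifies the copy.
# Because both embedded and catalog signatures cover the file hash, the copy
# should come back as 'unsigned' even though the original verified.
function Test-TamperedCopy {
    param([Parameter(Mandatory = $true)] [string] $Path)
    $copy = Join-Path $env:TEMP ('tamper_' + [IO.Path]::GetFileName($Path))
    Copy-Item -LiteralPath $Path -Destination $copy -Force
    $bytes = [IO.File]::ReadAllBytes($copy)
    $last = $bytes.Length - 1
    $bytes[$last] = [byte]($bytes[$last] -bxor 0xFF)
    [IO.File]::WriteAllBytes($copy, $bytes)
    $result = Get-SignatureSource -Path $copy
    Remove-Item -LiteralPath $copy -Force
    return $result
}

foreach ($f in $Files) {
    New-Object PSObject -Property @{
        File            = $f
        SignatureSource = Get-SignatureSource -Path $f
        TamperedCopy    = Test-TamperedCopy -Path $f
    }
}
```

On a machine matching the post's lab, iexplore.exe is expected to come back as embedded, mmc.exe as catalog, and every tampered copy as unsigned. To see which catalog file carries a given signature, run signtool verify /a /v manually against the file; the verbose output names the .cat file it matched. Note that Get-AuthenticodeSignature in the PowerShell 2.0 shipped with Windows Server 2008 R2 only examines embedded signatures, so it will report mmc.exe as NotSigned just as signtool does without /a; later PowerShell versions on Windows 8 / Server 2012 and newer expose a SignatureType property that distinguishes Catalog from Authenticode signatures.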
