This document is intended to provide information about application controls for OIT Managed Desktop supported devices.
In order to meet EPS control 10.1.2 (Application Control), the OIT Managed Desktop Service will use Microsoft AppLocker through Group Policy if and when the need arises to block an application. The control reads as follows: “Application Control. Enforce an application-Whitelist (allowing access) or application-Blacklist (denying access) administratively within the OS to ensure that “known bad” applications cannot be executed and only “known good” applications can.”
Implementation
Since AppLocker is designed as an allow list, using it as a blocklist tool means creating a rule for the file type in question (AppX, exe, dll, script) that allows all files for Everyone, with an exception for the target application. Rules are defined in Group Policy under Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker. An example rule configuration designed to block Notepad is included in the screenshots below. A new GPO would have to be created and linked by the appropriate OU Admin where needed.
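The same "allow all, except the target" rule expressed as AppLocker policy XML and checked with the built-in AppLocker cmdlets. This is an added example, not configuration from the OIT document or its screenshots; it assumes a Windows host with the AppLocker PowerShell module, uses Notepad as the page does, and leaves the GPO LDAP path as a placeholder for the OU Admin to fill in.

```powershell
# Added example (not OIT's own configuration): build the allow-all rule with a
# blocklist exception as AppLocker XML, dry-run it, and show the publish step.

$TargetExe  = 'C:\Windows\System32\notepad.exe'     # application to block (page's example)
$ControlExe = 'C:\Windows\System32\calc.exe'        # unrelated binary, should stay allowed
$PolicyPath = "$env:TEMP\BlockNotepad-AppLocker.xml"

# %SYSTEM32% is an AppLocker path variable; Path="*" is the same "All files"
# condition the console's default rules use. S-1-1-0 is the Everyone SID.
$ExceptionPath = '%SYSTEM32%\notepad.exe'

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())"
                  Name="Allow all executables except Notepad"
                  Description="Allow-all rule for Everyone with a blocklist exception (EPS 10.1.2)"
                  UserOrGroupSid="S-1-1-0"
                  Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="$ExceptionPath" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# Dry run before linking anything: Notepad is excluded from the only Allow rule,
# so AppLocker reports it as DeniedByDefault; calc.exe should come back Allowed.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path $TargetExe, $ControlExe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Rules are only enforced while the Application Identity service is running;
# confirm it on a test machine in the target OU.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# Publish to the GPO the OU Admin created and linked. The DN below is a
# placeholder; -Merge keeps any rule collections already in that GPO instead of
# replacing them. Switch EnforcementMode to "AuditOnly" for a first rollout.
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge `
#     -Ldap 'LDAP://DC01.example.edu/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=edu'
```

A path exception only matches the file at that location. Where the blocked application may exist under more than one path, derive a publisher or hash condition with Get-AppLockerFileInformation and use that in the Exceptions element instead, and define the other rule collections (Dll, Script, AppX) explicitly, since a collection absent from the policy is not enforced.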
Any questions on process or content contained in this document should be escalated through the NCSU Help Desk and have an incident assigned to the OIT_DESKTOP_SUPPORT team.
https://policies.ncsu.edu/rule/rul-08-00-18/#security_controls
Title: Windows Application Control Policy & Process for the OIT Managed Desktop Service
Service: Windows Application Deployment
Template if applicable: NA
Assignment Group(s): OIT_DESKTOP_SUPPORT
Document Owner: OIT_DESKTOP_SUPPORT
Available Priorities: Critical, High, Medium, Low
Keywords: Windows, application control, control, block, deny, applocker, AppLocker, eps, endpoint protection, protection, app control, endpoint protection standard, what is application control, OIT Managed Desktop Service