A tip on how to edit AppLocker permissions for local users.

 You have AppLocker in your domain and you don't know how to change the permissions for your local users?! Here is how I proceed in order to do it.  

First you need to edit AppLocker locally on a server (secpol.msc) the way you want the permissions to be, then export the result as XML by right-clicking on AppLocker. In my case I had to give back administrative rights to a local user so that he could use cmd.exe, powershell.exe and powershell_ise.exe. Once we have the export we can start working with it.

We retrieve the SID of the local user we want, create an XML file based on the one we exported by using the 'ADD-CONTENT' command, and finally import our XML file in order to apply those modifications. The script is in PowerShell.

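<#
.SYNOPSIS
    Builds a minimal AppLocker policy that allows one local account to run
    cmd.exe, powershell.exe and powershell_ise.exe, then applies it locally.

.DESCRIPTION
    The policy is written as an XML file under the output directory and
    imported with Set-AppLockerPolicy. The SHA256 file hashes below come from
    an export of the locally edited policy (secpol.msc -> AppLocker -> Export
    Policy) and are bound to specific binary versions: a patched cmd.exe or
    powershell.exe no longer matches and the rule silently stops applying, so
    they must be regenerated after updates.

.PARAMETER AccountName
    Local account (or group) the Allow rule is created for. Defaults to the
    account used in the original post.

.PARAMETER OutputDirectory
    Directory that receives the generated AppLockerBMC.xml file.

.NOTES
    Without -Merge, Set-AppLockerPolicy replaces the existing local policy
    with this file; only the Exe collection is enforced, the other collections
    are left NotConfigured.
#>
param(
    [string]$AccountName     = 'BladeLogicRSCD',
    [string]$OutputDirectory = 'C:\AppLockerBMC'
)

# Abort on the first error instead of continuing with an empty SID or a
# half-written policy file (the default 'Continue' would do exactly that).
$ErrorActionPreference = 'Stop'

# Get the SID of the local user. Translate() throws when the account does not
# exist, which under 'Stop' ends the script before any policy is written.
$objUser = New-Object System.Security.Principal.NTAccount($AccountName)
$strSID  = $objUser.Translate([System.Security.Principal.SecurityIdentifier])

# Creation of the XML file and assignment of the user's SID in the XML.
# Full paths are used so the script neither depends on nor changes the
# caller's current directory.
$null = New-Item -Path $OutputDirectory -ItemType Directory -Force
$policyPath = Join-Path -Path $OutputDirectory -ChildPath 'AppLockerBMC.xml'

# The whole policy is written in one go: a here-string is easier to review
# than a dozen Add-Content calls and cannot leave a partial file behind if one
# of them fails. Only the SID is interpolated; it comes from Translate(), not
# from user-supplied text.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FileHashRule Id="47654b2a-f001-48dc-a7ff-8f799df2dbf6" Name="cmd.exe, cmd.exe" Description="" UserOrGroupSid="$($strSID.Value)" Action="Allow">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="0x5F98965FF2650B89586176B38F007CA13A9E525E877DDCCBCDCE0A90408672D5" SourceFileName="cmd.exe" SourceFileLength="345088" />
          <FileHash Type="SHA256" Data="0xCFC5937B4DB3A1D5718FE144B621D50B0A337854AB3F5E2DF152B62627F6FD4A" SourceFileName="cmd.exe" SourceFileLength="302592" />
          <FileHash Type="SHA256" Data="0x74AA17A49D9BFFDF0AFF46FA420E1B96EE4CA55CD03D5785735EC5C9C284CEBE" SourceFileName="powershell.exe" SourceFileLength="473600" />
          <FileHash Type="SHA256" Data="0x2B7891194D6D994421E3EE2B887463819BAE1B746C6043BA3B46D7927BF093EC" SourceFileName="powershell.exe" SourceFileLength="452608" />
          <FileHash Type="SHA256" Data="0x6A0452FDDC7B16F0A2501111885B346AB2D01478170ACCFD7908999AADE85A60" SourceFileName="powershell_ise.exe" SourceFileLength="204800" />
          <FileHash Type="SHA256" Data="0xFDA36E18C40D3572116096F2468F508DFEB7595BFFC8BEB1D9658E35BF60C47C" SourceFileName="powershell_ise.exe" SourceFileLength="200704" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml

# Import of the XML file locally. See .NOTES: this replaces the current local
# policy; add -Merge if existing local rules must be preserved.
Import-Module AppLocker
Set-AppLockerPolicy -XmlPolicy $policyPath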