SharePoint AppLocker Setup *Update*

So in the last post we talked about using “AppLocker” as a way to control executable processes from running on servers. Using these rules we were able to “whitelist” and “blacklist” so only those processes needed can run.

Now for a SharePoint Server, as you know everyone has different ways of managing them, different accounts, always using Administrator, separate Install and Farm accounts or just use what is there. This can cause issues when using “AppLocker” as you need to be able to run updates and deploy components on those servers.

So to understand this let’s look at how this process should work. Firstly for SharePoint we should be using something like this for Permissions and Management.

Account Account Permission Account Role
Administrator Domain User/Admin and Local Server Administrator Local Server Administrator full access to everything on the server
Setup Domain User and Local Server Administrator Local Server Administrator full access to everything on the server
Farm Administrator Domain User User Account

This means that anyone who logs into the server as either “Administrator” or the “Setup” account would then be allowed to run really any executable due to the default rule for “Administrators” in the core rule base.

As you can see this rule allows ALL files to be used for the “BUILTIN\Administrators” security group, so creating rules that are specific to security groups can ensure that not every account in the SharePoint Farm that *needs* to be a local Administrator can do what they want.

The following steps would be needed:

  1. Modify the default rule (shown) to be for the local administrator account ONLY
  2. Create other rules for specific accounts such as the SharePoint Setup account which would need local administrator permissions for install and other patching and deployment processes
  3. Create rules for the SharePoint Farm administrator as needed

With specific rules created for the various accounts and security groups you are able to maintain integrity and not allow the Administration accounts to do whatever they want. Just because we don’t trust the developers doesn’t mean we should have Administration access to everything J #justkidding

Liam Cleary

Liam began his career as a Trainer of all things computer-related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes, and of course security controls and protection. He is also a Microsoft MVP focusing on Architecture but also crosses the boundary into Development. He is also a Microsoft Certified Trainer (MCT). His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, raspberry PI programming, hacking the planet or building Lego robots.

You may also like...