AppLocker Configuration
AppLocker is a Windows application-control feature that lets you block specific applications for specific users, such as Task Manager for KioskUser.
Note - Application Identity Service
AppLocker requires the "Application Identity" service to be running.
Part 1: Block Task Manager via AppLocker
Step 1: Open Policy Editor
- Run secpol.msc.
Step 2: Create Default Rules (Vital)
- Navigate to Application Control Policies > AppLocker > Executable Rules.
- Right-click and select Create Default Rules (prevents you from locking yourself out).
- Also do this for Script Rules; some of our code runs as executables and some as scripts.

This is what mine looks like.
Executable Rules
| Action | User | Name/Path | Condition |
|---|---|---|---|
| ✅ Allow | Everyone | C:\Users\Administrator\Miniconda3\* | Path |
| ✅ Allow | Everyone | C:\projects\* | Path |
| ✅ Allow | Everyone | (Default Rule) All files located in the Program Files folder | Path |
| ✅ Allow | Everyone | C:\Users\KioskUser\* | Path |
| ✅ Allow | Everyone | (Default Rule) All files located in the Windows folder | Path |
| 🚫 Deny | EC2AMAZ-GPDFMFQ\KioskUser | C:\Windows\System32\Taskmgr.exe | Path |
| ✅ Allow | Everyone | C:\scripts\* | Path |
| ✅ Allow | BUILTIN\Administrators | (Default Rule) All files | Path |
Script Rules
| Action | User | Name/Path | Condition |
|---|---|---|---|
| ✅ Allow | Everyone | C:\scripts\* | Path |
| ✅ Allow | Everyone | (Default Rule) All scripts located in the Program Files folder | Path |
| ✅ Allow | Everyone | C:\Users\Administrator\Miniconda3\Scripts\* | Path |
| ✅ Allow | Everyone | %OSDRIVE%\USERS\KIOSKUSER\APPDATA\LOCAL\TEMP\* | Path |
| ✅ Allow | Everyone | C:\Users\Administrator\Miniconda3\* | Path |
| ✅ Allow | EC2AMAZ-GPDFMFQ\KioskUser | C:\Users\KioskUser* | Path |
| ✅ Allow | Everyone | (Default Rule) All scripts located in the Windows folder | Path |
| ✅ Allow | Everyone | C:\Users\Administrator\Miniconda3\condabin\* | Path |
| ✅ Allow | BUILTIN\Administrators | (Default Rule) All scripts | Path |
Step 3: Create Deny Rule
- Right-click > Create New Rule.
- Action: Deny.
- User: Select the specific Student/User.
- Conditions: Path > Browse Files > C:\Windows\System32\Taskmgr.exe.
- Click Create.
Step 4: Enforce Policy
- Right-click AppLocker (the root node) > Properties.
- Check Configured under Executable rules and set to Enforce rules.
Step 5: Start Service (CMD)
Run this as Admin to ensure the AppLocker engine is on:
sc start AppIDSvc
gpupdate /force
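The following PowerShell script is an added example, not part of the original guide, that carries out Steps 2 through 5 from an elevated prompt and checks the result before trusting it. It assumes the default rules from Step 2 already exist in the local policy, that the kiosk account is a local user named KioskUser, and that Task Manager is at the standard C:\Windows\System32\Taskmgr.exe; the rule name, description and temp file names are made up for the example.

```powershell
# Added example (not from the original guide): script the Task Manager deny rule
# and sanity-check the effective policy before relying on it.
# Assumes the Step 2 default rules already exist and that KioskUser is a local account.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$KioskUser = 'KioskUser'                         # assumption: account name from the guide
$Target    = 'C:\Windows\System32\Taskmgr.exe'
$AdminsSid = 'S-1-5-32-544'                      # well-known SID for BUILTIN\Administrators

# 1. Application Identity must be running (Step 5); without it AppLocker enforces nothing.
#    sc.exe is used because the service's startup type is protected on newer Windows builds.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Refuse to continue unless an Allow rule for Administrators exists in the effective
#    Exe collection. This is the lock-out protection the default rules give you.
$effective  = [xml](Get-AppLockerPolicy -Effective -Xml)
$exeRules   = $effective.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
$adminAllow = $exeRules.FilePathRule | Where-Object {
    $_.Action -eq 'Allow' -and $_.UserOrGroupSid -eq $AdminsSid
}
if (-not $adminAllow) {
    throw 'No Allow rule for BUILTIN\Administrators found. Create the default rules first (Step 2).'
}

# 3. Resolve the kiosk account to its SID; AppLocker rules are keyed by SID, not by name.
$account  = New-Object System.Security.Principal.NTAccount($KioskUser)
$kioskSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 4. Build a policy fragment holding only the Deny rule, in AppLocker's XML schema.
#    %SYSTEM32% is the AppLocker path variable the GUI substitutes for C:\Windows\System32.
$denyPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Task Manager for $KioskUser"
                  Description="Kiosk hardening (example)" UserOrGroupSid="$kioskSid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\Taskmgr.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$denyXml = Join-Path $env:TEMP 'deny-taskmgr.xml'
$denyPolicy | Set-Content -Path $denyXml -Encoding UTF8

# 5. Merge into the local policy so the default rules are kept (Step 3 + Step 4).
#    Confirm afterwards in secpol.msc that Executable rules show "Enforce rules".
Set-AppLockerPolicy -XmlPolicy $denyXml -Merge

# 6. Ask AppLocker what it would decide for each account before anyone logs on.
$mergedXml = Join-Path $env:TEMP 'effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $mergedXml -Encoding UTF8
foreach ($user in @($KioskUser, 'Administrator')) {
    $decision = Test-AppLockerPolicy -XmlPolicy $mergedXml -Path $Target -User $user
    '{0,-15} {1,-40} {2}' -f $user, $Target, $decision.PolicyDecision
}

gpupdate /force
```

A correct run prints Denied for KioskUser and Allowed for Administrator (matched by the default Administrators rule). If the Administrator line shows Denied or DeniedByDefault, stop and fix the rules before logging off, because that is exactly the lock-out the default rules exist to prevent.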
Warning - Start Menu Impact
This will probably make your Start menu unusable. While the policy is enforced you'll have to launch programs from cmd.exe.
Looking at Events via Event Viewer
Awesome - Event Viewer Monitoring
This is SUPER helpful for monitoring AppLocker.

Here is how to check the AppLocker logs using the Event Viewer GUI:
- Press Win + R, type eventvwr.msc, and hit Enter.
- Navigate to this specific folder tree: Applications and Services Logs > Microsoft > Windows > AppLocker
- Click on EXE and DLL.
- Look for Event ID 8004.
  - 8004: Application was blocked.
  - 8002: Application was allowed.
The "General" tab in the bottom pane will tell you exactly which file was blocked and which user tried to run it.
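As an added example (not from the original guide), the PowerShell below reads the same EXE and DLL log the Event Viewer steps open and pulls the user and file path out of each 8004 block event, so repeated attempts can be counted instead of clicked through one entry at a time. It also reads the MSI and Script log, where 8007 is the equivalent blocked-event ID. The function name Get-AppLockerBlocks and the 24-hour default window are choices made for this example; the field names come from the UserData section of the AppLocker event.

```powershell
# Added example (not from the original guide): summarise AppLocker block events
# from the logs shown in the Event Viewer steps above.
function Get-AppLockerBlocks {
    param([int]$Hours = 24)   # look-back window; 24 h is an example default

    # Same log tree as Event Viewer: 8004 = blocked EXE/DLL (the guide's ID),
    # 8007 = blocked script or installer in the MSI and Script log.
    $logs = @(
        @{ Name = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8004 },
        @{ Name = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007 }
    )
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($log in $logs) {
        # SilentlyContinue: Get-WinEvent errors when a log has no matching events.
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = $log.Name
            Id        = $log.Id
            StartTime = $since
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # The fields shown on the General tab live in UserData, not the rendered message.
            # FilePath uses AppLocker variables, e.g. %SYSTEM32%\TASKMGR.EXE.
            $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            $sid  = $data.TargetUser
            try {
                $account = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $user    = $account.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $user = $sid          # deleted or unknown SID: keep the raw value
            }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Log      = $log.Name.Split('/')[-1]
                User     = $user
                FilePath = $data.FilePath
                Rule     = $data.RuleName
                FileHash = $data.FileHash
            }
        }
    }
}

# Group repeated blocks so a kiosk user hammering Task Manager shows as one line with a count.
Get-AppLockerBlocks -Hours 24 |
    Group-Object User, FilePath |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';     e = { $_.Group[0].User } },
        @{ n = 'FilePath'; e = { $_.Group[0].FilePath } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell window, since reading these logs needs the same rights as opening them in Event Viewer. A block from an unexpected user or for a path outside the deny rule (for example something under C:\Users\KioskUser that is not covered by an Allow rule) is the signal to revisit the tables above rather than to loosen enforcement.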
Phase Complete
You've completed Phase 6. Your system is now optimized with better DCV performance settings and secure application restrictions.