AppLocker 1.3
Goodbye Applocker and welcome back SRP – PKI Extensions
Update 01.12.2012: clarified Applocker support on server core installations.
Hello folks! Today I want to share some personal opinions about one Windows whitelisting technology — Applocker, especially about the future.
Why Applocker?
Not all know that this is not something new (as Microsoft promotes), but a next generation of Software Restriction Policies (SRP). SRP is original Microsoft whitelisting technology which was introduced in 2001 (with Windows XP release).
Due to various reasons, SRP didn’t become a popular technology that was used by systems administrators (not talking about home users). Microsoft attempted to make SRP more flexible, user-friendly and simple in configuration and usage.
As the result, we got SRPv2 called Applocker, which was introduced in Windows 7 and Windows Server 2008 R2.
From the first look it was a nice replacement for SRP with some useful additions.
For example, we can export and import rules in XML format, create rule collections, added new useful variables, nice rule creation wizard and built-in security filtering.I successfully used Applocker on my personal computers when I got an access to Windows 7 (previously I used SRP) as a free and powerful malware protection mechanism.
Why not Applocker?
Even though, Microsoft actively promoted Applocker between IT Pros, the technology remained behind the scene, because it was available only in Windows 7 Ultimate and Enterprise editions. This was a bad move, because small business market not always can purchase Enterprise editions and commonly uses Professional edition (a replacement for Vista Business).
Windows 7 Pro has Applocker console where you can create rules and export them, you cannot enforce them. There are no business decisions to limit Applocker to top desktop editions (Ultimate and Enterprise). In small business (SMB) it is easier to keep similar operating systems (say, Windows 7 Pro clients and SBS servers) than for large enterprises.
Thus, it is almost impossible for companies to use Applocker as a unified whitelisting technology, because there are systems which do not support Applocker. And companies have to maintain both technologies — Applocker for modern systems and SRP for other systems. Theoretically. In practice, SRP has better support and sometimes is better than Applocker.
Here is a full list of operating systems that supports Applocker:
- Windows 7 Ultimate, Enterprise
- Windows 8 Enterprise
- Windows Server 2008 R2 (all editions)
- Windows Server 2012 (all editions, except server core installation)
and SRP support:
- Windows XP Professional, MediaCenter
- Windows Vista Business, Ultimate, Enterprise
- Windows 7 Professional, Ultimate, Enterprise
- Windows 8 RT, Professional, Ultimate, Enterprise
- Windows Server 2003 (all editions)
- Windows Server 2008 (all editions)
- Windows Server 2008 R2 (all editions)
- Windows Server 2012 (all editions)
feel the difference. Also Applocker has a serious (in certain cases — blocking) bug: you cannot create path rules for network locations (or mapped drives).
On the other hand, SRP lacks in built-in security filtering, as the result we have to maintain multiple group policy objects (GPO) to allow various software usage scenarios depending on a user permissions.
Also I would to show you a quick table that displays feature support in Applocker and SRP:
| SRP | AppLocker | |
| Rules applies to (in a single GPO): | All users | Specified users and groups |
| Default action level | Unrestricted | Deny |
| Has explicit “Allow” action | ||
| Has explicit “Deny” actions | ||
| Has special action | ||
| Certificate rules | ||
| Publisher rules | ||
| Hash rules | ||
| Network zone rules | ||
| Path rules | ||
| System environment variables | ||
| Special environment variables | ||
| Can read paths from registry | ||
| Audit mode | ||
| Rule collections | ||
| Rule creation wizrd | ||
| Policy export/import | ||
| PowerShell support | ||
| Error messages when application is blocked | ||
| Configurable extension list | ||
| Can control Metro apps |
The table displays the most important features that we may want to see in any whitelisting technology.
Recently I bought a new notebook and installed Windows 8 Pro. I was really disappointed when I noticed, that Applocker is partially supported there (cannot enforce rules). I spend some time to move Applocker rules to SRP.
Conclusion
Windows 8 is second Windows OS generation where we can use Applocker, however technology support is limited again.
Even though, SRP has few disadvantages (comparing with Applocker), better OS support makes more sense and is more decisional than anything else.
I don’t see any chances for Applocker to become a popular whitelisting technology in near future. If you have something to tell about the subject — you are welcome in comments.
Источник: //www.sysadmins.lv/blog-en/goodbye-applocker-and-welcome-back-srp.aspx
10 Best App Lockers for Android You Can Use (2018)
A smartphone is a very personal gadget. We have personal messages and information in the s of messaging & social media apps. Then there are banking apps, where a lot of our sensitive data is stored.
Also, we click a ton of personal photos and videos, which are saved in the gallery app of our smartphone.
Un iOS, where you need to be jailbroken to lock apps with Touch ID, Android features a number of cool apps that let you lock apps through a password, PIN, fingerprint scanner or some really unique ways.
While custom ROMs CyanogenMod (read: Lineage OS) and Android builds from various manufacturers come with the app locking feature built-in, most Android users look for app lockers on the Google Play Store. So, if you are looking for app lockers on Android to lock apps with your device’s fingerprint sensor, we have you covered. Here are the 10 best app lockers for Android:
1. AppLock
AppLock is the most popular app locker app on the Play Store, with more than 100 million downloads. The app has certainly earned that, as it’s also the best app locker for Android. With AppLock, you can lock apps as well as various Android toggles WiFi, Bluetooth, mobile data etc.
You can even lock incoming calls or almost any Android element. You can also set up various lock profiles for work, home etc. There are also options to make sure that the app locking triggers at a certain time or location.
AppLock also lets you add a cover a warning message that says “the app has stopped”, which is one of the usual Android warnings.
Moreover, you can choose to hide the app, prevent uninstallation, and set up a delay for re-locking. It also includes a power saving mode, so if you use AppLock, you don’t need to worry about the app draining your device’s battery.
Along with app locking, the app also brings a photo and video vault, and support for plugins. AppLock is certainly a feature rich app and it works flawlessly. The app does include ads but they are rare and of the non-intrusive kind.
Install: (Free, with in-app purchases)
2. Privacy Knight Applock
Privacy Knight, designed by the Alibaba group, is an ad-free and totally free app locker that isn’t very popular but certainly deserves to be.
The app lets you lock apps through different methods PIN/pattern, fingerprint, face tracking or through a disguise cover blow to unlock, shake, or a crash message. Along with apps, you can lock incoming calls with Privacy Knight.
There are options to prevent uninstallation of the app, hide notification preview from apps WhatsApp and secret door to disguise the app as a dialer. Along with that, the app captures photos of intruders that enter the wrong password.
The app also includes additional features a photos & videos vault, the ability to check for privacy issues and clear browser history.Install: (Free)
3. Norton App Lock
Chances are, you have heard of Norton, the popular anti-virus maker. Well, the company offers a pretty good app locker for Android. The Norton App Lock is a very simple app locker which should be a good choice, if you are looking for a free & ad-free app locker that just works.
With Norton App Lock, you can lock apps by fingerprint, PIN or pattern. There aren’t a lot of options here but you can protect it from uninstallation by giving it admin privileges.
There are also options to set a recovery email, along with a sneak peak feature that captures photos of intruders who enter the wrong PIN or pattern 3 times.
Install: (Free)
4. Hexlock App Lock
Hexlock App Lock is a fairly new app locker for Android that has gained a lot of traction due to its beautiful interface and handy features. The app lets you lock apps through fingerprint, with the PIN and pattern as your backup. There are various preset profiles Work, Home, Party, Parental, School etc.
but you can edit these or create your very own profiles. Hexlock lets you automatically enable a profile the WiFi network your device is connected to. Other than that, the app captures photos and saves the location of intruders trying to unlock apps. There are also options to set up uninstall prevention, app re-lock delay and more.
While Hexlock does include non-intrusive ads, you can remove them via an in-app purchase.
Install: (Free, with in-app purchase of $1.30 to remove ads)
5. App Locker: Fingerprint & Pin
App Locker is one of the many app lockers for Android with the “app locker” moniker. The app isn’t very popular and it’s not hard to understand why. It has a pretty outdated UI but if you look past that, it has some really unique features.
Apart from the usual app locking features, App Locker lets you set custom lock settings on a per app basis. So, you can set the primary lock method for an app to fingerprint, while pattern as the primary method for another app. Other than that, the app lets you choose a crash cover, set app re-lock delay and more.
It includes ads but you can remove the ads by purchasing the full version of the app.
Install: (Free, Pro $3.99)
6. Keepsafe App Lock
The Keepsafe App Lock app is the simplest app locker in this list. The app features a gorgeous Material Design UI and packs in support for PIN, pattern and fingerprints. There are options to set delay on when the apps are re-locked, prevent uninstall and hide PIN touches.
If you’d to disable the app temporarily, the app lets you disable it for a few hours. The app is available in a free version but it features ads, however, you can make an in-app purchase to remove ads in the app.
That pretty much sums up the app, I have used the app for quite a while and it’s as simple as it gets and works well.
Install: (Free, with in-app purchase of $1.99 to remove ads)
7. FingerSecurity
FingerSecurity is one of the best app lockers for Android, thanks to its sheer number of features.
The feature-rich app lets you lock apps via fingerprint and you can enable the improved protection features to make sure that parts of the app and the app’s data isn’t visible in the recents screen.
There’s also the advanced security option to prevent uninstalls. The app also lets you set a time out, which is the delay in re-locking apps, along with options to theme the fingerprint indicator, and more.
The app is available in a free version but it’s fairly limited. However, you can get the Premium version, which brings more theming options, the ability to change background of the lock page.
It also brings options to set safe locations, detect intruders, set up a fake crash, and more.
Overall, the app definitely packs in a ton of features but in my usage, I did face a few hiccups in performance, so that’s something you should keep in mind.
Install: (Free, with in-app purchase of $1.99 for Premium)
8. AppLock – Fingerprint
AppLock – Fingerprint (yes, that’s the app’s name on the Play Store) is another very popular app locker on Android and deservedly so, because it packs in a ton of great features.
There’s support for fingerprint scanner, PIN, and you can set different passwords for different apps. You can also set up profiles and make sure that the app locks activate at a certain time or the WiFi and Bluetooth connection.
Along with apps, the app locker also lets you lock system settings, the home screen, rotation, and more.
Moreover, there are cool features the ability to hide the app, remotely unlock a phone via SMS, “Observer” which as the name suggests captures photos on failed unlock attempts. AppLock – Fingerprint includes ads but you can remove them through an in-app purchase. Overall, it is the app to get if you love playing with a ton of options.Install: (Free, with in-app purchases)
9. MaxLock
MaxLock is an awesome app locker for rooted Android devices only. That’s sad but if you have a rooted Android device, you get some great features with MaxLock. The app is Xposed Framework, so you obviously need to have Xposed installed on your device.
MaxLock is a totally free and ad-free app that un many app lockers out there, gives performance and battery the priority. The locking methods include fingerprint, PIN, pattern and knock code.
The open-source app includes ton of customization options, fake crash feature, a MasterSwitch to disable it easily, ability to remove thumbnail of apps in the recents window, and more.
There’s a Premium version of the app as well, which you can get via a donation. It brings features I.Mod (grace period for delay in re-locking), logs of failed unlock attempts, and ability to backup/restore locked apps list.
Install: (Free, with donation for Premium features)
10. CM AppLock
Cheetah Mobile, the developers behind the CM AppLock app, does not have a great reputation, all thanks to overwhelming app recommendations in their various apps. Having said that, the CM AppLock is still decent app locker you can use.
The app supports fingerprint unlocking and lets you lock apps and settings WiFi, Bluetooth etc. It also lets you set a delay in re-locking apps and brings the ability to capture a selfie of any intruder when 3 incorrect attempts are made.
Plus, you can choose the background of the lock page from your photos or get one of the themes inside the app. CM AppLock is free and ad-free, so you can try it out.
Install: (Free)
SEE ALSO: 7 Best Lock Screen Replacement Apps for Android
Lock Your Personal Apps with the Best App Lockers for Android
There are a ton of app locker apps on the Play Store but the aforementioned 10 are most certainly the best app lockers you can use on Android.
All of them support the fingerprint scanner and all of them bring some unique features, so you can choose the app that suits you best.
So, try out these app lockers on your Android smartphone and do let us know your thoughts in the comments section below.
Источник: //beebom.com/best-app-lockers-android/
Что такое AppLocker (Windows 10)
- 09/21/2017
- Время чтения: 4 мин
- Соавторы
Область применения
- Windows 10
- Windows Server
В этом разделе для ИТ-специалистов описывается, что такое AppLocker и как его функций отличаются от политик ограниченного использования программ.
AppLocker переводит приложение управления функции и возможности политик ограниченного использования программ. AppLocker содержит новые возможности и расширения, которые позволяют создавать правила чтобы разрешить или запретить выполнение в зависимости от уникальных идентификаторов файлов приложений, а также указывать, какие пользователи или группы могут запускать эти приложения.
С помощью AppLocker, можно сделать следующее.
- Контролировать следующие типы приложений: исполняемые файлы (.exe и .com), сценарии (с расширением js, .ps1, .vbs, этот и .bat), файлы установщика Windows (.mst, MSI-файл и .msp) и DLL-файлов (DLL и соответствующий) и упакованные приложения и установщики упакованного приложения (appx).
- Определение правил на основе атрибутов файлов, извлеченных из цифровой подписи, включая издателя, имя продукта, имя файла и версии файла. Например вы можете создавать правила на основе атрибута “издатель”, которое сохраняется в процессе обновления, или вы можете создать правила для определенной версии файла.
- Назначение правил группе безопасности или определенному пользователю.
- Создание исключений из правил. Например можно создать правило, позволяющее все процессы Windows для выполнения за исключением редактор реестра (Regedit.exe).
- Использование режима только аудита для развертывания политики и определения ее влияния до непосредственного применения.
- Импорт и Экспорт правил. Импорт и экспорт влияет на политику в целом. Например при экспортировать политику, все правила из одного из коллекции правил экспортируются, включая параметрах принудительного применения для коллекции правил. При импорте политики, будут перезаписаны все условия в существующую политику.
- Упростить создание и управление ими правила AppLocker с помощью командлетов Windows PowerShell.
AppLocker позволяет снизить административные расходы и помогает сократить расходы на управление вычислительными ресурсами путем снижения числа звонков в службу поддержки, возникающие в результате неутвержденных приложений пользователями
Сведения о AppLocker поддерживает сценарии управления приложения см. в разделе сценариев использования политики AppLocker.
Какие возможности отличаются друг от друга политик ограниченного использования программ и AppLocker?
Отличия
В следующей таблице сравниваются AppLocker для политик ограниченного использования программ.
| Области действия правила | Все пользователи | Определенному пользователю или группе |
| Заданные условия для правила | Хэш файла, путь, сертификат, путь реестра и зона Интернета | Хэш файла, путь и “издатель” |
| Заданные типы правил | Определяют уровни безопасности:
| Разрешающих и запрещающих |
| Действие правила по умолчанию | Без ограничений | Неявный запрет |
| Режиме только аудита | Нет | Да |
| Мастер для создания нескольких правил за один раз | Нет | Да |
| Импорт и экспорт политик | Нет | Да |
| Коллекции правил | Нет | Да |
| Поддержка Windows PowerShell | Нет | Да |
| Настраиваемые сообщения об ошибках | Нет | Да |
Отличия функции управления приложения
В следующей таблице сравниваются функции управления приложениями AppLocker и политик ограниченного использования программ (SRP).
| Области операционной системы | Политики SRP могут применяться для всех операционных систем Windows, начиная с WindowsXP и Windows Server 2003. | Политики AppLocker применяются только к языкам, поддерживаемым выпуски и версии операционной системы, указанных в Необходимые условия для использования AppLocker. Однако эти системы можно также использовать исправлений безопасности.Примечание.Используйте различные объекты групповой политики для правил SRP и AppLocker. |
| Поддержка пользователей | SRP позволяет пользователям устанавливать приложения от имени администратора. | Политики AppLocker являются независимыми через групповую политику, а только администратор устройства можно обновить политики AppLocker.AppLocker позволяет настройки сообщений об ошибках, чтобы направлять пользователей на веб-страницу для получения справки. |
| Политики обслуживания | Политики SRP обновляются с помощью оснастки локальной политики безопасности или консоли управления групповыми политиками (GPMC). | Политики AppLocker обновляются с помощью оснастки локальной политики безопасности или консоль управления групповыми Политиками.AppLocker поддерживает небольшой набор командлетов PowerShell для упрощения администрирования и обслуживания. |
| Политики управления инфраструктуры | Для управления политиками SRP, SRP использует групповой политики в домене и оснастки Локальная политика безопасности для локального компьютера. | Для управления политиками AppLocker, AppLocker использует групповой политики в домене и оснастки Локальная политика безопасности для локального компьютера. |
| Блокировать вредоносные сценарии | Правила для блокирования вредоносные сценарии предотвращает все сценарии, которые связаны с помощью сервера сценариев Windows запуск, за исключением тех, которые получают цифровую подпись в вашей организации. | Правила AppLocker можно управлять в следующих форматах: .ps1, .bat, этот, .vbs и .js. Кроме того можно задать исключения, чтобы разрешить запуск определенных файлов. |
| Управление Установка программного обеспечения | SRP можно предотвратить установку все пакеты установщика Windows. Он позволяет MSI-файлы, имеющих цифровую подпись в вашей организации для установки. | Коллекции правил установщика Windows — это набор правил, созданных для типов файлов установщика Windows (.mst, MSI и .msp) позволяет контролировать установку файлов на клиентские компьютеры и серверы. |
| Управление всех программ на компьютере | Программное обеспечение осуществляется в наборе одно правило. По умолчанию политики для управления программное обеспечение на устройстве запрещает все программное обеспечение на устройстве пользователя, за исключением программное обеспечение, которое устанавливается в папку Windows, папку Program Files или вложенных папок. | В отличие от SRP каждой коллекции правил AppLocker функционирует как разрешенного списка файлов. Для запуска будет разрешено только файлы, которые указаны в коллекции правил. Эта конфигурация упрощает для администраторов определить, что произойдет при применении правила AppLocker. |
| Разные политики для разных пользователей | Правила применяются одинаково для всех пользователей на конкретном устройстве. | На устройстве, которое будет совместно использоваться несколькими пользователями администратор может указать группы пользователей, которые могут получать доступ к программным обеспечением. С помощью AppLocker, администратор может указать пользователя, которому следует применять правила. |
Статьи по теме
- Технический справочник по AppLocker
Отправьте отзыв о следующем:
Этот продукт
Источник: //docs.microsoft.com/ru-ru/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
The OnePlus App Locker Feature Can Be Easily Bypassed
The software flavor found on OnePlus phones is known as OxygenOS. It adds a couple of nifty feature on top of stock Android without deviating too far from what you would expect on a Google device.
I recently started using the OnePlus 5 as a daily driver myself, and despite the controversies I think it’s a great upgrade for any fans of the Google Nexus line. With that being said, I scrutinize every new device I receive for every minor aspect I or dis.
While digging around in the OxygenOS settings, I came across the OnePlus App Locker feature which locks apps that you choose behind your pin/password/fingerprint.
Left: XDA Labs Hidden by App Locker. Right: XDA Feed Hidden by the App Lock Feature.
I’m generally a fan of third-party solutions to feature requests since they aren’t forced on you and usually offer more features than a first-party solution.
In the case of an app lock, though, I much prefer an integrated solution such as the OnePlus App Locker as they are supposed to be harder to kill (thus more secure) as well as faster (since they don’t rely on Accessibility Services or read from the Usage Statistics API).
I was shocked, however, to find that the OxygenOS app lock feature could be easily bypassed.The above demonstration was performed on a OnePlus 5 running OxygenOS 4.5.8
Admittedly, I’m not treating this as some major security flaw or anything as this feature is mostly used when you want to share your phone with someone (hopefully someone you already trust).
If you’re relying on this feature, then that means you’re handing your phone over already unlocked to someone, so it’s not as if this bypass gets around your phone’s main security measures the password/pin/fingerprint or other encryption measures or factory reset protection.
Still, a flaw is a flaw, and if someone me, who isn’t a security researcher, could find this then anybody could.
OnePlus App Locker Bypass Explanation
As shown in the video above, I have hidden the XDA Feed application behind the app lock feature. As expected, I cannot open the app without entering my password.
If I attempt to go to Settings –> Security & fingerprint –> App locker, I am prompted to enter my password.
But when I go back to the home screen and tap on a mysterious app icon for an app I made called “OnePlus App Locker Bypass”, it opens the App Locker settings page where I can freely disable any existing app locks.
Accessing the OxygenOS App Locker feature normally requires password/PIN input
Anyone should be able to replicate this process on their OnePlus device running OxygenOS if they have a launcher such as Nova Launcher installed (that would be a ton of people) or any other application that can launch activities.
Since the app lock feature is most ly used by people who only want to hide certain sensitive applications (such as a super secret gallery app containing totally family friendly pictures) while showing off their shiny new phone, it’s unly that most people would think to hide their launcher app.
Furthermore, since there’s no way to hide the package installer behind an app lock, one could also install a bypass app my own to get around the OnePlus App Locker.
If you’re using Nova Launcher and are curious how to do this, it’s simple. Just add an activity shortcut to “App Locker” which is found under “Dashboard.” Simply tapping on this shortcut will launch the App Locker settings without it asking for your password.
OxygenOS App Locker Settings Activity
I am not really sure why the App Locker settings doesn’t ask for password entry when the activity is launched from a third-party app. One way to solve this would be to simply make the activity an unexported activity so it cannot be accessed from any other app.The AndroidManifest.xml file of com.oneplus.security, part of which is reproduced above, shows that indeed the activity for the OnePlus App Locker feature is an exported activity. Adding android:exported=false to the activity label should solve this problem, I believe.
OnePlus is Aware, will Fix in OxygenOS Update
We notified the OxygenOS team of this issue and they have acknowledged it in the following statement:
We are aware of this issue, and we will be fixing it in an upcoming OTA.
If you are using the App Lock feature right now and want to make sure that nobody can bypass it, I recommend that you add any launcher and browser apps on top of your existing app locks.
This issue, in my opinion, doesn’t detract from the software experience of the OnePlus 5, but let this be a reminder that any security measure might potentially have a hole in it.
Thankfully this time, the security hole is a rather minor one.
Источник: //www.xda-developers.com/oneplus-app-locker-bypass/
