Windows question - is anyone managing Applocker with Ansible?

321 views
Skip to first unread message

N. Bailey

unread,
Aug 17, 2016, 5:34:55 AM8/17/16
to Ansible Development
Hi ansible-devel,

Quick question for anyone running Ansible on Windows: has anyone used Ansible to configure Applocker? It's a security/hardening/audit tool for Windows, replacing Software Restriction Policies.

The natural way to deploy/manage it would be with group policy, but I'm running it on servers outside a domain, so I wanted an Ansible solution instead. Can't see any playbooks or modules out there so far about it, but there's a fairly neat set of powershell cmdlets to do it. I was planning on writing a module to do it, but I thought I'd ask stick my head up and check that this isn't a solved problem already :)

Thanks,
Nikki

Trond Hindenes

unread,
Aug 20, 2016, 2:08:01 PM8/20/16
to Ansible Development
pretty sure that's not solved yet. 

Based on this: https://p0w3rsh3ll.wordpress.com/2015/04/02/configure-applocker-with-desired-state-configuration/ you could take that DSC thing and run it thru my DSC-To-Ansible resource converter (https://github.com/trondhindenes/AnsibleDscModuleGenerator) but it would of course only be compatible with nodes running Powershell V5.

N. Bailey

unread,
Aug 23, 2016, 9:23:43 AM8/23/16
to Trond Hindenes, Ansible Development
Oh, nice! Thanks for the link, that's a really cool concept.

After a bit of hunting around, I'd been thinking the same way as the blogger you linked to - that writing (or templating) an XML file and importing that is much neater than using their Powershell for making rules. So I suspect that a lot of the work involved in making AppLocker hands-off way is really in figuring out all the UUIDs and SIDs and so on you need for a valid XML AppLocker ruleset.

Really, the main piece I'm missing is a way to import an applocker policy from a local file - there's already Ansible solutions for 'grab this file from remotely' or 'template this onto the target host with these parameters', and for 'manage the state of this service' (for AppIDSvc). I'll let the internet know how it goes.

Cheers,
Nikki




--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Development" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-devel/kslynu8JLGk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-devel+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply all
Reply to author
Forward
0 new messages