CryptoLocker Group Policy Exceptions

In recent posts (here) I’ve addressed the process of creating Group Policy rules for securing your workstations from attacks like the CryptoLocker ransomware. These rules will prevent random executable files located in your local Application Data folder (AppData) from running.

The vast majority of programs that you may use should not put .exe files in the AppData folder, but every so often we come across an exception. In my case, I tried running Join.Me this morning and was greeted with this pop up window:

image

The process of adding an exception to the Software Restriction Rules we previously created is very straightfoward:

  1. From the server, open up Group Policy Management console
  2. Drill down Your_domain.local –> MyBusiness –> Computers –> SBSComputers

    Modify the XP rule

  3. Right click on the Prevent CryptoLocker XP rule, and click Edit
  4. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  5. Right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
    In my case, my rule looks like this:
    image
  6. Click OK

    Modify the Vista and higher rule

  7. Right click on the Prevent CryptoLocker Vista and higher rule, and click Edit
  8. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  9. Right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
    In my case, my rule looks like this:
    image
  10. Click OK

You may now wait the appropriate time (somewhere around 90 minutes, I believe) for Group Policy changes to be broadcast to all workstations, or, if you are in a hurry:

  1. From the server, open up an elevated command prompt and run: gpupdate /force
  2. Then from your workstation, open up an elevated command prompt and run: gpupdate /force

You may now test out your application

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.