ACSC AppLocker Recommendations
The Australian Cyber Security Centre (ACSC) recognises AppLocker as a valid application control mechanism under the Essential Eight – Application Control strategy.
If Microsoft AppLocker (the older of Microsoft's two application control technologies; WDAC is its successor) is used, ACSC recommends a basic path-based implementation: only applications installed in the standard, administrator-controlled directories are allowed to execute, and the user-writable locations inside those directories that are commonly abused for persistence and execution are carved out. Path rules are only as strong as the NTFS permissions on the allowed paths: if a standard user can write a file into an allowed path, that file will run, which is why the exception lists below exist and why they should be checked against your own build.
Enable AppIDSvc Service
🔹 Why
- AppLocker relies on AppIDSvc to evaluate rules against executables, scripts, MSIs, and packaged apps.
 
If AppIDSvc is stopped or disabled:
- All applications run as if no AppLocker policy existed.
 - No audit or block events are generated, so a stopped service is invisible unless you check for it.
 
GPO Location: Computer Configuration\Policies\Windows Settings\Security Settings\System Services
Service: Application Identity = Automatic
On current Windows releases (Windows 10 1809 / Server 2019 and later) AppIDSvc is a protected service and its start type cannot be changed from services.msc; set it through this Group Policy setting or with `sc.exe config appidsvc start= auto`.

Create & Apply the Rules
GPO Location: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker
AppLocker Executable Rules – ACSC Baseline
Allow Rules
- %ProgramFiles%\* → permits any executable installed in Program Files. AppLocker's %PROGRAMFILES% variable covers both Program Files and Program Files (x86), so this covers properly installed business and productivity applications.
 - %WinDir%\* → permits any executable in the Windows directory. This ensures the operating system itself can run normally.
 
Exceptions (Paths Carved Out of the %WinDir%\* Allow)
These directories sit under %WinDir% but are writable by standard users with the default permissions, so without an exception a user (or malware running as that user) could drop an executable there and it would be allowed by the %WinDir%\* rule:
- %System32%\Microsoft\Crypto\RSA\MachineKeys\* → blocks execution from the MachineKeys folder, which attackers have abused to hide and run payloads.
 - %System32%\spool\drivers\color\* → blocks execution from the printer colour profile directory, another user-writable spot used to stash executables.
 - %System32%\Tasks\* & %WinDir%\Tasks\* → blocks executables from the Windows Tasks folders, a persistence location used alongside scheduled task backdoors.
 - %WinDir%\Temp\* → blocks execution from the system Temp directory, a common drop and staging location for malware.
 
✅ Summary: These executable rules allow Windows and installed programs to function normally while closing down high-risk directories often exploited for malware persistence and execution.
| Rule Type | Path | Action | Description |
|---|---|---|---|
| Allow | %ProgramFiles%\* | Allow Everyone | Permits executables installed in Program Files (both Program Files directories). |
| Allow (with exceptions) | %WinDir%\* | Allow Everyone | Permits executables in the Windows directory, except in the high-risk locations listed below. |
| Exception | %System32%\Microsoft\Crypto\RSA\MachineKeys\* | Block (carved out of the %WinDir%\* allow) | Machine key store; writable by standard users. |
| Exception | %System32%\spool\drivers\color\* | Block (carved out of the %WinDir%\* allow) | Printer colour profiles; writable by standard users. |
| Exception | %System32%\Tasks\* | Block (carved out of the %WinDir%\* allow) | Scheduled task definitions. |
| Exception | %WinDir%\Tasks\* | Block (carved out of the %WinDir%\* allow) | Legacy scheduled task folder. |
| Exception | %WinDir%\Temp\* | Block (carved out of the %WinDir%\* allow) | System temp directory; common malware staging location. |

🔹 AppLocker Windows Installer Rules – ACSC Baseline
These rules control which Windows Installer (.msi, .msp) packages are allowed to run.
Allow Rules
- Microsoft Corporation (Publisher rule) → allows any MSI signed by Microsoft Corporation.
 - Microsoft Windows (Publisher rule) → allows any MSI signed specifically by Microsoft Windows.
 
👉 Together, these rules ensure that Microsoft-signed installers and updates can run, while unsigned or third-party MSI files that could be used to deliver malware are blocked. In practice you will add publisher rules for your own software vendors to this collection; note also that it only governs Windows Installer packages, and a setup program shipped as an .exe is evaluated by the executable rules instead.
| Rule Type | Publisher | Action | Description | 
|---|---|---|---|
| Allow | CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US | Allow Everyone | Permits Windows Installer packages signed by Microsoft Corporation. | 
| Allow | CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US | Allow Everyone | Permits Windows Installer packages signed specifically by Microsoft Windows. | 
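The executable and Windows Installer baselines above, expressed as an importable AppLocker policy. This is an added example written for this page, not code from the ACSC document: it writes the path rules with their exceptions as AppLocker XML, imports them locally in audit mode, proves the exception logic with Test-AppLockerPolicy, and then derives the Msi publisher rule from a signed reference installer rather than hand-typing the publisher string. The rule Ids are freshly generated GUIDs, S-1-1-0 is the well-known SID for Everyone, and `C:\Staging\reference.msi` is an assumed path you would replace with a real Microsoft-signed installer.

```powershell
# Added example for this page (not from the ACSC document): implement the
# ACSC executable baseline as a local AppLocker policy, import it in audit
# mode, and verify the exception logic with Test-AppLockerPolicy.
# Run in an elevated PowerShell session. Rule Ids are fresh GUIDs; S-1-1-0 is
# the well-known SID for Everyone. C:\Staging\reference.msi is an assumed path.

# AppLocker does nothing without the Application Identity service. On current
# Windows builds the service is protected, so sc.exe (not Set-Service) sets it.
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="ACSC: Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="ACSC: Allow Windows folder with exceptions"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%SYSTEM32%\Microsoft\Crypto\RSA\MachineKeys\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
        <FilePathCondition Path="%SYSTEM32%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'acsc-applocker-exe.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
$null = [xml](Get-Content -Path $policyPath -Raw)   # throws on malformed XML before AppLocker is touched

# Local import (replaces the local policy; a domain GPO policy, if any, still merges on top).
# For GPO deployment, import the same XML under Application Control Policies > AppLocker.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Offline check of the rule logic: nothing is executed, the paths are only matched
# against the policy. The files must exist, so a copy of cmd.exe stands in for a dropper.
$probe = Join-Path $env:windir 'Temp\acsc-probe.exe'
Copy-Item -Path (Join-Path $env:windir 'System32\cmd.exe') -Destination $probe -Force
$checks = @(
    (Join-Path $env:windir 'explorer.exe'),                        # Allowed by %WINDIR%\*
    (Join-Path $env:ProgramFiles 'Windows Defender\MsMpEng.exe'),  # Allowed by %PROGRAMFILES%\*
    $probe                                                         # DeniedByDefaultRule: %WINDIR%\Temp is excepted
) | Where-Object { Test-Path -LiteralPath $_ }
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $checks -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -LiteralPath $probe -Force

# Windows Installer collection: generate the publisher rule from a signed reference
# installer so the PublisherName is exactly what AppLocker extracts from the
# Authenticode certificate. Review the generated rule: it is scoped to that file's
# product and binary name; relax ProductName/BinaryName to "*" in the XML if you
# want the publisher-only scope the baseline describes.
$refMsi = 'C:\Staging\reference.msi'   # assumed path
if (Test-Path -LiteralPath $refMsi) {
    $msiPolicy = Get-AppLockerFileInformation -Path $refMsi |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'ACSC-Msi'
    Set-AppLockerPolicy -PolicyObject $msiPolicy -Merge
}

# Confirm what is now effective on this machine (includes any domain GPO policy).
Get-AppLockerPolicy -Effective -Xml
```

The probe copied into %WinDir%\Temp should come back as DeniedByDefaultRule: the exception removes it from the %WinDir%\* allow and no other rule covers it, which is the behaviour the baseline relies on. The same XML shape (FilePathRule with an Exceptions element) is what the Script and Dll collections use; only the `Type` attribute and the exception list change.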

🔹 AppLocker Script Rules – ACSC Baseline
These rules control script execution (.ps1, .vbs, .cmd, .bat and .js). Note that when the Script collection is enforced, PowerShell 5.0 and later runs in Constrained Language Mode for anything the policy does not allow, including the interactive console, while scripts matched by an allow rule run with the full language; test administrative PowerShell tooling in audit mode before enforcing.
Allow Rules
- %ProgramFiles%\* → permits scripts installed in Program Files.
 - %WinDir%\* → permits scripts in the Windows directory.
 
Exceptions (Paths Carved Out of the %WinDir%\* Allow)
These directories are writable by standard users with the default permissions, so a script dropped there would otherwise be allowed by the %WinDir%\* rule; they are the locations attackers commonly use for persistence and execution:
- %System32%\Com\dmp\* → COM+ crash dumps.
 - %System32%\FxsTmp\* → Fax service temporary files.
 - %System32%\Microsoft\Crypto\RSA\MachineKeys\* → key storage folder.
 - %System32%\spool\drivers\color\* → printer driver profiles.
 - %System32%\spool\PRINTERS\* → printer spool directory.
 - %System32%\spool\SERVERS\* → print server spool directory.
 - %System32%\Tasks\* & %WinDir%\Tasks\* → scheduled task persistence.
 - %WinDir%\Registration\CRMLog\* → COM+ registration logs.
 - %WinDir%\Temp\* → common malware staging folder.
 - %WinDir%\tracing\* → tracing logs.
 
| Rule Type | Path | Action | Description |
|---|---|---|---|
| Allow | %ProgramFiles%\* | Allow Everyone | Permits scripts installed in Program Files. |
| Allow (with exceptions) | %WinDir%\* | Allow Everyone | Permits scripts in the Windows directory, except in the high-risk subfolders listed below. |
| Exception | %System32%\Com\dmp\* | Block (carved out of the %WinDir%\* allow) | COM+ crash dumps. |
| Exception | %System32%\FxsTmp\* | Block (carved out of the %WinDir%\* allow) | Fax service temporary files. |
| Exception | %System32%\Microsoft\Crypto\RSA\MachineKeys\* | Block (carved out of the %WinDir%\* allow) | Machine key store. |
| Exception | %System32%\spool\drivers\color\* | Block (carved out of the %WinDir%\* allow) | Printer colour profiles. |
| Exception | %System32%\spool\PRINTERS\* | Block (carved out of the %WinDir%\* allow) | Printer spool directory. |
| Exception | %System32%\spool\SERVERS\* | Block (carved out of the %WinDir%\* allow) | Print server spool directory. |
| Exception | %System32%\Tasks\* | Block (carved out of the %WinDir%\* allow) | Scheduled task definitions. |
| Exception | %WinDir%\Registration\CRMLog\* | Block (carved out of the %WinDir%\* allow) | COM+ registration logs. |
| Exception | %WinDir%\Tasks\* | Block (carved out of the %WinDir%\* allow) | Legacy scheduled task folder. |
| Exception | %WinDir%\Temp\* | Block (carved out of the %WinDir%\* allow) | System temp directory. |
| Exception | %WinDir%\tracing\* | Block (carved out of the %WinDir%\* allow) | Tracing logs. |
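The exception lists for the Exe, Script and DLL collections all exist for the same reason: those directories under %WinDir% are writable by standard users. The following is an added example written for this page (not from the ACSC document) that finds such directories on the machine it runs on, so you can confirm the baseline's list against your own build and add any user-writable folder your image has that the list does not. Principals are matched by well-known SID so the check does not depend on the display names of the built-in groups.

```powershell
# Added example for this page (not from the ACSC document): find directories
# under %WinDir% that standard users can create files in. These are the places a
# %WinDir%\* allow rule must except, so compare the output with the exception
# lists for the Exe, Script and DLL collections and add anything your build has
# that the baseline does not. Run elevated; walking C:\Windows takes a few minutes.

function Get-UserWritableDirectory {
    param([string]$Root = $env:windir)

    # Principals every non-admin user is a member of, by well-known SID.
    $lowPrivSids = @(
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-32-545', # BUILTIN\Users
        'S-1-5-4'       # INTERACTIVE
    )
    # Rights that let a file or subdirectory be created (WriteData == CreateFiles,
    # AppendData == CreateDirectories; 'Write' and 'Modify' include both bits).
    $createRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $dir = $_.FullName
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # unreadable ACL: skip this directory
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.FileSystemRights -band $createRights) -eq 0) { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }    # orphaned or untranslatable principal
            if ($sid -in $lowPrivSids) {
                [pscustomobject]@{
                    Path      = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
      }
}

# One line per writable directory. On a stock image the hits include Tasks, Temp,
# tracing, Registration\CRMLog, System32\spool\PRINTERS and MachineKeys: the same
# paths the ACSC exception lists name.
Get-UserWritableDirectory | Sort-Object Path -Unique | Format-Table -AutoSize
```

Any directory this reports that is not already an exception is a gap in a path-based policy: a standard user can write there, and %WinDir%\* would allow what they wrote to run. Either add it as an exception or fix its permissions.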

🔹 AppLocker DLL Rules – ACSC Baseline
DLL (Dynamic Link Library) rules allow you to control which .dll and .ocx files can be loaded by executables.
By default, the DLL rule collection is not enabled, because once it is on every DLL load on the system is evaluated, which carries a performance and compatibility cost. Enable it only after the other collections are stable, and run it in audit mode first; the steps are given under "Enabling DLL Rules" below.
Allow Rules
- %ProgramFiles%\* → permits DLLs located in Program Files.
 - %WinDir%\* → permits DLLs in the Windows directory.
 
Exceptions (Block These Paths under %WinDir%\*)
These writable or risky folders are excluded to prevent attackers from planting malicious DLLs:
- %System32%\Microsoft\Crypto\RSA\MachineKeys\* → key storage directory.
 - %System32%\spool\drivers\color\* → printer driver color profiles.
 - %System32%\Tasks\* & %WinDir%\Tasks\* → scheduled task persistence paths.
 - %WinDir%\Temp\* → common malware staging folder.
 
Why this matters:
Enabling DLL rules ensures that only trusted DLLs from standard OS and application directories are loaded, while blocking execution from directories commonly abused for DLL hijacking or persistence.
Enabling DLL Rules
To enable DLL rule enforcement, right-click "AppLocker", select "Properties", go to the "Advanced" tab, and check "Enable the DLL rule collection".

| Rule Type | Path | Action | Description |
|---|---|---|---|
| Allow | %ProgramFiles%\* | Allow Everyone | Permits DLLs located in Program Files. |
| Allow (with exceptions) | %WinDir%\* | Allow Everyone | Permits DLLs in the Windows directory, except in the high-risk subfolders listed below. |
| Exception | %System32%\Microsoft\Crypto\RSA\MachineKeys\* | Block (carved out of the %WinDir%\* allow) | Machine key store. |
| Exception | %System32%\spool\drivers\color\* | Block (carved out of the %WinDir%\* allow) | Printer colour profiles. |
| Exception | %System32%\Tasks\* | Block (carved out of the %WinDir%\* allow) | Scheduled task definitions. |
| Exception | %WinDir%\Tasks\* | Block (carved out of the %WinDir%\* allow) | Legacy scheduled task folder. |
| Exception | %WinDir%\Temp\* | Block (carved out of the %WinDir%\* allow) | System temp directory. |

🔹 AppLocker Packaged App Rules – ACSC Baseline
Packaged app rules apply to Universal Windows Platform (UWP) apps and their installers (e.g., apps from the Microsoft Store). Because every packaged app must be signed, this collection supports publisher rules only; there are no path or hash rules here.
Allow Rules
- Publisher: Microsoft Corporation (CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US) → allows packaged apps signed by Microsoft Corporation.
 - Publisher: Microsoft Windows (CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US) → allows packaged apps signed specifically by Microsoft Windows.
 
👉 Together, these rules ensure that only Microsoft-signed Store apps and core Windows packaged apps are permitted.
Any other packaged app is blocked until a publisher rule for its signer is added.
| Rule Type | Publisher | Action | Description | 
|---|---|---|---|
| Allow | CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US | Allow Everyone | Permits Microsoft Corporation-signed packaged apps and installers. | 
| Allow | CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US | Allow Everyone | Permits Microsoft Windows-signed packaged apps and installers. | 

🔹 AppLocker Enforcement Modes
Once you’ve created AppLocker rules, you must decide how they will operate:
1. Audit Mode
What it does:
- Rules are evaluated but not enforced.
 - Applications, scripts, DLLs, or installers that would normally be blocked are still allowed to run.
 - Every “would-be block” is logged in Event Viewer → Applications and Services Logs → Microsoft → Windows → AppLocker, in separate logs for EXE and DLL, MSI and Script, and packaged app deployment and execution.
 
When to use:
- Testing phase → confirm rules won’t break business applications.
 - Helps build an allowlist by monitoring what software is actually used.
 
Event IDs:
- 8003 → EXE or DLL that would have been blocked (EXE and DLL log).
 - 8006 → MSI or script that would have been blocked (MSI and Script log).
 - 8021 / 8024 → packaged app execution / installation that would have been blocked.
 - 8002, 8005, 8020 and 8023 are the matching "allowed" events, useful for confirming that a rule matches what you intended.
 
2. Enforced Mode
What it does:
- Rules are actively enforced.
 - Anything not allowed by the rules will be blocked from executing.
 - Block events are also logged in Event Viewer.
 
When to use:
- After rules have been tested in Audit Mode.
 - For production enforcement of application control.
 
Event IDs:
- 8004 → EXE or DLL blocked (EXE and DLL log).
 - 8007 → MSI or script blocked (MSI and Script log).
 - 8022 / 8025 → packaged app execution / installation blocked.
 
Right-click "AppLocker", select "Properties" and, on the Configure tab, set the enforcement mode for each rule collection; in my case I am going to enforce all rules. Two behaviours to keep in mind: a collection left at "Not configured" still enforces any rules it contains, and a collection that contains no rules at all allows every file of that type.
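Audit mode only pays off if someone reads the events. The following is an added example written for this page (not from the ACSC document) that pulls the audit and block events from the EXE/DLL and MSI/Script logs, parses the AppLocker-specific fields, and lists the most frequent would-be blocks, which is the raw material for deciding which allow rules to add before switching a collection to Enforce rules. The event ID mapping is the one given above; the `Get-AppLockerDecision` function name and the seven-day window are choices made for this example.

```powershell
# Added example for this page (not from the ACSC document): pull AppLocker
# audit and block events from the last week and list the would-be blocks most
# often seen, the input for refining the allowlist before a collection is
# switched to Enforce rules. Run elevated. Only the EXE/DLL and MSI/Script
# logs are read here; packaged app events (8021/8022, 8024/8025) live in the
# two "Packaged app-*" logs next to them.

$decision = @{
    8002 = 'Allowed'; 8003 = 'Audit: would be blocked'; 8004 = 'Blocked'   # EXE and DLL log
    8005 = 'Allowed'; 8006 = 'Audit: would be blocked'; 8007 = 'Blocked'   # MSI and Script log
}

function Get-AppLockerDecision {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int[]]$Id = @(8003, 8004, 8006, 8007)
    )
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'
    foreach ($log in $logs) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Id; StartTime = $Since } `
                               -ErrorAction SilentlyContinue   # no events in range is not an error
        foreach ($e in $events) {
            # AppLocker puts its fields under UserData/RuleAndFileData, not EventData.
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Decision  = $decision[[int]$e.Id]
                FilePath  = $d.FilePath       # normalised, e.g. %WINDIR%\TEMP\DROPPER.EXE
                Publisher = $d.Fqbn           # "Publisher\Product\Binary\Version", or '-' if unsigned
                User      = $d.TargetUser
                Rule      = $d.RuleName
            }
        }
    }
}

# Candidate allow rules: most frequent would-be blocks first. A signed publisher
# here means a publisher rule is the better fix; an unsigned file in a user path
# is exactly what the policy is meant to stop and needs no rule at all.
Get-AppLockerDecision | Where-Object Decision -like 'Audit*' |
    Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Publisher'; e = { ($_.Group | Select-Object -First 1).Publisher } },
        @{ n = 'Users';     e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run the same function with `-Id 8004, 8007` after enforcement to see what is actually being blocked; the FilePath values already use AppLocker's own path variables, so a hit can be compared directly with the rule paths above.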

🔹 Final Summary – AppLocker and ACSC Recommendations
AppLocker is a powerful Windows feature that enforces application control, one of the ACSC’s Essential Eight strategies. By controlling which executables, scripts, installers, DLLs, and packaged apps can run, organisations can prevent unauthorised or malicious software from executing.
- Application Identity service (AppIDSvc) must be enabled for rules to work.
 - The AppLocker default rules (Everyone on Program Files and Windows, plus BUILTIN\Administrators everywhere) are only a starting point; the ACSC baseline adds the exceptions for user-writable paths and the Microsoft publisher rules for installers and packaged apps.
 - Executable, Script, Installer, DLL, and Packaged App rules together create a comprehensive control set.
 - Exceptions under %WinDir% target high-risk directories commonly abused for persistence and malware execution.
 - Rules can be deployed in Audit Mode (log only) to safely test policies before switching to Enforced Mode (actively block).
 
✅ Best Practice:
- Start with Audit Mode to identify legitimate applications.
 - Refine rules based on logs and operational needs.
 - Transition to Enforced Mode for strong protection.
 - For higher security environments, enable DLL rules after careful testing.
 
By implementing AppLocker with ACSC’s recommended configuration, even on Windows Pro editions, you establish a robust baseline of application control that helps mitigate ransomware, malware, and unauthorised software risks while progressing toward Essential Eight maturity.
Source: Australian Cyber Security Centre (ACSC), Implementing Application Control, available at cyber.gov.au