Configure Applocker

This section describes how to configure the PSMConfigureAppLocker.xml file. Use this reference when you run the applocker script manually.

AppLocker rules

To create a hardened and secure PSM environment, the system must limit the applications that can be launched during a PSM session. To do this, the PSM uses the Windows AppLocker feature, which defines a set of rules that allow or deny applications from running on the PSM machine, based on unique file identities. These rules specify which users or groups can run those applications.

The PSM installation includes an AppLocker script which enables PSM users to invoke internal PSM applications, mandatory Windows applications, and 3rd party external applications that are used as clients in the PSM.

All AppLocker rules are defined in the PSMConfigureAppLocker.xml file in the PSM installation folder > Hardening.

  • If your environment includes executables that must be allowed, in addition to those that are built into the PSM installation, such as PSM Universal Connector executables, you must edit this file to add rules that allow these executables.

  • If you have connectors deployed using shared universal connector deployment on multiple PSM servers, they are updated automatically in the AppLocker rules. For details, see Deploy Universal Connectors on multiple PSM servers. Associated executables are automatically updated in the AppLocker rules, but DLL dependencies must be added manually.

  • Beginning in version 12.2.4, DLL files are allowed only when located with the allowed executables. If your environment includes DLL files that are not located with the allowed executables, you must add them to the PSMConfigureAppLocker.xml file.

Configure and run the AppLocker script

  1. In the PSM installation folder, remove the read-only permissions from the PSMConfigureAppLocker.xml file.

  2. Merge any changes in the PSMConfigureAppLocker.xml file to the PSMConfigureAppLocker.xml_<date of upgrade>.bak file.

  3. Back up the PSMConfigureAppLocker.xml file and rename the PSMConfigureAppLocker.xml_<date of upgrade>.bak file to PSMConfigureAppLocker.xml.

  4. Run the Hardening stage of the PSM installation with only Run Applocker Rules enabled.

    1. From the CD image, open InstallationAutomation\Hardening\HardeningConfig.XML.

    2. Set Enable = Yes for Run AppLocker rules.

    3. Disable the rest of the steps.

    4. Run the hardening stage:

      Open a PowerShell window and run the following command:

      CD "<CD-Image Path>\InstallationAutomation"
      .\Execute-Stage.ps1 "<CD-Image Path>\InstallationAutomation\Hardening\HardeningConfig.XML"

Detect blocked DLL files

This section is applicable from version 12.2.4 and higher.

If a connector fails, run the executable related to this connector and rerun the AppLocker script. See Run the Hardening stage of the PSM installation with only Run Applocker Rules enabled.

If the connector is still blocked, do the following:

  1. Open the Windows Event viewer.

  2. Go to Applications and Services Logs\Microsoft\Windows\Applocker\EXE and DLL.

  3. In the left pane, right-click EXE and DLL and select Clear Log.... Select Save and Clear to back up the logged events.

  4. Initiate a connection with the relevant connector through the PVWA.

  5. Go back to Applications and Services Logs\Microsoft\Windows\Applocker\EXE and DLL.

  6. In the left pane, right-click EXE and DLL and click Refresh.

  7. In the right pane, click Filter Current Log..., under Event level select only Error, and click OK.

  8. Check for Error 8004.

    For example, if the DLL dependencies of sqlplus.exe are not allowed, the following PSM exception appears in the PSM log:

    [12/12/2021 | 19:33:06.608333] | {pid= 2108} | {tid= 3040} | class CPSMBaseException * | PSM\(68) | ::
    | PSMSR009I Privileged Session Manager exception occurred. PSMSR278I [4380081f-4041-44ef-a6ed-992f0ee4e77f] Session component [CommandLineConnectionClient] has stopped. Ending session. (Codes: -1, -1)

    In the Windows Event viewer, the following errors appear:

    [Screenshot: Event Viewer showing the Error 8004 events for the blocked DLLs]

  9. For each blocked DLL error found, add a line for that DLL to the PSMConfigureAppLocker.xml file under AllowedApplications, in the DLL section.

    Use the following format, replacing any AppLocker path variable in the path reported by the 8004 error with the absolute path:

    <Libraries Name="UniqueName" Type="Dll" Path="<The DLL path presented in the 8004 error>" Method="Hash" />

Repeat the process (steps 1-9) until the connector works properly.
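As an added example (not part of the CyberArk documentation or of the PSM scripts), the following PowerShell reads the 8004 events from the EXE and DLL log, resolves the AppLocker path variables to absolute paths, and prints <Libraries .../> lines in the format above for review before they are pasted into the DLL section. The path-variable map and the "PSMDll_<file name>" naming scheme are this script's own assumptions.

```powershell
# Added example, not part of the CyberArk documentation or PSM scripts. Collects AppLocker
# event 8004 from the "EXE and DLL" log and prints <Libraries .../> lines for the DLL section
# of PSMConfigureAppLocker.xml. The variable map and "PSMDll_<file>" names are assumptions.

# AppLocker path variables as they appear in event 8004, mapped to this host's absolute paths.
$pathVariables = @{
    '%OSDRIVE%'      = $env:SystemDrive
    '%WINDIR%'       = $env:windir
    '%SYSTEM32%'     = Join-Path $env:windir 'System32'
    '%PROGRAMFILES%' = $env:ProgramFiles
}

function Resolve-AppLockerPath {
    param([string]$Path)
    foreach ($variable in $pathVariables.Keys) {
        if ($Path.StartsWith($variable, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $pathVariables[$variable] + $Path.Substring($variable.Length)
        }
    }
    return $Path   # no variable prefix: already absolute (for example a UNC path)
}

function Get-BlockedDllRules {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004; StartTime = $Since }
    $entries = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $seenPaths = @{}; $usedNames = @{}
    foreach ($entry in $entries) {
        # Event 8004 carries the blocked file in UserData/RuleAndFileData/FilePath.
        $filePath = ([xml]$entry.ToXml()).Event.UserData.RuleAndFileData.FilePath
        $absolute = Resolve-AppLockerPath $filePath
        # Only DLL blocks belong in the DLL section; skip executables and repeated paths.
        if ([IO.Path]::GetExtension($absolute) -ne '.dll') { continue }
        if ($seenPaths.ContainsKey($absolute.ToLower())) { continue }
        $seenPaths[$absolute.ToLower()] = $true
        # Name must be unique in the file: derive it from the file name and de-duplicate.
        $base = 'PSMDll_' + ([IO.Path]::GetFileNameWithoutExtension($absolute) -replace '[^A-Za-z0-9_]', '_')
        $name = $base; $n = 2
        while ($usedNames.ContainsKey($name)) { $name = "${base}_$n"; $n++ }
        $usedNames[$name] = $true
        # Escape the path for XML and flag missing files, since a hash rule needs the file present.
        $escaped = [System.Security.SecurityElement]::Escape($absolute)
        $note = if (Test-Path -LiteralPath $absolute) { '' } else { ' <!-- not found on this host: verify the path -->' }
        "<Libraries Name=`"$name`" Type=`"Dll`" Path=`"$escaped`" Method=`"Hash`" />$note"
    }
}

Get-BlockedDllRules
```

Run it on the PSM server right after reproducing the failure (steps 4 to 8), then paste the reviewed lines into the DLL section and rerun the AppLocker script.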