Author Topic: AppLocker Issue in Windows 7

riso
AppLocker Issue in Windows 7
« on: May 09, 2009, 08:58:38 PM »
Problem
Windows 7 beta AppLocker publisher rules will not function properly for catalog signed files with an expired certificate chain, including Windows system files
Description
In Windows 7 Beta, AppLocker improperly evaluates the digital signatures of catalog signed binaries (including Windows system binaries), which might lead to unexpected behavior. Timestamping is a method that allows a digital signature to remain valid after the signature’s signing certificate has expired. The Windows system binaries, included in the Windows 7 Beta build, are catalog signed with a digital certificate that expired on 18th December 2008. These Windows binaries’ signatures are timestamped to ensure their validity. However, due to the current incorrect behavior, AppLocker ignores the timestamp on the binaries’ signature and therefore considers these files to be unsigned. As a result, AppLocker publisher rules created for Windows system files will not function properly and might cause the system to behave unexpectedly or even prevent the system from fully booting. To ensure that Windows functions properly, you should create the default AppLocker rules. These rules include a path rule that allows all the files in the Windows directory to run. Because of this problem, you should also not create publisher rules in Windows 7 Beta that deny access to Windows system files since AppLocker will be unable to match the file to a rule.
Resolution
If you have created one or more publisher rules for the Windows system files and cannot boot or login to your system, perform the following steps to recover. If you are in a domain environment and the issue is occurring on a client machine, skip to step 2.

Step 1: Start Windows in safe mode
To start the computer in safe mode in Windows 7 Beta, follow these steps:

1. Restart your computer and start pressing the F8 key on your keyboard.
2. In the Windows Advanced Options menu, select Safe mode, and then press ENTER.

Step 2: Create the default rules
The default rules should be created for each rule collection where you want to enforce rules. There are four AppLocker rule collections in Windows 7 Beta: Executable, Windows Installer, Script, and DLL.

To create the default AppLocker rules for a rule collection, perform the following steps.

Using local computer policy
Note: Perform this procedure on the computer that is being affected by the AppLocker publisher rules.

1. Open the Local Security Policy Microsoft Management Console (MMC) snap-in. To do this:
• Click the Start button, type secpol.msc in the Search programs and files box, and then press ENTER.
2. In the console tree, locate and expand Application Control Policies, expand AppLocker, and then select the relevant rule collection.
3. Right-click the rule collection and then click Create Default Rules.

Using Group Policy
Note: Add the default rules to the GPO from which the affected computer is receiving the AppLocker publisher rules.

1. Open the Group Policy MMC snap-in:
a. Click the Start button, type mmc in the Search programs and files box, and then press ENTER.
b. On the File menu, click Add/Remove Snap-in.
c. Click Add.
d. Under Available Stand-alone Snap-ins, click Group Policy, and then click Add.
e. If you do not want to edit the Local Computer policy, click Browse to locate the Group Policy object that you want. Supply your user name and password if prompted, and then when you return to the Select Group Policy Object dialog box, click Finish.
Note: You can use the Browse button to locate group policy objects linked to sites, domains, organizational units (OU), or computers. Use the default Group Policy Object (GPO) (Local Computer) to edit the settings on the local computer.
f. Click Close, and then in the Add/Remove Snap-in dialog box, click OK.
2. In the console tree, locate and expand Application Control Policies, expand AppLocker, and then select the relevant rule collection.
3. Right-click the rule collection and then click Create Default Rules.

Step 3: Restart Windows and wait for the welcome screen
Windows must now be restarted to apply the changes that you have just completed. On this restart, however, the process that starts the user’s desktop (Explorer.exe) will initially be blocked. As a result, the Welcome screen will appear as Windows starts, but the Login screen will not be displayed. To complete this step, restart the computer, wait for the Welcome screen to appear, and then wait approximately two minutes for a black screen to appear.

Step 4: Restart Windows Normally and Verify the Resolution
Finally, restart the computer normally and verify that Windows is now functioning properly.
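The post's recovery procedure is GUI-only. The following is an added example (not part of the post above or of Microsoft's KB text) that does the same from PowerShell with the AppLocker module: it shows how AppLocker identifies a catalog-signed system binary (an empty Publisher is the symptom the post describes), stages the default Executable path rules as XML, and, most usefully, simulates the effective policy against every executable in System32 before and after merging those defaults in, so a rule that would block a system file is found before a reboot rather than at the Welcome screen. Assumptions: it runs as Administrator on Windows 7 RTM, where the Get-AppLockerFileInformation, Get-AppLockerPolicy, Set-AppLockerPolicy and Test-AppLockerPolicy cmdlets ship (a Beta build may not have them); %WINDIR%\System32 is the system directory; rule GUIDs are generated fresh rather than copied from the MMC; the helper function names are mine.

```powershell
# Added example, not from the post or from Microsoft. Assumes Windows 7 with the
# AppLocker module, run in an elevated PowerShell session.
Import-Module AppLocker

# 1. How AppLocker identifies a Windows system binary. A populated Publisher means the
#    catalog signature was honoured; an empty one means the file will only ever match
#    path or hash rules, which is the Beta failure mode described in the post.
function Get-PublisherSummary([string]$File) {
    $info = Get-AppLockerFileInformation -Path $File
    if ($info.Publisher) {
        "$File -> $($info.Publisher.PublisherName) | $($info.Publisher.ProductName) | $($info.Publisher.BinaryName)"
    } else {
        "$File -> no publisher information (AppLocker sees this file as unsigned)"
    }
}

# 2. The default Executable rules as Create Default Rules generates them: Everyone
#    (S-1-1-0) may run %PROGRAMFILES%\* and %WINDIR%\*, local Administrators
#    (S-1-5-32-544) may run anything. The Windows-folder rule is the one that
#    recovers a system; the other two are included to match what the GUI creates.
#    Assumption: any unique GUID is acceptable as a rule Id.
function New-PathRuleXml([string]$Name, [string]$Path, [string]$Sid) {
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

function New-DefaultExePolicyXml {
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(New-PathRuleXml '(Default Rule) All files located in the Program Files folder' '%PROGRAMFILES%\*' 'S-1-1-0')
$(New-PathRuleXml '(Default Rule) All files located in the Windows folder' '%WINDIR%\*' 'S-1-1-0')
$(New-PathRuleXml '(Default Rule) All files' '*' 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@
}

# 3. Simulate a policy against every executable in System32 and return those that would
#    be denied. Each entry is a rule (or the absence of an allow rule) that blocks a
#    system file, i.e. the condition that stopped Explorer.exe at boot in the post.
function Get-DeniedSystemExecutables([string]$PolicyXmlFile) {
    $exes = Get-ChildItem -Path (Join-Path $env:WINDIR 'System32\*.exe') |
            Select-Object -ExpandProperty FullName
    Test-AppLockerPolicy -XmlPolicy $PolicyXmlFile -Path $exes -Filter Denied, DeniedByDefault
}

# --- usage ---
Get-PublisherSummary (Join-Path $env:WINDIR 'System32\notepad.exe')

$effective = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effective -Encoding UTF8
'Denied before adding the default rules:'
Get-DeniedSystemExecutables $effective | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge the defaults into the local policy (the PowerShell equivalent of Step 2 under
# "Using local computer policy"; a domain client needs them in the GPO instead, which
# Set-AppLockerPolicy can target with -Ldap).
$defaults = Join-Path $env:TEMP 'applocker-default-exe.xml'
New-DefaultExePolicyXml | Set-Content -Path $defaults -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $defaults -Merge

Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effective -Encoding UTF8
'Denied after adding the default rules (only files hit by an explicit Deny rule should remain):'
Get-DeniedSystemExecutables $effective | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Two points worth keeping in mind when using this. Test-AppLockerPolicy evaluates the XML you hand it, not the kernel's view, so on a build with the catalog-signature bug it tells you what the policy says, not whether the Application Identity service will actually match a publisher rule at runtime; the Publisher check in step 1 is the one that reveals the bug. And because AppLocker gives an explicit Deny precedence over any Allow, a publisher Deny rule on a system file is not neutralised by the path defaults; on the Beta it simply fails to match and the file falls through to the %WINDIR% allow rule, which is why the post says not to write such rules at all.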