Airlock vs Microsoft AppLocker™

Not all application whitelists are created equal

Microsoft AppLocker™
Performs application control that is heavily reliant on user and folder exemptions to function, often resulting in a decreased level of security.

Airlock Digital
Enforces easily configurable and secure application whitelists that also apply to administrative users.

User Permissions

Airlock enforces allowlisting on all users, including local administrative users and the local Windows SYSTEM account. File executions below the administrative user context, such as drivers, are checked by the Airlock agent.
AppLocker primarily relies upon user permissions in order to provide security. By default, all domain and local administrative users are exempt from application control. Files executing below the administrative user context (SYSTEM), such as drivers, are not logged or blocked by AppLocker.

Exclusion Management

Airlock supports the use of One Time Pad (OTP) codes, which are provided to users in the event they need to run files that would otherwise be blocked. Users are not required to be connected to the company network. Codes temporarily disable allowlisting enforcement (not monitoring) for a defined time period.
AppLocker has no ability to temporarily ‘opt-out’ users from Application Control. Computers must be removed from the AppLocker policy while connected to the organisation's network, and changes sometimes take time to take effect on the computer.

Ease of Management

Airlock is built with dedicated policy management workflows that are centrally managed via an easy to use web based interface.
AppLocker relies upon Group Policy management in order to configure and deliver policies to end computers, which does not include a native way to correlate and process events. One way Microsoft makes this process easier is via a GitHub project called ‘AaronLocker’ [1], which leverages an Excel spreadsheet to assist with rule management.

Centralised Logging

Airlock block and allow events are displayed in an easy to view client interface, with all events automatically centrally logged to a web based console. The events are displayed and sorted into a pre-built workflow, facilitating policy management.
AppLocker block and allow events are logged to the local computer's Windows Event Log. Customers must then forward these logs to a centralised SIEM (or equivalent) for processing, notification and review in order to gain centralised visibility for policy management.

Bypasses

Airlock Digital services bypasses in the product to ensure the most secure application allowlist is provided. Features such as ‘.NET Assembly Reflection Prevention’ are designed to prevent common methods attackers use to bypass allowlists and load code into memory.
Microsoft states “AppLocker is a defense-in-depth security feature and not a security boundary” [2]; therefore it is not subject to security servicing when bypasses are found [3]. Bypass techniques can be easily found on the internet, such as the “Ultimate AppLocker ByPass List” [4].

Event Troubleshooting

Airlock presents customisable block notifications to users every time a block event occurs. Airlock’s enforcement agent GUI makes reviewing, exporting and troubleshooting application whitelisting activity easy.
AppLocker only presents block messages to users if they attempt to open a file from the Explorer shell, not if an application performs a file load request from within an application. Block and allow events are seen by viewing the local computer's Windows Event Log.
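The local review step described under Centralised Logging and Event Troubleshooting, as an added example that is not Airlock's or Microsoft's code: it reads AppLocker block (event ID 8004) and audit-only (8003) events from the local event logs, extracts the file, user and rule from each event's payload, and summarises the most frequently blocked files so a policy decision can be made before the events are forwarded anywhere. It assumes Windows PowerShell 5.1 or later running elevated on a host where the AppLocker logs exist; the log names, event IDs and the RuleAndFileData payload fields are the documented AppLocker ones, and the CSV path is a placeholder.

```powershell
# Added example (not Airlock's or Microsoft's code): summarise AppLocker block (8004) and
# audit-only (8003) events from the local Windows Event Log, the step this page says each
# customer must perform before events reach a SIEM. Assumes an elevated PowerShell 5.1+ session.
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

$events = foreach ($log in $logs) {
    # Get-WinEvent throws when nothing matches the filter, so an empty log is not fatal here
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004 } -ErrorAction SilentlyContinue
}

$rows = foreach ($e in $events) {
    # The useful fields live in the event's UserData payload, not in the message text
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Mode     = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }
        Log      = $e.LogName
        User     = $d.TargetUser
        FilePath = $d.FilePath
        FileHash = $d.FileHash
        Rule     = $d.RuleName
    }
}

# Which files are blocked most often, and for which users: the input to an exception decision
$rows | Where-Object Mode -eq 'Blocked' |
    Group-Object FilePath, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# Export the normalised rows for forwarding or offline review (placeholder path)
$rows | Export-Csv -Path "$env:TEMP\applocker-events.csv" -NoTypeInformation
```

Audit-only (8003) rows show what an enforced policy would have blocked, which is the safest way to tune rules before switching a collection from AuditOnly to Enabled.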

Feature Improvements

Airlock Digital is on a mission to make allowlisting as practical and intuitive as possible. As a result, Airlock delivers regular feature updates driven by our customers. This can be seen on our public roadmap [5], which is regularly updated.
Microsoft states that “Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements” [6] and encourages customers to use Windows Defender Application Control, often resulting in many customers deploying and managing two technologies.

Maturity

Airlock Digital facilitates the implementation of Allowlisting to Maturity Level 3, as defined in the Essential 8 Maturity Model. In particular, trusted centralised logging is natively supported, facilitating the most challenging requirement: “allowed and blocked executions on workstations and servers are centrally logged” [7].
AppLocker supports trusted logging of all file execution events locally, however centrally logging the volume of events generated represents a non-trivial engineering challenge. As a result, achieving compliance with higher levels of maturity in the Essential 8 Maturity Model can be challenging.

Application Libraries (.DLL)

Airlock performs efficient allowlisting on all executable code (including .DLL files), regardless of file type or extension. Airlock’s easy to use workflows make the task of managing tens of thousands of file exceptions easy.
Microsoft states: “Each application can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create application compatibility problems. As a result, the DLL rule collection is not enabled by default.” [8]
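A check for the two AppLocker defaults this page calls out, the administrator exemption (User Permissions) and the disabled DLL rule collection (Application Libraries), as an added example that is not Airlock's or Microsoft's code: it reads the effective AppLocker policy on the local host and reports, per rule collection, the enforcement mode and whether an allow-everything rule for BUILTIN\Administrators is present. It assumes Windows PowerShell with the AppLocker module (Windows 8 / Server 2012 and later); `Get-AppLockerPolicy -Effective -Xml`, the RuleCollection attributes and the Administrators SID are the documented ones.

```powershell
# Added example (not Airlock's or Microsoft's code): inspect the effective AppLocker policy for
# a missing or unenforced DLL rule collection and for default rules that exempt Administrators.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators

$report = foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    # Child elements are the rules (FilePathRule, FilePublisherRule, FileHashRule)
    $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    [pscustomobject]@{
        Collection      = $rc.Type                 # Exe, Dll, Msi, Script, Appx
        EnforcementMode = $rc.EnforcementMode      # NotConfigured, AuditOnly or Enabled
        RuleCount       = $rules.Count
        # The default "(Default Rule) All files" rule is an Allow for Administrators on path "*"
        AdminAllowAll   = [bool]($rules | Where-Object {
            $_.Action -eq 'Allow' -and
            $_.UserOrGroupSid -eq $adminSid -and
            $_.Conditions.FilePathCondition.Path -eq '*'
        })
    }
}
$report | Format-Table -AutoSize

# DLL loads are only controlled when the Dll collection exists and is set to Enabled
$dll = $report | Where-Object Collection -eq 'Dll'
if (-not $dll -or $dll.EnforcementMode -ne 'Enabled') {
    Write-Warning 'DLL rule collection is not enforced: DLL loads are not subject to AppLocker.'
}
if ($report | Where-Object AdminAllowAll) {
    Write-Warning 'A rule collection allows Administrators to run any file (default rule present).'
}
```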