Specifically, my issues started when I wanted to create rules for a certain user instead of an entire group.
Here's an example of a DLL being blocked from the app's install directory once SBIE takes control (path/program name Xx'd out):

    - UserData
      - RuleAndFileData
        PolicyName       DLL
        RuleId           {00000000-0000-0000-0000-000000000000}
        RuleName         -
        RuleSddl         -
        TargetUser       S-1-5-7
        TargetProcessId  2080
        FilePath         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\MSVCR110.DLL
        FileHash
        Fqbn             O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® VISUAL STUDIO® 2012\MSVCR110.DLL\11.0.51106.01

Here's another example of a DLL being blocked from inside an app already sandboxed (drive x'd out):

        PolicyName       DLL
        RuleId           {00000000-0000-0000-0000-000000000000}
        RuleName         -
        RuleSddl         -
        TargetUser       S-1-5-7
        TargetProcessId  3400
        FilePath         x:\%SANDBOX%\MINECRAFT\USER\CURRENT\APPDATA\ROAMING\.MINECRAFT\VERSIONS\1.10.2\1.10.2-NATIVES-1635160112806\LWJGL.DLL

Normally you could create a rule for 'Everyone' or another group and not run into this issue. However, with SBIE in the mix, once the app is under its control it identifies as ANONYMOUS LOGON, so if you have rules for specific users like I did, you end up with blocks like those shown above and usually a program that doesn't function correctly, if at all.
When attempting to add NT AUTHORITY\ANONYMOUS LOGON via the GUI in AppLocker I was greeted with an alert:
"The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid:
NT AUTHORITY\ANONYMOUS LOGON"
This made it 'impossible' to add rules for ANONYMOUS LOGON via the GUI. So I thought we couldn't use DLL rules or add other rules for EXEs etc. when needed and still have rules defined per user, so I gave up on using AppLocker alongside SBIE. Well, it turns out there is a way! I found a workaround in my setup, though I needed a few duplicates so as to retain the original rules and still have separate ones for ANONYMOUS LOGON...
1) Create similar rules (I used Everyone instead of the specific user, and I also suggest naming them so they are easily identifiable when looking through the XML).
2) Use the export function of AppLocker and save the policy someplace.
3) Open up the XML and manually replace the existing user SID with the well-known SID of NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7) for the needed entries.
4) Save the changes (I suggest a different file name in case you mess something up, so you still have the original to work from or re-import if needed).
5) Re-import the altered ruleset.
6) Be sure to stop/start the Application Identity service (AppIDSvc), or reboot, after importing the altered XML, or it may not apply the new ruleset right away and appear not to make a difference.
7) Re-test your app and re-check the Event Log for any other needed changes.
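The same procedure scripted in PowerShell, as an added example that is not code from the original post. It goes one step further than the hand-made duplicates above: every local rule whose Name starts with a chosen prefix is cloned with UserOrGroupSid set to S-1-5-7, so the original per-user rule survives and the ANONYMOUS LOGON copy sits beside it with a fresh rule Id. The prefix, the file paths and the rule-name suffix are assumptions; the AppLocker cmdlets, the service name and the event IDs 8004/8007 (blocked EXE/DLL) are real.

```powershell
# Added example (not from the original post): scripts steps 2-7 of the workaround.
# Assumptions: run from an elevated PowerShell on the machine whose *local* AppLocker
# policy is being edited, and the rules to clone were named with $RulePrefix in step 1.
# Try it on a throwaway VM first: a bad policy can block the tools you need to undo it.

$AnonymousLogonSid = 'S-1-5-7'                      # well-known SID of NT AUTHORITY\ANONYMOUS LOGON
$RulePrefix        = 'SBIE - '                      # assumption: naming convention picked in step 1
$CloneSuffix       = ' (ANONYMOUS LOGON)'           # assumption: how the copies are labelled
$Original          = Join-Path $env:TEMP 'AppLocker-original.xml'
$Altered           = Join-Path $env:TEMP 'AppLocker-anonymous.xml'

# Step 2: export the current local policy and keep it untouched as a fallback.
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $Original -Encoding UTF8

# Step 3: clone the selected rules for S-1-5-7. Rule Ids must be unique, so each clone
# gets a new GUID; the Name gets a suffix so the copies are easy to spot in the XML.
[xml]$policy = Get-Content -Path $Original -Raw
$xpath = "/AppLockerPolicy/RuleCollection/*[starts-with(@Name, '$RulePrefix')]"
$rules = @($policy.SelectNodes($xpath))             # snapshot before we modify the tree

# Names that already have an ANONYMOUS LOGON copy (makes the script safe to re-run).
$alreadyCloned = $rules |
    Where-Object { $_.GetAttribute('UserOrGroupSid') -eq $AnonymousLogonSid } |
    ForEach-Object { $_.GetAttribute('Name') }

$added = 0
foreach ($rule in $rules) {
    $name = $rule.GetAttribute('Name')              # GetAttribute: $rule.Name is ambiguous in PowerShell's XML adapter
    if ($rule.GetAttribute('UserOrGroupSid') -eq $AnonymousLogonSid) { continue }
    if ($alreadyCloned -contains ($name + $CloneSuffix)) { continue }

    $clone = $rule.CloneNode($true)
    $clone.SetAttribute('Id',             [guid]::NewGuid().ToString())
    $clone.SetAttribute('Name',           $name + $CloneSuffix)
    $clone.SetAttribute('UserOrGroupSid', $AnonymousLogonSid)
    [void]$rule.ParentNode.AppendChild($clone)
    $added++
}
Write-Output "Added $added ANONYMOUS LOGON rule(s)."

# Step 4: save under a different name so the untouched export stays available.
$policy.Save($Altered)

# Step 5: re-import. Without -Merge this replaces the local policy with the edited export,
# which is what we want: the file already contains every original rule plus the clones.
Set-AppLockerPolicy -XmlPolicy $Altered

# Step 6: restart the Application Identity service. On newer Windows builds the service
# is protected and refuses to stop; in that case reboot, as the post says.
try {
    Restart-Service -Name AppIDSvc -Force -ErrorAction Stop
} catch {
    Write-Warning "Could not restart AppIDSvc ($($_.Exception.Message)); reboot to apply the policy."
}

# Step 7: re-test the sandboxed app, then look for remaining blocks attributed to S-1-5-7.
# 8004 = EXE blocked, 8007 = DLL blocked; the TargetUser field is in the event's UserData.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8004, 8007 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.ToXml() -match "<TargetUser>$AnonymousLogonSid</TargetUser>" } |
    Select-Object TimeCreated, Id, Message
```

Everything after step 3 is the post's procedure unchanged; the cloning loop is the only addition. If you prefer the post's approach of duplicating rules in the GUI first, drop the CloneNode block and just set UserOrGroupSid on the rules you selected.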
AppLocker will now handle NT AUTHORITY\ANONYMOUS LOGON and you can set up whatever rules you want, even for specific users, alongside SBIE. The best part is the altered rules can also be edited without losing the SID info or seeing the error again.
How helpful all this will be in general is questionable but it's something I wanted to play with before and finally can thanks to a little manual editing of the exported AL policy.