
AppLocker DLL rules on .NET assemblies


I'm using AppLocker to prevent the standard user from executing anything other than applications signed by us, and some necessary Windows files.

The exe and dll files are signed with our certificate using signtool.exe, and then in AppLocker I have Publisher rules that prevent the user from running anything that hasn't been signed by us.

That worked, but it doesn't stop the signed executable from loading unsigned DLL files, which seems like a security risk. I tested by replacing all DLLs with unsigned versions, leaving only the signed exe, turned on DLL rules that blocked anything that isn't signed by us, and the application ran just fine. EventLog didn't show any potential blocks (I turned on DLL rules in Audit mode).

I did some reading, and from what I understand, the reason for this might be that these are not "normal" (Win32) DLLs but rather assemblies that are compiled and executed in the CLR, which bypasses AppLocker DLL rules?

If that's the case, it seems like the only way to ensure that the DLLs are not tampered with is to do assembly signing, giving each assembly a strong name, and this would ensure that the exe only fetches and runs these specific DLLs. Is this correct?

Is there any way to make AppLocker DLL rules block DLLs (assemblies) that are compiled & run by the CLR? If not, then is there any point in even signing assembly DLLs?

UPDATE:

Thanks to Maurizio for finding the cause of this issue, which is that Microsoft most likely just broke AppLocker for .NET 4.0, since DLL rules work fine on .NET 3.5. He contacted Microsoft, who just recommended using WDAC instead of AppLocker... Quite irresponsible from Microsoft to just quietly break people's security policies like that.


Solution

  • We've also seen this behaviour. According to my tests, it works as expected only where the EXE loading the DLL is compiled with .NET 3.5.

    This was my test:

    1. I wrote a simple C# application which dynamically loads a C# library/dll that only calculates the sum between two numbers.
    2. Compiled this app (LoadDLL.exe) against .NET 3.5 and .NET 4.0+ and allowed it by adding a new AppLocker rule.
    3. The Adder.dll (the library which does the addition) was NOT added to the AppLocker rules, so I expected it to be blocked when loaded by LoadDLL.exe.

    The outcome was that LoadDLL.exe compiled with .NET 3.5 worked as expected, i.e. it blocked the loading of the Adder.dll, whereas the LoadDLL.exe compiled with .NET 4.0+ worked like a charm.

    I think something has changed when .NET 4.0 was introduced which made the DLL collection useless.
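A pre-deployment audit that makes the gap described above visible, added here as an example and not code from the question or the answer: for every DLL next to the signed EXE it reports the Authenticode state, the strong-name public key token, and what the effective AppLocker DLL rule collection would decide for a given user. The application directory, certificate thumbprint and test user are placeholders.

```powershell
# Added example: compare each DLL's signature state with AppLocker's policy decision.
# Assumptions (placeholders): $AppDir, $ExpectedThumbprint and $TestUser below.
param(
    [string]$AppDir = 'C:\Program Files\OurApp',
    [string]$ExpectedThumbprint = '<OUR-SIGNING-CERT-THUMBPRINT>',
    [string]$TestUser = 'DOMAIN\StandardUser'
)

Import-Module AppLocker
$policy = Get-AppLockerPolicy -Effective   # the merged local + domain policy

Get-ChildItem -Path $AppDir -Filter *.dll -Recurse | ForEach-Object {
    $path = $_.FullName

    # Authenticode: Get-AuthenticodeSignature calls WinVerifyTrust, so Status covers
    # both the certificate chain and the file hash (Valid, NotSigned, HashMismatch, ...).
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signedByUs = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)

    # Strong name: the public key token from the assembly manifest. This is an identity
    # claim only; the CLR skips strong-name signature verification for full-trust
    # assemblies since .NET 4.0, so it is no substitute for the Authenticode check.
    try {
        $tokenBytes = [System.Reflection.AssemblyName]::GetAssemblyName($path).GetPublicKeyToken()
        $token = if ($tokenBytes) { ($tokenBytes | ForEach-Object { $_.ToString('x2') }) -join '' }
                 else { '(none)' }
    } catch [System.BadImageFormatException] {
        $token = '(native DLL)'
    }

    # What the DLL rule collection would decide for this file and this user.
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $path -User $TestUser

    [pscustomobject]@{
        File               = $_.Name
        AuthenticodeStatus = $sig.Status
        SignedByUs         = $signedByUs
        PublicKeyToken     = $token
        AppLockerDecision  = $decision.PolicyDecision
        MatchingRule       = $decision.MatchingRule
    }
} | Format-Table -AutoSize
```

Test-AppLockerPolicy reports the policy's decision, not what the loader did at run time: a DLL listed as Denied here that still loads into a .NET 4.0+ host reproduces the behaviour the answer describes, which is why the Authenticode column is the one to act on.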