Getting Started with Windows 7 AppLocker

AppLocker is a feature built into Windows 7 Enterprise and Windows 7 Ultimate that helps to lock down the apps that you don’t want being used on your computer system or network. It works in two ways; you can blacklist applications, or whitelist applications.

Whitelisting can be very useful in large network environments as it lets you give a list of allowed applications to all of the users in your network, so they know what they are allowed to use, rather than a huge (and ever growing) list of dangerous applications. In past versions of Windows, you could do something similar with “Software Restriction Policies.” AppLocker makes these policies much easier to manage.

AppLocker not only allows you to avoid malicious applications like viruses, spyware, malware, etc., but it also allows you to protect the business (or corporation, school, or network in general) from unlicensed software. The best way to avoid the use of unlicensed software and costly audits is to stop unlicensed software from running to begin with. This is where AppLocker comes in. Not only that, but keeping a whitelist of applications can greatly affect productivity in the workplace.

A few things have been worked out since the days of using Software Restriction Policies. While AppLocker uses a rule-based structure, these rules have been greatly improved.

For example, you no longer need to worry about managing different versions of software. You can set a rule, for example, to allow Mozilla Firefox, above version 3.0, as long as it is signed by Mozilla. This means, even if the user upgrades the software, as long as the software is legitimate, it can still be run without issue.

With the right rule sets, you can safely deploy updates and even new software without having to build a new rule for each revision.

You can access AppLocker rules in your Local Group Policy Editor. The structure and location is as follows:

  • Computer Configuration
    • Windows Settings
      • Security Settings
        • Application Control Policies
          • AppLocker
            • Executable Rules
            • Windows Installer Rules
            • Script Rules

AppLocker lets you set permissions using two general rule types and exceptions.

The standard rule types are of course, Allow and Deny. Allow rules limit execution to a known whitelist of applications, blocking anything else that tries to execute. Deny rules are the opposite; they allow any application or script to run, as long as they are not on a blacklist of applications.

Essentially, you’ll want to have a combination of “Allow” rules, along with exceptions to the rules to keep your network secure. However, using a combination of both “Allow” and “Deny” rules is also acceptable and accomplishes almost the same thing. It’s up to you to assess which strategy would be the best method of security for your network.

AppLocker Exceptions

Exceptions are interesting in that, they allow you to bypass all or part of a rule set based on the users group. One example would be, if you had the entire Microsoft Office suite allowed for the network, but wanted only some users to access a certain application in the suite. Let’s say you want everyone to be able to use the entire Microsoft Office Suite, but want to disallow use of Messenger by anyone but administrators.

AppLocker exceptions would allow you to create this exception, based on groups you have set up for your network. Since these are based on groups, based on your networks structure, you could allow and disallow certain applications to certain job titles, wings on your building, or any group of users, all within the same rule.

Quick Deployment and Rule Creation in AppLocker

One often forgotten feature of AppLocker is the ability to quickly create application rules based on a pilot machine. If you have a machine that has only applications that are needed to run, you can use AppLocker to create a rule set to whitelist everything on that machine, and block everything else. You’ll obviously need to fine-tune a few rules here and there for upgrades or publisher rules, but even without fine-tuning, this new rule set should be fairly accurate enough to keep your network users safe and productive.

Be careful though to only use a new machine when generating a rule set. You never know when a rogue file may have made its way onto a machine already in use, especially if AppLocker is not yet in place. A good time to generate executable rules automatically would be when setting up a brand new machine within the network. You can set up or image the machine, and before deploying it, immediately create a rule set based on said machine. From then on, only applications that are on the machine will be able to be used.

For a bit of extra control, before saving the automatically generated rules, you can choose to review the files analyzed and rules generated. This will allow you to ensure that there are no rogue applications, and will allow you to work with certain applications to set up special publisher and version control rule sets specific to your network. You can also use this export wizard to generate documentation and rule backups for records or compliance purposes.

Get More Control with AppLocker

AppLocker allows IT administrators to have more control over their network policies, and provides a needed upgrade to the Group Policy Editor. The extra bit of control and ease of use is a breath of fresh air to IT professionals who have been working with complicated rule sets to properly secure their networks in the past.

If your company uses Windows 7, and is not already using AppLocker (or even Application Rules) to secure their network, I would definitely recommend looking into setting up some simplified rule sets within AppLocker to help keep your network of machines safe.

Comments