Sep 16 2010

AppLocker Advice

Learn how to best employ this Windows feature to lock down desktops.

The AppLocker feature in Microsoft Windows 7 Professional lets administrators control which applications and scripts users can install and load on their computers. This is useful for locking down computers, but AppLocker can be tricky to configure. If you don’t do it right, users might not be able to log on. Here are six tips to ease the process of configuring AppLocker for your environment.

1. Plan Group Policy properly.

AppLocker policies are per-machine Group Policy settings, not per-user settings. This means you should configure AppLocker policies only within Group Policy Objects (GPOs) that are linked to organizational units (OUs) that have computer accounts in them — not user accounts. Consider creating GPOs dedicated to this purpose that contain only AppLocker policy settings. If you decide to do this, you can disable the user configuration settings of these GPOs in the Group Policy Management Console (GPMC) to speed up processing of these policies.

2. Test before deploying.

Always try your AppLocker policies in a test environment before using them in your production network. You wouldn’t want to create a policy, only to discover later that a key application is being blocked from running. When creating AppLocker GPOs for production, disable them until you’ve configured all your AppLocker rules. This will prevent incomplete policies from being applied by Group Policy to computer accounts in the OUs linked to these GPOs. Before you enable the GPOs, configure AppLocker so that it runs in Audit Only enforcement mode, which allows you to use Event Viewer to see the result of applying the policy without actually restricting anything on the target systems.
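The following PowerShell script is an added example (not part of the original article) showing how to review the Audit Only results on a test machine from the command line rather than by clicking through Event Viewer. It assumes the AppLocker module that ships with Windows 7 and that the test policy has already been applied; everything else is standard cmdlets and the AppLocker operational log names.

```powershell
# Added example, not from the article: summarise what an Audit Only AppLocker
# policy would have blocked on a test machine before the GPO is switched to Enforce.
Import-Module AppLocker

# AppLocker writes to two operational channels. Event ID 8003 (EXE and DLL) and
# 8006 (MSI and Script) mean "allowed to run, but would have been blocked if the
# policy were enforced". 8004/8007 are the enforced-block equivalents.
$auditedIds = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}

# 1) Raw audit events: when, which account (SID), and the message naming the file.
$events = foreach ($log in $auditedIds.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $auditedIds[$log] } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Log'; e = { $log } }, UserId, Message
}
$events | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap

# 2) Per-file view: Get-AppLockerFileInformation can read the same channel and
# return publisher/hash data for each audited file, with -Statistics giving
# how often each one was logged. Without -LogPath it reads the EXE and DLL log.
$exeStats = Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
$exeStats | Format-Table -AutoSize

# 3) Same for installers and scripts, naming the channel explicitly.
$scriptStats = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/MSI and Script' `
    -EventType Audited -Statistics
$scriptStats | Format-Table -AutoSize
```

Run this on a representative test workstation after users have worked on it for a while; an empty result for both channels is the signal that the policy is ready to move from Audit Only to Enforce rules. The file information objects from step 2 can be piped straight into New-AppLockerPolicy if a missing Allow rule turns out to be the cause.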

3. Think “whitelist.”

AppLocker is the successor to Software Restriction Policies (SRP) found in earlier Windows versions. SRP was limited in that it could only be used to blacklist applications or scripts. While AppLocker still allows you to blacklist apps or scripts by creating Deny rules, it also lets you create Allow rules to whitelist which apps or scripts are allowed to be installed or run. Build a whitelist of all apps and scripts that users of the targeted systems should be allowed to install or run.

4. Create default rules first.

Begin configuring an AppLocker policy by creating the default rules, which are needed in order for Windows itself to run on the targeted computers. The default AppLocker rules allow applications and scripts within the Windows and Program Files folders to run, and they also allow the built-in Administrator account to install or run any program or script in any location. Always do this first; if you don’t, Windows won’t run on the computers targeted by the policy.

5. Establish publishing rules.

Create publishing rules whenever possible, because only publishing rules can use digital signatures to specify which programs can run or be installed on a system. If some programs on the targeted systems aren’t digitally signed, your best option is to set up an internal Certification Authority for your environment and sign the files before you install or copy them to the target systems. If this isn’t feasible, create hash rules for these files instead.
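Tips 3 through 5 together describe one procedure: start from the default rules, then whitelist the business applications with publisher rules and fall back to hash rules for anything unsigned. The script below is an added example of that procedure in PowerShell; it is not from the article. The application folders, output path and GPO LDAP path are placeholders, and it assumes the default rules have already been created in the target GPO through the Group Policy editor (Create Default Rules), since no cmdlet generates them.

```powershell
# Added example, not from the article: build Allow rules for a set of applications,
# preferring publisher rules and using hash rules only for unsigned files, then
# merge them into the test GPO that already holds the default rules.
Import-Module AppLocker

# Placeholder assumptions: folders holding the applications to whitelist, and an
# output folder for the generated XML.
$appDirs = @('C:\Program Files\Contoso LOB', 'C:\Apps\Tools')
$outDir  = 'C:\AppLockerPolicies'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Collect path, publisher (if signed) and hash for every executable, DLL, script
# and Windows Installer package under those folders.
$files = foreach ($dir in $appDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller
}

# Files without a Publisher entry are unsigned: candidates for signing with an
# internal CA (tip 5) or, failing that, for hash rules.
$unsigned = $files | Where-Object { -not $_.Publisher }
"Unsigned files that will get hash rules instead of publisher rules:"
$unsigned | Select-Object -ExpandProperty Path

# Generate Allow rules for Everyone. Publisher is tried first and Hash is used
# where no signature exists; -Optimize collapses files that share a publisher
# and product into a single rule.
$rulesXml = Join-Path $outDir 'lob-allow-rules.xml'
New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash `
    -RuleNamePrefix 'LOB' `
    -User Everyone `
    -Optimize -Xml | Out-File -FilePath $rulesXml -Encoding utf8

# Merge (not replace) into the AppLocker policy of the test GPO. The LDAP path is
# a placeholder in the documented form LDAP://<DC>/CN={<GPO GUID>},CN=Policies,...
$gpoLdap = 'LDAP://DC01.contoso.example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=example'
Set-AppLockerPolicy -XmlPolicy $rulesXml -Ldap $gpoLdap -Merge
```

Keep the -Merge switch: without it Set-AppLockerPolicy replaces the GPO's existing AppLocker rules, including the default rules from tip 4 that Windows itself needs. Review the generated XML before merging; the rule conditions show exactly which publisher, product and version range each rule trusts.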

6. Maintain AppLocker policies.

Once you’ve created and deployed AppLocker policies, you’ll need to update them as new or updated versions of applications and scripts are deployed to the targeted systems, or when older applications are no longer allowed to run on these systems.
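As an added example for the maintenance step (not from the article), the script below checks a staged new version of an application against the policy actually in effect on a test machine before the new version is rolled out. The staging folder and the user account are placeholder assumptions.

```powershell
# Added example, not from the article: before deploying an updated application,
# find which of its files the effective AppLocker policy would deny.
Import-Module AppLocker

# Placeholder assumptions: where the new build is staged, and a standard user
# account to evaluate the rules as (rules are user- or group-scoped).
$newBuild = 'C:\Staging\ContosoApp-2.1'
$user     = 'CONTOSO\standarduser'

# Export the policy in effect on this machine (local policy plus domain GPOs).
$effective = Join-Path $env:TEMP 'effective-applocker.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $effective -Encoding utf8

# Every file type AppLocker governs in the staging folder.
$paths = Get-ChildItem -Path $newBuild -Recurse `
    -Include *.exe, *.dll, *.msi, *.ps1, *.bat, *.cmd, *.vbs, *.js |
    Select-Object -ExpandProperty FullName

# Evaluate each file against the exported policy as the chosen user.
$results = Test-AppLockerPolicy -XmlPolicy $effective -Path $paths -User $user

# Anything not explicitly Allowed would stop working once the new version ships.
$blocked = $results | Where-Object { $_.PolicyDecision -ne 'Allowed' }
if ($blocked) {
    "Files the current policy would block; update the rules before deploying:"
    $blocked | Select-Object PolicyDecision, MatchingRule, FilePath | Format-Table -AutoSize
} else {
    "All $($results.Count) files are allowed by the effective policy."
}
```

A signed application whose publisher rule was created with an open-ended version range ("and above") normally passes this check unchanged, which is the practical payoff of preferring publisher rules in tip 5; hash rules, by contrast, have to be regenerated for every new build. The same check, with the old build's folder, tells you which rules can be removed once an application is retired.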

Mitch Tulloch is lead author of the Windows 7 Resource Kit from Microsoft Press. Learn more about him at his website www.mtit.com.
