Windows 7 / Windows Server 2008 R2: AppLocker

Happy Monday everyone.  It’s Day Nineteen of our Launch Series, which means that there are only three more days until Windows 7 appears on store shelves!  Today, we’re going to provide a really quick overview of AppLocker, which is a new feature in Windows 7 and Windows Server 2008 R2.  AppLocker replaces the Software Restriction Policies (SRPs) that many of you are probably familiar with.  With AppLocker, an administrator has the ability to control how users run all types of applications – scripts, executables, Windows Installer files (.msi and .msp files) and Dynamic Link Libraries (DLLs).  Seasoned admins have probably made use of SRPs in the past, but some of you may be wondering why this is even an issue.

Most of us on the Performance team were IT Administrators at one time or another prior to joining Microsoft.  Believe me when I tell you that we all have our fair share of horror stories.  We’ve all been in environments where end-users have brought in software from home or downloaded some sort of shareware or freeware and installed it on their machine.  In most of these cases, there was no real business need for these apps – let’s face it, is having a “cool” screensaver really a justifiable business application?  Probably not in the vast majority of cases.  Of course, almost inevitably, the software would cause other issues – leading to more helpdesk calls, some fairly angry end-users and of course, some really angry IT folks.  Enter SRP’s, where administrators could create rules and policies to block the installation of some of the more … popular … pieces of unauthorized software.  We’re really not going to get into the workings of Software Restriction Policies – if you need more information, refer to this TechNet Article.

Getting back to AppLocker, there are several enhancements:

  • Ability to define rules based on attributes derived from a file’s digital signature, including the publisher, product name, file name and file version.  SRP supports certificate rules, but they are less granular and are a bit more difficult to define
  • More intuitive enforcement model – only a file specified in an AppLocker rule will be allowed to run
  • Audit-Only enforcement mode that allows administrators to determine which files would be prevented from running if the policy were in effect
  • New interface accessed through an MMC snap-in extension to the Local Policy and Group Policy snap-ins.  The Software Restriction Policies snap-in is still available in Windows 7 / Windows Server 2008 R2 for compatibility reasons.


AppLocker requires the Application Identity service.  This service performs all of the rule conversions for the AppLocker policy.  In order for an AppLocker policy to be evaluated on the system, the service has to be started.  The Application Identity service is set to Manual by default.
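The following PowerShell is an added example, not code from the original post: it makes sure the Application Identity service is running, then uses the AppLocker cmdlets that ship with Windows 7 / Windows Server 2008 R2 to build a publisher/hash policy in Audit-Only enforcement mode and dry-runs it against a single file.  It assumes an elevated session, and the policy path and candidate file path are made-up values.

```powershell
# Added example (not from the original post). Assumes an elevated
# PowerShell session on Windows 7 / Server 2008 R2 with the AppLocker
# module; $PolicyPath and $Candidate are assumed, made-up values.

Import-Module AppLocker

# 1. AppLocker rules are only evaluated while the Application Identity
#    service (short name AppIDSvc) is running. It is Manual by default,
#    so make it Automatic and start it now.
Set-Service -Name AppIDSvc -StartupType Automatic
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Start-Service -Name AppIDSvc
}

# 2. Gather file information (publisher signature, file hash, path) for
#    the executables you want to allow.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 3. Generate publisher rules for signed files and fall back to hash rules
#    for unsigned ones; -Optimize collapses rules that share a publisher.
#    -Xml returns the policy as an XML document.
[xml]$policy = (New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Audit' -Optimize -Xml) -join "`n"

# 4. New-AppLockerPolicy does not set an enforcement mode. Switch every
#    rule collection to AuditOnly so the policy only writes events to the
#    AppLocker operational log instead of blocking anything.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$PolicyPath = 'C:\Policies\applocker-audit.xml'   # assumed location
$policy.Save($PolicyPath)

# 5. Test a file against the policy before deploying it. PolicyDecision is
#    Allowed, Denied, or DeniedByDefault when no rule matched the file.
$Candidate = 'C:\Users\Public\Downloads\sample.exe'   # assumed path
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Candidate -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. When the audit results look right, merge the policy into the local
#    policy (or import the XML into a GPO). Left commented out on purpose.
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Running the policy in Audit-Only first is the safe order of operations: the events it writes tell you which files would have been stopped, and any file that lands in DeniedByDefault is a reminder that once AppLocker rules exist, anything not explicitly allowed is denied.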


The effects of AppLocker rules may be viewed in the AppLocker Operational event channel in Event Viewer.  Each event in the AppLocker operational log contains the following information:

  • The file affected and the path of the file
  • Whether the file was allowed or blocked
  • The rule type (path, file hash or publisher)
  • Rule name
  • SID for the user targeted in the rule
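As an added example (not from the original post), here is a PowerShell function that reads the AppLocker operational log and pulls out the fields listed above.  It assumes the documented log name for the EXE and DLL channel and the documented event IDs (8002 allowed, 8003 would have been blocked in Audit-Only mode, 8004 blocked); the element names under the event’s UserData node are taken from the AppLocker event XML schema as I know it and should be treated as an assumption.

```powershell
# Added example (not from the original post). Assumes the documented
# AppLocker log name and event IDs; the UserData element names
# (RuleAndFileData, PolicyName, RuleName, TargetUser, FilePath) are
# assumed from the event XML schema.

$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'

function Get-AppLockerDecision {
    param([int]$MaxEvents = 100)

    # Event ID tells you whether the file was allowed or blocked.
    $ids = @{ 8002 = 'Allowed'; 8003 = 'Audit: would block'; 8004 = 'Blocked' }

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8002, 8003, 8004 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The details (path, rule, user SID) live in the event's XML payload.
        [xml]$x = $_.ToXml()
        $d = $x.Event.UserData.RuleAndFileData

        # TargetUser is a SID; resolve it to an account name when we can.
        $user = $d.TargetUser
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier $d.TargetUser
            $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            Decision = $ids[$_.Id]
            FilePath = $d.FilePath      # uses path variables such as %OSDRIVE%
            RuleName = $d.RuleName
            Policy   = $d.PolicyName    # rule collection, e.g. EXE or DLL
            User     = $user
            UserSid  = $d.TargetUser
        }
    }
}

# Most recent decisions, then a count per decision type.
$events = Get-AppLockerDecision -MaxEvents 200
$events | Select-Object Time, Decision, FilePath, RuleName, User | Format-Table -AutoSize
$events | Group-Object Decision | Select-Object Name, Count
```

While a policy is in Audit-Only mode, the 8003 events are the ones to watch: each is a file that users are running today and that the policy would stop once enforcement is turned on.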


Something to note – AppLocker rules and Software Restriction Policy rules are completely separate.  You cannot use AppLocker rules to manage pre-Windows 7 systems.  If you define any AppLocker rules in a GPO, only those rules will be applied.  In other words, you should define your AppLocker rules in a separate GPO from your SRP rules to ensure interoperability.

And that’s all for AppLocker.  The resources below have more information.  Tomorrow, Jerry Ciferri will provide a quick overview of Windows Federated Search. 

Additional Resources:

- Dane Smart

Comments
  • Which Windows 7 SKU comes with SRP? Does Windows 7 Professional include this? Is Windows 7 Ultimate the only SKU with AppLocker plus SRP? Thank you.

  • How can AppLocker be applied with time segments? Any script?

  • I have been using Microsoft's AppLocker for several months now, successfully, and enjoy knowing there is another layer of protection in my PC between me and some zero day malware. I might accidentally click on a link or visit a web page that downloads a malicious app, but it won't be allowed to run, because no executables may run from a user directory under AppLocker. I am using Windows 7 Ultimate version. However, Windows 8 does not have AppLocker available in any consumer version; only in the enterprise version is it available. This is truly unfortunate, for the extra protection is valuable. I suggest Microsoft make AppLocker easier to set up initially and include this app with ALL versions of Windows for the PC! This feature could be marketed as a great advantage, which it is! When a person has antivirus and app whitelisting working together it is a stronger defense!