One of the challenges faced by most IT departments is control over a user’s desktop / computer. By this I mean: how does the IT department give users flexibility in running applications and configuring their work computer while at the same time “locking down” access to applications that should not be run on a work machine? We all know that if a user is allowed full administrator access to their computer, they will install all kinds of “crap”, and then ultimately they will call the Help Desk because “all of a sudden” their computer just stopped working.
One of the technologies that Microsoft introduced with Windows 7 and is still available in Windows 8 is AppLocker. Rather than duplicate the article written by my teammate, Matt Hester, I will just reference his detailed article. Today, Matt Hester posted the final part (19) of the Migration and Deployment Blog Series for the month of February where he talks about Windows 8 AppLocker.
I am including a brief snippet from Matt’s post below. If you want to read the full article, please go directly to Matt’s post.
One of the technologies we introduced with Windows 7 was AppLocker. AppLocker presented a great new way to control what applications could run on your desktop environments. Now if this sounds familiar to what Software Restriction Policies (SRP) do for your environments, it is important to understand the difference between the two. SRP are still supported and still help to control applications in your environment. They approach the challenge differently. Fundamentally there are two ways of controlling applications:
While SRP can still be used, it did not provide a fine-grained way to set up your lists, and maintaining an effective SRP was very reactionary. With AppLocker you can create more fine-grained policies that survive application updates. AppLocker introduced an audit mode where you can test policies before actually enforcing them. The types of rules and files that you can control with AppLocker are listed below:
Associated file formats
.ps1 .bat .cmd .vbs .js
Windows Installer files
.msi .msp .mst
Packaged apps and Packaged app installers
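
The audit-mode workflow mentioned in the snippet above can be driven from the AppLocker PowerShell module. The following is an added example, not code from this post or from Matt Hester's article; the reference folder, output path and test folder are assumed placeholders, and it is meant to be run from an elevated prompt on a test machine.

```powershell
# Added example: build a policy from a reference folder, keep it in audit mode,
# dry-run it, then review what would have been blocked. Paths are assumptions.
Import-Module AppLocker

$referenceDir = 'C:\Program Files'                 # assumed: folder of trusted software
$policyPath   = "$env:TEMP\applocker-audit.xml"    # assumed: where the policy XML is saved
$testDir      = "$env:USERPROFILE\Downloads"       # assumed: files to test against

# 1. Collect publisher and hash information for executables in the reference folder.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# 2. Prefer publisher rules (they keep matching after an update signed by the
#    same publisher); fall back to a hash rule for unsigned files.
[xml]$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Switch every generated rule collection to audit mode: nothing is blocked,
#    but each decision is written to the AppLocker event log.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 4. Dry run: ask how the saved policy would treat files outside the reference set.
Get-ChildItem $testDir -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply to the local policy. Without -Merge this replaces the existing local
#    AppLocker policy. The Application Identity service (AppIDSvc) must be
#    running for rules to be evaluated and events to be logged.
Set-AppLockerPolicy -XmlPolicy $policyPath

# 6. After users have worked under the audit policy for a while, list what would
#    have been blocked (event ID 8003 = allowed to run, but would be denied
#    if the policy were enforced).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the 8003 events stop showing software that users legitimately need, changing `EnforcementMode` to `Enabled` in the same XML and reapplying it turns the audited policy into an enforced one.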