AppLocker – Part 1: Application Control Policies
Unlike the Software Restrictions Policies, the AppLocker Application Control Policies are available only in Windows 7 Enterprise and Ultimate editions, and all editions of Windows Server 2008 R2. AppLocker policies build upon the Software Restriction Polices functionality but have additional features which make them far more powerful and useful. One of the main enhancements is the ability to specify which users can run specific applications. Now, rules can be based on file attributes such as, file name, file version, etc. You can create exceptions to rules and assign a rule to a security group or an individual user. The various added features are audit-only mode, policy import and export, rule collection, PowerShell support, custom error messages and a wizard to create multiple rules at once. The Policies are found in the Computer Configuration\Windows Settings\Security Settings\Application Control Policies node.
The first caution worth noting is when you are upgrading computers to Windows 7 with enabled Software Restriction Policies. If you implement AppLocker policies to the upgraded computer, then only the AppLocker rules are enforced. Secondly, AppLocker depends on the Application Identity Service which is set to a Manual startup state by default. Before setting the service to start automatically make sure that the policies are correctly set as incorrect rules may turn your computer unusable. Finally, keep in mind that when DLL rules are used users may experience a reduction in performance as AppLocker checks DLLs when the application is loading.
Creating Default Rules
It is very important to understand the AppLocker rules behavior. If no AppLocker default rules exist and a rule for a specific collection is created, then only the files explicitly allowed in that rule are permitted to run while all others are blocked. For example, if you create an executable rule that allows .exe files in c: \ my apps to run, only executable files located in that path are allowed to run. So pay attention to create an environment where the default policy is set to allow actions and then setting exceptions to a specific collection because AppLocker restricts the execution of any application that is not subject to an allow rule. You can use a combination of allow actions and deny actions but remember that deny rules override allow rules. Briefly, you cannot execute any collection (application, script or installer) that does not fall under an allow rule.
Default rules are created by right-clicking each of the main rules (Executable, Windows Installer and Script) nodes and clicking Create Default Rules. Setting up default rules for each collection will allow default Windows and program files to run as indicated below:
- Allows members of the local Administrators group to run all applications
- Allows members of the Everyone group to run applications that are located in the Windows folder.
- Allows members of the Everyone group to run applications that are located in the Program Files folder.
- Allows members of the Everyone group to run digitally signed Windows Installer files.
- Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer.
- Allows members of the local Administrators group to run all Windows Installer files.
- Allows members of the Everyone group to run scripts that are located in the Program Files folder.
- Allows members of the Everyone group to run scripts that are located in the Windows folder.
- Allows members of the local Administrators group to run all scripts.
In the next article (Part 2) we discuss the rules that block applications and the various options available within each category.