Tactical Advice

AppLocker Advice

Learn how to best employ this Windows feature to lock down desktops.
This story appears in the September 2010 issue of BizTech Magazine.

The AppLocker feature in Microsoft Windows 7 Professional lets administrators control which applications and scripts users can install and load on their computers. This is useful for locking down computers, but AppLocker can be tricky to configure. If you don’t do it right, users might not be able to log on. Here are six tips to ease the process of configuring AppLocker for your environment.

1. Plan Group Policy properly.

AppLocker policies are per-machine Group Policy settings, not per-user settings. This means you should configure AppLocker policies only within Group Policy Objects (GPOs) that are linked to organizational units (OUs) that have computer accounts in them — not user accounts. Consider creating GPOs dedicated to this purpose that contain only AppLocker policy settings. If you decide to do this, you can disable the user configuration settings of these GPOs in the Group Policy Management Console (GPMC) to speed up processing of these policies.
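The following PowerShell is an added example, not code from the article or from Microsoft, showing the GPO layout the tip describes: a GPO dedicated to AppLocker, with its user half disabled, populated from an exported AppLocker policy and linked (initially disabled) to an OU that holds computer accounts. It assumes the RSAT GroupPolicy module and the AppLocker module are present; the GPO name, OU, domain controller and policy file path are placeholders.

```powershell
# Added example (not from the article): create a GPO that carries only AppLocker
# settings, disable its user-configuration side, write the policy into it, and
# link it to a computer OU. Names, OU and paths below are assumed placeholders.
Import-Module GroupPolicy
Import-Module AppLocker

$gpoName   = 'AppLocker - Workstations'               # assumed GPO name
$targetOu  = 'OU=Workstations,DC=corp,DC=example'     # assumed OU containing computer accounts
$policyXml = 'C:\AppLocker\workstations-policy.xml'   # assumed exported AppLocker policy
$domainDc  = 'dc1.corp.example'                        # assumed domain controller

# Create the GPO if it does not exist yet; it stays unlinked until rules are complete.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'AppLocker rules only; user settings disabled'
}

# AppLocker lives under Computer Configuration, so the user side is dead weight
# and can be switched off to shorten Group Policy processing on the clients.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Write the AppLocker policy directly into the GPO via its LDAP path.
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap "LDAP://$domainDc/$($gpo.Path)"

# Link to the computer OU but leave the link disabled until testing is finished.
$existingLink = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled No | Out-Null
}

Get-GPO -Name $gpoName | Select-Object DisplayName, Id, GpoStatus
```

Because the link is created with `-LinkEnabled No`, nothing reaches the workstations until the link is enabled explicitly, which matches the advice in the next tip to keep incomplete policies from applying.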

2. Test before deploying.

Always try your AppLocker policies in a test environment before using them in your production network. You wouldn’t want to create a policy, only to discover later that a key application is being blocked from running. When creating AppLocker GPOs for production, disable them until you’ve configured all your AppLocker rules. This will prevent incomplete policies from being applied by Group Policy to computer accounts in the OUs linked to these GPOs. Before you enable the GPOs, configure AppLocker so that it runs in Audit Only enforcement mode, which allows you to use Event Viewer to see the result of applying the policy without actually restricting anything on the target systems.
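As an added example (not from the article), this PowerShell does the Event Viewer review the tip refers to in script form. In Audit Only mode AppLocker logs what it would have blocked instead of blocking it: event 8003 in the "EXE and DLL" log and event 8006 in the "MSI and Script" log. The script collects those events from a test machine over an assumed seven-day window and groups them by file so a single noisy application does not hide the rest.

```powershell
# Added example (not from the article): summarise what AppLocker *would* have
# blocked while the policy runs in Audit Only mode on this test machine.
# Event 8003 (EXE/DLL) and 8006 (MSI/script) are the audit-mode "would block" events.
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)
$since = (Get-Date).AddDays(-7)   # assumed review window

$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8006; StartTime = $since } `
                 -ErrorAction SilentlyContinue
}

# Pull the file path, user SID and hash out of the event's UserData block.
$report = $events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time = $_.TimeCreated
        Log  = $_.LogName
        File = $d.FilePath
        User = $d.TargetUser
        Hash = $d.FileHash
    }
}

# One line per file: how often it ran and which users ran it.
$report | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run it after the policy has refreshed on the test machine (`gpupdate /force`) and after users have exercised their normal workload; every file listed is something the policy would block once enforcement is switched on, so each needs either a rule or a conscious decision to block it.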

3. Think “whitelist.”

AppLocker is the successor to Software Restriction Policies (SRP) found in earlier Windows versions. SRP was limited in that it could only be used to blacklist applications or scripts. While AppLocker still allows you to blacklist apps or scripts by creating Deny rules, it also lets you create Allow rules to whitelist which apps or scripts are allowed to be installed or run. Build a whitelist of all apps and scripts that users of the targeted systems should be allowed to install or run.

4. Create default rules first.

Begin configuring an AppLocker policy by creating the default rules, which are needed in order for Windows itself to run on the targeted computers. The default AppLocker rules allow applications and scripts within the Windows and Program Files folders to run, and they also allow the built-in Administrator account to install or run any program or script in any location. Always do this first; if you don’t, Windows won’t run on the computers targeted by the policy.
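This is an added example, not the article's or Microsoft's code, showing what the default EXE rules look like as AppLocker policy XML and how to apply them locally in Audit Only mode. Everyone (S-1-1-0) may run what is under the Windows and Program Files folders, and BUILTIN\Administrators (S-1-5-32-544) may run anything. Rule GUIDs are generated on the fly, on the assumption that any unique GUID is acceptable; the scratch file path is a placeholder.

```powershell
# Added example (not from the article): build the three default EXE rules as
# AppLocker XML, set the collection to AuditOnly, and apply it to the local machine.
# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
Import-Module AppLocker

function New-DefaultRuleXml {
    param([string]$Name, [string]$Path, [string]$Sid)
    $id = [guid]::NewGuid().ToString()   # assumption: any unique GUID is accepted
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$rules = @(
    New-DefaultRuleXml -Name '(Default Rule) All files located in the Program Files folder' -Path '%PROGRAMFILES%\*' -Sid 'S-1-1-0'
    New-DefaultRuleXml -Name '(Default Rule) All files located in the Windows folder'       -Path '%WINDIR%\*'       -Sid 'S-1-1-0'
    New-DefaultRuleXml -Name '(Default Rule) All files'                                      -Path '*'                -Sid 'S-1-5-32-544'
) -join "`n"

# EnforcementMode="AuditOnly" logs would-be blocks instead of blocking (tip 2).
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = "$env:TEMP\applocker-defaults-audit.xml"   # assumed scratch path
Set-Content -Path $xmlPath -Value $policy -Encoding UTF8

# Apply locally. AppLocker only audits or enforces while the Application
# Identity service (AppIDSvc) is running, so make sure it starts with Windows.
Set-AppLockerPolicy -XmlPolicy $xmlPath
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Confirm the collection is in audit mode before going any further.
(Get-AppLockerPolicy -Local).RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode
```

Only the Exe collection is shown; the Windows Installer, Script and DLL collections have their own default rules and must be handled the same way if you enable them, because a collection with rules but no default rules blocks everything it covers.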

5. Establish publisher rules.

Create publisher rules whenever possible, because only publisher rules can use digital signatures to specify which programs can run or be installed on a system. If some programs on the targeted systems aren’t digitally signed, your best option is to set up an internal Certification Authority for your environment and sign the files before you install or copy them to the target systems. If this isn’t feasible, create hash rules for these files instead.
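The PowerShell below is an added example (not the article's or Microsoft's code) for this tip: it inventories an application folder, reports which binaries lack a valid Authenticode signature (those can only ever get hash rules, or need to be signed first), then generates Allow rules that prefer a publisher rule and fall back to a hash rule per file, and finally checks the candidate policy against every inventoried file. The application folder and output path are assumed placeholders.

```powershell
# Added example (not from the article): signed vs. unsigned inventory, then
# publisher-first rule generation with hash fallback. Paths are assumed.
Import-Module AppLocker

$appDir = 'C:\Program Files\Contoso App'   # assumed application folder

# 1. Which files carry a valid Authenticode signature?
$files = Get-ChildItem -Path $appDir -Recurse -Include *.exe, *.dll, *.msi, *.ps1, *.bat, *.vbs
$signatures = $files | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File   = $_.FullName
        Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}
$unsigned = @($signatures | Where-Object { $_.Status -ne 'Valid' })
"Files without a valid signature (will get hash rules): {0}" -f $unsigned.Count
$unsigned | Format-Table Status, File -AutoSize

# 2. Generate Allow rules for Everyone. The order of -RuleType is the preference
#    order: a publisher rule where the file is validly signed, a hash rule otherwise.
$info     = Get-AppLockerFileInformation -Directory $appDir -Recurse
$rulesXml = "$env:TEMP\contoso-app-rules.xml"   # assumed output path
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $rulesXml -Encoding UTF8

# 3. Every inventoried file must be allowed by the candidate policy; anything
#    else here means a file the generator skipped.
Test-AppLockerPolicy -XmlPolicy $rulesXml -Path $files.FullName -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table PolicyDecision, FilePath -AutoSize
```

The signature report is the useful part for the signing decision: a file whose status is `NotSigned` is a candidate for signing with your internal CA, while `HashMismatch` means the binary was altered after signing and should be investigated rather than whitelisted.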

6. Maintain AppLocker policies.

Once you’ve created and deployed AppLocker policies, you’ll need to update them as new or updated versions of applications and scripts are deployed to the targeted systems, or when older applications are no longer allowed to run on these systems.
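As an added example (not from the article), the following PowerShell is a maintenance pass for the situation this tip describes. After a new application version lands on a test machine, it snapshots the policy the machine is actually enforcing, tests the deployed files against it, and merges newly generated rules into the GPO only for files that would be blocked. The application folder and the GPO's LDAP path are assumed placeholders.

```powershell
# Added example (not from the article): find which files of an updated
# application the effective policy would block, and merge rules for just those
# into the AppLocker GPO. Paths and the GPO LDAP string are assumed placeholders.
Import-Module AppLocker

$appDir    = 'C:\Program Files\Contoso App'   # assumed, freshly updated application
$gpoLdap   = 'LDAP://dc1.corp.example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example'
$effective = "$env:TEMP\effective-policy.xml"
$newRules  = "$env:TEMP\contoso-update-rules.xml"

# Snapshot the merged result of local policy plus every applied GPO.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effective -Encoding UTF8

$files   = Get-ChildItem -Path $appDir -Recurse -Include *.exe, *.dll, *.msi
$blocked = @(Test-AppLockerPolicy -XmlPolicy $effective -Path $files.FullName -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' -and $_.PolicyDecision -ne 'AllowedByDefault' })

if ($blocked.Count -eq 0) {
    'Updated application is fully covered by existing rules; nothing to merge.'
    return
}

'Files not covered by the current policy:'
$blocked | Format-Table PolicyDecision, FilePath -AutoSize

# Rules only for the uncovered files, merged into (not replacing) the GPO policy.
$info = $blocked | ForEach-Object { Get-AppLockerFileInformation -Path $_.FilePath }
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $newRules -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $newRules -Ldap $gpoLdap -Merge
```

The `-Merge` switch is what keeps this safe to repeat: without it, `Set-AppLockerPolicy` replaces the GPO's whole AppLocker policy with the handful of rules just generated, including dropping the default rules from tip 4. Retiring an application is the reverse: remove its rules from the exported policy, reapply without `-Merge`, and run the same test to confirm nothing else lost coverage.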

Mitch Tulloch is lead author of the Windows 7 Resource Kit from Microsoft Press. Learn more about him at his website www.mtit.com.