Tactical Advice

Windows AppLocker’s Lockdown Limitations

Learn the cans and can’ts of this Windows authorization and prevention program.
Windows AppLocker’s Lockdown Limitations

Windows AppLocker is a feature of Windows 7 and Windows Server 2008 R2 that lets administrators control what types of programs are allowed to run on users’ PCs. AppLocker can be centrally managed by configuring Group Policy and has several benefits, including preventing users from installing unauthorized applications and preventing certain kinds of malware from installing in an environment. AppLocker can also help organizations ensure compliance with government or industry sector security requirements.

Companies that need tips on how to plan and implement AppLocker effectively can consult an earlier BizTech story, which outlines a few best practices. But a lot of IT shops still have some confusion about what AppLocker can and can’t do. The following points briefly explore the limits of AppLocker by describing five things that AppLocker can’t do.

AppLocker Can't: Deal with 16-Bit Apps

Some organizations are still relying on legacy 16-bit applications. While it’s best to migrate business functions away from 16-bit programs as soon as possible, cost considerations and an “if it ain’t broke, don’t try to fix it” attitude can cause organizations to try and get one more mile out of these legacy programs.

If you’re using the 32-bit version of Windows 7, then AppLocker can’t be used to prevent installation of specific 16-bit programs. However, because 16-bit programs are actually loaded by NTVDM.EXE, AppLocker can be used to block execution of these programs by locking down NTVDM.EXE. But then keep in mind that 16-bit programs won’t be able to run on the system, including those needed to run your business. If using the 64-bit version of Windows 7, then obviously this isn’t an issue because 16-bit programs can’t run on this platform.

AppLocker Can't: Hold the WSF Scripts

AppLocker can be used to prevent certain kinds of scripts from running on users’ PCs. Specifically, it can control the execution of:

  • VBScript (.VBS)
  • JavaScript (.JS)
  • Windows PowerShell (.PS1)
  • batch scripts (.BAT)
  • Windows command line scripts (.CMD)

But what about Windows Script File (.WSF)? Unfortunately AppLocker rules can’t be used to control .WSF scripts. It also can’t be used to lock down macros and other Active content embedded within Word documents or Excel spreadsheets.

AppLocker Can't: Control Arbitrary File Extensions

AppLocker also can’t lock down arbitrary file extensions such as .PL, for Perl scripts. Therefore, an AppLocker rule cannot be created to block execution of Perl scripts, but it can be used to block installation or execution of a specific Perl script interpreter, if needed.

The reason .PL scripts can’t be blocked is because of how AppLocker works. It’s the responsibility of the script interpreter to call in to AppLocker before running a script to make sure any AppLocker policies are enforced. For example, if you create an AppLocker policy to block execution of .VBS scripts, it’s the responsibility of the VBScript interpreter (VBSCRIPT.DLL) to call in to AppLocker before running a .VBS file to ensure the policy is enforced.

Similarly, Windows batch files (.BAT) run within the context of the Windows Command Host (CMD.EXE), and it’s the responsibility of this Command Host to call in to AppLocker before running a batch file to make sure AppLocker rules are enforced. Third-party Perl script interpreters, however, generally aren’t designed to use AppLocker application programming interfaces, so that’s why an AppLocker rule can’t be created to block .PL scripts from running on computers.

AppLocker Can't: Handcuff Local Admins

AppLocker cannot lock down PCs if the users of those PCs have local administrator privileges on those machines. As Figure 1 illustrates, the Local Group Policy Editor on a Windows 7 machine can be used to configure AppLocker rules at the Local Group Policy Object level. If the computer is domain-joined and Group Policy is applied, the domain-based AppLocker policy and local AppLocker policy are both applied in an additive fashion.

AppLocker can be configured at the local security policy level

Figure 1: AppLocker can also be configured at the local security policy level on each Windows 7 computer.

The bottom line is, local admins rule their systems, and they can circumvent any security controls instituted at the domain level. Fortunately, with User Account Control, users of Windows 7 computers no longer need to be local admins on their machines in order to perform work-related tasks. So if you haven’t upgraded your PCs from Windows XP to Windows 7, consider making users standard users instead of local admins in the upgraded environment.

AppLocker Can't: Keep a Handle on All Virtual Machines

Think of Windows 7 as a kind of matryoshka doll — those wooden Russian nesting dolls that open to reveal smaller dolls inside. The allusion here is to Windows Virtual PC, which allows a separate virtual Windows environment to run, such as Windows XP Mode, as a guest on your host machine (a Windows 7 PC).

But what if AppLocker policies are being applied to a host computer? Will those policies automatically be applied to a guest such as Windows XP Mode, which is running within a host environment?

The answer is no, they won’t. AppLocker policies applied to a host machine won’t automatically be applied to any virtual machines running on the host. However, if the guest operating system is joined to the same Active Directory domain, then Group Policy, and therefore AppLocker policies, can also be applied to the guest (but may not, depending on how the administrator has configured it).

To learn more about AppLocker, go to the Windows Server TechCenter Library on Microsoft TechNet.

Sign up for our e-newsletter

About the Author

Mitch Tulloch

Mitch Tulloch

Mitch Tulloch is a Microsoft Most Valuable Professional and lead author of the Windows 7 Resource Kit from Microsoft Press. You can follow him on Twitter at @MitchTulloch or friend him on Facebook at http://www.facebook.com/mitchtulloch.

Security

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
Tools to Maintain Mobile Sec... |
Far-flung devices pose serious challenges, but a variety of technologies can help protect...

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...
XP-iration Date: Today Is th... |
It’s officially lights out for Windows XP as an operating system. Here’s how the world is...