2.7 Miscellaneous Windows 7 Features

2.7.1 AppLocker (part 1)

By Val Bakh

AppLocker, a new type of application control policy (ACP) in Group Policy, has been introduced in Windows 7 (and Windows Server 2008 R2) and replaces the legacy software restriction policies. AppLocker is located in the Application Control Policies folder of a Group Policy object (GPO); there is nothing else in this folder. Microsoft may add other types of ACPs in future Windows versions, but for now AppLocker is the only ACP.
AppLocker is a computer-specific policy and works only in the Enterprise and Ultimate editions of Windows 7. The AppLocker node is present in Windows 7 Professional and can be configured there, but it does not work: the operating system ignores any AppLocker policies in any GPOs that target the computer.
An AppLocker policy can contain four rule collections: executable, Windows Installer, script, and DLL. Each collection can contain zero or more rules of the same type, and each rule specifies the criteria that determine whether files of the corresponding type are allowed to run. Rules target applications through publisher conditions, path conditions, or file hash conditions, and each rule applies to a specific security principal, either a user or a group. Initially, when no AppLocker rules have been created, everyone is allowed to run all applications. Once a rule has been created in a collection, only the users or groups designated by the rules in that collection can run files of that collection's type. If the first executable rule you create in a GPO is a Deny rule, then no one can run any applications on the computers targeted by the GPO. You should therefore ensure that rules are configured in a way that lets the operating system on the targeted computers keep working. Microsoft offers optional preconfigured default rules that can be used to prevent accidental lockdowns. The default executable rules allow members of the local Administrators group to run any application and allow standard users to run applications located in the Windows and Program Files folders.

The Application Identity service must be running for the rules to take effect on the targeted computer. By default, it is not running; it must be started manually, which prevents an accidental lockdown. Microsoft recommends that this service be set up to start automatically in at most one of the GPOs that have AppLocker policies. Multiple GPOs can target the same computer, so all AppLocker rules within those GPOs will be combined and implicitly enforced. To set explicit enforcement settings, right-click the AppLocker node within a GPO and choose Properties. You can set enforcement settings for each rule collection on the Enforcement tab of the AppLocker Properties dialog box.
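The following PowerShell script is an added example, not code from the article or from Microsoft: it builds a policy file that reproduces the three default executable rules just described, dry-runs it with Test-AppLockerPolicy against a file under the Windows folder and a copy of the same file outside it (for a standard user and for an administrator), makes sure the Application Identity service will be running, and applies the policy to the local computer only when run with -Apply. The policy file location and the copied test binary are choices made for this example; it assumes an elevated PowerShell session on Windows 7 Enterprise/Ultimate or Windows Server 2008 R2.

```powershell
# Added example (not from the article): default-style executable rules, a dry run,
# the Application Identity service, and an opt-in local apply.
# Assumptions: elevated PowerShell on Windows 7 Enterprise/Ultimate or Server 2008 R2;
# the policy file path and the copied test binary are choices made for this example.
param([switch]$Apply)

Import-Module AppLocker

$PolicyPath = Join-Path $env:TEMP 'exe-default-rules.xml'   # assumed location

# The three default executable rules as the article states them: the local
# Administrators group may run anything, Everyone may run what lives under the
# Windows folder and the Program Files folder. Well-known SIDs are used so the
# rules do not depend on localized group names.
$DefaultExeRules = @(
    @{ Name = 'Administrators: all files'; Sid = 'S-1-5-32-544'; Path = '*' }
    @{ Name = 'Everyone: Windows folder';  Sid = 'S-1-1-0';      Path = '%WINDIR%\*' }
    @{ Name = 'Everyone: Program Files';   Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' }
)

# Emit AppLocker policy XML for one Exe rule collection made of Allow path rules.
function New-ExePathPolicyXml {
    param([hashtable[]]$RuleSet, [string]$EnforcementMode = 'Enabled')
    $ruleXml = foreach ($r in $RuleSet) {
        $id = [guid]::NewGuid()   # rule Ids are arbitrary GUIDs
        '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' -f $id, $r.Name, $r.Sid
        '      <Conditions><FilePathCondition Path="{0}" /></Conditions>' -f $r.Path
        '    </FilePathRule>'
    }
    @(
        '<AppLockerPolicy Version="1">'
        ('  <RuleCollection Type="Exe" EnforcementMode="{0}">' -f $EnforcementMode)
        $ruleXml
        '  </RuleCollection>'
        '</AppLockerPolicy>'
    ) -join "`r`n"
}

Set-Content -Path $PolicyPath -Value (New-ExePathPolicyXml -RuleSet $DefaultExeRules) -Encoding UTF8

# Dry run before anything is enforced. notepad.exe sits under %WINDIR%, so Everyone
# may run it; the same binary copied into the user's temp folder matches no
# Everyone rule and is Denied for a standard user, while an administrator is
# covered by the '*' rule. A Denied decision on something users need is the
# "accidental lockdown" caught before the policy is applied.
$Outside = Join-Path $env:TEMP 'copied-notepad.exe'   # constructed test file
Copy-Item "$env:WINDIR\notepad.exe" $Outside -Force
$Samples = @("$env:WINDIR\notepad.exe", $Outside)
foreach ($sid in 'S-1-1-0', 'S-1-5-32-544') {
    "Decisions for $sid"
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Samples -User $sid |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Rules have no effect until the Application Identity service runs; it is off by default.
$svc = Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'"
if ($svc.StartMode -ne 'Auto') { Set-Service -Name AppIDSvc -StartupType Automatic }
if ($svc.State -ne 'Running')  { Start-Service -Name AppIDSvc }

if ($Apply) {
    # Replaces the local AppLocker policy (add -Merge to combine with an existing one).
    Set-AppLockerPolicy -XmlPolicy $PolicyPath
    Get-AppLockerPolicy -Effective -Xml
}
```

Run it once without -Apply and read the two decision tables; only when every file a standard user legitimately needs shows Allowed should it be run again with -Apply. To write the same policy into a domain GPO instead of the local computer, Set-AppLockerPolicy takes -Ldap with the GPO's LDAP path (a placeholder such as "LDAP://<GPO distinguished name>" stands in for your own value).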
If you enable the Configured option for a collection, two enforcement options become available. If you choose Enforce rules, the rules of the collection are enforced. If you choose Audit only, the rules are evaluated and the AppLocker log records the resulting events, but the rules do not affect the ability of users to run applications. Explicit enforcement settings always prevail over implicit enforcement, and any conflicts between explicit settings in different GPOs are resolved according to the GPO precedence rules. This was a brief overview of AppLocker's core functionality. Next month, we'll look at some interesting AppLocker usage scenarios.
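As an added example (not code from the article), the script below shows the explicit enforcement setting from the PowerShell side and what the Audit only mode is for: it switches the executable rule collection of the local policy to Audit only, re-applies it, and then summarises the audit events, that is, the files users actually ran that the policy would have blocked had it been enforced. It assumes an elevated session on Windows 7 Enterprise/Ultimate or Windows Server 2008 R2, an existing local policy with an executable collection, and the Application Identity service running; the output file location is a choice made for this example.

```powershell
# Added example (not from the article): explicit enforcement mode via the policy
# XML, and a summary of the AppLocker audit log.
# Assumptions: elevated PowerShell on Windows 7 Enterprise/Ultimate or Server 2008 R2,
# a local policy that already has an Exe rule collection, Application Identity running.
Import-Module AppLocker

# Rewrite the EnforcementMode attribute of the Exe collection in the local policy.
# In the XML, the Enforcement tab's choices appear as NotConfigured, Enabled
# ("Enforce rules") and AuditOnly ("Audit only").
function Set-ExeEnforcementMode {
    param(
        [ValidateSet('NotConfigured', 'Enabled', 'AuditOnly')][string]$Mode,
        [switch]$Apply
    )
    [xml]$policy = Get-AppLockerPolicy -Local -Xml
    $exe = @($policy.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq 'Exe' }
    if (-not $exe) { throw 'The local policy has no executable rule collection.' }
    $exe.SetAttribute('EnforcementMode', $Mode)
    $out = Join-Path $env:TEMP "exe-$Mode.xml"   # assumed location
    $policy.Save($out)
    if ($Apply) { Set-AppLockerPolicy -XmlPolicy $out }
    return $out
}

# In Audit only mode, each run that the rules would have stopped is written to the
# "EXE and DLL" AppLocker log as event 8003 ("allowed to run but would have been
# prevented from running if the AppLocker policy were enforced"). Group those by
# file so the rule set can be tuned before switching to Enforce rules.
function Get-AppLockerAuditSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$x = $_.ToXml()                       # file path and user live in UserData
        $d = $x.Event.UserData.RuleAndFileData
        New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            FilePath = $d.FilePath
            User     = $d.TargetUser               # SID of the user who ran the file
        }
    }
    $hits | Group-Object FilePath | Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'FilePath'; e = { $_.Name } },
                      @{ n = 'Users';    e = { ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ', ' } },
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
}

# Usage: audit first, review what would have been blocked, then enforce.
Set-ExeEnforcementMode -Mode AuditOnly -Apply
Get-AppLockerAuditSummary -Days 7 | Format-Table -AutoSize
# When the summary lists only files that should be blocked:
# Set-ExeEnforcementMode -Mode Enabled -Apply
```

The summary is the practical reason to start in Audit only: a line for a line-of-business application under a user profile folder means a missing Allow rule, while a line for a downloaded tool confirms the policy is doing its job, and neither has stopped anyone working yet.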