Understanding Windows 7 AppLocker


Our guest blogger is Daniel Nerenberg. He is an MCT, MCSA, MCSE, MCTS, MVP, STEP Member and an independent consultant based in Montreal. He is also the President of the Montreal IT pro user group. Daniel has written and consulted on the topics of Windows deployment, application virtualization, and Windows infrastructure.

Windows 7 RTM has been available for just a few weeks now, but already IT Pros everywhere are diving into its great new features. One of the more exciting features introduced in Windows 7 is AppLocker. Many of you know about Software Restriction Policies (SRP): they allow you to block the execution of a program by file name or by hash. You probably also know what a race it was to block applications on your network with these methods. Users could change the name of the file, or applications updated so frequently that you constantly needed to generate new hashes.

AppLocker works under the premise that it’s easier to allow the applications you want, and block the rest. If you’re running a Windows 7 machine you can see AppLocker by typing gpedit.msc into your search bar and pressing enter.


You can define policies based on executables, Windows installers, and scripts. Creating a new policy is simple. Right-click on any of the 3 categories and click Create New Rule.


You can create a policy to allow or deny an executable. You can also select which groups the rule will apply to.


You can choose to create a rule based on a publisher (the program needs to be signed), a program path, or a file hash (usually a good choice if the program isn’t signed).


For this example I chose publisher. The Rule Wizard uses the information stored in the application's signing certificate to learn about the application. You can adjust how specific the rule is, from the publisher alone down to a particular version.

In the above example the policy will only allow Internet Explorer 8.0.0.0 and above to run on the computer.
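What the wizard writes behind the scenes is an XML policy. The following PowerShell is an added example, not code from the original post: it hand-writes the same "Internet Explorer 8.0.0.0 and above" publisher rule using the AppLocker policy schema, saves it, and uses Test-AppLockerPolicy to report which sample files that policy would allow. The rule ID, the file paths and the publisher strings are assumptions for illustration; Get-AppLockerFileInformation prints the exact strings for the signed file on your machine.

```powershell
# Added example (not from the original post): a hand-written AppLocker publisher
# rule equivalent to the wizard's "Internet Explorer 8.0.0.0 and above" rule.
# Needs the AppLocker module (Windows 7 Enterprise/Ultimate) and an elevated prompt.
Import-Module AppLocker

# Publisher strings must match the signing certificate exactly; read them from
# the real binary instead of typing them from memory.
$ieInfo = Get-AppLockerFileInformation -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe"
$ieInfo.Publisher | Format-List   # PublisherName, ProductName, BinaryName, BinaryVersion

# Assumed values below; replace them with what the command above prints.
$rule = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="2a2a2a2a-0000-4000-8000-000000000001"
                       Name="Allow Internet Explorer 8 and later"
                       Description="Publisher rule with a version floor of 8.0.0.0"
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="INTERNET EXPLORER"
                                BinaryName="IEXPLORE.EXE">
          <!-- LowSection is the minimum version; "*" in HighSection means "and above" -->
          <BinaryVersionRange LowSection="8.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'ie-publisher-rule.xml'
$rule | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: which of these files would the policy allow for Everyone?
# Test-AppLockerPolicy evaluates the XML only; nothing is applied to the machine.
$samples = @(
  "$env:ProgramFiles\Internet Explorer\iexplore.exe",  # signed by the publisher: Allowed
  "$env:SystemRoot\System32\notepad.exe"               # no matching rule: Denied once enforced
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
  Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
```

The S-1-1-0 SID is the Everyone group. Note the consequence of the "allow what you want, block the rest" premise: once an enforced Exe collection contains any rule, every executable without an allow rule in that collection is denied, which is why the example keeps EnforcementMode at AuditOnly and tests the files users actually need before enforcing.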

You can use the same steps to create exceptions for specific applications. One of the more convenient features is the ability to automatically generate rules. If you right-click on any of the 3 categories and click Automatically Generate Rules, you can quickly generate a list of rules based on the applications that are already installed on the computer (saving you a lot of work to get going with AppLocker!).


In this example the wizard scans the applications in the Program Files directory and creates rules that allow those programs to run. This is perfect for quickly creating a baseline set of rules for the applications on a gold image or in a Group Policy object.
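The same baseline scan can be scripted. This PowerShell is an added example, not part of the original post: it inventories the executables under Program Files, generates publisher rules with hash rules as a fallback for unsigned files, switches every rule collection to audit-only, and applies the result to the local policy. The output paths and the rule name prefix are assumptions.

```powershell
# Added example (not from the original post): scripted equivalent of the
# "Automatically Generate Rules" wizard, applied locally in audit mode.
Import-Module AppLocker

# Inventory executables under Program Files. Add -FileType Dll,Script,WindowsInstaller
# to widen the scan to the other rule collections.
$files = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe

# Publisher rules for signed files, hash rules for the rest. -Optimize collapses
# files that share a publisher/product into one rule; -Xml returns the policy text.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
          -RuleNamePrefix 'Baseline' -Optimize -Xml

# Start in AuditOnly: launches are logged but nothing is blocked yet.
[xml]$policy = $xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$out = Join-Path $env:TEMP 'applocker-baseline.xml'   # assumed output path
$policy.Save($out)

# Apply to the local policy; -Merge keeps rules that are already present instead
# of replacing them. Use -Ldap "LDAP://..." to write into a GPO instead.
Set-AppLockerPolicy -XmlPolicy $out -Merge

# AppLocker only audits or enforces while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Keep a copy of what is now in effect (local plus domain policy).
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'applocker-effective.xml')
```

Publisher rules survive application updates; hash rules do not, so every hash rule the scan produces for an unsigned program is a rule you will be regenerating after each update, exactly the SRP chore the post describes. Review the generated list for path rules pointing at directories users can write to before enforcing.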

So to summarize, AppLocker lets you choose, from a high level (publisher) down to a granular level (version), which applications users may run (whitelisting) rather than creating long lists of applications they cannot use (blacklisting).

15 Comments
  • 7flavor
    352 Posts

    @Stephen L Rose, but Basic user level introduced in Vista doesn't work for SRP in Professional?

  • danieln
    2 Posts

    So I understand what you’re saying about software restriction policies (SRP) offering the same possible functionality, but keep in mind what would be required. Once you have created the deny all you now have to create a policy to allow each individual application to run. There is a big difference between what is possible to do and what is effective to do.

    With AppLocker you have much more granular control over the certificate policy. You also have a set of tools that allow you to quickly create the required rules to use an allow list philosophy. These are all new features in Windows 7.

  • c3fly
    1 Posts

    Is there a way to import a hash into an AppLocker policy? In this case, I only have the hash, not the actual executable, and I want to deny access to this .exe.

    Thanks!

  • Daniel, I understand what you're saying, i.e. that a whitelist is better than a blacklist, and I agree with that. However, this functionality isn't new to Windows 7; it's been around since Windows XP. For instance, take a look at this article on the Microsoft website:

    technet.microsoft.com/.../bb457006.aspx

    "A more secure approach is to set the default rule to Disallowed and specify only the programs that are known and trusted to run."

    Similarly, you can identify software from a particular publisher in XP, although the SRP uses different terminology for that ("Certificate rule" rather than "Publisher rule"). In other words, both things that you listed as advantages of AppLocker already exist!

    I'm certainly not an expert in SRP or AppLocker, but I do think there are some key advantages to AppLocker.

    1) It supports "audit only" mode. That means that you can set up your rules and keep an eye on Event Viewer to see whether any valid programs would have been blocked before you actually turn on the rules. That's certainly easier than turning on the rules and waiting for error messages to appear.

    2) I haven't been able to get certificate rules working properly in SRP. The trusted publishers are fine for Office macros, but they don't allow extra programs to run. In AppLocker, the publisher rule does the job nicely. This may just mean that I was doing it wrong (rather than the software being broken), but at the very least it's easier to use.

    3) In SRP, you get errors if you try to run programs from the Start menu, even when they're in a trusted location, as described here:

    blogs.technet.com/.../software-restriction-policies-and-powershell-code-signing.aspx

    In AppLocker, that's not a problem.

    Once I've investigated AppLocker in more detail I'll write my own blog entry about it. For now, I'm concerned that a Microsoft blog is giving out misinformation.
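The audit-only workflow mentioned in the comment above, as an added example that is not part of the original post or of any commenter's text: the script reads the AppLocker event log and summarises which files would have been blocked (event 8003 in audit mode, 8004 when enforced) and by which users, so missing rules can be added before enforcement is turned on. The seven-day window is an assumption.

```powershell
# Added example (not from the original post): review AppLocker audit events.
# 8003 = audit-only, would have been blocked; 8004 = blocked (enforced);
# 8002 = allowed. This log covers the Exe and Dll collections; scripts and
# installers have their own logs under Microsoft-Windows-AppLocker.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
$since = (Get-Date).AddDays(-7)   # assumed review window

# Get-WinEvent throws when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8004; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # AppLocker stores its details as UserData/RuleAndFileData; dump $e.ToXml()
    # if the element names differ on your build.
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = $d.TargetUser    # SID of the user who launched the file
        FilePath  = $d.FilePath      # %PROGRAMFILES%\... style path
        Publisher = $d.Fqbn          # fully qualified binary name; "-" if unsigned
    }
}

# One line per distinct file: how often it would have been blocked, and for whom.
$rows | Group-Object FilePath | Sort-Object Count -Descending |
  Select-Object Count, Name,
    @{ n = 'Users'; e = { ($_.Group | Select-Object -ExpandProperty User -Unique) -join ', ' } } |
  Format-Table -AutoSize
```

Files that show up here with a signed publisher are candidates for a publisher rule; unsigned ones need a hash rule or, better, a signed replacement. Entries that are not business applications are the things the policy is meant to stop, and they need no rule at all.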

  • danieln
    2 Posts

    Hello everyone, first a big thanks for taking the time to read the blog post, and also to the folks who manage the Windows Team Blog for posting my article.

    To reply to some of the previous comments

    newscientist2000:

    Using the publisher condition (when you create the AppLocker rule) you can specify the version of the software you are allowing, and whether you will allow future versions or even previous versions. It's very flexible and makes dealing with the scenario you mentioned very easy.

    johnckirk:

    Yes you can also set it up as a block list in that you can create rules that specifically deny software. This can be useful in the event you want to block a particular vendor's software for a particular class of user. (ex: you don't want receptionists installing expensive graphics editing software)

    The idea is that in the majority of scenarios this philosophy of blocking applications will tend to lead to a cat and mouse game, whereby administrators are always chasing after users, trying to block the software download of the day.

    Using the allow list approach typically leads to a lot less administrator overhead, and fewer aching heads ;) In the end, the technology is designed to give you a great set of choices to suit the widest possible set of needs. In this case I think Microsoft did a terrific job!

  • lollht

    AppLocker is available in the Enterprise SKU and above.

  • 7flavor

    SRP is available in the Windows 7 Professional SKU and above. AppLocker is in the Windows 7 Enterprise SKU and above.

  • omgbbq
    26 Posts

    Can someone point to a site which has some price estimates for a small number (maybe 10-20) of copies of the Enterprise version? I've been googling for a while, and I can't even get a ballpark. AppLocker sounds great, but it sounds like a lot will miss out on it since it's not a part of the Professional edition, unless of course Enterprise is a really good deal.

  • miek
    2 Posts

    This will be in the Enterprise and Ultimate editions only. For a chart of versions and features check this out: en.wikipedia.org/.../Windows_7_editions

  • lollht
    44 Posts

    Is this an Ultimate Extra or will it be in all eight or nine versions of Windows 7?

  • I'm not sure whether the author realises this, but Software Restriction Policies also allow you to operate a whitelist rather than a blacklist. In GPO, go to:

    Windows Settings\Security Settings\Software Restriction Policies\Security Levels

    then right-click "Disallowed" and click "Set as default". Initially, "Unrestricted" is the default.

    Also, a request - if you provide screenshots, could the hyperlinked versions be a bit bigger? I can see why you want small ones in the main body of the article, but it would be nice to get full size dialog boxes in a separate tab, rather than having to squint at something.

  • hitmouse
    96 Posts

    When is the Windows Team Blog going to fix its software? The error below has been recorded for months!! It's hardly a good advertisement for Microsoft services...

    "Sorry, there was a problem with your last request!

    Either the site is offline or an unhandled error occurred. We apologize and have logged the error. Please try your request again or if you know who your site administrator is let them know too."

  • hitmouse
    96 Posts

    It's a pity that you can't use policies to control when Windows Update does its downloads. In some countries ISPs have off-peak billing/download periods (for mine it's 2am-12noon) and it would be very helpful to have Update remain automatic but confine downloads to that period. At present you have to run it fully manually to accomplish this restriction, which is not ideal, especially for unskilled computer users (Windows Update options only allow you to specify install times, not download times).

    Microsoft treated this issue as "not repro"(?!?!) for the Windows 7 beta.

  • Wow, that's a long list of achievements "MCT,MCSA,MCSE,MCTS,MVP, STEP Member"; title aside, AppLocker seems like a great idea, certainly easier than blacklisting.

    I guess the real-world effectiveness of this method will be how programs which automatically update themselves behave with AppLocker rules in place. Perhaps AppLocker's configuration will make that easy to deal with; it's hard to tell as the screenshots are small?

  • 7flavor
    352 Posts

    Software Restriction Policies (which were implemented through Group Policy) were included in Vista Business and above. Now AppLocker (which is SRPv2 and also implemented through Group Policy) is not available in the Windows 7 Professional SKU. Do Vista Business/XP Pro users lose a feature again after upgrading to Windows 7 Professional? I am concerned especially because the Basic User level of SRPv1 doesn't work in any Windows SKU.