Posted By: Adam Bomb | Feb 25th, 2009 @ 9:31 AM | 23,241 Views | 7 Comments
Paul Cooke took time out to give me a tour and demo of AppLocker.
AppLocker is a new feature in Windows 7 that lets you manage which applications are allowed to run on a managed machine, using multiple techniques including whitelisting and blacklisting applications. It goes well beyond what is available today using Software Restriction Policies.
One of the slick features is the ability to use a machine as a reference: configure a machine with just the apps you want users to run, and AppLocker will automatically build a policy from that machine that you can deploy across your org. Very cool.

I thought you could already create a Certificate (Publisher in AppLocker) rule using existing Software Restriction Policies?

The rules you can create in SRPs are Certificate, Path, Hash and Internet Zone. So I am still trying to find what is so special here... It does seem simplified and easier, but is that really all?

Cheers.
Thanks for that. I'll check them out.

Cheers.
Well, it sounds great, but I'm really concerned about how easy this is going to be to work with.

I love the fact that there's an audit mode so I can discover what software is in use, but from everything I've seen and read, there are only two possible ways I can create a rule for an item.  I can either install the software I want to authorize on my network admin computer, or I can install the remote server administration tools on the client machines that have the software installed.

One of the suggestions I've read from Microsoft (and which is mentioned in the video) is that I create template machines, and use those to configure AppLocker rules before deploying them to our network.

The problem is that this simply doesn't scale as an admin model when it's applied to existing networks. We have over 143 applications in use on this network, on no fewer than 34 separate departmental setups. And that's not even counting the 120+ utilities we have on the IT computers to help us manage the network.

There is absolutely no way I'm going to install another 143 applications on this computer. Nor do I feel particularly inclined to create model clients for 34 separate departments. We already have group policy objects in place to deploy most of our software, and scripts for the few items that are tricky (namely DirectX and .NET 3.5). That work has already been done; why on earth would I want to repeat it?

Also, if I do go through the process of manually configuring all these programs, what if I miss one program?  Instead of being able to simply authorise it, I have to rebuild a spare machine with the template for that department, install the remote admin tools on that computer, and then authorise it.

Contrast this to other programs I've seen, such as Winternals Protection Manager (now owned by Microsoft).  You had the ability to react instantly to alerts from users, and immediately authorise that program.  If AppLocker has an audit mode, that should log *all* the information the server needs for me to be able to create rules based on any audited application.  There should be no need to do *anything* on the clients.  Authorising a blocked program should be as simple as browsing to the alert on the server, right-clicking on it and creating a rule.

In short, if I'm going to run an AppLocker server, I want to be able to administer it from the server.  Not from the clients.
Oh, and another point.

If I get an alert to say an application has been blocked, for the love of god, don't make me browse to the executable each time in addition to all the above.

When the alert already has the full path to the application logged, and the machine name it came from, there is absolutely no reason for me to jump through so many hoops to configure these rules.  That's exactly the kind of donkey work computers were invented to do.
One solution that I can think of would be to run RSAT on the admin computer while accessing the application files over SMB in order to scan and create rules for them. It should take considerably less time than installing all 143+ applications first.
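Both workflows discussed above (building rules from a reference install, and turning audit-mode events into rules without touching the clients) can be driven from the AppLocker PowerShell module that ships with Windows 7 and Server 2008 R2. The script below is an added example written for this page, not code from the post or from Microsoft; the reference directory, output file and GPO LDAP path are assumed placeholders.

```powershell
# Added example: derive AppLocker rules from (1) a reference directory and
# (2) audit-mode events already logged on this machine, then test and merge them.
# Run in an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.
Import-Module AppLocker

# ASSUMED placeholders: adjust to your environment.
$ReferenceDir = 'C:\Program Files\ApprovedApp'            # approved install to whitelist
$PolicyFile   = 'C:\Temp\AppLocker-Derived.xml'
$GpoLdapPath  = 'LDAP://dc01.example.com/CN={GUID-OF-TARGET-GPO},CN=Policies,CN=System,DC=example,DC=com'

# 1) Reference-machine style: collect file information for the executables and
#    DLLs in the approved install. Publisher rules are preferred because they
#    survive version updates; unsigned files fall back to hash rules.
$refFiles = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe, Dll

# 2) Audit-mode events: each 'Audited' event already carries the full path and,
#    where available, publisher and hash data, so rules can be built from the log
#    without installing the software on the admin workstation.
$audited = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited

# Build one policy from both sources. -Optimize collapses files from the same
# publisher into a single rule; -IgnoreMissingFileInformation skips entries that
# lack the data needed for the requested rule types instead of aborting.
$policyXml = New-AppLockerPolicy -FileInformation (@($refFiles) + @($audited)) `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Derived' `
    -Optimize -IgnoreMissingFileInformation -Xml
$policyXml | Out-File -FilePath $PolicyFile -Encoding UTF8

# Check before deploying: anything in the reference install that would still be
# denied under the new policy is listed here (e.g. a file the audit period never
# exercised and that has no publisher signature).
Get-ChildItem -Path $ReferenceDir -Recurse -Include *.exe, *.dll |
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone -Filter Denied, DeniedByDefault

# Merge the new rules into the existing GPO rather than replacing it. Review
# $PolicyFile first, and keep the GPO in audit mode until the denied list above
# stays empty across a full business cycle.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap $GpoLdapPath -Merge
```

The same event-log query can be run against a client's log collected by event forwarding, which is what makes it possible to author rules on the server rather than on each client.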
If I'm seeing this correctly, which I hope I am, Microsoft is providing the more tech-savvy among us the ability to prevent anything from executing that we don't want to. So in theory, this means no virus/malware/adware/spyware can execute either?

I may be incorrect in my understanding of AppLocker, but am I right in saying that this will make the computer extremely secure against these threats? It's wishful thinking, as there's always an exploit or backdoor of some description. I'd just like it if one of the more well-informed members out there could clarify this for me :]

I'm now installing Windows 7 x64 RC1 on my PC; let's just say I'm rather excited :]