
AppLocker Rule Types

You can create three types of AppLocker rules:

  • Hash rules Similar to the hash rules in Software Restriction Policies, this rule type identifies an executable by a cryptographic (SHA-256) hash of the file. Before running an executable, Windows 7 computes the file's hash and compares it with the hash in each hash rule to decide whether the rule applies. Any change to the file changes the hash, which makes the rule type strong but is also its weakness: hash rules must be updated every time an executable file is updated, so every version of an application, including each patch, requires its own hash rule.
  • Path Rules Similar to the path rules in Software Restriction Policies, this rule type identifies executables by their location. For example, you could create a path rule that allows the executable at C:\Windows\Notepad.exe to run. Because the rule never looks at the file content, an executable can be updated and still run, provided the path does not change.
    For the same reason, a path rule is only as strong as the permissions on that path: a user who can write to the allowed location can replace the legitimate executable, or drop a new one beside it, and run it successfully. Limit path rules to folders that standard users cannot modify.
  • Publisher Rules Although certificate rules in Software Restriction Policies provide some similar capabilities, publisher rules are more sophisticated because they let you create a rule for any combination of publisher, product name, file name, and file version. The publisher comes from the subject of the signing certificate; the other three come from the file's version resource, which the digital signature covers, so none of them can be altered without invalidating the signature. This rule type identifies executables based on the digital signature and the elements it protects, which also means it can only be applied to digitally signed files.

When creating AppLocker rules, you should always begin by creating the default rules. The default executable rules allow everyone to run all files in the Windows folder and the Program Files folder, and they allow members of the local Administrators group to run all programs. A rule collection that contains no rules blocks nothing, but as soon as it contains at least one rule and is enforced, AppLocker blocks every file of that type that is not explicitly allowed; without the default rules, that includes the operating system's own programs, so Windows would not run normally. Note that the default rules are path rules, so any subfolder of the Windows folder that standard users can write to is implicitly allowed as well; adding exceptions for such locations is a common hardening step.

Use Group Policy settings to configure AppLocker rules. AppLocker is configured in the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker node. Within the AppLocker node, there are subnodes to configure Executable Rules, Windows Installer Rules, and Script Rules (a DLL Rules subnode can be enabled on the Advanced tab of the AppLocker node's Properties). To create the default rules, right-click each subnode within the AppLocker node in the Group Policy Editor and then click Create Default Rules. Two further settings determine whether the rules have any effect: on the Enforcement tab of the same Properties dialog, each rule collection is set to either Enforce rules or Audit only, and on the client the Application Identity service must be running, because AppLocker performs no checks without it. Only Windows 7 Enterprise and Ultimate enforce AppLocker rules; other editions ignore them. Starting a rollout in Audit only mode and reviewing the AppLocker event log before switching to enforcement is the safest approach.
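The following script is an added example written for this page, not code from the original text or from Microsoft. It expresses the three default executable rules in AppLocker's policy XML, carves out two Windows subfolders that are commonly cited as writable by standard users, applies the policy locally in audit-only mode, and then reports what the policy would block. The rule GUIDs, the exception paths and the folder used for the dry run are assumptions for the example; the cmdlets are from the AppLocker module that ships with Windows 7 and must run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original page: default executable rules in
# audit-only mode, applied to the local computer. Rule GUIDs are made up for
# this example (the wizard generates its own); exception paths are assumed.
Import-Module AppLocker

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0001-4000-8000-000000000001"
                  Name="(Default Rule) All files located in the Program Files folder"
                  Description="Everyone may run anything under Program Files"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0002-4000-8000-000000000002"
                  Name="(Default Rule) All files located in the Windows folder"
                  Description="Everyone may run anything under Windows"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <!-- Hardening added for this example: subfolders standard users can write to
           must not inherit the allow rule. Audit these paths in your own environment. -->
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0003-4000-8000-000000000003"
                  Name="(Default Rule) All files"
                  Description="Members of the local Administrators group may run anything"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-defaults-audit.xml'   # assumed location
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply to the local computer. To target a domain GPO instead, add
# -Ldap "LDAP://<GPO distinguished name>" (assumed placeholder).
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry run: which executables in a user-writable folder does the policy not allow?
# DeniedByDefault means no rule matched at all; Denied means a deny rule matched.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule

# After users have run their normal workload: event 8003 = would have been blocked
# if enforced (audit mode); 8004 = was actually blocked (enforce mode).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Switching EnforcementMode from AuditOnly to Enabled is the only change needed to move from audit to enforcement; review the 8003 events first, because every one of them becomes a blocked program once the rules are enforced.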

The easiest way to generate rules for existing applications is to configure a Windows 7 reference computer with the applications your organization requires. Start the Group Policy Editor on that computer (to edit a domain GPO from it, install the Remote Server Administration Tools, available from the Microsoft Download Center at http://www.microsoft.com/downloads/, and connect to the domain). Then, follow these steps:

  1. Right-click the Executable Rules node and click Automatically Generate Rules. The Automatically Generate Executable Rules wizard appears.
  2. On the Folder And Permissions page, select the folder containing the executable files and the user or group to which the rules will apply, and assign a name prefix for the rules. Then click Next.
  3. On the Rule Preferences page, you typically can leave the default settings selected. The default settings create publisher rules for files that are digitally signed, because a digital signature is required for publisher rules. For files that are not digitally signed, the wizard generates hash rules that allow only that specific executable to run. Alternatively, you can choose to use less-secure path rules for files that do not have digital signatures, or you can choose to create hash rules for everything. Click Next.
  4. On the Review Rules page, check the generated rules and then click Create.
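The same procedure can be scripted with the AppLocker PowerShell module that ships with Windows 7, which is useful for reproducible builds and for reviewing the rules before they go anywhere near a GPO. The script below is an added example written for this page, not the wizard's own code or code from the original text; the reference folder, the rule name prefix and the output file are assumptions. It also illustrates the rule-type fallback described in the list of rule types above: publisher rules where a signature exists, hash rules otherwise.

```powershell
# Added example, not from the original page: PowerShell equivalent of the
# Automatically Generate Rules wizard. Folder, prefix and output path are assumed.
Import-Module AppLocker

$referenceDir = 'C:\Program Files\Contoso'                   # assumed reference application folder
$outXml       = Join-Path $env:TEMP 'contoso-exe-rules.xml'  # assumed output location

# Step 1 (wizard: Folder And Permissions page): gather publisher, hash and
# path information for every executable under the reference folder.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe

# Step 2 (wizard: Rule Preferences page): -RuleType lists rule types in
# fallback order. Signed files get Publisher rules; unsigned files fall back
# to Hash rules. Appending Path would reproduce the wizard's less secure
# path-rule option. -Optimize merges files sharing a publisher and product
# into one rule instead of emitting one rule per file.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
                                 -RuleType Publisher, Hash `
                                 -RuleNamePrefix 'Contoso' `
                                 -User Everyone `
                                 -Optimize `
                                 -Xml

# Step 3 (wizard: Review Rules page): save the policy for review and later
# import, and summarise how many rules of each type were produced.
$policyXml | Set-Content -Path $outXml -Encoding UTF8

([xml]$policyXml).AppLockerPolicy.RuleCollection.ChildNodes |
    Group-Object -Property LocalName -NoElement |
    Select-Object @{ n = 'RuleType'; e = { $_.Name } }, Count

# Dry run: every file in the reference folder should now be Allowed.
# PolicyDecision is DeniedByDefault for any file no rule covers, which
# usually means an unsigned file that was skipped or a file added later.
Get-ChildItem -Path $referenceDir -Filter *.exe -Recurse |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $outXml -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

To push the reviewed rules into a domain GPO, use Set-AppLockerPolicy -XmlPolicy with the -Ldap parameter pointing at the GPO and -Merge so that existing rules in that GPO (such as the default rules) are kept rather than replaced.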

By default, the publisher rules the wizard creates allow the application to run based on the publisher and product name with the current or any later file version. Therefore, an application covered by such a rule continues to run after it is upgraded to a newer version signed by the same publisher. For example, a rule automatically generated for the Microsoft Virtual Machine Additions, an executable file that includes a digital signature, allows that product at its current version and above. Naturally, you can edit the automatically generated rules if you want to allow only the current version, or a specific range of versions, to run.
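Editing each rule in the Group Policy Editor to remove the "and above" behavior is tedious for a large policy. The following added example, written for this page rather than taken from the original text, pins every wizard-generated publisher condition to the version recorded when the rule was created by making the upper bound of the version range equal to the lower bound. The input file is assumed to be a policy exported from the wizard or from New-AppLockerPolicy; the paths and the test file are assumptions.

```powershell
# Added example, not from the original page: pin publisher rules to the exact
# file version instead of "that version and above". Paths are assumed.
Import-Module AppLocker

$inXml  = Join-Path $env:TEMP 'contoso-exe-rules.xml'         # assumed input policy
$outXml = Join-Path $env:TEMP 'contoso-exe-rules-pinned.xml'  # assumed output

[xml]$policy = Get-Content -Path $inXml

$pinned = 0; $alreadyPinned = 0; $noVersion = 0
foreach ($cond in $policy.SelectNodes('//FilePublisherRule/Conditions/FilePublisherCondition')) {
    $range = $cond.BinaryVersionRange
    if ($range.LowSection -ne '*' -and $range.HighSection -eq '*') {
        # LowSection="X" HighSection="*" means "version X and above".
        # Making both ends equal restricts the rule to exactly X.
        $range.HighSection = $range.LowSection
        $pinned++
    }
    elseif ($range.LowSection -eq '*') {
        # A product-level rule that never looked at the version: there is no
        # version to pin to, so leave it for manual review.
        $noVersion++
    }
    else {
        $alreadyPinned++
    }
}
$policy.Save($outXml)
"Pinned: $pinned   Already bounded: $alreadyPinned   No version recorded: $noVersion"

# Show the resulting version ranges for review.
$policy.SelectNodes('//FilePublisherCondition') |
    Select-Object PublisherName, ProductName, BinaryName,
        @{ n = 'VersionRange'; e = { '{0} to {1}' -f $_.BinaryVersionRange.LowSection, $_.BinaryVersionRange.HighSection } }

# Dry run: the installed version must still be Allowed. After the vendor ships
# an update, rerun this line; the new version will be DeniedByDefault until
# the rule is regenerated, which is the trade-off pinning buys you.
Test-AppLockerPolicy -XmlPolicy $outXml -Path 'C:\Program Files\Contoso\app.exe' -User Everyone   # assumed file
```

Pinning trades the convenience of the default behavior for tighter control: a signed update from the same publisher no longer runs until you regenerate or edit the rule, so budget for that in your patch process.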

You can create rules manually by right-clicking the Executable Rules, Windows Installer Rules, or Script Rules node in Group Policy and then clicking Create New Rule. The wizard walks you through choosing whether the rule allows or denies and which user or group it applies to, identifying the application by publisher, path, or file hash, and defining any exceptions to the rule (for example, a subfolder or a specific file that an otherwise broad rule should not cover).

Windows 7 clients do not apply both Software Restriction Policies and AppLocker rules from a single Group Policy object (GPO). If you create a single GPO with both Software Restriction Policies and AppLocker rules, Windows 7 computers apply only the AppLocker rules and ignore the Software Restriction Policies. Earlier clients such as Windows XP and Windows Vista do the opposite: they do not understand AppLocker and apply only the Software Restriction Policies. Therefore, create separate GPOs for AppLocker rules and Software Restriction Policies, and scope each to the clients that can process it.
