AppLocker Rule Types
You can create three types of AppLocker rules:
- Hash rules Similar to the hash rules in Software Restriction Policies, this rule type creates a hash that uniquely identifies an executable. Before running an executable, Windows 7 calculates the hash of the file and compares it to the hash in each hash rule to determine whether the rule applies. The weakness of this rule type is that hash rules must be updated every time an executable file is updated. Therefore, every different version and every new version of an application requires its own hash rule.
- Path Rules Similar to the path rules in Software Restriction Policies, this rule type
identifies executables based on the path. For example, you could create a path rule
that allowed the executable at C:\Windows\Notepad.exe to run. This rule type allows
an executable to be updated and still run, provided the path does not change.
However, a malicious user might be able to replace a legitimate executable with a different executable and run it successfully.
- Publisher Rules Although certificate rules in Software Restriction Policies provide some similar capabilities, publisher rules are more sophisticated because they allow you to create a rule for different combinations of the publisher, product name, file name, and version. Because this metadata is part of the cryptographic calculations used to create the digital signature, the metadata cannot be modified. This rule type identifies executables based on the digital signature and elements of the digital signature.
When creating AppLocker rules, you should always begin by creating the default rules. The default rules allow all files in the Windows folder and the Program Files folder to run, and they allow local administrators to run all programs. Because AppLocker blocks all applications that are not specifically allowed, not enabling the default rules would prevent Windows from running normally.
Use Group Policy settings to configure AppLocker rules. AppLocker is configured using the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\ AppLocker node. Within the AppLocker node, there are subnodes to configure Executable Rules, Windows Installer Rules, and Script Rules. To create the default rules, right-click each subnode within the AppLocker node in the Group Policy Editor and then click Create Default Rules.
The easiest way to generate rules for existing applications is to configure a Windows 7 reference computer with applications required by your organization. Start the Group Policy Editor on that computer (connecting to the domain using the Remote Server Administration Tools, available from the Microsoft Download Center at http://www.microsoft.com/downloads/). Then, follow these steps:
- Right-click the Executable Rules node and click Automatically Generate Rules. The Automatically Generate Executable Rules page appears.
- On the Folder And Permissions page select the folder containing the executable files and the group to which the rules will apply, and assign a name to the rule. Then click Next.
- On the Rule Preferences page, you typically can leave the
default settings selected. The default settings create publisher rules for files that are
digitally signed, because a digital signature is required for publisher rules. For files that
are not digitally signed, the wizard generates hash rules that allow only the specific executable
to run. Alternatively, you can choose to use less-secure path rules for files that
do not have digital signatures, or you can choose to create hash rules for everything.
- On the Review Rules page, click Create.
By default, all publisher rules are created to allow the application to run based on the product name and the current or later file version. Therefore, any application with a digital signature will be able to run, even if it is upgraded to a new version. For example a rule automatically generated for the Microsoft Virtual Machine Additions, an executable file that includes a digital signature. Naturally, you can edit the automatically generated rules if you want to allow only the current version to run.
You can create rules manually by right-clicking the Executable Rules, Windows Installer Rules, or Script Rules node in Group Policy and then clicking Create New Rule. The wizard walks you through the process of identifying your application, choosing whether to allow or block the application, and defining any exceptions to the rule.
Windows 7 clients will not apply both Software Restriction Policies and AppLocker rules within a single Group Policy object (GPO). If you create a single GPO with both Software Restriction Policies and AppLocker rules, Windows 7 computers will apply only the AppLocker rules and will ignore the Software Restriction Policies. Instead, create different GPOs for AppLocker rules and Software Restriction Policies.
In this tutorial:
- Windows 7 Client Protection
- Understanding the Risk of Malware
- User Account Control in Windows 7
- UAC for Standard Users
- UAC for Administrators
- UAC User Interface
- Secure Desktop
- How Windows Determines Whether an Application Needs Administrative Privileges
- How to Control UAC Using Application Properties
- How UAC Examines the Application Manifest
- UAC Heuristics
- UAC Virtualization
- UAC and Startup Programs
- Compatibility Problems with UAC
- How to Configure UAC
- Group Policy Settings
- Control Panel
- How to Configure Auditing for Privilege Elevation
- Other UAC Event Logs
- Best Practices for Using UAC
- AppLocker Rule Types
- Auditing AppLocker Rules
- DLL Rules
- Custom Error Messages
- Using AppLocker with Windows PowerShell
- Using Windows 7 Defender
- Understanding Windows Defender
- Automatic Scanning
- Real-Time Protection
- Windows Defender Alert Levels
- Understanding Microsoft SpyNet
- Configuring Windows Defender Group Policy
- Configuring Windows Defender on a Single Computer
- How to Determine Whether a Computer Is Infected with Spyware
- Best Practices for Using Windows Defender
- How to Troubleshoot Problems with Unwanted Software
- Network Access Protection