AppLocker Rule Types
You can create three types of AppLocker rules:
- Hash rules Similar to the hash rules in Software Restriction Policies, this rule type identifies an executable by a cryptographic hash (SHA-256) of the file's contents. Before running an executable, Windows 7 calculates the hash of the file and compares it to the hash in each hash rule to determine whether the rule applies. The strength of this rule type is that only a byte-for-byte identical file matches; the weakness is that the rule must be updated every time the executable changes, so every version of an application requires its own hash rule.
- Path rules Similar to the path rules in Software Restriction Policies, this rule type identifies executables by their location. For example, you could create a path rule that allows the executable at C:\Windows\Notepad.exe to run. This rule type allows an executable to be updated and still run, provided the path does not change. However, a path rule trusts whatever happens to be at that path: if a user can write to the folder the rule covers, that user can replace the legitimate executable, or drop a new one, and run it successfully. Before creating a path rule, check the NTFS permissions on the target folder and only allow locations that standard users cannot write to.
- Publisher rules Although certificate rules in Software Restriction Policies provide some similar capabilities, publisher rules are more sophisticated because they allow you to create a rule for different combinations of the publisher (the subject name of the signing certificate), product name, file name (the original file name recorded in the file's version resource, not the name on disk), and file version. This rule type identifies executables based on the digital signature and the elements it covers. Because the version resource that holds the product name, file name, and version is part of the data that was hashed when the file was signed, changing that metadata invalidates the signature, and the file no longer matches the rule. A publisher rule is only as narrow as you make it: with product name, file name, and version all set to *, it allows every file that publisher has ever signed.
When creating AppLocker rules, you should always begin by creating the default rules. The default rules allow all files in the Windows folder and the Program Files folder to run, and they allow members of the local Administrators group to run all programs. As soon as a rule collection (for example, Executable Rules) contains at least one rule and is enforced, AppLocker blocks every file of that type that no rule explicitly allows; a collection with no rules, by contrast, allows everything. Enforcing rules without the default rules in place would therefore prevent Windows from running normally. Two caveats apply to the default rules. First, the Windows folder rule is a path rule and covers every subfolder, including ones that standard users can write to (C:\Windows\Temp and C:\Windows\Tasks are common examples); add exceptions for such folders, or a user with write access there can bypass the policy by copying an executable into one of them. Second, AppLocker rules are only evaluated while the Application Identity service (AppIDSvc) is running, so set it to start automatically on every client.
Use Group Policy settings to configure AppLocker rules. AppLocker is configured using the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker node. Within the AppLocker node, there are subnodes to configure Executable Rules, Windows Installer Rules, and Script Rules. To create the default rules, right-click each subnode within the AppLocker node in the Group Policy Editor and then click Create Default Rules.
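The following script is an added example and is not part of the original tutorial. It builds the three default Executable rules as AppLocker policy XML, adds exceptions for two user-writable subfolders of the Windows folder, applies the policy locally in audit mode, makes sure the Application Identity service runs, and then uses Test-AppLockerPolicy to confirm that a file planted in an excepted folder is no longer allowed. It assumes the AppLocker PowerShell module is available and the prompt is elevated; the rule Ids are generated on the fly, and the exception paths are examples you should extend after auditing your own build.

```powershell
# Added example: reproduce the three default Executable rules with exceptions
# for user-writable folders under %WINDIR%, then verify the effect.
# Assumes: AppLocker module available, elevated prompt, Windows 7 or later.
Import-Module AppLocker

# Each rule needs a GUID Id; generate fresh ones instead of hard-coding.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Default rule 1: Everyone (S-1-1-0) may run files in the Windows folder -->
    <FilePathRule Id="$([guid]::NewGuid())"
                  Name="(Default Rule) All files located in the Windows folder"
                  Description="Everyone may run files under the Windows folder, except user-writable subfolders."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <!-- Standard users can create files here, so an unrestricted path rule
             would let them drop and run arbitrary executables. -->
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <!-- Default rule 2: Everyone may run files in the Program Files folder -->
    <FilePathRule Id="$([guid]::NewGuid())"
                  Name="(Default Rule) All files located in the Program Files folder"
                  Description="Everyone may run files under the Program Files folder."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <!-- Default rule 3: local Administrators (S-1-5-32-544) may run everything -->
    <FilePathRule Id="$([guid]::NewGuid())"
                  Name="(Default Rule) All files"
                  Description="Members of the local Administrators group may run all files."
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-exe-defaults.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding Unicode

# Apply to the local computer's policy (Set-AppLockerPolicy replaces the
# existing policy unless -Merge is given; use -Ldap to target a domain GPO).
# EnforcementMode is AuditOnly above: review the AppLocker event log before
# switching the collection to Enabled.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Rules are only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Verify: plant a copy of a legitimate binary in the excepted folder and
# evaluate both files as Everyone (SID S-1-1-0). The copy under Temp should
# come back Denied even though it sits below %WINDIR%; the original stays Allowed.
$planted = Join-Path $env:WINDIR 'Temp\planted.exe'
Copy-Item -Path (Join-Path $env:WINDIR 'System32\notepad.exe') -Destination $planted
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path $planted, (Join-Path $env:WINDIR 'System32\notepad.exe') `
    -User 'S-1-1-0' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $planted
```

Test-AppLockerPolicy evaluates the XML without applying it, so it is a safe way to check the effect of an exception before the rule reaches production clients; the same call is useful after every policy change to confirm that the binaries you rely on still come back Allowed.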
The easiest way to generate rules for existing applications is to configure a Windows 7 reference computer with the applications required by your organization. Start the Group Policy Editor on that computer (to edit a domain GPO from the reference computer, install the Remote Server Administration Tools, available from the Microsoft Download Center at http://www.microsoft.com/downloads/). Then, follow these steps:
- Right-click the Executable Rules node and click Automatically Generate Rules. The Automatically Generate Executable Rules wizard appears.
- On the Folder And Permissions page, select the folder containing the executable files and the group to which the rules will apply, and enter a name to use as a prefix for the generated rules. Then click Next.
- On the Rule Preferences page, you typically can leave the default settings selected. The default settings create publisher rules for files that are digitally signed, because a digital signature is required for publisher rules. For files that are not digitally signed, the wizard generates hash rules that allow only the specific executable to run. Alternatively, you can choose to use less-secure path rules for files that do not have digital signatures, or you can choose to create hash rules for everything. Click Next.
- On the Review Rules page, click Create.
By default, each automatically generated publisher rule allows the application to run based on the publisher, the product name, and the current file version or later (the rule reads as "version X.Y.Z.W and above"). Therefore, any application with a digital signature will continue to run after it is upgraded to a new version from the same publisher. For example, the rule the wizard generates for the Microsoft Virtual Machine Additions, an executable file that includes a digital signature, allows the installed version and any later version. Naturally, you can edit the automatically generated rules, by narrowing the rule's version range, if you want to allow only the current version to run.
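The script below is an added example, not code from the original tutorial. It performs the Automatically Generate Rules procedure above from PowerShell on a reference computer, using the same preference the wizard applies by default (publisher rules where a file is signed, hash rules otherwise), and then pins every generated publisher rule to the installed version instead of "and above", which is the edit the previous paragraph describes. It assumes the AppLocker module, an elevated prompt, and a folder C:\Program Files\ContosoApp holding the applications to trust; that folder name is a placeholder.

```powershell
# Added example: wizard-equivalent rule generation plus version pinning.
# Assumes: AppLocker module, elevated prompt. The folder name is a placeholder.
Import-Module AppLocker

$appFolder  = 'C:\Program Files\ContosoApp'      # assumed reference folder
$policyPath = Join-Path $env:TEMP 'generated-exe-rules.xml'

# Same preferences as the wizard defaults: try a publisher rule first, fall
# back to a hash rule for unsigned files. -Optimize collapses the per-file
# publisher rules into one rule per product; -User is the group the rules
# apply to (the wizard's "group" field); -Xml emits the policy as XML.
Get-AppLockerFileInformation -Directory $appFolder -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding Unicode

# A generated publisher rule allows the current version "and above", which
# appears in the XML as:
#   <BinaryVersionRange LowSection="1.2.0.0" HighSection="*" />
# Pin each rule to exactly the version that was inspected by making the
# upper bound equal to the lower bound.
[xml]$policy = Get-Content -Path $policyPath
foreach ($range in $policy.SelectNodes('//BinaryVersionRange')) {
    if ($range.HighSection -eq '*') {
        $range.HighSection = $range.LowSection
    }
}
$policy.Save($policyPath)

# Dry run before the policy goes into a GPO: every executable in the folder
# should come back Allowed with the publisher or hash rule that matched it.
# After an upgrade to a newer version, the same call shows Denied until the
# version range is updated, which is the trade-off of pinning.
$exeFiles = (Get-ChildItem -Path $appFolder -Recurse -Filter *.exe).FullName
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $exeFiles -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Importing the finished XML into a GPO is a separate step (Set-AppLockerPolicy -XmlPolicy with -Ldap, or the Import Policy action on the AppLocker node); keep the generated file under version control so the exact rule set that was tested is the one that ships.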
You can create rules manually by right-clicking the Executable Rules, Windows Installer Rules, or Script Rules node in Group Policy and then clicking Create New Rule. The wizard walks you through the process of identifying your application, choosing whether to allow or block the application, and defining any exceptions to the rule.
Windows 7 clients will not apply both Software Restriction Policies and AppLocker rules within a single Group Policy object (GPO). If you create a single GPO with both Software Restriction Policies and AppLocker rules, Windows 7 computers will apply only the AppLocker rules and will ignore the Software Restriction Policies. Instead, create different GPOs for AppLocker rules and Software Restriction Policies.