Windows 7 / Security and Privacy

AppLocker

Some IT departments choose to control which applications users can run. Sometimes, administrators simply block specific applications that are known to be problematic. However, client security benefits more when administrators block all applications that IT has not approved.

The benefits of restricting users from running applications that are not approved can be immense. First, the risk of malware is significantly reduced: Windows prevents users from running a malware executable simply because IT has not approved it. Second, compatibility problems are reduced, because users can run only approved versions of applications. Finally, user productivity is increased by eliminating the possibility that users could run games or other applications that might take time away from their work.

Restricting users from running applications does have significant costs, however, and for many organizations, those costs outweigh the benefits. IT has to test each application and create a rule that allows users to run it. Inevitably, users will be prevented from running legitimate applications, which can reduce their productivity while they wait for IT to approve a new application. Sometimes, users will choose to work around IT by running applications on non-IT computers. Each time an application is updated, IT needs to again test and approve the application.

Windows 7 includes AppLocker, which is an update to Software Restriction Policies, a feature in earlier versions of Windows. With Software Restriction Policies, IT professionals could create rules such as "Trust all content signed by Microsoft," "Trust this single executable file," or "Trust the file at this path." With AppLocker, IT professionals can create more refined rules based on an application's metadata, such as "Trust Microsoft Office if it is signed and the version is greater than 12.0.0.0." Additionally, AppLocker rules can be assigned on a per-group and per-user basis.

The following table lists the differences between Software Restriction Policies and AppLocker.

Software Restriction Policies Compared to AppLocker

Feature                        Software Restriction Policies                              AppLocker
Conditions                     Hash, path, certificate, registry path, and Internet zone  Hash, path, and publisher
Rule scope                     All users                                                  All users, or specific users and groups
Audit-only mode                No                                                         Yes
Automatically generate rules   No                                                         Yes
Policy import and export       No                                                         Yes
Windows PowerShell support     No                                                         Yes
Custom error messages          No                                                         Yes

AppLocker is available only in Windows 7 Enterprise and Windows 7 Ultimate Editions. You can use Windows 7 Professional Edition to create AppLocker rules, but the rules will not be enforced on the computer running Windows 7 Professional. You must configure the Application Identity service to start for Windows 7 to apply AppLocker rules; by default, it is configured to start manually.
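As an added example (not part of the original text), the following PowerShell script walks through the AppLocker-specific capabilities described above: starting the Application Identity service, automatically generating publisher and hash rules for an approved application directory, importing them in audit-only mode, and testing files against the resulting policy before enforcing it. The directory C:\Program Files\ReferenceApp and the file names are hypothetical; an elevated session on Windows 7 Enterprise or Ultimate with the AppLocker module is assumed.

```powershell
# Added example, not from the original text. Assumes an elevated PowerShell
# session on Windows 7 Enterprise/Ultimate with the AppLocker module, and that
# C:\Program Files\ReferenceApp (hypothetical) is an IT-approved installation.
Import-Module AppLocker

# 1. AppLocker rules are not applied unless the Application Identity service
#    runs; it defaults to Manual start, so set it to Automatic and start it.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Collect the publisher/hash metadata for every approved EXE and DLL.
$refDir   = 'C:\Program Files\ReferenceApp'   # hypothetical approved application
$fileInfo = Get-AppLockerFileInformation -Directory $refDir -Recurse -FileType Exe, Dll

# 3. Generate rules: publisher rules for signed files, hash rules for the rest.
#    -Optimize collapses per-file publisher rules into broader ones where possible.
#    -Xml returns the policy as XML text so it can be reviewed and version-controlled.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                                 -User Everyone -Optimize -Xml

# 4. Newly generated rule collections are "NotConfigured"; switch them to
#    AuditOnly so blocked launches are logged but nothing is actually stopped.
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Temp\applocker-audit.xml'   # hypothetical export location
$policyXml | Out-File -FilePath $policyPath -Encoding UTF8

# 5. Merge the audit-only rules into the local AppLocker policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. Check what the policy would decide for an approved and an unapproved file
#    before switching the collections to Enabled (enforced).
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$refDir\app.exe", 'C:\Users\Public\unapproved.exe'   # hypothetical files

# 7. After users have worked under audit mode, review event 8003
#    ("would have been prevented from running if the policy were enforced").
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Step 6 reports PolicyDecision values such as Allowed or Denied per file, which is the quickest way to confirm that the generated rules cover the approved application without blocking it.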

The sections that follow provide more detailed information about how to configure, test, and manage AppLocker.
