Windows 7 / Security and Privacy


Some IT departments choose to control which applications users can run. Sometimes, administrators simply block specific applications that are known to be problematic. However, client security benefits more when administrators block all applications that IT has not approved.

The benefits of restricting users from running applications that are not approved can be immense. First, the risk of malware is significantly reduced, because Windows would prevent users from running the malware application because it had not been approved by IT. Second, compatibility problems are reduced, because users can only run approved versions of applications. Finally, user productivity is increased by eliminating the possibility that users could run games or other applications that might take time away from their work.

Restricting users from running applications does have significant costs, however, and for many organizations, those costs outweigh the benefits. IT has to test each application and create a rule that allows users to run it. Inevitably, users will be prevented from running legitimate applications, which can reduce their productivity while they wait for IT to approve a new application. Sometimes, users will choose to work around IT by running applications on non-IT computers. Each time an application is updated, IT needs to again test and approve the application.

Windows 7 includes AppLocker, which is an update to Software Restriction Policies, a feature in earlier versions of Windows. With Software Restriction Policies, IT professionals could create rules such as "Trust all content signed by Microsoft," "Trust this single executable file," or "Trust the file at this path." With AppLocker, IT professionals can create more refined rules based on an application's metadata, such as "Trust Microsoft Office if it is signed and the version is greater than" Additionally, AppLocker rules can be assigned on a per-group and per-user basis.

Table lists the differences between Software Restriction Policies and AppLocker

Software Restriction Policies Compared to AppLocker

FeatureSoftware Restriction PoliciesApplocker
ConditionsHash, path, certificate, registry path, and Internet zoneHash, path, and publisher
Rule scopeAll usersAll users, or specific users and groups
Audit-only modeNoYes
Automatically generate rulesNoYes
Policy import and export NoNoYes
Windows PowerShell supportNoYes
Custom error messagesNoYes

AppLocker is available only in Windows 7 Enterprise and Windows 7 Ultimate Editions. You can use Windows 7 Professional Edition to create AppLocker rules, but the rules will not be enforced on the computer running Windows 7 Professional. You must configure the Application Identity service to start for Windows 7 to apply AppLocker rules; by default, it is configured to start manually.

The sections that follow provide more detailed information about how to configure, test, and manage AppLocker.

[Previous] [Contents] [Next]