Windows 7 / Security and Privacy

DLL Rules

Dynamic-link libraries (DLLs) store executable code that multiple applications can use. For example, if a developer is creating an application that reads from a database, he might create a DLL that stores the functions that read from the database. Then he can use the same DLL to read from the database using both a Windows client and a Web interface for the database.

By default, AppLocker rules do not apply to DLLs: if an application is allowed to run, it can load any DLL. Typically, this level of security is sufficient. However, AppLocker can be configured to control access to individual DLLs. Doing so makes configuration much more complex, and it can significantly reduce performance at run time.

To enforce DLL rules, follow these steps:

  1. In the GPO Editor, right-click the Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker node and then click Properties.
    The AppLocker Properties dialog box appears.
  2. Click the Advanced tab and then select the Enforce DLL Rule Collection check box.
  3. Click OK.

Now the DLL Rules node is visible within the AppLocker node in the GPO Editor. Use this node to define DLL rules. Additionally, you can choose to enforce or audit DLL rules from the Enforcement tab of the AppLocker Properties dialog box.
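
One way to confirm on a client that the DLL rule collection is in effect, and to review what audit mode flags before switching to enforcement. This is an added example, not part of the original page. The function names are hypothetical, and matching `.dll`/`.ocx` in the event message is a heuristic for separating DLL events from EXE events in the shared log.

```powershell
# Added example: run in an elevated PowerShell session on the client.
Import-Module AppLocker

function Get-DllRuleCollectionState {
    # The effective policy is the merged result of all applied GPOs and local policy.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $dll = $policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'Dll' }
    if (-not $dll) {
        # No Dll collection in the policy: DLL rules are not being evaluated.
        return New-Object PSObject -Property @{
            EnforcementMode = 'NotConfigured'; RuleCount = 0
        }
    }
    # Each child element is one rule (publisher, path, or hash).
    $rules = @($dll.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    New-Object PSObject -Property @{
        EnforcementMode = $dll.EnforcementMode   # NotConfigured, AuditOnly, or Enabled
        RuleCount       = $rules.Count
    }
}

function Get-DllRuleEvents {
    # 8003 = allowed, but would be blocked if rules were enforced (audit mode)
    # 8004 = blocked (enforce mode)
    $filter = @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\.(dll|ocx)\b' } |   # heuristic filter
        Select-Object TimeCreated, Id, Message
}

$state = Get-DllRuleCollectionState
"DLL rule collection: {0} ({1} rules)" -f $state.EnforcementMode, $state.RuleCount

if ($state.EnforcementMode -eq 'Enabled' -and $state.RuleCount -eq 0) {
    Write-Warning 'DLL rules are enforced but the collection contains no rules.'
}

# Review what audit mode flagged before moving the collection to enforcement.
Get-DllRuleEvents | Sort-Object TimeCreated -Descending | Select-Object -First 20
```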
