Software restriction policies can be a powerful tool, but they can also require a great deal of administrative overhead. If you elect to disallow all applications except those matching the rules you create, there are many programs in Windows Server 2012 R2 itself that need rules, in addition to the applications you want to install. Administrators must create the rules manually, which can be an onerous chore.
AppLocker, also known as application control policies, is a Windows feature that is essentially an updated version of the concept implemented in software restriction policies. AppLocker also uses rules, which administrators must manage, but the process of creating the rules is much easier, thanks to a wizard-based interface.
AppLocker is also more flexible than software restriction policies. You can apply AppLocker rules to specific users and groups and also create rules that support all future versions of an application. The primary disadvantage of AppLocker is that you can apply the policies only to computers running Windows 7 and Windows Server 2008 R2 or later.
Understanding rule types
The AppLocker settings are located in GPOs in the Computer ConfigurationWindows SettingsSecurity SettingsApplication Control PoliciesAppLocker container, as shown in Figure 6-19.
FIGURE 6-19 The AppLocker container in a GPO
In the AppLocker container, there are four nodes that contain the basic rule types:
– Executable Rules Contains rules that apply to files with .exe and .com extensions
– Windows Installer Rules Contains rules that apply to Windows Installer packages with .msi and .msp extensions
– Script Rules Contains rules that apply to script files with .ps1, .bat, .cmd, .vbs, and .js extensions
– Packaged App Rules Contains rules that apply to applications purchased through the Windows Store
Each of the rules you create in each of these containers can allow or block access to specific resources, based on one of the following criteria:
– Publisher Identifies code-signed applications by means of a digital signature extracted from an application file. You can also create publisher rules that apply to all future versions of an application.
– Path Identifies applications by specifying a file or folder name. The potential vulnerability of this type of rule is that any file can match the rule, as long as it is the correct name or location.
– File Hash Identifies applications based on a digital fingerprint that remains valid even when the name or location of the executable file changes. This type of rule functions much like its equivalent in software restriction policies; in AppLocker, however, the process of creating the rules and generating file hashes is much easier.
Creating default rules
When enabled, AppLocker blocks all executables, installer packages, and scripts (except for those specified in Allow rules) by default. Therefore, to use AppLocker you must create rules that enable users to access the files needed for Windows and the system’s installed applications to run. The simplest way to do this is to right-click each of the four rules containers and select Create Default Rules from the shortcut menu.
The default rules for each container are standard rules that you can replicate, modify, or delete as necessary. You can also create your own rules, as long as you are careful to provide access to all the resources the computer needs to run Windows.
Note: APPLYING APPLOCKER POLICIES
To use AppLocker, the Application Identity service must be running. By default, this service uses the manual startup type, so you must start it yourself in the Services console before Windows can apply the AppLocker policies.
Creating rules automatically
The greatest advantage of AppLocker over software restriction policies is the ability to create rules automatically. When you right-click one of the rules containers and select Automatically Generate Rules from the shortcut menu, the Automatically Generate Rules Wizard starts.
After specifying the folder to be analyzed and the users or groups to which the rules should apply, you will see a Rule Preferences page, enabling you to specify the types of rules you want to create. The wizard then displays a summary of its results on the Review Rules page and adds the rules to the container.
Creating rules manually
In addition to creating rules automatically, you can do it manually by using a wizard-based interface you activate by selecting Create New Rule from the shortcut menu for one of the rule containers.
The wizard prompts you for the following information:
– Action Specifies whether you want to allow or deny the user or group access to the resource. In AppLocker, explicit deny rules always override allow rules.
–User Or Group Specifies the name of the user or group to which the policy should apply.
– Conditions Specifies whether you want to create a publisher, path, or file hash rule. The wizard generates an additional page for whichever option you select, enabling you to configure its parameters.
– Exceptions Enables you to specify exceptions to the rule you are creating by using any of the three conditions: publisher, path, or file hash.
This article is a part of 70-410 Installing and Configuring Windows Server 2012 Prep course, more articles in this course are :
70-410 Installing and Configuring Windows Server 2012 Prep course includes following practice tests: