Software restriction policies can be a powerful tool, but they can also require a great deal of administrative overhead. If you elect to disallow all applications except those matching the rules you create, there are many programs in Windows Server 2012 R2 itself that need rules, in addition to the applications you want to install. Administrators must create the rules manually, which can be an onerous chore.
AppLocker, also known as application control policies, is a Windows feature that is essentially an updated version of the concept implemented in software restriction policies. AppLocker also uses rules, which administrators must manage, but the process of creating the rules is much easier, thanks to a wizard-based interface.
AppLocker is also more flexible than software restriction policies. You can apply AppLocker rules to specific users and groups and also create rules that support all future versions of an application. The primary disadvantage of AppLocker is that you can apply the policies only to computers running Windows Server 2008 R2 or later, or a client edition from Windows 7 onward that supports AppLocker enforcement (Enterprise and Ultimate; Windows 7 Professional can author rules but does not enforce them).

Understanding rule types
The AppLocker settings are located in GPOs in the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker container, as shown in Figure 6-19.

FIGURE 6-19 The AppLocker container in a GPO
In the AppLocker container, there are four nodes that contain the basic rule types (a fifth, DLL Rules, stays hidden until you enable it on the Advanced tab of the AppLocker Properties dialog box):
Executable Rules Contains rules that apply to files with .exe and .com extensions
Windows Installer Rules Contains rules that apply to Windows Installer packages with .msi, .msp, and .mst extensions
Script Rules Contains rules that apply to script files with .ps1, .bat, .cmd, .vbs, and .js extensions
Packaged App Rules Contains rules that apply to packaged (.appx) applications obtained through the Windows Store; because these apps are always signed, only publisher conditions are available for them
Each of the rules you create in each of these containers can allow or block access to specific resources, based on one of the following criteria:
Publisher Identifies applications by the digital signature on the file: publisher, product name, file name, and file version. Each of those fields can be widened to a wildcard, and setting the version condition to "and above" makes the rule cover all future versions of the application. Only signed files can use this condition.
Path Identifies applications by a file or folder name, optionally using AppLocker path variables such as %WINDIR% and %PROGRAMFILES%. The weakness of this type of rule is that any file matches as long as it has the right name or sits in the right location, so an Allow path rule on a folder that standard users can write to lets them run whatever they copy there.
File Hash Identifies applications by a SHA-256 hash of the file, a fingerprint that remains valid when the file is renamed or moved but must be regenerated every time the file is updated. This type of rule functions much like its equivalent in software restriction policies; in AppLocker, however, the process of creating the rules and generating file hashes is much easier.

Creating default rules
AppLocker does nothing to a file type until that type's rule collection contains at least one rule. Once a collection has a rule and enforcement is configured for it, every file of that type that no Allow rule covers is blocked (or, in audit-only mode, logged). Therefore, before you enforce any collection you must create rules that let users run the files Windows itself and the installed applications need. The simplest way to do this is to right-click each of the four rules containers and select Create Default Rules from the shortcut menu.
The default rules for each container are ordinary rules that you can replicate, modify, or delete as necessary. For the Executable Rules collection they allow Everyone to run anything under the Program Files and Windows folders and allow members of Administrators to run anything at all. Because those are path rules, they also cover the subfolders of the Windows folder that standard users can write to, such as Windows\Temp; tighten them with exceptions or replace them with publisher rules rather than relying on them as-is. You can also create your own rules, as long as you are careful to provide access to all the resources the computer needs to run Windows.
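The default rules and the path-rule weakness just described, as an added example that is not part of the original article. It writes the Executable Rules collection's three default rules as AppLocker policy XML (the same rules Create Default Rules produces), then a hardened variant that adds exceptions for Windows subfolders standard users can write to, and runs both through Test-AppLockerPolicy against a copy of a system binary dropped into %WINDIR%\Temp. The file names under %TEMP%, the dropped-file name, the two exception folders, and the use of Everyone as the test principal are assumptions for the demonstration.

```powershell
# Added example, not from the original article. Needs the AppLocker module (Windows Server 2012 R2 / Windows 8.1 or later).
Import-Module AppLocker

# Emits an Exe rule collection containing the three default allow rules:
#   Everyone       -> %PROGRAMFILES%\*
#   Everyone       -> %WINDIR%\*          (optionally with exceptions)
#   Administrators -> *
function New-DefaultExePolicyXml {
    param([string[]]$WindowsFolderExceptions = @())

    $exceptionsXml = ''
    if ($WindowsFolderExceptions.Count -gt 0) {
        $conditions = $WindowsFolderExceptions | ForEach-Object { "        <FilePathCondition Path=`"$_`" />" }
        $exceptionsXml = "      <Exceptions>`n" + ($conditions -join "`n") + "`n      </Exceptions>`n"
    }

    $everyone = 'S-1-1-0'       # well-known SID: Everyone
    $admins   = 'S-1-5-32-544'  # well-known SID: BUILTIN\Administrators

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
$exceptionsXml    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="$admins" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$defaultXml  = Join-Path $env:TEMP 'exe-default.xml'
$hardenedXml = Join-Path $env:TEMP 'exe-hardened.xml'
New-DefaultExePolicyXml | Out-File $defaultXml -Encoding utf8
# Windows subfolders that standard users can create files in (assumed for this demo; audit your own build with icacls).
New-DefaultExePolicyXml -WindowsFolderExceptions '%WINDIR%\Temp\*', '%WINDIR%\Tasks\*' | Out-File $hardenedXml -Encoding utf8

# Stand in for an attacker: copy an arbitrary binary into a user-writable Windows subfolder.
$dropped = Join-Path $env:windir 'Temp\dropped.exe'
Copy-Item (Join-Path $env:windir 'System32\whoami.exe') $dropped -Force

# Evaluate the same file under both policies as a non-administrator.
foreach ($xml in $defaultXml, $hardenedXml) {
    Test-AppLockerPolicy -XmlPolicy $xml -Path $dropped -User Everyone |
        Select-Object @{ n = 'Policy'; e = { Split-Path $xml -Leaf } }, FilePath, PolicyDecision, MatchingRule
}
Remove-Item $dropped -Force
```

The point of the comparison is the MatchingRule column: under the unmodified default rules the dropped copy is covered by the Windows-folder rule simply because of where it sits, whereas the hardened policy has no Allow rule for that location and the file falls through to the collection's default decision for a non-administrator.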

—————–

Note: APPLYING APPLOCKER POLICIES
To use AppLocker, the Application Identity service (AppIDSvc) must be running on every computer the policy targets. By default, this service uses the Manual startup type, so you must start it yourself in the Services console, or set it to Automatic through a GPO (Computer Configuration\Windows Settings\Security Settings\System Services) so that it starts after every reboot, before Windows can apply the AppLocker policies. If the service is not running, the policy is simply not enforced and nothing warns you.

——————

Creating rules automatically
The greatest advantage of AppLocker over software restriction policies is the ability to create rules automatically. When you right-click one of the rules containers and select Automatically Generate Rules from the shortcut menu, the Automatically Generate Rules Wizard starts.
After you specify the folder to be analyzed and the user or group to which the rules should apply, the Rule Preferences page lets you choose the types of rules to create: publisher rules for digitally signed files, with either file hash or path rules as the fallback for unsigned files (or file hash rules for everything), and whether to reduce the number of rules by grouping similar files. The wizard then displays a summary of its results on the Review Rules page and adds the rules to the container. Every generated rule is an Allow rule, so check the list for anything you did not expect to find in that folder before you accept it.
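The wizard's work done from PowerShell, as an added example that is not part of the original article; it also carries out the Application Identity service note above and shows how to check the result on a client. The AppLocker cmdlets used here ship with Windows Server 2012 R2. The folder C:\Program Files\Contoso, the group CONTOSO\LOB Users, the file names under %TEMP%, and the GPO path in the -Ldap string (including its all-zero GUID) are placeholders to replace with your own.

```powershell
# Added example, not from the original article. AppLocker module, Windows Server 2012 R2 / PowerShell 4.0.
Import-Module AppLocker

# 1. The Application Identity service must run, or the policy is silently not enforced.
#    Its default startup type is Manual; make it Automatic so it survives a reboot.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory the application folder, as the Automatically Generate Rules wizard does.
#    (Folder name is a placeholder.)
$appFolder = 'C:\Program Files\Contoso'
$files = Get-AppLockerFileInformation -Directory $appFolder -Recurse -FileType Exe, Script, WindowsInstaller

# 3. Turn the inventory into rules. -RuleType is an order of preference: publisher rules for
#    signed files, hash rules as the fallback for unsigned ones. -Optimize collapses files from
#    the same product into one rule, like the wizard's "reduce the number of rules" option.
#    (Group name and rule-name prefix are placeholders.)
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                 -User 'CONTOSO\LOB Users' -RuleNamePrefix Contoso -Optimize -Xml
$policyFile = Join-Path $env:TEMP 'contoso-applocker.xml'
$policyXml | Out-File $policyFile -Encoding utf8

# 4. Review before anything reaches a GPO: every file in the folder that the group would still be
#    blocked from is a missing rule (for example an unsigned file whose hash was not captured).
$candidates = Get-ChildItem $appFolder -Recurse -Include *.exe, *.msi, *.ps1 |
              Select-Object -ExpandProperty FullName
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User 'CONTOSO\LOB Users' `
                     -Filter Denied, DeniedByDefault

# 5. Merge the new rules into the GPO that targets these computers (LDAP path is a placeholder).
$gpo = 'LDAP://dc01.contoso.com/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=contoso,DC=com'
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $gpo -Merge

# 6. On a client, after gpupdate: what is actually in force, and what it has blocked.
#    Event IDs in the EXE and DLL log: 8002 allowed, 8003 audit-only (would have been blocked), 8004 blocked.
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'effective-applocker.xml') -Encoding utf8
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
```

Run steps 1 to 5 on a management server with the AppLocker and Group Policy tools installed, and step 6 on a target computer. Start with the collection's enforcement mode set to Audit only and watch for 8003 events for a few days before switching to Enforce; each 8003 is a file a user needed that the generated rules do not cover.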
Creating rules manually
In addition to creating rules automatically, you can do it manually by using a wizard-based interface you activate by selecting Create New Rule from the shortcut menu for one of the rule containers.
The wizard prompts you for the following information:
Action Specifies whether you want to allow or deny the user or group access to the resource. In AppLocker, explicit deny rules always override allow rules.
User Or Group Specifies the name of the user or group to which the policy should apply.
Conditions Specifies whether you want to create a publisher, path, or file hash rule. The wizard generates an additional page for whichever option you select, enabling you to configure its parameters.
Exceptions Enables you to specify exceptions to the rule you are creating by using any of the three conditions: publisher, path, or file hash.
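The wizard's Action, User Or Group and Conditions prompts written by hand as policy XML, as an added example that is not part of the original article, together with the rule that an explicit deny overrides an allow. It reads the publisher details of a signed system binary, allows a group to run that publisher's software from the file's version upward (the "all future versions" case), then adds an explicit Deny rule for the one binary and shows in Test-AppLockerPolicy that the deny wins. The group Everyone, the test binary whoami.exe and the file names under %TEMP% are assumptions; the PublisherName, ProductName, BinaryName and BinaryVersion properties are those exposed by the Publisher object that Get-AppLockerFileInformation returns (confirm with Get-Member on your build).

```powershell
# Added example, not from the original article. AppLocker module, Windows Server 2012 R2 / PowerShell 4.0.
Import-Module AppLocker

$target = Join-Path $env:windir 'System32\whoami.exe'                # any Microsoft-signed binary will do
$pub    = (Get-AppLockerFileInformation -Path $target).Publisher     # PublisherName, ProductName, BinaryName, BinaryVersion

# User Or Group: the policy stores a SID, so resolve the name first (group name is an assumption).
$group    = 'Everyone'
$groupSid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

# Publisher strings can contain characters that are special inside XML attributes; escape them.
function Esc([string]$s) { [System.Security.SecurityElement]::Escape($s) }

# Builds one Exe rule collection: an Allow rule on the publisher with product and binary wildcarded
# and the version range "this version and above", plus optionally an explicit Deny for this one binary.
function New-PublisherPolicyXml {
    param([switch]$WithDeny)

    $denyRule = ''
    if ($WithDeny) {
        $denyRule = @"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $(Esc $pub.BinaryName)" Description="" UserOrGroupSid="$groupSid" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $pub.PublisherName)" ProductName="$(Esc $pub.ProductName)" BinaryName="$(Esc $pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
    }

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow $(Esc $pub.PublisherName), current and future versions" Description="" UserOrGroupSid="$groupSid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $pub.PublisherName)" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="$($pub.BinaryVersion)" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
$denyRule
  </RuleCollection>
</AppLockerPolicy>
"@
}

$allowOnly = Join-Path $env:TEMP 'publisher-allow.xml'
$withDeny  = Join-Path $env:TEMP 'publisher-allow-deny.xml'
New-PublisherPolicyXml           | Out-File $allowOnly -Encoding utf8
New-PublisherPolicyXml -WithDeny | Out-File $withDeny  -Encoding utf8

# Same file, same principal, two policies: the only difference is the added Deny rule.
foreach ($xml in $allowOnly, $withDeny) {
    Test-AppLockerPolicy -XmlPolicy $xml -Path $target -User $group |
        Select-Object @{ n = 'Policy'; e = { Split-Path $xml -Leaf } }, PolicyDecision, MatchingRule
}
```

Compare the MatchingRule column between the two runs: in the first policy the file is matched by the broad publisher Allow rule, and in the second the narrower Deny rule for the same file is the one reported, even though the Allow rule still matches. Wildcarding ProductName and BinaryName to "*" is what the wizard does when you drag its slider up to the publisher level, and it is deliberately broad: it trusts everything that publisher has ever signed or will sign.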
