Software restriction policies can be a powerful tool, but they can also require a great deal of administrative overhead. If you elect to disallow all applications except those matching the rules you create, there are many programs in Windows Server 2012 R2 itself that need rules, in addition to the applications you want to install. Administrators must create the rules manually, which can be an onerous chore.
AppLocker, also known as application control policies, is a Windows feature that is essentially an updated version of the concept implemented in software restriction policies. AppLocker also uses rules, which administrators must manage, but the process of creating the rules is much easier, thanks to a wizard-based interface.
AppLocker is also more flexible than software restriction policies. You can apply AppLocker rules to specific users and groups, and you can create publisher rules that cover all future versions of an application. The primary disadvantage of AppLocker is that only computers running Windows 7 and Windows Server 2008 R2 or later can apply the policies, and among the client editions only Enterprise (and Windows 7 Ultimate) enforce the rules; other client editions receive the policy but do not enforce it.

Understanding rule types
The AppLocker settings are located in GPOs in the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker container, as shown in Figure 6-19.


FIGURE 6-19 The AppLocker container in a GPO
In the AppLocker container, there are four nodes that contain the basic rule types:
Executable Rules Contains rules that apply to files with .exe and .com extensions
Windows Installer Rules Contains rules that apply to Windows Installer packages with .msi and .msp extensions
Script Rules Contains rules that apply to script files with .ps1, .bat, .cmd, .vbs, and .js extensions
Packaged App Rules Contains rules that apply to packaged apps (.appx) installed from the Windows Store
A fifth collection, DLL Rules, exists but is hidden until you enable it on the Advanced tab of the AppLocker Properties dialog box. It covers .dll and .ocx files and, because every library load is then checked, it carries a noticeable performance cost.
Each of the rules you create in each of these containers can allow or block access to specific resources, based on one of the following criteria:
Publisher Identifies code-signed applications by means of a digital signature extracted from an application file. You can also create publisher rules that apply to all future versions of an application.
Path Identifies applications by specifying a file or folder name. The weakness of this type of rule is that any file matches it as long as the file has the right name or sits in the right location. An allow path rule must therefore point only at locations that standard users cannot write to; if a user can create files in an allowed folder, anything copied there runs.
File Hash Identifies applications based on a digital fingerprint that remains valid even when the name or location of the executable file changes. This type of rule functions much like its equivalent in software restriction policies; in AppLocker, however, the process of creating the rules and generating file hashes is much easier.
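The three conditions can be read off a file with Get-AppLockerFileInformation. The following is an added example, not code from the book; it assumes notepad.exe is present and that %TEMP% is writable, and copies the file under a new name to show that the publisher and hash attributes travel with the file's content while the path attribute does not.

```powershell
# Added example, not from the book. Compare the AppLocker identity of a
# system file with a renamed copy of the same file.
$source = Join-Path $env:SystemRoot 'System32\notepad.exe'
$copy   = Join-Path $env:TEMP 'harmless.exe'   # assumed scratch location

Copy-Item -LiteralPath $source -Destination $copy -Force
try {
    $orig = Get-AppLockerFileInformation -Path $source
    $dup  = Get-AppLockerFileInformation -Path $copy

    # Path is reported with AppLocker's own variables (%WINDIR%, %OSDRIVE%),
    # Publisher is built from the Authenticode signature, Hash from the content.
    $orig, $dup | Format-List Path, Publisher, Hash

    # The publisher condition is derived from this certificate chain.
    Get-AuthenticodeSignature -FilePath $source |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

    "Publisher identical : $($orig.Publisher.ToString() -eq $dup.Publisher.ToString())"
    "Hash identical      : $($orig.Hash.ToString() -eq $dup.Hash.ToString())"
    "Path identical      : $($orig.Path.ToString() -eq $dup.Path.ToString())"
}
finally {
    Remove-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue
}
```

The first two comparisons print True and the last prints False: a publisher or hash rule written for notepad.exe still matches the renamed copy in %TEMP%, while a path rule written for %WINDIR% does not.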

Creating default rules
Once a rule collection contains at least one rule, AppLocker blocks every executable, installer package, or script of that type that no Allow rule matches; this happens whether the collection's enforcement setting is Enforce Rules or Not Configured. Therefore, to use AppLocker you must create rules that enable users to access the files needed for Windows and the system's installed applications to run. The simplest way to do this is to right-click each of the four rules containers and select Create Default Rules from the shortcut menu. Each collection can also be set to Audit Only in the AppLocker Properties dialog box; nothing is blocked in that mode, but every decision is written to the AppLocker logs under Applications and Services Logs, which is the safe way to find missing rules before you switch to enforcement.
The default rules for each container are standard rules that you can replicate, modify, or delete as necessary. You can also create your own rules, as long as you are careful to provide access to all the resources the computer needs to run Windows.


To use AppLocker, the Application Identity service (AppIDSvc) must be running. By default, this service uses the Manual startup type, so you must start it yourself in the Services console before Windows can apply the AppLocker policies. For every computer in the GPO's scope, set the service to Automatic in the same GPO under Computer Configuration\Windows Settings\Security Settings\System Services; whenever the service is stopped, AppLocker stops enforcing.
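The default rules allow everything under %WINDIR% and %PROGRAMFILES% for all users, which makes any user-writable folder beneath those paths a way around the policy. The script below is an added example, not the book's code: it reads the effective policy on the local computer, expands each Allow path rule, and reports directories in which broad identities (Everyone, Authenticated Users, Users, INTERACTIVE) may create files. The identity names are the English ones, rule exceptions and Deny ACEs are not evaluated, and walking %WINDIR% takes a minute or two.

```powershell
# Added example, not the book's code. Find user-writable directories under
# the Allow path rules of the effective AppLocker policy. Run elevated.

$broadIdentities = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

# Turn an AppLocker path such as %PROGRAMFILES%\* into real directories.
function Expand-AppLockerPath([string]$RulePath) {
    $roots = @{
        '%WINDIR%'       = @($env:SystemRoot)
        '%SYSTEM32%'     = @((Join-Path $env:SystemRoot 'System32'))
        '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })
        '%OSDRIVE%'      = @($env:SystemDrive)
    }
    $paths = @($RulePath)
    foreach ($var in $roots.Keys) {
        $paths = @($paths | ForEach-Object {
            $p = $_
            if ($p.ToUpperInvariant().Contains($var)) {
                foreach ($root in $roots[$var]) { $p -ireplace [regex]::Escape($var), $root }
            } else { $p }
        })
    }
    # Drop the trailing wildcard; skip "*" and variables not mapped above
    # (%REMOVABLE%, %HOT%).
    $paths | ForEach-Object { $_ -replace '\\?\*$', '' } | Where-Object { $_ -and $_ -notmatch '%' }
}

# Report Allow ACEs on one directory that let a broad identity create files.
# CreateFiles (0x2) is the bit that matters; some inherited ACEs carry the
# generic write (0x40000000) or generic all (0x10000000) bits instead.
function Get-UserWritableAce([string]$Directory) {
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band 0x2) -or ($rights -band 0x40000000) -or ($rights -band 0x10000000)) {
            [pscustomobject]@{ Directory = $Directory
                               Identity  = $ace.IdentityReference.Value
                               Rights    = $ace.FileSystemRights }
        }
    }
}

[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$findings = foreach ($rule in @($policy.AppLockerPolicy.RuleCollection.FilePathRule)) {
    # Rules scoped to Administrators (S-1-5-32-544) do not widen what a
    # standard user may run, so they are skipped.
    if ($rule.Action -ne 'Allow' -or $rule.UserOrGroupSid -eq 'S-1-5-32-544') { continue }
    foreach ($cond in @($rule.Conditions.FilePathCondition)) {
        foreach ($root in Expand-AppLockerPath $cond.Path) {
            $dirs  = @(Get-Item -Path $root -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
            $dirs += @(Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
            foreach ($dir in $dirs) {
                Get-UserWritableAce $dir.FullName |
                    Select-Object @{ n = 'Collection'; e = { $rule.ParentNode.Type } },
                                  @{ n = 'Rule';       e = { $rule.Name } },
                                  Directory, Identity, Rights
            }
        }
    }
}
$findings | Sort-Object Directory, Identity | Format-Table -AutoSize
```

Every directory the script lists needs either an exception on the path rule, a tighter path, or a switch to publisher or hash rules for the applications that live there.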


Creating rules automatically
The greatest advantage of AppLocker over software restriction policies is the ability to create rules automatically. When you right-click one of the rules containers and select Automatically Generate Rules from the shortcut menu, the Automatically Generate Rules Wizard starts.
After specifying the folder to be analyzed and the users or groups to which the rules should apply, you will see a Rule Preferences page, enabling you to specify the types of rules you want to create. The wizard then displays a summary of its results on the Review Rules page and adds the rules to the container.
Creating rules manually
In addition to creating rules automatically, you can create them manually by using a wizard-based interface, which you start by selecting Create New Rule from the shortcut menu for one of the rule containers.
The wizard prompts you for the following information:
Action Specifies whether you want to allow or deny the user or group access to the resource. In AppLocker, explicit deny rules always override allow rules.
User Or Group Specifies the name of the user or group to which the policy should apply.
Conditions Specifies whether you want to create a publisher, path, or file hash rule. The wizard generates an additional page for whichever option you select, enabling you to configure its parameters.
Exceptions Enables you to specify exceptions to the rule you are creating by using any of the three conditions: publisher, path, or file hash.
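Both wizards have command-line equivalents in the AppLocker PowerShell module, which is the practical way to repeat the procedure on many servers. The script below is an added example, not the book's code: it generates rules from an application folder as the Automatically Generate Rules wizard does, adds an explicit Deny for one file, deploys the result to the local policy in audit mode, tests the decisions for a standard user, and reads back the audit events. C:\Apps\Contoso, the group CONTOSO\App Users, the user CONTOSO\jdoe, and the file names are assumptions made for the example.

```powershell
# Added example, not the book's code. Scripted version of the rule wizards,
# deployed locally in audit mode. All Contoso names are assumed.
$appDir = 'C:\Apps\Contoso'
$work   = Join-Path $env:TEMP 'applocker'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Enforcement needs the Application Identity service. sc.exe rather than
#    Set-Service: on current Windows builds the service is protected and
#    Set-Service is refused. In a domain, set the startup type in the GPO.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. What the Automatically Generate Rules wizard does: collect every file's
#    identity, prefer publisher rules, fall back to hash for unsigned files,
#    and let -Optimize collapse files from one signer into one rule.
$files = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe, Script, WindowsInstaller
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User 'CONTOSO\App Users' `
    -RuleNamePrefix Contoso -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File (Join-Path $work 'contoso-allow.xml') -Encoding UTF8

# 3. An explicit Deny for one tool. New-AppLockerPolicy only emits Allow
#    rules, so the action is flipped in the XML; a Deny wins over any Allow.
$legacy = Get-AppLockerFileInformation -Path (Join-Path $appDir 'Tools\legacy-updater.exe')
[xml]$deny = New-AppLockerPolicy -FileInformation $legacy -RuleType Hash -User Everyone -RuleNamePrefix Deny -Xml
$deny.SelectNodes('//FileHashRule') | ForEach-Object { $_.SetAttribute('Action', 'Deny') }
$deny.Save((Join-Path $work 'contoso-deny.xml'))

# 4. Merge both into the local policy (keeping the default rules created in
#    the console), then switch every collection that has rules to audit.
Set-AppLockerPolicy -XmlPolicy (Join-Path $work 'contoso-allow.xml') -Merge
Set-AppLockerPolicy -XmlPolicy (Join-Path $work 'contoso-deny.xml')  -Merge
[xml]$merged = Get-AppLockerPolicy -Local -Xml
foreach ($rc in $merged.AppLockerPolicy.RuleCollection) {
    if ($rc.ChildNodes.Count -gt 0) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
}
$merged.Save((Join-Path $work 'contoso-audit.xml'))
Set-AppLockerPolicy -XmlPolicy (Join-Path $work 'contoso-audit.xml')
gpupdate.exe /target:computer /force | Out-Null

# 5. Evaluate the policy offline for a standard user. The renamed copy of
#    the denied tool is still denied because the rule keys on its hash.
$renamed = Join-Path $env:TEMP 'update.exe'
Copy-Item -LiteralPath (Join-Path $appDir 'Tools\legacy-updater.exe') -Destination $renamed -Force
Test-AppLockerPolicy -XmlPolicy (Join-Path $work 'contoso-audit.xml') -User 'CONTOSO\jdoe' -Path @(
    (Join-Path $appDir 'contoso.exe'),
    (Join-Path $appDir 'Tools\legacy-updater.exe'),
    $renamed
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. In audit mode nothing is blocked; 8003 events record what enforcement
#    would have stopped (8004 is an actual block). The audited files can be
#    fed straight back into New-AppLockerPolicy to fill the gaps.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -Wrap
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Select-Object Path, Publisher, Hash -First 10
```

To push the same policy to a domain GPO instead of the local computer, pass the GPO's LDAP path to Set-AppLockerPolicy with -Ldap; the enforcement-mode edit in step 4 is what keeps the first rollout in audit mode regardless of what the console shows as Not Configured.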

This article is part of the 70-410 Installing and Configuring Windows Server 2012 prep course.