What is AppLocker?
AppLocker allows you to prevent programs from executing on desktop machines through central administration. It is one of the many new features of Windows 7, although it is only included in the Enterprise version of the OS.
It is similar to the “Software Restriction Policies” (SRP) from previous incarnations of Windows, but much improved, with more power and greater flexibility.
How does it work?
There are three kinds of rules available with AppLocker:
Path Rules: Allow you to restrict program execution to certain directory paths, such as Program Files, but are only effective if users are unable to install their own applications into those paths. Monitoring and tracking the allowed folders can be time consuming and difficult.
Hash Rules: Use cryptographic hashes of executables to identify them. Very secure, but can be time consuming, as the hash must be updated after any update to the program (a changed binary has a different hash).
Publisher Rules: Identify applications based on the digital signatures issued by the publisher. While these are similar to “Certificate Rules” in SRP, they are more sophisticated. You can restrict execution to the:
Publisher (e.g. Microsoft)
Product name (such as Office 2007)
File name (office2007.exe)
File version (14.0.1.1 for example)
All three rule types can be applied to:
Executables (.exe)
Installer Files (.bat, .cmd etc)
System Libraries (.dll etc)
and all three rule types allow the creation of “exceptions”, such as:
“Allow Publisher “Microsoft” except file name mediaplayer.exe”
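The rule types and the exception above, as an added example that is not part of the original post: an AppLocker policy written in the XML form that Group Policy and the AppLocker PowerShell cmdlets exchange, set to audit mode and checked with Test-AppLockerPolicy before anything is enforced. The AppLocker module, the rule GUIDs and the C:\Tools\tool.exe path are assumptions.

```powershell
# Added example, not from the original post. Assumes the AppLocker PowerShell
# module (Windows 7 Enterprise / Server 2008 R2 or later); the rule GUIDs and
# C:\Tools\tool.exe are placeholders.
Import-Module AppLocker

$policyXml = @'
<AppLockerPolicy Version="1">
  <!-- AuditOnly only records what would have been blocked (Applications and Services
       Logs > Microsoft > Windows > AppLocker); switch to "Enabled" after reviewing it. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Publisher rule: "Allow publisher Microsoft except file name mediaplayer.exe".
         "*" in ProductName, BinaryName or the version range widens the rule to that level. -->
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Microsoft-signed EXEs"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="*" BinaryName="MEDIAPLAYER.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
    <!-- Path rule: only safe where users cannot write into the allowed tree. -->
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before deployment: list every EXE under Program Files this policy would deny
# for Everyone, so gaps are found in a test run rather than by users after enforcement.
Get-ChildItem -Path $env:ProgramFiles -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied,DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Hash rule: generated from the file rather than hand-written, since it pins the exact
# bytes. Merge the output with Set-AppLockerPolicy -Merge and regenerate after every update.
Get-AppLockerFileInformation -Path 'C:\Tools\tool.exe' |
    New-AppLockerPolicy -RuleType Hash -User Everyone -Xml
```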
In the Windows 7 deployment I’m working on, and I’m sure many, many more, AppLocker is of great interest to System Administrators. Its ability to block programs will lead not only to increased security but could also be used for increased productivity, particularly in schools.
You can see Microsoft’s Paul Cooke talking about AppLocker here.
For a great look at the technical aspects of using and setting up AppLocker, head over to 4Sysops here.