What is AppLocker feature in Windows 7

[Orton]

Hi,, yesterday i assembled a new PC with the new Windows 7 operating system. I can say that it is the coolest and best operating system yet for me with lots of new features. While exploring i found a feature called AppLocker in my Windows 7. As the name suggest, i can guess that it is something security related but i request you guys to please make me know what exactly is the AppLocker in Windows 7 ? Help appreciated..

[MrChris-]

AppLocker is a new feature of Windows 7 that allows you to restrict program execution via Group Policy. AppLocker provides a simple and powerful structure through three rule types: allow, deny, and exception. Allow rules limit execution of applications to a "known good list" of applications and block everything else. Deny rules take the opposite approach and allow the execution of any application except those on a list of “known bad” applications.

While many enterprises will likely use a combination of allow rules and deny rules, the ideal AppLocker deployment would use allow rules with built in exceptions. Exception rules allow you to exclude files from an allow/deny rule that would normally be included. Using exceptions, you can create a rule to “allow everything in the Windows Operating System to run, except the built-in games.” Using allow rules with exceptions provides a robust way to build a “known good list” of applications without having to create an inordinate number of rules.

[jesse]

AppLocker policies in Windows 7 have other benefits, as well, including separation between different types of execution (namely EXEs, DLLs, and MSI or script hosts). These file types are fit into four buckets called rule collections, and enforcement is configured separately for each. For example, administrators can enable AppLocker checks for executables without enabling checks of script files.

The AppLocker policy is stored under the HKLM\Software\Policies\Microsoft\Windows\SrpV2 key. The policy is stored in an XML format and is translated by the Application Identity (AppID) service. When policy is processed, the appid.sys driver is notified about new policy by the service through the IOCTL_SRP_POLICY and the driver will reload the policy.

The first task when approaching changes to your IT environment is to assess how the environment is currently functioning. Then you can carefully plan and test any changes to ensure they can be implemented smoothly. This is the purpose of the Audit only enforcement mode.

Auditing the enforcement of the App-Locker policy is extremely important. Not only does this let you test a policy before it's enforced, but it also offers you the ability to watch how the policy performs during its lifetime. You'd definitely want to know if a certain set of users needed an application to work at some point. This can be determined by connecting to a system and reviewing the AppLocker audit information to see whether an application lockdown policy was preventing a particular app from running

[Dr. V]

AppLocker provides not only security protections, but also operational and compliance benefits by:-

• Keeping unlicensed software from running in your desktop environment
  
  
• Preventing vulnerable, unauthorized applications from running in your desktop environment, including malware
  
  
• Stopping users from running applications that needlessly consume network bandwidth or otherwise impact the enterprise computing environment
  
  
• Preventing users from running applications that destabilize their desktop environment and increase helpdesk support costs
  
  
• Easing enterprise software deployments and maintenance through effective desktop configuration management
  
  
• Allow users to install and run approved applications and software updates based upon their business needs
  
  
• Helping ensure your desktop environment is in compliance with corporate policies and industry regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, Basel II, and others

[Larry ward]

AppLocker is a new technology in Windows 7 that will be part of the Enterprise SKU, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.

In order to use this Feature, you need to type gpedit.msc into the search box and hit Enter. Now navigate to the following folder:-

Computer Configuration \ Windows Settings \ Security Settings \ Application Control Policies \ AppLocker.

Here you will find overall controls for the applications.The first thing you should do is create the Default Rules. To do so right click on “Executable Rules” and navigate to “Create Default Rules”.

The primary channel for AppLocker events is in the Applications and Service Logs that can be viewed in the Event Viewer (eventvwr.msc) application. In order to view these log entries, look for the EXE and DLL and the MSI and Script logs under the Microsoft\Windows\AppLocker\ event channel. Many different events can be generated, including whether an application was allowed or blocked and whether a policy was applied to a system.