How to automate and apply Microsoft Windows 7 AppLocker rules

In part one of this two-part technical tip, we explored the application whitelisting features in Microsoft Windows 7 AppLocker, as well as how to define AppLocker rules. Here, we'll dive into how to automate AppLocker rule generation and how to apply those rules once you have AppLocker up and running.

AUTOMATING APPLOCKER RULE GENERATION
When it comes to defining rules for Windows XP/Vista Software Restriction Policies, admins are largely left to fend for themselves. With AppLocker, Microsoft included a couple of wizards to speed rule generation.

To get you started, a create-default-rules wizard generates a trio of AppLocker rules that let everyone run executables only in the Windows and Program Files folders, while letting administrators run executables anywhere. These simple rules do not exploit AppLocker's benefits; they create a sandbox in which to learn about AppLocker without accidentally locking yourself (an administrator) out.

To get you really rolling, the rule-creation wizard scours an entire reference PC to find all programs (executables, installers and scripts) and proposes a complete collection of AppLocker rules to allow them. Importantly, that collection maximizes publisher-rule use, falling back to hash rules only for programs without signatures.

You'll have a chance to preview and edit proposed rules before applying them in one fell swoop -- for example, to add exceptions or permit new program installation from network shares. This wizard speeds rule generation, but must usually be run on one of the PCs to be controlled. (Your Windows Server probably does not have a correct or complete set of reference programs.)
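The same inventory-and-propose workflow can be scripted with the AppLocker PowerShell module that ships with Windows 7, which is handy when you want the proposed rule set as an XML file you can review, edit and dry-run before applying. The following is an added example, not code from the original tip; the reference folders and output paths are assumptions to adjust for your own reference PC.

```powershell
# Added example: script the rule-creation wizard's inventory on a Windows 7 reference PC.
# Assumed: the folders below hold the programs to be allowed, and C:\AppLockerPolicies exists.
Import-Module AppLocker

$referenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$proposedPath  = 'C:\AppLockerPolicies\proposed.xml'

# Collect signature, hash and path information for every executable, installer and
# script under the reference folders (DLL rules are left out, as the tip's wizard does).
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# Propose allow rules for Everyone. Listing Publisher before Hash makes the cmdlet use a
# publisher rule wherever the file is signed and fall back to a hash rule only for
# unsigned files; -Optimize collapses files from the same publisher/product into one rule.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $proposedPath -Encoding UTF8

# Preview step: the XML can now be edited (add exceptions, a path rule for a trusted
# install share, etc.) before anything is applied.

# Dry run: report which executables under Program Files the proposed rules would NOT
# allow for a standard user, without touching the live policy.
$probe = Get-ChildItem -Path 'C:\Program Files' -Recurse -Include *.exe |
    Select-Object -ExpandProperty FullName

Test-AppLockerPolicy -XmlPolicy $proposedPath -Path $probe -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

An empty table from the dry run means every probed executable is covered; anything listed is a file the wizard missed or that lost its rule during editing.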

EASE INTO APPLOCKER
Due to its disallow-everything-else stance, take AppLocker out for a test drive using the Local Security Policy snap-in on a Windows 7 PC. Before you start, set the AppID service to start manually so you can easily recover from mistakes by rebooting. Begin with a few very broad allow rules, adding narrow deny rules to develop a feel for how AppLocker works -- including accidental lock-me-out mistakes common to whitelisting. You can also set AppLocker to run in audit-only mode, logging what would happen before changing rules to actively allow or deny programs.

Large enterprises will no doubt struggle with AppLocker due to the sheer complexity of whitelisting thousands of users, hundreds of groups, and the dizzying permutations that result from controlling diverse enterprise applications. However, midmarket businesses may find AppLocker easy enough to use -- and effective enough to make that effort worthwhile. A small office might be controlled entirely through local security policies by using the wizard to inventory each PC and fine-tune proposed rules that reflect what's currently installed there. Most midmarket businesses will prefer to apply AppLocker using centrally defined and maintained GPOs.
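To put the test-drive advice above into practice on a single Windows 7 PC, the steps below keep the AppID service on manual start, switch a rule set to audit-only before applying it, and then pull the events that show what enforcement would have blocked. This is an added example rather than code from the original tip; the policy file path is an assumption, and the GPO LDAP path is a placeholder.

```powershell
# Added example: stage AppLocker in audit-only mode on a Windows 7 test PC.
# Assumed: an XML rule set (e.g. exported from the rule-creation wizard) sits at $policyPath.
Import-Module AppLocker

$policyPath = 'C:\AppLockerPolicies\proposed.xml'
$auditPath  = 'C:\AppLockerPolicies\audit-only.xml'

# 1. The Application Identity service is what enforces AppLocker rules. Keeping it on
#    manual start means a lock-me-out mistake can be undone with a reboot.
Set-Service -Name AppIDSvc -StartupType Manual
Start-Service -Name AppIDSvc

# 2. Flip every rule collection (Exe, Msi, Script, Dll) in the rule set to AuditOnly.
#    SetAttribute works whether or not the EnforcementMode attribute is already present.
[xml]$policy = Get-Content -Path $policyPath
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($auditPath)

# 3. Apply to the local security policy. Once the rules have proven themselves, the same
#    XML can be pushed to a domain GPO instead, for example:
#    Set-AppLockerPolicy -XmlPolicy $auditPath -Ldap 'LDAP://<DC>/<GPO distinguished name>'  # placeholder
Set-AppLockerPolicy -XmlPolicy $auditPath

# 4. After users have worked normally for a while, list the audit events. Event ID 8003 in
#    the EXE and DLL log means "allowed to run, but would have been blocked if enforced".
#    Installers and scripts log to 'Microsoft-Windows-AppLocker/MSI and Script'.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Each 8003 event names the file and the user involved, which is exactly the list of broad allow rules or narrow exceptions you still need before switching a collection from AuditOnly to Enabled.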

Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.

This was first published in October 2009
