Using Software Restriction Policies and AppLocker and When We Need Something More

In a previous blog post I talked about different methods to control user installed applications and when the various options were examined it became clear that whitelisting is going to enable the most flexibility while offering great protection for the organization. In this post I wanted to talk about what we actually have built into Windows and really when we need something beyond what’s provided.

John Savill

September 19, 2011

Software Restriction Policies bring a shiver to many IT administrators. First introduced with Windows XP and the Windows Server 2003 Group Policy tools, Software Restriction Policies (SRP) let an administrator restrict the execution of various types of application and plug-in. SRP lives in a Group Policy Object under Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies, and once you create a new Software Restriction Policy you will understand the shiver, as it is just not pleasant to administer, not one little bit. The functionality itself works fine; the pain is in using it. You define rules to allow or block by one of four identifiers: a hash value (a cryptographic fingerprint of the file, which changes with every patch, so hash rules have to be recreated after each update), a certificate that digitally signed the file, the path of the file (either a file-system path or a registry value that holds one, and a path rule is only as trustworthy as the permissions on that directory, since anyone who can write there can drop an executable that the rule allows), or the Internet zone it came from. The default security level is Unrestricted, so everything runs unless a rule says otherwise, and switching the default to Disallowed means enumerating every executable your users need before anyone can log on. Imagine trying to do that initially for a large company. In practice you end up just trying to block the worst programs, and we are back to the problem I talked about in the first blog post of things getting missed.
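The two weaknesses that make SRP in its usual blacklist configuration so porous are an Unrestricted default level and path rules that point at directories ordinary users can write to. The script below, an added example that is not part of the original post, reads the SRP settings that Group Policy has applied to the local machine (the HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers registry layout that SRP uses) and flags both. It assumes an elevated PowerShell prompt on a client that has received an SRP GPO; the ACL check deliberately looks only at direct Allow entries for Everyone, Authenticated Users and Users and ignores group nesting, so treat a clean result as "nothing obvious" rather than proof.

```powershell
# Added example (not from the original post): audit the Software Restriction
# Policy applied to this computer and flag an Unrestricted default level and
# Unrestricted path rules that point at user-writable directories.
# Assumes the SRP registry layout under HKLM\...\Safer\CodeIdentifiers and an
# elevated PowerShell session.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel values SRP stores (also the names of the per-level subkeys)
$levels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

# SIDs that mean "any ordinary user": Everyone, Authenticated Users, Users
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

function Test-UserWritable([string]$dir) {
    # True if a broad principal holds an Allow ACE granting write access to $dir.
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable identity
        if (($broadSids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-RuleDirectory([string]$item) {
    # Reduce an SRP path rule (may hold env vars and wildcards) to a directory to check.
    if ($item -match '^%HKEY_') { return $null }          # registry-path rule: not checked here
    $expanded = [Environment]::ExpandEnvironmentVariables($item)
    $fixed = ($expanded -split '[*?]')[0]                  # portion before the first wildcard
    if (Test-Path -LiteralPath $fixed -PathType Container) { return $fixed }
    $parent = Split-Path -Path $fixed -Parent
    if ($parent -and (Test-Path -LiteralPath $parent -PathType Container)) { return $parent }
    return $null
}

if (-not (Test-Path $saferRoot)) {
    Write-Warning 'No Software Restriction Policy is applied to this computer.'
    return
}

$default = (Get-ItemProperty -Path $saferRoot).DefaultLevel
if ($null -eq $default) { $default = 0x40000 }             # absent means the Unrestricted default
'Default security level: {0} (0x{1:X})' -f $levels[[int]$default], $default
if ($default -eq 0x40000) {
    Write-Warning 'Default is Unrestricted: only what the rules below name is blocked; everything else runs.'
}

# Rules live under <level>\Paths\<guid> and <level>\Hashes\<guid>
foreach ($levelKey in Get-ChildItem -Path $saferRoot) {
    $levelName = $levels[[int]$levelKey.PSChildName]

    $pathsKey = Join-Path $levelKey.PSPath 'Paths'
    if (Test-Path $pathsKey) {
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $item = (Get-ItemProperty -Path $rule.PSPath).ItemData
            $line = '{0,-12} PATH  {1}' -f $levelName, $item
            $dir = Get-RuleDirectory $item
            if ($levelName -eq 'Unrestricted' -and $dir -and (Test-UserWritable $dir)) {
                $line += '   <-- allows execution from a user-writable directory'
            }
            $line
        }
    }

    $hashKey = Join-Path $levelKey.PSPath 'Hashes'
    if (Test-Path $hashKey) {
        foreach ($rule in Get-ChildItem -Path $hashKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            $hex = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
            # Hash rules match one exact binary; the next patch of that program needs a new rule
            '{0,-12} HASH  {1} {2}' -f $levelName, $p.FriendlyName, $hex
        }
    }
}
```

Run it on a representative client after a gpupdate. A typical finding is an Unrestricted rule for a path such as the user profile or a shared temp directory added to stop an application breaking, which quietly turns the policy into a bypass for anyone who can write to that folder.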

Windows 7 Enterprise and Ultimate editions (and Windows Server 2008 R2) include support for a new technology called AppLocker. AppLocker builds on what SRP allows and adds great features and far better manageability. Fundamentally, AppLocker is a whitelist: once a rule collection (executables, Windows Installer files, scripts or DLLs) contains rules and is set to enforce, everything that no allow rule matches is blocked. Explicit deny rules are also possible, and a collection with no rules at all allows everything, so a half-configured policy is no protection. Path and hash rules still exist, but the real gain is publisher rules, which use the attributes carried in the application's digital signature: the publisher, the product name, the file name and the file version. That is far more flexible than SRP's certificate rule, which could only say "anything signed with this certificate". The picture below shows creating a rule. I just selected the file from my system and now I can create the rule using the slider to set how specific the rule is: if I slide all the way up to Publisher, the rule will allow any program of any version signed by Microsoft Corporation, or I can leave it at the File version level to allow only this version of Internet Explorer. Note that the file version condition defaults to "And above", so that a patched version keeps working; pick "Exactly" if you really mean to pin one build. Finally, enforcement on the client depends on the Application Identity service (AppIDSvc) running, so set it to start automatically as part of the rollout.
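To see what the slider positions mean in terms of what actually runs, the added example below (not code from the original post) reads the signature attributes of one signed file with the AppLocker cmdlets, builds a publisher rule at each granularity as AppLocker policy XML, and evaluates two files against each policy with Test-AppLockerPolicy. Nothing is applied to the machine or a GPO; the XML is only fed to the test cmdlet. It assumes Windows 7 Enterprise/Ultimate or Server 2008 R2 with the AppLocker module, an elevated prompt, and that Internet Explorer and Notepad are present at their usual paths (both are Microsoft-signed but belong to different products, which is the point of the comparison).

```powershell
# Added example (not from the original post): build AppLocker publisher rules for
# one signed file at the granularities the rule wizard's slider offers and test,
# without enforcing anything, which files each rule allows.
# Assumptions: Windows 7 Enterprise/Ultimate or Server 2008 R2, elevated
# PowerShell, AppLocker module available, example file paths below exist.
Import-Module AppLocker

$target = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$other  = Join-Path $env:windir 'System32\notepad.exe'   # same publisher, different product

# Publisher, product, binary name and version come from the Authenticode signature
$pub = (Get-AppLockerFileInformation -Path $target).Publisher
if (-not $pub) { throw "$target is not signed; publisher rules require a signed file" }
$esc = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }   # XML attribute escaping

function New-PublisherPolicyXml {
    param(
        [string]$Name,
        [string]$Product = '*',   # '*' = any product from this publisher
        [string]$Binary  = '*',   # '*' = any file name
        [string]$Low     = '*',   # version range '*'..'*' = any version
        [string]$High    = '*'
    )
    # One Allow rule for Everyone (S-1-1-0) in an enforced Exe collection,
    # using AppLocker's own policy XML schema.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$(& $esc $pub.PublisherName)" ProductName="$(& $esc $Product)" BinaryName="$(& $esc $Binary)">
          <BinaryVersionRange LowSection="$Low" HighSection="$High" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$ver = "$($pub.BinaryVersion)"
$policies = @(
    @{ Label = 'Publisher: any exe signed by this publisher'
       Xml   = New-PublisherPolicyXml -Name 'Publisher' },
    @{ Label = 'Product name: any version of this product'
       Xml   = New-PublisherPolicyXml -Name 'Product' -Product $pub.ProductName },
    @{ Label = 'File version and above (wizard default)'
       Xml   = New-PublisherPolicyXml -Name 'VersionAndAbove' -Product $pub.ProductName -Binary $pub.BinaryName -Low $ver },
    @{ Label = 'File version exactly (breaks on the next patch)'
       Xml   = New-PublisherPolicyXml -Name 'VersionExactly' -Product $pub.ProductName -Binary $pub.BinaryName -Low $ver -High $ver }
)

$xmlFile = Join-Path $env:TEMP 'applocker-slider-test.xml'
foreach ($p in $policies) {
    $p.Xml | Set-Content -Path $xmlFile -Encoding UTF8
    "`n== $($p.Label) =="
    # Evaluates the files against the policy only; nothing is enforced or written to a GPO
    Test-AppLockerPolicy -XmlPolicy $xmlFile -Path $target, $other -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
}
Remove-Item $xmlFile -ErrorAction SilentlyContinue
```

Expect notepad.exe to be allowed only by the Publisher-level policy, since the product-name and file-version rules name Internet Explorer specifically. The same XML pattern is what Get-AppLockerPolicy -Effective -Xml returns from a client, so the technique doubles as a way to test a proposed rule change against a list of executables before pushing it with Set-AppLockerPolicy or through the GPO.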
