AppLocker Policies Deployment Guide

Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This topic for the IT professional introduces the concepts and describes the steps required to deploy AppLocker™ policies introduced in Windows Server 2008 R2 and Windows 7.

Purpose of this guide

This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.

This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see Using Software Restriction Policies and AppLocker Policies in this guide. To understand if AppLocker is the correct application control solution for you, see Understand AppLocker Policy Design Decisions.

Prerequisites to deploying AppLocker policies

The following are prerequisites or recommendations to deploying policies:

• Understand the capabilities of AppLocker:

  • AppLocker Technical Overview

  • AppLocker Step-by-Step Guide

• Document your application control policy deployment plan by addressing these tasks:

  • Understand the AppLocker Policy Deployment Process

  • Understand AppLocker Policy Design Decisions

  • Determine Your Application Control Objectives

  • Create List of Applications Deployed to Each Business Group

  • Select Types of Rules to Create

  • Determine Group Policy Structure and Rule Enforcement

  • Plan for AppLocker Policy Management

  • Create Your AppLocker Planning Document

Contents of this guide

This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in Requirements to Use AppLocker. It contains the following topics:

• Understand the AppLocker Policy Deployment Process

• Requirements for Deploying AppLocker Policies

• Using Software Restriction Policies and AppLocker Policies

• Create Your AppLocker Policies

• Deploy the AppLocker Policy into Production

• Maintain AppLocker Policies

Additional resources

• Using Software Restriction Policies to Protect Against Unauthorized Software (https://go.microsoft.com/fwlink/?LinkID=155634)

  This TechNet article is about SRP in Windows XP and Windows Server 2003 and is also applicable to Windows Vista® and Windows Server 2008. It provides an in-depth look at how software restriction policies can be used to fight viruses, regulate which ActiveX controls can be downloaded, run only digitally signed scripts, and enforce that only approved software is installed on system computers.

• Software Restriction Policies

  Windows Server 2003 product help Software Restriction Policies. This collection of topics describes the concepts to understand and the steps to implement and maintain SRP.

  More recent guidance to Administer Software Restriction Policies. This collection contains procedures how to administer application control policies using Software Restriction Policies (SRP).

• AppLocker Overview [Client]

  This topic lists AppLocker documentation resources for the IT professional.