Requirements for Deploying AppLocker Policies

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This deployment topic lists the requirements you need to meet before deploying AppLocker policies.

The following requirements must be met or addressed before deploying your AppLocker policies:

  • Your deployment plan

  • Supported operating systems

  • Your policy distribution mechanism

  • Your event collection and analysis system

Your deployment plan

An AppLocker policy deployment plan is the result of investigating what applications are required and necessary in your organization, what applications are optional, and what applications are forbidden. To develop this plan, see AppLocker Policies Design Guide. The following table is an example of the data you need to collect and the decisions you need to make in order to successfully deploy AppLocker policies on Supported operating systems.

Business group | Organizational unit | Implement AppLocker? | Applications | Installation path | Use default rule or define new rule condition | Allow or deny | GPO name | Support policy
--- | --- | --- | --- | --- | --- | --- | --- | ---
Bank Tellers | Teller-East and Teller-West | Yes | Teller software | C:\Program Files\Woodgrove\Teller.exe | File is signed; create a publisher condition | Allow | Tellers | Web help
 |  |  | Windows files | C:\Windows | Create a path exception to the default rule to exclude \Windows\Temp | Allow |  | Help desk
 |  |  | Time Sheet Organizer | C:\Program Files\Woodgrove\HR\Timesheet.exe | File is not signed; create a file hash condition | Allow |  | Web help
Human Resources | HR-All | Yes | Check Payout | C:\Program Files\Woodgrove\HR\Checkcut.exe | File is signed; create a publisher condition | Allow | HR | Web help
 |  |  | Internet Explorer 7 | C:\Program Files\Internet Explorer\ | File is signed; create a publisher condition | Deny |  | Help desk
 |  |  | Windows files | C:\Windows | Use the default rule for the Windows path | Allow |  | Help desk

Event processing policy

Business group | AppLocker event collection location | Archival policy | Analyzed? | Security policy
--- | --- | --- | --- | ---
Bank Tellers | Forwarded to: srvBT093 | Standard | None | Standard
Human Resources | DO NOT FORWARD | 60 months | Yes; summary reports monthly to managers | Standard

Policy maintenance policy

Business group | Rule update policy | Application decommission policy | Application version policy | Application deployment policy
--- | --- | --- | --- | ---
Bank Tellers | Planned: monthly through business office triage. Emergency: request through help desk | Through business office triage; 30-day notice required | General policy: keep past versions for 12 months. List policies for each application | Coordinated through business office; 30-day notice required
Human Resources | Planned: through HR triage. Emergency: request through help desk | Through HR triage; 30-day notice required | General policy: keep past versions for 60 months. List policies for each application | Coordinated through HR; 30-day notice required

Supported operating systems

AppLocker is supported only on the following editions of these operating systems:

Operating system/edition | AppLocker policies created and maintained | AppLocker policies deployed
--- | --- | ---
Windows Server 2012 | Yes | Yes
Windows 8 | Yes | Yes
Windows Server 2008 R2 Standard | Yes | Yes
Windows Server 2008 R2 Enterprise | Yes | Yes
Windows Server 2008 R2 Datacenter | Yes | Yes
Windows Server 2008 R2 for Itanium-Based Systems | Yes | Yes
Windows 7 Professional | Yes | No
Windows 7 Ultimate | Yes | Yes
Windows 7 Enterprise | Yes | Yes

Software Restriction Policies are supported on versions of Windows beginning with Windows XP and Windows Server 2003, including the versions listed above. However, the SRP Basic User feature is not supported on the operating systems listed above.

Your policy distribution mechanism

AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. You will need a way to distribute the AppLocker policies throughout the targeted business group.

Your event collection and analysis system

Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see:
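The following PowerShell script is an added example and is not part of the original page or of Microsoft's documentation. It takes the Bank Tellers rows of the deployment plan table above (signed Teller.exe, unsigned Timesheet.exe), generates the publisher and hash rules the plan calls for with the AppLocker module cmdlets, checks them before deploying, merges them into the "Tellers" GPO, and then reads the AppLocker events collected on srvBT093 from the event-processing table. The GPO LDAP path is a placeholder, and it assumes the script runs on a domain-joined Windows 7 / Server 2008 R2 or later machine where the planned files exist and the collector's subscription uses the default ForwardedEvents log.

```powershell
# Added example (not from the page). GPO LDAP path is a placeholder.
Import-Module AppLocker

$gpoLdap   = 'LDAP://DC=woodgrove,DC=example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=woodgrove,DC=example'
$policyXml = 'C:\AppLocker\Tellers.xml'
$tellerApps = @(
    'C:\Program Files\Woodgrove\Teller.exe',       # signed   -> publisher condition
    'C:\Program Files\Woodgrove\HR\Timesheet.exe'  # unsigned -> file hash condition
)

# Read signature and hash data for each file. -RuleType is an ordered
# preference: a publisher condition when the file is signed, a hash
# condition when it is not, which is the decision recorded in the plan table.
$fileInfo = Get-AppLockerFileInformation -Path $tellerApps
$policy   = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Tellers -Optimize -Xml
Set-Content -Path $policyXml -Value $policy

# Dry run against the planned paths before touching the GPO. Anything other
# than Allowed means the generated rules and the plan disagree.
$check = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $tellerApps -User Everyone
$check | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
if ($check | Where-Object { $_.PolicyDecision -ne 'Allowed' }) {
    throw 'A planned application would be blocked; fix the rules before deploying.'
}

# -Merge keeps the rules already in the GPO (for example the default Windows
# path rule). The \Windows\Temp exception and the Internet Explorer 7 deny
# rule from the plan still have to be added in the AppLocker snap-in or the
# policy XML, because New-AppLockerPolicy only generates allow rules.
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoLdap -Merge

# Event review for the Bank Tellers group, read from the collector named in
# the event-processing table. Event 8003 = audit-only "would have been
# blocked", 8004 = blocked; both are what the analysis step needs to see.
$events = Get-WinEvent -ComputerName 'srvBT093' -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-AppLocker'
    Id           = 8003, 8004
}
$events | Group-Object Id | Select-Object Name, Count
```

Run the script from a test machine first; the GPO write in Set-AppLockerPolicy requires rights on the GPO, and Get-WinEvent needs the Event Log Readers role (or equivalent) on the collector.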

See Also

Concepts

AppLocker Policies Deployment Guide