Windows 7 AppLocker Executive Overview
Updated: January 20, 2010
Applies To: Windows 7
This topic provides an introduction to AppLocker, which is a new application control feature available in Windows 7 that helps prevent the execution of unwanted and unknown applications within an organization's network while providing security, operational, and compliance benefits.
For a complete view of Windows 7 resources, articles, demos, and guidance, please visit the Springboard Series for Windows 7 on the Windows Client TechCenter.
The software configuration of a typical desktop computer usually drifts from its desired or initial state because of the installation and execution of non-standard or unapproved software. Users install software from home, from Internet downloads, from peer-to-peer file sharing, and through e-mail, which results in a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your desktop computers are running only approved, licensed software. In addition, business productivity decreases. As a result, many organizations want more control over their desktop environment through a variety of lockdown schemes, including restricting administrator credentials. Running as a standard, non-administrative user is recommended because it helps limit the configuration changes that can be made in the desktop environment; however, running as a standard user does not prevent the installation or execution of unknown or unwanted software in your organization.
Software Restriction Policies (SRP), in Windows XP and Windows Vista, gave IT administrators a mechanism to define and enforce application control policies. However, SRP could become a management burden in a very dynamic desktop environment where applications were installed and updated on a constant basis because the application control policies predominantly used hash rules. With hash rules, a new hash rule needs to be created every time an application is updated.
Windows 7 AppLocker
Windows 7 addresses the growing desire for application control solutions in the enterprise with the introduction of AppLocker: a simple and flexible mechanism that allows administrators to specify exactly what is allowed to run in their desktop environment. As a result, AppLocker provides not only security protections but also operational and compliance benefits by allowing administrators to:
Prevent unlicensed software from running in the desktop environment if the software is not on the allowed list
Prevent vulnerable, unauthorized applications from running in the desktop environment, including malware
Stop users from running applications that needlessly consume network bandwidth or otherwise affect the enterprise computing environment
Prevent users from running applications that destabilize their desktop environment and increase help desk support costs
Provide more options for effective desktop configuration management
Allow users to run approved applications and software updates based upon policies while preserving the requirement that only users with administrative credentials can install or run applications and software updates
Help to ensure that the desktop environment is in compliance with corporate policies and industry regulations
AppLocker provides a simple and powerful structure through two rule actions: allow and deny. It also provides a means to identify exceptions to those actions. The allow action limits execution to an allowed list of applications and blocks everything else. The deny action takes the opposite approach: any application can run except those on a list of denied applications. While many enterprises will likely use a combination of allow and deny actions, the ideal AppLocker deployment uses allow rules with built-in exceptions. An exception excludes, from an allow or deny rule, files that the rule's condition would otherwise include. Using exceptions, you can create a rule to "allow everything in the Windows operating system to run, except the built-in games." Using allow rules with exceptions provides a robust way to build an allowed list of applications without having to create an inordinate number of rules.
AppLocker introduces publisher rules that are based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates by being able to specify attributes such as the version of an application. For example, an organization can create a rule to "allow all versions greater than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe." Now when Adobe updates Acrobat, you can deploy the application update without having to create another rule for the new version of the application.
AppLocker supports multiple, independently configurable policies called rule collections: executable files, installers, scripts, and DLLs. The multiple collections allow an organization to build rules that go beyond the traditional executable-only solutions, providing greater flexibility and enhanced protection. For example, an organization could create a rule to "allow the Graphics security group to run the installer or application from Adobe for Photoshop as long as it is still Adobe Photoshop version 14.*." This allows IT administrators to retain control but allow users to keep their computers up to date based upon their business needs. In addition, each of these policies can be individually placed into an audit-only mode, allowing you to test your rules before they start blocking applications from running and potentially affecting user productivity.
AppLocker rules can be associated with a specific user or group within an organization. This provides specific controls that allow you to support compliance requirements by validating and enforcing which users can run specific applications. For example, you can create a rule to "allow users in the Finance security group to run the finance line-of-business applications." This blocks everyone who is not in the Finance security group from running finance applications (including administrators) but still provides access for those that have a business need to run the applications.
AppLocker provides a robust experience for IT administrators through new rule creation tools and wizards. For example, IT administrators can automatically generate rules by using a test reference computer and then importing the rules into a production environment for widespread deployment. The IT administrator can also export a policy to provide a backup of the production configuration or to provide documentation for compliance purposes. Your Group Policy infrastructure can be used to build and deploy AppLocker rules as well, saving your organization training and support costs.
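The following PowerShell is an added example, not code from the original article or from Microsoft, that puts the rule types described above (a publisher rule with a version floor, a path rule with an exception, audit-only enforcement for one security group) into AppLocker's policy XML, dry-runs it, applies it locally and exports the result as a baseline. The publisher subject string, product name, group SID and rule GUIDs are assumed placeholders; take the real publisher and product names from a signed copy of the file with Get-AppLockerFileInformation.

```powershell
# Added example (not from the article). Placeholders: publisher subject, product
# name, group SID and rule GUIDs. Read real signer values with Get-AppLockerFileInformation.
Import-Module AppLocker

$groupSid = 'S-1-5-21-0-0-0-1234'   # placeholder SID of the security group allowed to run Reader

$policyXml = @"
<AppLockerPolicy Version="1">
  <!-- Exe collection in audit-only mode: matches are logged, nothing is blocked yet -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Publisher rule: Acrobat Reader 9.0 and later, signed by the assumed Adobe subject.
         An update to 10.x still matches, so no new rule is needed for it. -->
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000001"
        Name="Allow Acrobat Reader 9.0 and later" Description=""
        UserOrGroupSid="$groupSid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"
            ProductName="ADOBE READER" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Path rule for Everyone (S-1-1-0) over the Program Files tree, with the
         built-in games folder (assumed path) carved out as an exception -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002"
        Name="Allow Program Files, except built-in games" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%PROGRAMFILES%\Microsoft Games\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding unicode

# Dry run before deployment: would this policy let the file run for a member of the group?
Test-AppLockerPolicy -XMLPolicy $policyPath -Path 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe' -User $groupSid

# Apply to the local computer (still audit-only), then keep an export as the documented baseline
Set-AppLockerPolicy -XMLPolicy $policyPath
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath (Join-Path $env:TEMP 'applocker-baseline.xml') -Encoding unicode
```

While the collection stays in AuditOnly mode, review the AppLocker event log for files that would have been blocked, then switch EnforcementMode to Enabled once the rule set is complete.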
AppLocker is a new technology available in Windows 7 Enterprise and Windows 7 Ultimate. In addition, AppLocker is available in Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, and Windows Server 2008 R2 for Itanium-Based Systems. Software Restriction Policies are also available in these same editions.
Your desktop environment is not only one of your top productivity tools, but it also represents a significant investment. You need tools that allow users to run the applications they need to be productive while providing effective defenses against unknown and unwanted software.
Windows 7 addresses the need for application control solutions in the enterprise with the introduction of AppLocker: a simple and flexible mechanism that allows administrators to specify exactly what is allowed to run in their desktop environment. As a result, AppLocker provides not only security protections but also operational and compliance benefits. In addition, AppLocker can be administered by using well-known and proven tools and techniques, allowing your IT resources to concentrate on aligning your IT infrastructure with your dynamic business requirements.