Threats and Countermeasures Guide: Application Control Policies

Applies To: Windows 7, Windows Server 2008 R2

This security policy reference topic for the IT professional describes the security considerations for the application control policy settings that are managed by AppLocker™, including vulnerabilities, countermeasures, and potential impact in Windows Server® 2008 R2 and Windows® 7.

Application Control Policies settings

The increased use of networks and the Internet in daily business computing means that it is more likely than ever that an organization's users will encounter malicious software. Application control policies can help organizations protect themselves because they provide another layer of defense against viruses, Trojan horses, and other types of malicious software.

Application control policies specify which programs are allowed to run on the local computer and which are not.

You can configure the Application Control Policies settings in the following location within the Group Policy Management Console (GPMC):

Computer Configuration\Windows Settings\Security Settings\Application Control Policies

Vulnerability

Computer networks are used to collaborate in many different ways, such as email, instant messaging, and peer-to-peer applications. As these collaboration opportunities increase, so does the risk from viruses, worms, and other forms of malicious software. Email and instant messaging can transport unsolicited malicious software, which can take many forms such as Windows executable files, macros in word processing documents, and script files.

Viruses and worms are often transmitted in email messages, and they frequently include social engineering techniques that trick users into performing an action that activates the malicious software. The number and variety of forms that malicious software can take make it difficult for users to know what is safe to run and what is not. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.

Countermeasure

Create a sound design for your application control policies on end-user computers in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment.
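One way to run that lab test is with the AppLocker Windows PowerShell cmdlets. The following script is an added example, not part of the original topic. It evaluates a candidate policy file against the applications users need and against a user-writable folder before the policy is deployed. The paths, the user account, and the variable names are placeholders that you replace with values from your own lab.

```powershell
# Added example: pre-deployment check of a candidate AppLocker policy in a lab.
# All paths and the account name below are placeholders (assumptions).
Import-Module AppLocker

$CandidatePolicy = 'C:\Lab\CandidatePolicy.xml'        # policy XML exported from the lab GPO
$RequiredApps    = 'C:\Program Files\ContosoApp'       # applications users must be able to run
$UserWritable    = 'C:\Users\labuser\Downloads'        # location where users can drop files
$TestUser        = 'LAB\labuser'                       # standard user the policy applies to
$Report          = 'C:\Lab\PolicyFindings.csv'

# Check 1: required applications that the candidate policy would block.
# Denied = matched an explicit deny rule; DeniedByDefault = no allow rule matched.
$blocked = Get-ChildItem $RequiredApps -Recurse -Include *.exe |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $CandidatePolicy -User $TestUser `
        -Filter Denied,DeniedByDefault

# Check 2: executables in a user-writable folder that the policy would allow.
# Anything listed here points to an allow rule that is broader than intended.
$unintended = Get-ChildItem $UserWritable -Recurse -Include *.exe |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $CandidatePolicy -User $TestUser `
        -Filter Allowed,AllowedByDefault

# Combine both result sets into one report, tagged by finding type.
$findings = @()
foreach ($d in @($blocked)) {
    if ($d) { $findings += $d | Select-Object @{n='Finding';e={'RequiredAppBlocked'}},
                                              FilePath, PolicyDecision, MatchingRule }
}
foreach ($d in @($unintended)) {
    if ($d) { $findings += $d | Select-Object @{n='Finding';e={'UserWritableAllowed'}},
                                              FilePath, PolicyDecision, MatchingRule }
}

if ($findings.Count -gt 0) {
    $findings | Export-Csv $Report -NoTypeInformation
    Write-Output "$($findings.Count) finding(s) written to $Report. Do not deploy yet."
    exit 1
}
Write-Output 'No findings for the tested paths and user.'
```

A clean result covers only the folders and the user account that were tested, so repeat the run for each user group and application set that the policy targets.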

Potential impact

A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.

Additional References

For a listing of documentation about application control policies in Windows Server 2008 R2, see AppLocker in the Windows Server Technical Library.