
AppLocker Technical Overview

Published: February 2012

Updated: October 2012

Applies to: Windows 8 Enterprise, Windows Server 2012

This technical overview for the IT professional provides a description of AppLocker™ and can help you decide if you can benefit from deploying AppLocker policies. AppLocker is an application control feature in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7.

AppLocker helps administrators control which applications and files users can run. These include executable files, scripts, Windows® Installer files, DLLs, Packaged apps and Packaged app installers.

Using AppLocker, you can:

  • Define rules based on file attributes that persist across application updates such as the publisher name (derived from the digital signature), product name, file name and file version. You can also create rules based on the file path and hash.

  • Assign a rule to a security group or an individual user.

  • Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries except the Registry Editor (Regedit.exe).

  • Use audit-only mode to deploy the policy and understand its impact before enforcing it.

  • Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.

  • Simplify creating and managing AppLocker rules by using Windows PowerShell cmdlets for AppLocker.

AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved applications. AppLocker addresses the following application security scenarios:

  • Application inventory

    AppLocker has the ability to enforce its policy in an audit-only mode where all application access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.

  • Protection against unwanted software

    AppLocker has the ability to deny applications from running when you exclude them from the list of allowed applications. Once AppLocker rules are enforced in the production environment any application that is not covered by the allow rules is blocked from executing.

  • Licensing conformance

    AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.

  • Software standardization

    AppLocker policies can be configured to allow only supported or approved applications to run on computers within a business group. This permits a more uniform application deployment.

  • Manageability improvement

    AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies (SRP). Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment and PowerShell cmdlets are a few of the improvements over SRP.
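The audit-only inventory workflow described above, carried through with the AppLocker cmdlets the page mentions. This is an added example, not code from the original page; it assumes the AppLocker module is available and that a policy has been running in audit-only mode long enough to log normal usage. The GPO LDAP path is a placeholder.

```powershell
# Added example (not from the original page): turn audit-only events into a
# reviewed allow-list policy and test it before it is merged into a GPO.
Import-Module AppLocker

# 1. Inventory: collect the "Audited" events, i.e. files that would have been
#    blocked under enforcement. -Statistics collapses repeated runs of one file.
$audited = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics

# 2. Review before trusting: unsigned files cannot get a publisher rule and
#    should only be allowed by hash after someone has vouched for them.
$unsigned = $audited | Where-Object { -not $_.Publisher }
$unsigned | Select-Object Path, Hash | Format-Table -AutoSize   # manual review list

# 3. Generate publisher rules where a signature exists, hash rules otherwise.
#    -Optimize merges rules already covered by a broader publisher rule;
#    -IgnoreMissingFileInformation skips entries with neither hash nor publisher.
$audited | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix Inventory -Optimize -IgnoreMissingFileInformation -Xml |
    Set-Content -Path .\Inventory-Policy.xml

# 4. Test the draft against a file that must stay allowed and the page's example
#    exception (regedit.exe). PolicyDecision is Allowed, Denied or DeniedByDefault;
#    MatchingRule names the rule that produced the decision.
Test-AppLockerPolicy -XmlPolicy .\Inventory-Policy.xml `
    -Path "$env:windir\explorer.exe", "$env:windir\regedit.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. After review, merge the draft into the staging GPO (placeholder LDAP path).
#    -Merge keeps the rules already in the GPO instead of replacing them.
Set-AppLockerPolicy -XmlPolicy .\Inventory-Policy.xml -Merge `
    -Ldap 'LDAP://DC01.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'
```

Keep the policy in audit-only mode while step 4 still reports DeniedByDefault for anything users legitimately need; only then switch the rule collection to enforce.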

In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs) help control what users are allowed to access. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run.

Software publishers are beginning to create more applications that can be installed by standard users (non-administrators). This could jeopardize an organization's written security policy and circumvent traditional application control solutions that rely on the inability of standard users to install applications. By allowing administrators to create an allowed list of approved files and applications, AppLocker helps prevent such per-user applications from running. Because AppLocker can control DLLs, it is also useful in controlling the installation and running of ActiveX controls.

AppLocker is ideal for organizations that currently use Group Policy to manage their Windows-based computers. Because AppLocker relies on Group Policy for authoring and deployment, experience with Group Policy is helpful.

The following are examples of scenarios in which AppLocker can be used:

  • Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.

  • An application is no longer supported by your organization, so you need to prevent it from being used by everyone.

  • The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.

  • The license to an application has been revoked or is expired in your organization, so you need to prevent it from being used by everyone.

  • A new application or a new version of an application is deployed, and you need to prevent users from running the old version.

  • Specific software tools are not allowed within the organization, or only specific users have access to those tools.

  • A single user or small group of users needs to use a specific application that is denied for all others.

  • Some computers in your organization are shared by people who have different software usage needs.

  • In addition to other measures, you need to control the access to sensitive data through application usage.

AppLocker can help you to protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.

Supported versions

AppLocker policies can only be configured on and applied to computers running the following versions and editions of the Windows operating system:

  • Windows Server 2008 R2 Standard

  • Windows Server 2008 R2 Enterprise

  • Windows Server 2008 R2 Datacenter

  • Windows Server 2008 R2 for Itanium-Based Systems

  • Windows 7 Ultimate

  • Windows 7 Enterprise

  • Windows Server 2012 Standard

  • Windows Server 2012 Datacenter

  • Windows 8 Enterprise

Note
To create rules for a local computer, the computer must be running Windows 7 Ultimate or Windows 7 Enterprise, or an enterprise-level edition of Windows 8. If you want to create rules for a Group Policy Object (GPO), you can use a computer that is running any edition of Windows 7 or Windows 8, provided that the Remote Server Administration Tools are installed. AppLocker rules can be created on any edition of Windows Server 2008 R2 or Windows Server 2012. While you can create AppLocker rules on computers running Windows 7 Professional, they will not be enforced on those computers. However, you can create the rules on a computer running Windows 7 Professional and then export the policy for implementation on a computer running an edition of Windows that does support AppLocker rule enforcement.

Interoperability considerations

AppLocker policies that contain Executable, Dll, Windows Installer and Script rules can be applied to computers running the supported editions of Windows Server 2008 R2, Windows Server 2012, Windows 7, and Windows 8. AppLocker policies that contain rules for Packaged apps as well as Packaged app installers can also be applied to computers running the supported editions of Windows Server 2008 R2, Windows Server 2012, Windows 8, and Windows 7. However, the Packaged app rule collection will only be enforced on computers running the supported editions of Windows Server 2012 and Windows 8.

Differences in functionality between versions

The following table lists the differences by operating system version for each of the major features in or functions of AppLocker:

Feature/function                                                                                                                   | Windows Server 2008 R2 and Windows 7                             | Windows Server 2012 and Windows 8
-----------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|-------------------------------------------------------------------------------
Ability to set rules for Packaged apps and Packaged app installers.                                                                | No                                                               | Yes
AppLocker policies are maintained through Group Policy, and only the administrator of the computer can update an AppLocker policy. | Yes                                                              | Yes
AppLocker permits customization of error messages to direct users to a Web page for help.                                          | Yes                                                              | Yes
Ability to work in conjunction with software restriction policies (using separate GPOs).                                           | Yes                                                              | Yes
AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.                                     | Yes                                                              | Yes
AppLocker rules can control the listed file formats.                                                                               | .exe, .com, .ps1, .bat, .cmd, .vbs, .js, .msi, .msp, .dll, .ocx  | .exe, .com, .ps1, .bat, .cmd, .vbs, .js, .msi, .msp, .mst, .dll, .ocx, .appx

For information comparing application control functions in Software Restriction Policies and AppLocker, as well as using the two features together, see Use AppLocker and Software Restriction Policies together.

AppLocker policies can only be configured on and applied to computers running the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. See Versions, interoperability, and differences in functionality in this topic for more information.

AppLocker rules can be created on domain controllers.

The ability to author rules for Packaged apps and Packaged app installers is not available on Windows Server 2008 R2 and Windows 7.

AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer you can author the rules using the Local Security Policy editor (secpol.msc), and for a group of computers you can author the rules within a Group Policy Object using the Group Policy Management Console. (On Windows client computers the GPMC is available only by installing the Remote Server Administration Tools; on Windows servers, by installing the Group Policy Management feature.)

Windows PowerShell can be used to manage AppLocker on Server Core installations using the AppLocker cmdlets and, if administered within a GPO, the Group Policy cmdlets. For more information, see the AppLocker PowerShell Command Reference.

You can administer AppLocker policies using a virtualized instance of Windows provided it meets all the system requirements listed above. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies you created and maintain if the virtualized instance is removed or fails.

Application control policies specify which programs are allowed to run on the local computer and which are not.

The amount and variety of forms that malicious software can take make it difficult for users to know what is safe to run and what is not. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.

The countermeasure is to create a sound design for your application control policies on end-user computers in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your application control strategy because you can control what software is allowed to run on your computers.

A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.

For additional information about specific security issues, see Security Considerations for AppLocker in the Windows Server Technical Library.

When using AppLocker to create application control policies, you should be aware of the following security considerations:

  • Who has rights to set AppLocker policies?

  • How do you validate that policies are enforced?

  • What events should I audit?
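One way to answer the three questions above on a client, as an added example that is not part of the original page. It assumes an AppLocker-capable edition with the AppLocker module loaded and a policy already delivered to the computer; the enumeration of rules per collection in step 3 assumes each RuleCollection is enumerable.

```powershell
# Added example (not from the original page): validate enforcement, spot local
# policy changes, and pull the events worth auditing.
Import-Module AppLocker

# 1. Is enforcement actually in effect? Rules are only evaluated while the
#    Application Identity service (appidsvc, see the baseline table) is running.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc: $($svc.Status)"

# 2. Per rule collection: enforced (Enabled), AuditOnly, or NotConfigured?
#    A NotConfigured collection allows everything in that file category.
$effective = Get-AppLockerPolicy -Effective
$effective.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode |
    Format-Table -AutoSize

# 3. Who has changed it? Local AppLocker rules merge with the domain policy, so a
#    local administrator can widen the allow list. Flag any rules defined locally.
#    (Assumption: a RuleCollection enumerates its rules when piped.)
$local = Get-AppLockerPolicy -Local
$localRules = 0
foreach ($c in $local.RuleCollections) { $localRules += ($c | Measure-Object).Count }
if ($localRules -gt 0) { "WARNING: $localRules rule(s) defined in local policy, not from a GPO" }

# 4. Spot-check a decision for the current user rather than trusting the console:
#    the page's example exception is regedit.exe, which should come back Denied.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:windir\regedit.exe" -User "$env:USERDOMAIN\$env:USERNAME" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. What to audit: Denied events (enforced collections) and Audited events
#    (audit-only collections) from both AppLocker logs, aggregated per file.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
foreach ($log in $logs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Denied, Audited -Statistics |
        Format-Table -AutoSize
}
```

Forward these two logs to a central collector; a burst of Denied events for one publisher usually means a legitimate update that needs a rule, while Denied events from user-writable paths are the ones to investigate.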

For reference in your security planning, the following table identifies the baseline settings for a client computer with the AppLocker feature installed:

Setting                      | Default value
-----------------------------|--------------------------------------------------------------------------------------------------------------------------------------
Accounts created             | None
Authentication method        | Not applicable
Management interfaces        | AppLocker can be managed using an MMC snap-in, Group Policy Management, and PowerShell
Ports opened                 | None
Minimum privileges required  | Administrator on the local computer; domain admin or any set of privileges that allow you to create, edit and distribute Group Policy Objects.
Protocols used               | Not applicable
Scheduled Tasks              | Appidpolicyconverter is put in a scheduled task to be run on demand.
Security Policies            | None required. AppLocker creates security policies.
System Services required     | Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation
Storage of credentials       | None

Policy maintenance is divided into the following topics:

  • Administering policies

  • Monitoring application usage

  • Optimizing performance

  • Troubleshooting issues

For information about how to perform the procedures for each task for Windows Server 2008 R2 and Windows 7, see AppLocker Operations Guide. For procedural information related to Windows Server 2012 and Windows 8, see Administering AppLocker.
