When to Use AppLocker

  • Article

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This topic describes the scenarios and applications in which AppLocker is useful for Windows Server 2008 R2 and Windows 7.

For Windows Server 2012 and Windows 8, see the AppLocker Technical Overview in the Windows Server 2012 TechNet Library.

In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs) help control what users are allowed to access. However, when a user runs a process, that process uses the same level of access to data that the user has. As a result, sensitive information can easily be deleted or transmitted out of the organization because a user knowingly or unknowingly ran malicious software. AppLocker can help mitigate these types of attacks by restricting the files that users or groups are allowed to run.

Software publishers are beginning to create more applications that can be installed by standard users (non-administrators). This type of software deployment can violate an organization's written security policy and circumvent traditional application deployment solutions that allow software to be installed only in controlled locations. By allowing administrators to create rules that allow files to run or deny files from running, AppLocker helps administrators prevent such per-user applications from running.

AppLocker is ideal for organizations that currently use Group Policy to manage their Windows-based computers. Because AppLocker is an additional Group Policy mechanism, administrators should have experience with Group Policy creation and deployment. Organizations that want control over which ActiveX controls are installed or per-user application installations also find AppLocker useful.

Comparing application control functions in Software Restriction Policies and AppLocker

The following table compares the features and functions of the Software Restriction Policies (SRP) feature and AppLocker.

Application control function SRP AppLocker

Scope

SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

AppLocker policies apply only to Windows Server 2012, Windows Server 2008 R2, Windows 8 and Windows 7 but can be implemented with SRP policies.

Note
Use different GPOs for SRP and AppLocker rules.

User support

SRP allows users to install applications as an administrator.

AppLocker policies are maintained through Group Policy, and only the administrator of the computer can update an AppLocker policy.

AppLocker permits customization of error messages to direct users to a Web page for help.

Policy maintenance

SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).

AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.

AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.

Policy management infrastructure

To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.

To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.

Block malicious scripts

Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.

AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.

Manage software installation

SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.

The Windows Installer rule collection is a set of rules created for Windows Installer file types (.msi and .msp) to allow you to control the installation of files on client computers and servers.

Manage all software on the computer

All software is managed in one rule set. By default, the policy for managing all software on a computer disallows all software on the user's computer, except software that is installed in the Windows folder, Program Files folder, or subfolders.

Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.

Different policies for different users

Rules are applied uniformly to all users on a particular computer.

On a computer that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.

Additional resources

  • AppLocker Policy Use Scenarios

    This topic lists the various application control scenarios in which AppLocker policies can be effectively implemented.

  • Understanding AppLocker Policy Design Decisions

    This topic lists the design questions, possible answers, and ramifications of the decisions when planning a deployment of application control policies by using AppLocker within a Windows operating system environment.