Determining Your Application Control Objectives

Published: August 2009

Last updated: July 2010

Applies to: Windows 7, Windows Server 2008 R2

This topic explains the decisions you need to make to determine what applications to control and how to control them by using Software Restriction Policies and AppLocker.

AppLocker is very effective for organizations with application restriction requirements whose environments have a simple topology and whose application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control over a relatively small number of applications on the desktop computers that they manage.

There are management and maintenance costs associated with a list of allowed applications. In addition, application control policies restrict which applications employees can use, and some of the applications they block may actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating the user support and network support processes needed to keep the organization productive is also a concern.

Use the following table to develop your own objectives and determine which application control feature best addresses those objectives.

Feature or Function: Software Restriction Policies (SRP) compared with AppLocker

Scope
  SRP: SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.
  AppLocker: AppLocker policies apply only to Windows Server 2008 R2 and Windows 7, but they can be in the same GPO as SRP policies. For information about supported editions, see Requirements to Use AppLocker.

End-user support
  SRP: SRP uses the Basic User security level, which allows the user to install applications as an administrator when given permission. If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running Windows 7 or Windows Server 2008 R2.
  AppLocker: AppLocker policies are maintained through Group Policy, and only the administrator of the computer can update an AppLocker policy. There is no support for the Basic User security level. AppLocker permits customization of end-user error messages to direct the user to a Web help system.

Policy maintenance
  SRP: SRP policies are updated through the Local Security Policy snap-in or through the Group Policy Management Console (GPMC).
  AppLocker: AppLocker policies are updated through the Local Security Policy snap-in or through the GPMC. AppLocker also supports a small set of Windows PowerShell™ cmdlets to aid in administration and maintenance.

Policy management infrastructure
  SRP: SRP uses Group Policy for domain management.
  AppLocker: AppLocker uses Group Policy for domain management.

Block malicious scripts
  SRP: The rules for blocking malicious scripts prevent all scripting files associated with the Windows Script Host from running, except those that are digitally signed, for example with an IT department certificate.
  AppLocker: AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. If the Script rule collection contains a rule that allows a file of one of these types, the file will run. In addition, you can set exceptions so that files you want to block cannot run.

Manage software installation
  SRP: SRP can prevent all Windows Installer packages from installing.
  AppLocker: The Windows Installer rule collection is a set of rules created for the Windows Installer file types .msi and .msp. It lets you control the installation of those files on client computers and servers through Group Policy, or locally through the Local Security Policy snap-in.
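The "Block malicious scripts" and "Policy maintenance" rows above describe what AppLocker's Script rule collection and its PowerShell cmdlets can do. The following is an added example, not code from the original page or from Microsoft: it builds publisher (signer) rules for the Script collection from a folder of IT-signed scripts, tests candidate files against the policy before anything is enforced, and only then merges it into the local policy. The folder and file paths are assumptions.

```powershell
# Added example (not from the original page). Paths below are assumptions.
Import-Module AppLocker

$trustedScripts = 'C:\Scripts\Approved'         # assumed: folder of IT-signed scripts
$policyFile     = 'C:\Policies\ScriptRules.xml'  # assumed: where the policy XML is written
$candidates     = @('C:\Users\Public\setup.vbs',  # assumed: unsigned script picked up elsewhere
                    "$trustedScripts\Inventory.ps1")  # assumed: one of the approved scripts

# Collect file information (publisher, hash, path) for the script types the
# Script rule collection covers: .ps1, .bat, .cmd, .vbs and .js.
$fileInfo = Get-AppLockerFileInformation -Directory $trustedScripts -Recurse -FileType Script

# Prefer Publisher rules: a script re-signed by the same IT certificate after an
# update still matches. Hash rules are the fallback for any unsigned file found
# in the approved folder. -Xml writes the policy out so it can be reviewed
# (and kept in source control) before it goes into a GPO.
New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -RuleNamePrefix 'IT-Scripts' `
    -User Everyone -Optimize -Xml |
    Out-File -Encoding utf8 -FilePath $policyFile

# Dry run: evaluate each candidate against the XML policy for the Everyone group.
# Nothing is enforced yet; this only reports what the decision would be.
$results = Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User Everyone
$results | Format-List FilePath, PolicyDecision, MatchingRule

# Sanity check before enforcing: every approved script must still be allowed.
# If the policy would lock out the IT scripts themselves, stop here and fix it.
$approvedDenied = $results |
    Where-Object { $_.FilePath -like "$trustedScripts\*" -and $_.PolicyDecision -ne 'Allowed' }

if ($approvedDenied) {
    Write-Warning "Policy would deny approved scripts; not applying:"
    $approvedDenied | ForEach-Object { Write-Warning $_.FilePath }
} else {
    # Merge into the local policy (use -Ldap to target a domain GPO instead).
    # Rules are only enforced while the Application Identity service (AppIDSvc)
    # is running, so confirm it is started on the target computers.
    Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
}
```

After merging, Get-AppLockerPolicy -Effective -Xml shows the combined policy that actually applies on the computer.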

For information about the capabilities of Software Restriction Policies, see Software Restriction Policies Technical Reference.

For information about the capabilities of AppLocker, see AppLocker Technical Overview.