Automatically Generating Executable Rules from a Reference Computer

Updated: June 27, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

AppLocker has a new wizard that simplifies creating rules from a user-specified folder. By running this wizard on reference computers and specifying a folder that contains the .exe files for applications that you want to create rules for, you can quickly create AppLocker policies automatically.

The Automatically Generate Rules wizard creates only allow rules. After you create one or more rules in a rule collection, only applications that are affected by those rules are allowed to run. For this reason, always create the default AppLocker rules for a rule collection first.

If you did not create the default rules and are prevented from performing administrative tasks, restart the computer in Safe Mode, add the default rules, delete any deny rules that are preventing access, and then refresh the computer policy.

This scenario includes four primary steps:

  1. Install all of the applications that you want to create rules for on the computer that you plan to use as the reference computer.

  2. Ensure that all of the applications are updated or are the version that you want to create rules for.

Before automatically generating the rules for the folder that you specify, create the default rules. The default rules ensure that the key operating system files are allowed to run for all users. When testing AppLocker, carefully consider how you want to organize rules between linked Group Policy Objects (GPOs). If a GPO does not contain the default rules, then add the rules directly to the GPO or add them to a GPO that links to the GPO that contains the default rules. For this scenario, the default rules create a starting point for planning a more detailed policy. The predefined AppLocker rules are automatically created in the following procedure.

  1. To open the Local Security Policy Microsoft Management Console (MMC) snap-in, Click Start, type secpol.msc, and then press ENTER.

  2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

  3. Right-click Executable Rules, and then click Create Default Rules.

    Each rule collection has a separate set of default rules.

The default rules allow:

  • All users to run files in the default Program Files folder.

  • All users to run files in the Windows folder.

  • Members of the built-in Administrators group to run all files.

You can re-create the default rules at any time.

  1. Ensure that the Local Security Policy MMC snap-in is open.

  2. In the console tree under Application Control Policies\AppLocker, right-click Executable Rules, and then click Automatically Generate Rules.

  3. On the Folder and Permissions page, click Browse.

  4. In the Browse for Folder dialog box, select the folder that contains the .exe files that you want to create the rules for.

    If you select a folder that contains one or more user profiles, you can create only publisher and hash file rules. Creating path rules to allow .exe files in user profiles may not be secure because users can write any files to their own profile including executable files. A rule that includes user profile folders would allow users to run executable files from their user-writable location.

  5. Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the name that you provide is used as a prefix for the name of each rule that is created.

  6. On the Rule Preferences page, click Next without changing any of the default values. The Rule generation progress dialog box is displayed while the files are processed.

  7. On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable Rules details pane.

After automatically generating rules based on your preferences, you can edit the rules to make them more or less detailed.

If you created the default rules and then selected the Program Files folder as the source to automatically generate rules, there are one or more extraneous rules in the Executable Rules collection. When you create the default rules, a path rule is added to allow any .exe file in the entire Program Files folder to run. This rule is added to ensure that users are not prevented by default from running applications. Because this rule conflicts with the rules that were automatically generated in the previous step, delete this rule to ensure that the policy is more specific. The name of the default rule is (Default Rule) Microsoft Windows Program Files Rule.

  1. Ensure that the Local Security Policy MMC snap-in is open.

  2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.

  3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then click Delete.

  4. In the AppLocker dialog box, click Yes.

To determine if any applications are excluded from the rule set, enable the Audit only enforcement mode. Using Auditing to Track Which Applications Are Used explains how to enable the rule enforcement mode and how to use the AppLocker log in Event Viewer to determine which files are affected by the policy.

See Also

Community Additions