What Is AppLocker?

Applies To: Windows 7, Windows Server 2008 R2

AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that provides access control for applications. Today, organizations face a number of challenges in controlling which applications can run. These challenges include controlling:

  • The packaged and custom applications to which the user should have access.

  • Which users should be allowed to install new software.

  • Which versions of applications should be allowed to run and for which users.

To meet these challenges, AppLocker gives administrators the ability to control how users run all types of applications, including executable files, scripts, Windows Installer files (.msi and .msp), and dynamic-link libraries (DLLs).

AppLocker and software restriction policies

AppLocker is the next version of the Software Restriction Policies (SRP) feature. The Software Restriction Policies snap-in is included on computers running Windows 7 for compatibility purposes.

AppLocker includes the following new enhancements:

  • You can define rules based on attributes derived from a file's digital signature, including the publisher, product name, file name, and file version. SRP supports certificate rules, but they are less specific and more difficult to define.

  • Only a file that is specified in an AppLocker rule is allowed to run. After a rule is created for a rule collection, if an application is not included in a rule, the application is not allowed to run.

  • The user interface is accessed through a new Microsoft Management Console (MMC) snap-in extension to the Local Group Policy Editor and the Group Policy Management Console (GPMC).

  • AppLocker PowerShell cmdlets allow administrators to manage AppLocker rules in the PowerShell console.

  • An Audit only enforcement mode allows administrators to easily determine which files would be prevented from running if the policy were in effect.
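The following script is an added example, not code from the original page or from Microsoft: it uses the AppLocker cmdlets to build a publisher-based allow policy for the executables in a reference directory, switches the Exe collection to Audit only, tests a candidate file against the policy, and reads back the audit events that show what enforcement would have blocked. The reference directory, output path and candidate file are placeholders.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# console on Windows 7 / Windows Server 2008 R2 with the AppLocker module.
Import-Module AppLocker

# Placeholders (assumptions): a reference directory whose executables should
# be allowed, a path for the generated policy, and a file to test against it.
$RefDir    = 'C:\Program Files'
$PolicyXml = 'C:\Temp\AppLocker-Audit.xml'
$Candidate = 'C:\Temp\candidate.exe'

# Inventory the executables and collect the attributes rules can be built from
# (publisher, product, file name, version from the digital signature; hash otherwise).
$Files = Get-AppLockerFileInformation -Directory $RefDir -Recurse -FileType Exe

# Prefer signature-derived publisher rules; unsigned files fall back to hash
# rules. -Optimize merges rules that share the same publisher.
[xml]$Policy = New-AppLockerPolicy -FileInformation $Files `
                 -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Set the Exe rule collection to "Audit only" so nothing is blocked yet; the
# policy only logs what would have been prevented under enforcement.
$Policy.AppLockerPolicy.RuleCollection |
  Where-Object { $_.Type -eq 'Exe' } |
  ForEach-Object { $_.EnforcementMode = 'AuditOnly' }
$Policy.Save($PolicyXml)

# Evaluate a candidate file offline before applying the policy anywhere.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Candidate

# Apply the policy locally. AppLocker evaluates rules only while the
# Application Identity service is running; a domain GPO would take precedence.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# In Audit only mode, event ID 8003 in the AppLocker EXE and DLL log records
# each file that ran but would have been blocked if the policy were enforced.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
  } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Message
```

Review the 8003 events over a representative period and add rules for legitimate software before changing the collection to Enforce rules.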

Note

AppLocker does not include the following SRP rule types: Internet Zone rules, per-machine rules, and registry path rules.

Important

AppLocker rules are separate from SRP rules and cannot be used to manage computers running versions of Windows earlier than Windows 7. The two policies are also separate, and if AppLocker rules are defined in a Group Policy object (GPO), only those rules are applied to a computer running Windows 7.

Who should use AppLocker?

AppLocker is ideal for organizations that currently use Group Policy to manage their Windows-based computers. Because AppLocker is an additional Group Policy mechanism, administrators need to be comfortable with Group Policy creation and deployment. Organizations that want to control which ActiveX® controls are installed and per-user installations of applications will also find AppLocker useful.

AppLocker requirements

These steps are for testing only. This guide should not be the only resource you use to deploy AppLocker.

The following are the hardware and software requirements for using AppLocker:

  • To create AppLocker policies, you need a computer that is running Windows Server 2008 R2, Windows 7 Ultimate, Windows 7 Enterprise, or Windows 7 Professional and that has the Remote Server Administration Tools (RSAT) installed. To download RSAT, see Remote Server Administration Tools for Windows 7. Windows 7 Professional can be used to create the rules, but the rules cannot be enforced on computers that are running Windows 7 Professional. The computer can also be a domain controller.

  • To deploy AppLocker policies, you need at least one computer with the GPMC or RSAT installed to host the AppLocker rules.

  • To enforce AppLocker policies, you need computers that are running Windows Server 2008 R2, Windows 7 Ultimate, or Windows 7 Enterprise.