Understanding AppLocker Rule Condition Types
Updated: June 21, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic describes the three types of AppLocker rule conditions.
Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash.
Publisher
To use a publisher condition, the files must be digitally signed by the software publisher, or you must sign them yourself by using an internal certificate. Rules that are specified down to the version level might have to be updated when a new version of the file is released. For more information about this rule condition, see Understanding the Publisher Rule Condition in AppLocker.
Path
Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory of the specified path will also be affected by the rule (unless it is explicitly exempted by an exception). For more information about this rule condition, see Understanding the Path Rule Condition in AppLocker.
File hash
Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is unique to that version of the file. For more information about this rule condition, see Understanding the File Hash Rule Condition in AppLocker.
Selecting the appropriate condition for each rule depends on the overall application control policy goals of the organization, the AppLocker rule maintenance goals, and the condition of the existing (or planned) application deployment. The following questions can help you decide which rule condition to use.
Is the file digitally signed by a software publisher?
If the file is signed by a software publisher, we recommend that you create rules with publisher conditions. You may still create file hash and path conditions for signed files. However, if the file is not digitally signed by a software publisher, you can:
Sign the file by using an internal certificate.
Create a rule by using a file hash condition.
Create a rule by using a path condition.
Note To determine how many applications on a reference computer are digitally signed, you can use the Get-AppLockerFileInformation Windows PowerShell cmdlet for a directory of files. For example,
Get-AppLockerFileInformation -Directory C:\Windows\ -FileType EXE -Recurse
displays the properties (path, hash, and, for signed files, the publisher) of all .exe and .com files within the Windows directory and its subdirectories.
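The following script is an added example and is not part of the original topic. It applies the decision above in practice: it inventories the executables in a reference directory, separates signed from unsigned files by checking whether Get-AppLockerFileInformation returned a publisher, and then lets New-AppLockerPolicy create publisher rules for the signed files and fall back to file hash rules for the rest. The directory path, output file name, and rule name prefix are assumptions chosen for illustration.

```powershell
# Added example (not from the original topic). Classify the .exe/.com files in a
# reference directory as signed or unsigned, then build an AppLocker policy that
# uses publisher conditions where a valid signature exists and file hash
# conditions otherwise. $referenceDir, $policyXml and the rule prefix are assumptions.
Import-Module AppLocker

$referenceDir = 'C:\Program Files\Contoso'      # assumption: reference install to model
$policyXml    = 'C:\Temp\Contoso-AppLocker.xml' # assumption: where to write the policy

# Collect publisher, hash and path information for every executable in the tree.
$files = @(Get-AppLockerFileInformation -Directory $referenceDir -FileType Exe -Recurse)

# Only files that carry a valid digital signature expose a Publisher; those are the
# candidates for publisher conditions. Everything else needs a hash or path rule
# (or must first be signed with an internal certificate).
$signed   = @($files | Where-Object { $_.Publisher -ne $null })
$unsigned = @($files | Where-Object { $_.Publisher -eq $null })

'{0} executables found: {1} signed, {2} unsigned' -f $files.Count, $signed.Count, $unsigned.Count
'Unsigned files (hash or path rules required):'
$unsigned | ForEach-Object { '  ' + $_.Path }

# -RuleType is applied in order: a signed file gets a publisher rule; a file with
# no publisher falls back to a hash rule. -Optimize merges publisher rules that
# share the same publisher and product into a single rule.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -RuleNamePrefix 'Contoso' -Xml |
    Set-Content -Path $policyXml -Encoding Unicode

# Dry run before deployment: report any file in the reference tree that the new
# policy would not allow, so gaps are found before enforcement is turned on.
Get-ChildItem -Path $referenceDir -Recurse -Include *.exe, *.com |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone -Filter Denied, DeniedByDefault
```

Run the script in an elevated Windows PowerShell session on the reference computer. The generated XML contains only allow rules for the files found, so review the unsigned list before importing the policy with Set-AppLockerPolicy; each hash rule in it will need to be regenerated whenever the corresponding file is updated, which is the maintenance cost the topic describes for the file hash condition.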
What rule condition type does your organization prefer?
If your organization is already using Software Restriction Policies (SRP) to restrict what files users can run, rules using file hash or path conditions are probably already in place.
Note SRP rules can be applied to computers running Windows Server 2012, Windows Server 2008 R2, Windows 8 and Windows 7, but AppLocker rules cannot be applied to computers running Windows operating systems earlier than Windows 7 and Windows Server 2008 R2.
Concepts
How AppLocker Works