What's New in AppLocker

Applies To: Windows 7, Windows Server 2008 R2

What are the major changes?

AppLocker™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that replaces the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs.

What does AppLocker do?

Using AppLocker, you can:

  • Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher and file version attributes that remain valid across updates of a product, or you can create rules that target one specific version of a file.

Important

AppLocker rules specify which files are allowed to run. Files that are not included in rules are not allowed to run.

  • Assign a rule to a security group or an individual user.

Note

You cannot assign AppLocker rules to Internet zones, individual computers, or registry paths.

  • Create exceptions for .exe files. For example, you can create a rule that allows all Windows processes to run except Regedit.exe.

  • Use audit-only mode to identify files that would not be allowed to run if the policy were in effect.

  • Import and export rules.
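The capabilities listed above map onto the AppLocker PowerShell module that ships with Windows 7 and Windows Server 2008 R2. The following script is an added example, not code from the article or from Microsoft: it derives publisher rules from signed executables, adds a path rule for the Windows directory with an exception for Regedit.exe (the exception case described above), tests the policy against sample files before applying it, and exports the effective policy as XML. The file paths under C:\Temp and the rule GUID are assumptions chosen for this example.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on Windows 7 / Windows Server 2008 R2.
Import-Module AppLocker

# 1. Collect signature and hash information for executables in a directory
#    you trust. Publisher rules come from the digital signature, so unsigned
#    files only provide hash and path information.
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Build publisher rules where a signature exists and fall back to hash
#    rules for unsigned files. -Optimize merges rules that share a publisher;
#    -User scopes the rules to the Everyone group (security group assignment).
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -Optimize -User Everyone `
    -RuleNamePrefix 'Baseline' -IgnoreMissingFileInformation -Xml

# 3. Add a path rule that allows everything under %WINDIR% except Regedit.exe.
#    The Id GUID is an assumption; any unique GUID works.
$regeditExceptionXml = @'
<FilePathRule Id="2ce5a8bc-7a09-4d6f-9f4a-5d9f8d6a1e01"
              Name="Allow Windows folder except Regedit"
              Description="Added example rule"
              UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="%WINDIR%\*" />
  </Conditions>
  <Exceptions>
    <FilePathCondition Path="%WINDIR%\regedit.exe" />
  </Exceptions>
</FilePathRule>
'@

[xml]$policy = $policyXml
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$newRule = $policy.ImportNode(([xml]$regeditExceptionXml).DocumentElement, $true)
[void]$exeCollection.AppendChild($newRule)

$policyPath = 'C:\Temp\AppLockerPolicy.xml'   # assumed path
$policy.Save($policyPath)

# 4. Evaluate the policy before deploying it. PolicyDecision shows whether each
#    file would be Allowed or Denied, and MatchingRule names the rule that fired.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Windows\regedit.exe', 'C:\Windows\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the local computer (use -Ldap to target a GPO instead), then
#    export the resulting local policy. Import is Set-AppLockerPolicy with
#    the exported file.
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-AppLockerPolicy -Local -Xml | Out-File 'C:\Temp\AppLockerPolicy-export.xml'
```

In the Test-AppLockerPolicy output, regedit.exe should show a Denied (or DeniedByDefault) decision while notepad.exe is Allowed by the path rule. Enforcement on the local computer also requires the Application Identity service (AppIDSvc) to be running; without it the policy is stored but never evaluated.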

Who will be interested in this feature?

AppLocker can help organizations that want to:

  • Limit the number and type of files that are allowed to run by preventing unlicensed or malicious software from running and by restricting the ActiveX controls that are installed.

  • Reduce the total cost of ownership by ensuring that workstations are homogeneous across their enterprise and that users are running only the software and applications that are approved by the enterprise.

  • Reduce the possibility of information leaks from unauthorized software.

AppLocker may also be of interest to organizations that currently use Group Policy objects (GPOs) to manage Windows-based computers or have per-user application installations.

Are there any special considerations?

  • By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications.

  • Expect an increase in the number of help desk calls initially because of blocked applications. As users begin to understand that they cannot run applications that are not allowed, the help desk calls may decrease.

  • There is minimal performance degradation because of the runtime checks.

  • Because AppLocker is similar to the Group Policy mechanism, administrators should understand Group Policy creation and deployment.

  • AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows 7.

  • If AppLocker rules are defined in a GPO, only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.

  • When an AppLocker rule is set to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application is opened and runs normally, and information about that application is added to the AppLocker event log.
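Audit-only mode is only useful if someone reads what it records. The following script is an added example, not code from the article: it sets the Exe rule collection of an existing policy file to AuditOnly, applies it, and later summarises the audit events so that the files most often recorded as "would have been blocked" surface first. The policy path is an assumption. Event ID 8003 is the event AppLocker writes to the "EXE and DLL" log in audit mode (8004 is the corresponding enforce-mode block event); the UserData field names (FilePath, Fqbn, TargetUser) follow the event's XML, and `(Get-WinEvent ...)[0].ToXml()` shows them if your events differ.

```powershell
# Added example (not from the original article). Run elevated on the
# computer where the policy is applied.
Import-Module AppLocker

# --- Switch the Exe collection to audit-only and apply it -------------------
$policyPath = 'C:\Temp\AppLockerPolicy.xml'   # assumed path
[xml]$policy = Get-Content $policyPath
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    if ($collection.Type -eq 'Exe') { $collection.EnforcementMode = 'AuditOnly' }
}
$policy.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath

# --- Later: review what audit mode recorded ---------------------------------
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003 } `
    -ErrorAction SilentlyContinue

# Pull the file path, publisher (Fqbn) and user SID out of each event's
# UserData block so the results can be grouped.
$wouldBlock = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        File      = $data.FilePath
        Publisher = $data.Fqbn
        User      = $data.TargetUser
    }
}

# Most frequently affected files first, with the distinct users that ran them.
# Written for PowerShell 2.0 (no member enumeration over collections).
$wouldBlock | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Replacing `Id = 8003` with `Id = 8004` gives the same report for actual blocks once the collection is switched back to Enabled, which makes the script a reasonable first stop when the help desk call volume described above starts to rise.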

Which editions include AppLocker?

AppLocker is available in all editions of Windows Server 2008 R2 and in some editions of Windows 7.