Windocuments.net

Applocker

Applocker new in Windows Server 2008 R2 and Windows 7 (Enterprise and Ultimate editions), is the replacement for Software Restriction Policies. AppLocker allows you to configure a Denied list and an Accepted list for applications. Applications configured on the Denied list will not run on the system, applications on the Accepted list will.

This makes it possible to protect the operating system against rogue applications that are not supposed to be running on the system.AppLocker allows an administrator to restrict the following types of files from being run: Executable images (.EXE and .COM)

Dynamic-Link Libraries (.DLL and .OCX)

Microsoft Software Installer (.MSI and .MSP) for both install and uninstall

Scripts

Windows PowerShell (.PS1)

Batch (.BAT and .CMD)

VisualBasic Script (.VBS)

JavaScript (.JS)

To use AppLocker, you need:

A computer running a supported operating system to create the rules. Can be a domain controller.

For Group Policy deployment, at least one computer with the Group Policy Management Console or Remote Server Administration Tools installed to host the AppLocker rules.

Computers running a supported operating system to enforce the AppLocker rules that you create.

In Windows Server 2012 and Windows 8, AppLocker behaves differently for packaged apps versus traditional desktop applications. For packaged apps, AppLocker rules will be enforced at both runtime and install time. The difference between both is that at run time the rules will be enforced by the kernel and at install time will be enforced by AppX installer. On Windows 8 the core changes are the capability of creating rules for packaged apps and package apps installers as well as the addition of new file formats.On Windows 8 workstations AppLocker can control installation and execution of all Modern apps. AppLocker has three different kinds of rules to control that. Path rules: based on the Fully Qualified Path Name of the binary being executed.

Hash rules: based on the SHA256 hash of the binary.

Publisher rules: based on the Fully Qualified Binary Name of the binary. The FQBN is composed of four pieces of information Publisher Name, Product Name, File Name, and Version.