Controlling applications by using AppLocker
First introduced in Windows 7, AppLocker
is an application control feature that prevents unauthorized
applications from being executed on Windows computers. In essence,
through the use of AppLocker, an organization effectively whitelists
authorized, secure applications and reduces the risk that an
unauthorized application will introduce malware into the environment.
As a Windows 8
administrator, it’s not likely that you will be exposed to AppLocker on
a regular basis. However, because the feature is a core security
function that is in use in many organizations, a discussion of this
topic is included in this section.
Understand that AppLocker is primarily a Group Policy management
tool for Windows domains and has a complex interrelationship with
Software Restriction Policies, so implementation of this feature
requires a coordinated effort between desktop management and security
teams in IT.
Important
USE CAUTION WHEN CONSIDERING AND IMPLEMENTING APPLOCKER
When implementing AppLocker policies to control access to certain apps, plan ahead to ensure that the policies and affected applications behave as expected.
You manage access to applications that are already installed
by using AppLocker policies for an environment. AppLocker uses policies
to enforce rules that allow or prevent applications from executing on
computers in an environment. When creating a policy for AppLocker,
consider:
- Rule definition
- Rule enforcement
Before configuring AppLocker to prevent the execution of
applications, be sure that the policies are planned and tested in
Audit-only mode to avoid any unnecessary disruption in the use of the
applications.
AppLocker supports four types of rules in Windows 8:
- Executable rules
  These rules affect the execution of standard executable files. For example, if an organization wants to restrict access to an application, a rule to prevent access to Application.exe can be created.
- Windows Installer rules
  These rules enable administrators to control Windows Installer packages by specifying the publisher, path, or file hash for the package.
- Script rules
  These rules allow scripts to be restricted or allowed to run.
- Packaged app rules
  These rules allow Windows 8 native applications to be restricted by AppLocker.
For example, an organization might want to configure AppLocker rules
to prevent access to nonessential applications. This can benefit the
organization by:
- Increasing productivity
- Reducing risk of malware
- Reducing maintenance
The organization can create rules for specific applications to
ensure that these applications cannot be run either by specific groups
of employees or by anyone. The control of applications is granular,
based on properties of the file such as its publisher, path, or hash. If an organization finds
that an employee is constantly spending time using an instant messaging
application that is not supported, the application can be restricted by
using AppLocker.
When defining
rules for Windows Installer and packaged apps, the installation process
for apps can be controlled, preventing installation of these
applications if necessary.
After rules for application management are created, they are not
enforced by default. Because enabling rules in AppLocker can prevent
software from running, rule enforcement is disabled. Each rule type
described previously can be enabled independently of other rule types. Figure 5 shows the AppLocker Properties dialog box with Executable Rules configured and set to Enforce Rules.
After a rule type is configured, it has two modes:
- Audit Only
- Enforce Rules
When planning an AppLocker implementation, Audit mode gives
administrators an idea of how a policy will control an application
without affecting the use of the application.
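The following PowerShell is an added example, not from the book, of how an administrator can check which rule collections are currently in Audit mode and what Audit mode would have blocked before switching to enforcement. It uses the AppLocker module cmdlets (Get-AppLockerPolicy, Get-AppLockerFileInformation) and the AppLocker event logs; it assumes an elevated PowerShell session on a Windows 8 or later computer with the AppLocker module available. The log names and event IDs are the ones AppLocker itself writes.

```powershell
# Added example (not from the book): report which AppLocker rule collections are in Audit mode
# and what Audit mode would have blocked. Assumes an elevated PowerShell session on Windows 8 or
# later with the AppLocker module; the log names and event IDs are the ones AppLocker writes.
Import-Module AppLocker

# 1. Enforcement mode per rule collection (Exe, Msi, Script, Appx, Dll) in the effective policy.
#    EnforcementMode is NotConfigured, AuditOnly, or Enabled.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$effective.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode, @{ Name = 'RuleCount'; Expression = { $_.ChildNodes.Count } } |
    Format-Table -AutoSize

# 2. In Audit mode AppLocker still logs a decision for every launch. The "allowed, but would have
#    been prevented if the policy were enforced" events are:
#       8003  Microsoft-Windows-AppLocker/EXE and DLL
#       8006  Microsoft-Windows-AppLocker/MSI and Script
#       8021  Microsoft-Windows-AppLocker/Packaged app-Execution
$auditQueries = @(
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';            Id = 8003 },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';         Id = 8006 },
    @{ LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'; Id = 8021 }
)

foreach ($query in $auditQueries) {
    # Get-WinEvent reports an error when a log holds no matching events; treat that as zero.
    $events = @(Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue)
    "{0}: {1} launch(es) that enforcement would have blocked" -f $query.LogName, $events.Count

    # The first line of the message names the file or package, so grouping on it shows
    # which applications the policy would hit most often and whether a rule needs an exception.
    $events |
        Group-Object -Property { ($_.Message -split "`r?`n")[0] } |
        Sort-Object Count -Descending |
        Select-Object -First 5 Count, Name |
        Format-Table -AutoSize
}

# 3. The same audit events as file information, which New-AppLockerPolicy can consume directly
#    if an audited application turns out to be legitimate and needs an Allow rule.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/Packaged app-Execution' `
    -EventType Audited -Statistics | Format-Table -AutoSize
```

Run this on a representative computer after the policy has been in Audit mode for a while; an empty result for every log means either that nothing would be blocked or that the Application Identity service is not running, so confirm the service state before concluding the policy is safe to enforce.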
To define a packaged app rule as part of an AppLocker policy, complete the following steps:
- Open the Run box by searching for Run on the Start screen and tapping or clicking the result.
- Type gpedit.msc and tap or click OK.
- Expand the following path: Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker
- Press and hold or right-click Packaged App Rules.
- Tap or click Create New Rule.
- Review the Before You Begin information in the Create Packaged App Rules Wizard and tap or click Next to open the Permissions page, as shown in Figure 6.
- Select an Action to be taken: Allow or Deny.
- Select a user account or group to which to apply this rule. Everyone is selected by default.
- Tap or click Next.
- Specify the packaged app to use as a reference by choosing from the following:
  - Use An Installed Packaged App As A Reference: Select a native Windows 8 application installed on the computer.
  - Use A Packaged App Installer As A Reference: Specify the details about publisher, package name, and version to prevent installers that meet these criteria from running.
- Tap or click Next.
- Tap or click Add to define exceptions for the rule.
- Define any exceptions for apps that meet defined criteria but that should be allowed to run by selecting an existing application or defining information about an installer.
- Tap or click OK to add the exception.
- Tap or click Next to specify a name for the rule and a description (optional).
- Tap or click Create to complete and save the rule.
After rules are defined to control certain applications, they must be enabled to allow enforcement. To configure the enforcement of packaged app rules in AppLocker, complete the following steps:
- Open the Run box by searching for Run on the Start screen and tapping or clicking the result.
- Type gpedit.msc and tap or click OK.
- Expand the following path: Computer Configuration\Windows Settings\Security Settings\Application Control Policies
- Select AppLocker.
- In the results pane, tap or click the Configure Rule Enforcement link.
- Select the Configured check box for the Packaged App Rules section.
- Select Enforce Rules to enable enforcement.
- Tap or click OK in the AppLocker Properties dialog box.
After AppLocker is configured, Group Policy must be
refreshed to apply the new settings. This can be accomplished by
restarting the computer or by running gpupdate /force
from the Run box or command line.
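As an added example that is not part of the book, the following PowerShell carries out the two procedures above (defining a packaged app rule, then configuring its enforcement) with the AppLocker module cmdlets instead of the gpedit.msc wizard, and applies the book's advice to start in Audit mode. It assumes an elevated PowerShell session on Windows 8 or later with the AppLocker module; the package name Microsoft.BingWeather is only an illustrative stand-in for the app an organization wants to restrict, and the LDAP path in the comment is a placeholder for a real GPO.

```powershell
# Added example (not from the book): define a packaged app rule, test it, apply it in Audit mode,
# and switch to enforcement, using the AppLocker PowerShell module instead of the gpedit.msc wizard.
# Assumes an elevated session on Windows 8 or later with the AppLocker module; 'Microsoft.BingWeather'
# stands in for whatever app the organization wants to restrict and must be installed on the computer.
Import-Module AppLocker

$targetApp  = 'Microsoft.BingWeather'        # illustrative package name, not from the book
$policyPath = Join-Path $env:TEMP 'PackagedAppPolicy.xml'

# 1. Rule definition: use an installed packaged app as the reference (the wizard's
#    "Use An Installed Packaged App As A Reference" choice). Packaged app rules are always
#    publisher rules, derived from the package's signing certificate, name, and version.
$package = Get-AppxPackage -Name $targetApp | Select-Object -First 1
if (-not $package) { throw "Package $targetApp is not installed; pick an installed app as the reference." }
$reference = Get-AppLockerFileInformation -Packages $package

[xml]$policy = New-AppLockerPolicy -FileInformation $reference -RuleType Publisher `
                                   -User Everyone -RuleNamePrefix 'Deny' -Xml
$appx = $policy.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Appx']")

# New-AppLockerPolicy only generates Allow rules; turn the generated rule into a Deny rule
# and widen its version range so every version of the app is covered.
foreach ($rule in $appx.SelectNodes('FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    foreach ($range in $rule.SelectNodes('.//BinaryVersionRange')) {
        $range.SetAttribute('LowSection', '0.0.0.0')
        $range.SetAttribute('HighSection', '*')
    }
}

# Once any packaged app rule is enforced, every packaged app without a matching Allow rule is
# blocked, so add the same default rule the wizard offers: allow all signed packaged apps.
[xml]$defaultRule = @"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps"
    Description="Allows members of the Everyone group to run packaged apps that are signed."
    UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
      <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
"@
$null = $appx.AppendChild($policy.ImportNode($defaultRule.DocumentElement, $true))

# 2. Rule enforcement: start in Audit mode, as the book recommends, so nothing is blocked yet.
#    EnforcementMode is NotConfigured, AuditOnly, or Enabled.
$appx.SetAttribute('EnforcementMode', 'AuditOnly')
$policy.Save($policyPath)

# Dry run against the saved policy: the reference app should come back Denied, everything else Allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath -Packages (Get-AppxPackage -AllUsers) | Format-Table -AutoSize

# Apply to the local computer's policy; -Merge keeps rules already present in other collections.
# For a domain GPO, pass -Ldap with the GPO's path instead (placeholder values shown):
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge `
#       -Ldap 'LDAP://<dc>/CN={<gpo-guid>},CN=Policies,CN=System,DC=<domain>,DC=<tld>'
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker rules are only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Refresh Group Policy so the new settings take effect (the book's gpupdate /force step).
gpupdate /force

# After reviewing the audit events, switch the collection to enforcement and reapply:
#   $appx.SetAttribute('EnforcementMode', 'Enabled'); $policy.Save($policyPath)
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge; gpupdate /force
```

Keeping the policy in an XML file is also what makes the change reviewable: the file can be diffed, checked into the desktop team's configuration repository, and re-tested with Test-AppLockerPolicy on another computer before the GPO is modified.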