AppLocker - Fact Sheet

  • Security
  • Published Jul 18, 2012 Updated Nov 21, 2019

This is the first in a small series of articles about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution.

Requirements

AppLocker works on:

  • Windows 7 Enterprise or Ultimate
  • Server 2008 R2 Standard, Enterprise or Datacenter

Domain controllers must be running at least Windows Server 2003.

The Application Identity service must be running or configuration changes cannot be processed. Contrary to popular belief the service is not required for rule enforcement - stopping it does not unblock restricted applications.

File Types

AppLocker monitors and/or controls the execution of the following types of files:

  • Executables (*.exe, *.com)
  • Installers (*.msi, *.msp)
  • Scripts (*.bat, *.cmd, *.js, *.ps1, *.vbs)
  • DLLs (*.dll, *.ocx)

What It Does Not Do

AppLocker does not audit or control the execution of:

  • Individual scripts that run in their own host process (e.g. Perl or Python). The host process may be blocked entirely, though. If, for example, perl.exe is blocked, no Perl script can be executed.
  • Individual macros (e.g. Microsoft Office)
  • Posix subsystem code. As an alternative, the Posix subsystem could be disabled.
  • Individual 16 bit programs. As an alternative, the 16 bit subsystem could be blocked entirely. This applies to 32-bit Windows 7 only.
  • Individual App-V applications (App-V works with AppLocker, it is just not possible to block only certain applications).

Audit or Enforce

AppLocker can operate in auditing mode, enforcement mode or switched off completely. The mode of operation is configured for each file type individually. It is therefore easily possible to audit scripts, enforce applications and leave installers and DLLs alone.

AppLocker properties

Rules

Similar to a firewall, AppLocker works with rules that control whether to log, permit or deny an operation. Rules apply to users or groups, not computers. This makes it possible to differentiate between restricted standard users and unrestricted power users, for example.

AppLocker has three different types of rules:

  • Publisher: applies to all files that are digitally signed by a certain organization. Can optionally be limited to a certain product name, file name and file version.
  • Path: applies to files in a certain path or to individual files in a specific location.
  • Hash: applies to individual files identified by their hash value (note that if a file is updated or patched the hash changes and the rule becomes invalid).

Configuration and Rule Distribution

AppLocker rules are typically distributed by domain-based group policy. The relevant node is: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker. Configuring AppLocker through local group policy is possible, too.

Additionally, rules can be created from PowerShell. It is also possible to test from PowerShell whether specific files are allowed to run.

AppLocker Internals

James Forshaw has started a nice series of articles about the internals of AppLocker:

AppLockerSoftware Restriction Policies

Comments

Related Posts

AppLocker - Solutions to Common Problems

AppLocker - Solutions to Common Problems
This article is part of my small series about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution. AppLocker and UAC One of the default rules allows unrestricted application execution for administrators. That is only sensible. After all, someone needs to be able to troubleshoot and perform maintenance. However, if UAC is enabled, that rule is not very useful. Remember: UAC filters the SID for the group Administrators from the access token during normal operation. With the Administrators’ SID gone, AppLocker is active for administrators in the same way it is for all other users. Administrators wishing to bypass AppLocker need to start executables from an elevated command prompt (or right-click and select run as administrator), which is often impractical.
Security

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage
This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.
Hardware

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding
This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.
Hardware