Windows 7 Friday: Locking Down and Protecting Your Computer With AppLocker

by dboynton 2/20/2009 12:46:00 PM

I’ve been running Windows 7 Beta on all of my machines, work and personal, for about seven weeks now and have really been loving it. There are so many great new features and capabilities in Windows 7, I’ve decided to do a post each Friday on one new feature of Windows 7 until, well, I run out of things to post about. I’m calling this series Windows 7 Friday. Cool and original name, eh?

For this first post, I’m going to show you how to use an application called AppLocker to keep unwanted malware off your computer. Note: You’ll need to have administrative rights on your Windows 7 machine to use AppLocker, since this is actual administrative work!

Put Your PC On Lock-Down
If you have kids and they use the family PC on a pretty regular basis, you’ve no doubt had to deal with malware getting installed on your machine and the scavenger hunt that ensues afterward as you try to locate it. No matter how many times you tell kids to be careful, they just can’t resist the shiny “Click Me and You’ll Have Good Luck for Seven Years” buttons that appear all over the social networking sites they like to visit. Wouldn’t it be nice if you could give them the ability to install software of which you approve while keeping them from loading up junk inadvertently?

Enter AppLocker. Basically, AppLocker lets you set policies for certain users or groups on your Windows 7 PC and define specifically what types of applications they can and cannot install.

Keeping with the “Preventing my kids from screwing up my computer” scenario, I created a new Windows group called Boynton Progeny and added my daughters’ user accounts to it. I could obviously apply the rules to their accounts individually, but grouping them like this just makes life easier for me.

Also, it's important to note that you should always leave the default rules running on your machine. Primarily, this exercise is designed to just add an additional rule for specific users on my home PC, namely my daughters.

With that done, follow these steps:

1)  Open AppLocker by clicking on the Windows 7 “start” icon in the lower left-hand corner of the desktop and, in the search field, type Run. When the dialog window appears, type GPEDIT.MSC.

2)  When the Local Group Policy Editor loads, navigate using the tree on the left to Computer Configuration->Windows Settings->Security Settings->Application Control Policies->AppLocker. Click on the Executable Rules applet.


3)  In the pane to the right, left-click and select Create New Rule. From this point forward, AppLocker provides a really nice wizard-driven experience, so even if the process of getting here isn’t as friction-free as I’d like it, the rest of the experience will be.

4)  Once you click past the first screen of the wizard, you’ll find yourself at the Permissions screen. Here you can define whether this rule is to allow or deny activity on the PC, as well as selecting the Windows user or group to whom the rule should apply. In this case, I selected the Boynton Progeny group I created earlier. Click the Next button.


5)  The next screen lets you set conditions for the rule, whether that rule is for a specific software publisher, a local path on your PC, or for unsigned applications. In this case, I want to allow the group Boynton Progeny to install any software signed by Microsoft Corporation, so I select the first option, Publisher, and click the Next button.


6)  Since I selected Publisher in the previous screen, the next screen lets me define the specific software publisher I want to approve. As I’m approving software signed by Microsoft, I need to provide that publisher information here. Fortunately, I don’t need to know it off the top of my head because AppLocker lets me provide a sample signed application. In this case, I used Virtual PC 2007. AppLocker pulled the publisher information from the executable certificate for me automatically. Now, all you have to do is use the slider to the left of the extracted publisher information and scope it to the right level, in this case by moving it next to the Publisher field. Notice that you can adjust the scope to the Product Name, File Name and File Version levels as well. Click the Next button.


7)  The next screen gives you the ability to define any exceptions to the rule. For example, I could click on the Add button and, in the dialog box that appears, select the installer for Silverlight Tools for Visual Studio, click OK, and now the Boynton Progeny group can install any software signed by Microsoft except for the Silverlight Tools. When you’ve added any exceptions, click the Next button.


8)  This is the final screen of the wizard, so simply click Create and you’re done.

And that’s it! Pretty easy, really. Likewise, you can go back through the wizard and restrict the ability for the Boynton Progeny group to install any software that isn’t signed by a known publisher or even to a specific directory path on the machine, like Windows\System32.

You will obviously want to take care in selecting rules as you could inadvertently block perfectly valid applications from running. If for some reason you run into any unexpected issues setting up and using the rules in AppLocker, you can deactivate it by shutting down the AppIDSvc service via the Task Manager.
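For anyone who prefers a script to the wizard, here is the same publisher-scoped allow rule built with the AppLocker PowerShell cmdlets and dry-run tested before it is applied. This is an added example, not code from the original post: the sample file path and policy file name are placeholders, and it assumes an elevated session and that the Boynton Progeny group already exists.

```powershell
# Added example: paths and file names below are placeholders, not values from the post.
Import-Module AppLocker

$SampleExe  = 'C:\Path\To\SignedSample.exe'        # placeholder: any file signed by the publisher to trust
$Group      = "$env:COMPUTERNAME\Boynton Progeny"  # local group created earlier in the post
$PolicyFile = Join-Path $env:TEMP 'progeny-publisher-rule.xml'

# Steps 5-6: read the publisher from the sample file's signature.
$info = Get-AppLockerFileInformation -Path $SampleExe
if (-not $info.Publisher) { throw "$SampleExe is not signed; no publisher rule can be built from it." }
$publisher = [System.Security.SecurityElement]::Escape($info.Publisher.PublisherName)

# Step 4: AppLocker stores the target user or group as a SID.
$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Slider at "Publisher": product name, file name and version are wildcards.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow $publisher" Description="Added example rule" UserOrGroupSid="$sid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyFile -Value $xml -Encoding UTF8

# Dry run: what would this rule alone decide for the group?
Test-AppLockerPolicy -XmlPolicy $PolicyFile -User $Group `
    -Path $SampleExe, "$env:SystemRoot\System32\notepad.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Rules are only evaluated while the Application Identity service is running.
Get-Service AppIDSvc | Select-Object Name, Status

# Step 8: merge into the local policy so the default rules already there are kept.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

In the dry run, a file with no matching rule shows up as DeniedByDefault, which is a quick way to spot valid applications the new rule set would block before the policy is merged.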

Having good malware detection software on your PC is a must, but the best defense is a strong offence. If you can stop unwanted or unnecessary software from getting installed on your machine, all the better, and AppLocker in Windows 7 gives you an easy, intuitive way to do this.

Coming up: Next Friday I’ll dive into some of the security updates in Windows 7, including the new and improved User Access Control (UAC) and BitLocker.

 


Comments


4/8/2009 10:23:22 AM

free tv

cool article... thanks

free tv us

6/13/2009 9:13:00 AM

contemporary furniture

I'm testing the beta version of Windows 7 and so far it looks like it's gonna be worth waiting for. It's much like Vista in appearance only much faster to boot especially. The old Pent 4 with 2 gigs of ram I'm running it on is ready to use in 20 seconds after reboot and seems to work very smoothly. Some problem is when you have an older PC. My cousin has an older PC and the graphics card has only 56Mb on board memory. When I try to install it, so many of the animated graphics functions either won't work or they are too slow. Also it won't recognize the sound card.

-Kenneth Parker

contemporary furniture us

7/23/2009 6:20:01 AM

web design

What is the full procedure of changing my windows from xp to windows 7?

web design us

7/23/2009 10:52:50 AM

Work At Home

I have used Windows 7 from my friend's computer. It is a lot faster compared to my XP SP3. Interesting features given here. I have just forwarded the link to my friend. Hope he can tweak his Win 7.

Work At Home my

8/13/2009 4:39:32 AM

Wedding Invitations

I am planning to switch to Windows 7 from XP. I have heard that they stop sending updates for Win XP from 2010. Vista has a lot of authorize box pop-ups plus it uses a lot of memory. So, I think the best choice left now is Win 7. Hope this will be a better use compared to Vista.

Wedding Invitations gb

8/14/2009 11:57:40 AM

Data entry services

How much space would windows 7 eat up from the computers memory? I have 3gb ram.

Data entry services us

8/14/2009 2:00:47 PM

dboynton

Windows 7 will run comfortably on a machine with just 1GB of RAM, so you will be fine.

dboynton

8/20/2009 3:14:31 AM

Rohs Screening

Hey,
Excellent blog. I found it very interesting and at the same time very informative. Thanks!!!

Rohs Screening us


10/7/2009 11:49:50 AM

launceston computer repair shop

Thanks for those screen shots. I tried using the Windows beta version on my PC, and I must say it feels much better than Vista, to be frank. Windows 7 is relatively faster than Vista and I think after XP, Windows 7 may become one of the popular operating systems out there.

launceston computer repair shop us

10/13/2009 6:32:42 PM

Vista Drivers

"Windows 7 will run comfortably on a machine with just 1GB of RAM, so you will be fine." That's what they say, but I wouldn't take anything to heart until you've had the chance to try it out for yourself. I'm not sure if I'll give it a try or not, but looks like it may be better than Vista.

Vista Drivers us

10/15/2009 8:12:55 AM

dboynton

I think I've proven the performance on lower end hardware. I'm posting this comment on a Dell netbook with 1GB RAM and an Intel Atom proc running Windows 7 Ultimate with no issues. Setup was a breeze. What will be interesting to see is if PC manufacturers switch their netbook setups to use Windows 7 instead of XP once it is generally available on Oct. 22nd.

dboynton


About the author

Denny Boynton
Microsoft Architect Evangelist by day, wannabe rock 'n roll star by night! Want more? Here's my bio.
