I’ve been running Windows 7 Beta on all of my machines, work and personal, for about seven weeks now and have really been loving it. There are so many great new features and capabilities in Windows 7, I’ve decided to do a post each Friday on one new feature of Windows 7 until, well, I run out of things to post about. I’m calling this series Windows 7 Friday. Cool and original name, eh?
For this first post, I’m going to show you how to use an application called AppLocker to keep unwanted malware off your computer. Note: You’ll need to have administrative rights on your Windows 7 machine to use the AppLocker application, since this really is administrative work!
Put Your PC On Lock-Down
If you have kids and they use the family PC on a pretty regular basis, you’ve no doubt had to deal with malware getting installed on your machine and the scavenger hunt that ensues afterward as you try and locate it. No matter how many times you tell kids to be careful, they just can’t resist the shiny “Click Me and You’ll Have Good Luck for Seven Years” buttons that appear all over the social networking sites they like to visit. Wouldn’t it be nice if you could give them the ability to install software of which you approve while keeping them from loading up junk inadvertently?
Enter AppLocker. Basically, AppLocker lets you set policies for certain users or groups on your Windows 7 PC and define specifically what types of applications they can and cannot install.
Keeping with the “Preventing my kids from screwing up my computer” scenario, I created a new Windows group called Boynton Progeny and added my daughters’ user accounts to it. I could obviously apply the rules to their accounts individually, but grouping them like this just makes life easier for me.
Also, it's important to note that you should always leave the default rules running on your machine. Primarily, this exercise is designed to just add an additional rule for specific users on my home PC, namely my daughters.
With that done, follow these steps:
1) Open AppLocker by clicking on the Windows 7 “start” icon in the lower left-hand corner of the desktop and, in the search field, type Run. When the dialog window appears, type GPEDIT.MSC.
2) When the Local Group Policy Editor loads, navigate using the tree on the left to Computer Configuration->Windows Settings->Security Settings->Application Control Policies->AppLocker. Click on the Executable Rules applet.
3) In the pane to the right, left-click and select Create New Rule. From this point forward, AppLocker provides a really nice wizard-driven experience, so even if the process of getting here isn’t as friction-free as I’d like it, the rest of the experience will be.
4) Once you click past the first screen of the wizard, you’ll find yourself at the Permissions screen. Here you can define whether this rule is to allow or deny activity on the PC, as well as selecting the Windows user or group to whom the rule should apply. In this case, I selected the Boynton Progeny group I created earlier. Click the Next button.
5) The next screen lets you set conditions for the rule, whether that rule is for a specific software publisher, a local path on your PC, or for unsigned applications. In this case, I want to allow the group Boynton Progeny to install any software signed by Microsoft Corporation, so I select the first option, Publisher, and click the Next button.
6) Since I selected Publisher in the previous screen, the next screen lets me define the specific software publisher I want to approve. As I’m approving software signed by Microsoft, I need to provide that publisher information here. Fortunately, I don’t need to know it off the top of my head because AppLocker lets me provide a sample signed application. In this case, I used Virtual PC 2007. AppLocker pulled the publisher information from the executable certificate for me automatically. Now, all you have to do is use the slider to the left of the extracted publisher information and scope it to the right level, in this case by moving it next to the Publisher field. Notice that you can adjust the scope to the Product Name, File Name and File Version levels as well. Click the Next button.
7) The next screen gives you the ability to define any exceptions to the rule. For example, I could click on the Add button and, in the dialog box that appears, select the installer for Silverlight Tools for Visual Studio, click OK, and now the Boynton Progeny group can install any software signed by Microsoft except for the Silverlight Tools. When you’ve added any exceptions, click the Next button.
8) This is the final screen of the wizard, so simply click Create and you’re done.
And that’s it! Pretty easy, really. Likewise, you can go back through the wizard and restrict the ability for the Boynton Progeny group to install any software that isn’t signed by a known publisher or even to a specific directory path on the machine, like Windows\System32.
You will obviously want to take care in selecting rules as you could inadvertently block perfectly valid applications from running. If for some reason you run into any unexpected issues setting up and using the rules in AppLocker, you can deactivate it by shutting down the AppIDSvc service via the Task Manager.
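The same publisher rule can be built and dry-run from an elevated PowerShell prompt with the AppLocker cmdlets that ship with Windows 7, which lets you see what a rule would allow or block before it is applied. This is an added example, not part of the original walkthrough; the sample file path and the output file name are assumptions.

```powershell
# Added example, not from the original post.
# Assumed values: the sample file path and the output file name.
Import-Module AppLocker

$group  = "$env:COMPUTERNAME\Boynton Progeny"                      # group created earlier in the post
$sample = 'C:\Program Files\Microsoft Virtual PC\Virtual PC.exe'   # assumed path to the signed sample
$out    = Join-Path $env:TEMP 'progeny-publisher-rule.xml'         # assumed file name

# Wizard steps 4-6: read the publisher from the signed sample and
# generate an allow rule for the group as AppLocker policy XML.
$info = Get-AppLockerFileInformation -Path $sample
if (-not $info.Publisher) {
    throw "$sample is not signed, so no publisher rule can be built from it."
}
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
                   -User $group -RuleNamePrefix 'Progeny' -Xml

# Equivalent of moving the wizard's slider up to Publisher: wildcard the
# product name, file name and file version in each generated condition.
foreach ($cond in $policy.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName',  '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection',  '*')
    $range.SetAttribute('HighSection', '*')
}
$policy.Save($out)

# Dry run: evaluate the new rule on its own against files the group should
# be able to use. Nothing is enforced or changed by this step.
$candidates = @("$env:WINDIR\System32\notepad.exe", $sample)
Test-AppLockerPolicy -XmlPolicy $out -Path $candidates -User $group |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply only after reviewing the table. -Merge adds the rule to the local
# policy instead of replacing it, so the default rules stay in place.
Set-AppLockerPolicy -XmlPolicy $out -Merge

# Rules are only enforced while the Application Identity service is running.
Get-Service AppIDSvc | Format-List Name, Status
```

The dry run evaluates only the rule in the XML file, so a file that this rule does not match is reported as DeniedByDefault even if one of the default rules already on the machine would allow it.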
Having good malware detection software on your PC is a must, but the best defense is a strong offence. If you can stop unwanted or unnecessary software from getting installed on your machine, all the better, and AppLocker in Windows 7 gives you an easy, intuitive way to do this.
Coming up: Next Friday I’ll dive into some of the security updates in Windows 7, including the new and improved User Access Control (UAC) and BitLocker.