Windows 7 Forums
AppLocker - Create New Rules

How to Create New Rules in AppLocker in Windows 7 and Windows 8
Published by Brink
25 Apr 2009
Information
AppLocker is a feature that replaces the Software Restriction Policies feature. AppLocker helps administrators control which applications and files users can run. These include executable files, scripts, Windows Installer files, DLLs, Packaged apps and Packaged app installers.

For more detailed information about AppLocker, please see:


This tutorial will show you how to enable and create new rules in AppLocker to help control how users can access and use files, such as executables, scripts, Windows installer files, DLLs, and packaged apps (Windows 8 Store apps) in Windows 7 and Windows 8.

Note
The AppLocker Microsoft Management Console (MMC) snap-in is organized into four areas called rule collections. The four rule collections are executable files, scripts, Windows Installer files, and DLL files. These collections give you an easy way to differentiate the rules for different types of applications. The following table lists the file formats included in each rule collection.

Rule Collection | Associated File Formats
Executable Rules | .exe and .com
Windows Installer Rules | .msi and .msp
Script Rules | .ps1, .bat, .cmd, .vbs, and .js
DLL Rules | .dll and .ocx
Packaged app Rules (Windows 8 only) | .appx (Store apps)

Warning
AppLocker requirements

AppLocker enforcement is available in all editions of Windows Server 2008 R2, Windows Server 2012, Windows 7 Ultimate, Windows 7 Enterprise, Windows 8 Ultimate, and Windows 8 Enterprise.

To use AppLocker, you need:
  • You must be logged in as an administrator to be able to do this tutorial.
  • Only a computer running Windows Server 2008 R2, Windows Server 2012, Windows 7 Ultimate, Windows 7 Enterprise, and Windows 8 Enterprise can both create and enforce AppLocker rules.
  • While you can create AppLocker rules on computers running Windows 7 Professional, they will not be enforced on those computers. However, you can create the rules on a computer running Windows 7 Professional and then export the policy for implementation on a computer running an edition of Windows that does support AppLocker rule enforcement.
  • For Group Policy deployment, at least one computer with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
  • Computers running Windows Server 2008 R2, Windows Server 2012, Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise enforce the AppLocker rules that you create.
EXAMPLE: Blocked Message
NOTE: This is the type of message users will see when they try to access a file that has had a rule created for it in AppLocker set to deny (step 7) for that user or user's group.
Here's How:
1. If you have not already, then you will need to change the Application Identity service to be set as Started and Automatic. (See screenshot below)
AppLocker - Create New Rules-step1.jpg
2. Open the Local Security Policy editor.

3. In the left pane, double click on Application Control Policies to expand it, then select a rule collection that you want to create a new rule in. (See screenshot below)
NOTE: The rule collection will be either the Executable Rules, Windows Installer Rules, Script Rules, or DLL Rules collection. The DLL Rules collection is only available after you enable it. See the NOTE box at the top of the tutorial for more on these.
AppLocker - Create New Rules-dll-1.jpg
4. If you have not already created default rules for the selected rules collection, then you will need to right click on the selected rule collection and click on Create Default Rules. (See screenshot below)
NOTE: For example, I will be using Executable Rules in this tutorial.
AppLocker - Create New Rules-step2.jpg
AppLocker - Create New Rules-step2b.jpg
5. Right click on the selected rule collection, and click/tap on Create New Rule. (See screenshot below)
AppLocker - Create New Rules-step3.jpg
6. Click/tap on the Next button at the bottom. (See screenshot below)
AppLocker - Create New Rules-step4.jpg
7. Select Allow or Deny as the action you want to use for the selected User or Group. (See screenshot below)
NOTE: An allow action permits affected files to run, while a deny action prevents affected files from running. The affected files depend on what rule collection you selected in step 3.
AppLocker - Create New Rules-step5.jpg
8. If you do not want to have this rule applied to Everyone (default), then click on the Select button to select the User or Group you want to allow or deny instead. (See screenshot above)
NOTE: If you do want to have this rule apply to Everyone, then skip this step and go to step 12.

9. To Enter a User Name to Apply the Rule to
NOTE: This is if you know the user account name that you want to apply this rule to and just want to enter it instead of selecting it from a list.
A) Type the user account name, and click/tap on the Check Names button. (See screenshot below)
NOTE: For example, I want to apply this rule to a user with the user account name of Example Standard.
B) Go to step 11.
10. To Select a User or Group to Apply the Rule to
A) Click/tap on the Advanced button instead. (See screenshot below step 9A)

B) Click/tap on the Find Now button, select the User or Group that you want to apply this rule to, and click/tap on OK. (See screenshot below)
NOTE: For example, I want to apply this rule to a user with the user account name of Example Standard.
AppLocker - Create New Rules-step5b.jpg
11. Click/tap on OK. (See screenshot below)
12. Click/tap on Next. (See screenshot below)
AppLocker - Create New Rules-step5d.jpg
13. If you want a Publisher Rule Condition
NOTE: This condition identifies an application based on its digital signature and extended attributes. The digital signature contains information about the company that created the application (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the application is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization. Use a publisher condition when possible. Publisher conditions can be created to allow applications to continue to function even if the location of the application changes or if the application is updated.
A) Select (dot) Publisher, and click/tap on Next or Use an installed packaged app as a reference (Packaged apps Rules). (See screenshots below)
AppLocker - Create New Rules-step6-publisher-1.jpg

AppLocker - Create New Rules-packacked_app_publisher-1.jpg

B) Click/tap on the Browse button. Navigate to the file that you want to allow or deny access to, select it, and click/tap on Open. (See screenshots below)
AppLocker - Create New Rules-step6-publisher-2.jpg

AppLocker - Create New Rules-step6-publisher-3.jpg

OR

C) Click/tap on Select (Packaged apps Rules). Select (check) the Store apps and Metro screens that you want to allow or deny access to, and click/tap on OK. (See screenshots below)
AppLocker - Create New Rules-packacked_app_publisher_select-2.jpg

D) Use the slider to select which properties you want included to define the rule with. As you move the slider down, more properties are added, which makes the rule more specific to the file selected above. Click/tap on Create. (See screenshot below)
AppLocker - Create New Rules-step6-publisher-4.jpg
E) The rule has now been added. (See screenshot below)
AppLocker - Create New Rules-step6-publisher-5.jpg
F) Go to step 16 below.
14. If you want a Path Rule Condition
NOTE: This condition is used to select a specific file or folder path location on your computer or on the network.
A) Select (dot) Path, and click/tap on Next. (See screenshot below)
AppLocker - Create New Rules-step6-path-1.jpg
B) Select Browse Files or Browse Folders path to apply this rule to. If you specify a folder path, then all files in that folder will be included and affected by this rule.
AppLocker - Create New Rules-step6-path-2.jpg
C) Navigate to the file or folder that you want to allow or deny access to, select it, and click/tap on Open or OK. (See screenshots below)
AppLocker - Create New Rules-step6-path-3a.jpg
D) Click/tap on the Create button. (See screenshots below)
AppLocker - Create New Rules-step6-path-4a.jpg
E) The rule has now been added. (See screenshots below)
AppLocker - Create New Rules-step6-path-5a.jpg
F) Go to step 16 below.
15. If you want a File Hash Rule Condition
NOTE: When the file hash condition is chosen, the system computes a cryptographic hash of the identified file. Select this option if you want to create a rule for an application that is not signed.
A) Select (dot) File hash, and click/tap on Next. (See screenshot below)
AppLocker - Create New Rules-step6-file_hash-1.jpg
B) Select Browse Files or Browse Folders path to apply this rule to. If you specify a folder path, then all files in that folder will be included and affected by this rule.
AppLocker - Create New Rules-step6-file_hash-2.jpg
C) Navigate to the file or folder that you want to allow or deny access to, select it, and click/tap on Open or OK. (See screenshots below)
D) The file or files in the folder have been added. Repeat steps 15B and 15C to add any more files to be included in this rule. (See screenshot below)
NOTE: To remove a file, select it and click/tap on the Remove button.
AppLocker - Create New Rules-step6-file_hash-3.jpg
E) When done, click/tap on the Create button. (See screenshot above)

F) The rule has now been added. (See screenshot below)
AppLocker - Create New Rules-step6-file_hash-4.jpg
16. Repeat this tutorial to add another rule to any one of the Rule Collections.
NOTE: This will be either the Executable Rules, Windows Installer Rules, Script Rules, or DLL Rules collection. The DLL Rules collection is only available after you enable it. See the NOTE box at the top of the tutorial for more on these.

17. When done, close the Local Security Policy editor.
That's it,
Shawn
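
The wizard steps above can also be scripted with the AppLocker PowerShell module; the following is an added example, not part of the original tutorial. The reference file path and rule name prefix are placeholders, and because New-AppLockerPolicy generates Allow rules only, Deny rules are still created in the wizard as in step 7.

```powershell
# Added example: scripted counterpart of the wizard, for an elevated PowerShell
# prompt on an edition that enforces AppLocker (see the Warning box above).
Import-Module AppLocker

$ReferenceFile = 'C:\Program Files\ExampleApp\example.exe'  # placeholder path
$User          = 'Everyone'                                 # or a user/group name
$BackupFile    = Join-Path $env:TEMP 'applocker-local-backup.xml'

# Step 1: AppLocker rules are only evaluated while the Application Identity
# service (AppIDSvc) is running.
Set-Service   -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Steps 13-15: read publisher, path and hash data from the reference file.
$info = Get-AppLockerFileInformation -Path $ReferenceFile

# Ask for a publisher condition and fall back to a file hash condition when
# the file is not signed (the case step 15 describes).
$ruleArgs = @{
    FileInformation = $info
    RuleType        = 'Publisher', 'Hash'
    User            = $User
    RuleNamePrefix  = 'Tutorial'      # placeholder prefix for the rule name
    Optimize        = $true
}
$newPolicy = New-AppLockerPolicy @ruleArgs

# Dry run: evaluate the new rule against the reference file before it is applied.
Test-AppLockerPolicy -PolicyObject $newPolicy -Path $ReferenceFile -User $User |
    Format-List FilePath, PolicyDecision, MatchingRule

# Save the current local policy so the change can be rolled back, then merge
# the new rule into it. Without -Merge the local policy would be replaced.
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $BackupFile
Set-AppLockerPolicy -PolicyObject $newPolicy -Merge

# Confirm the decision the merged local policy now gives for this user.
Get-AppLockerPolicy -Local |
    Test-AppLockerPolicy -Path $ReferenceFile -User $User |
    Format-List FilePath, PolicyDecision, MatchingRule
```

To roll back, pass the saved file to Set-AppLockerPolicy with -XMLPolicy and without -Merge.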



25 Apr 2009   #1
Digger

XP/win7 x86 build 7127
 
 

good job on the tut

MS still needs to become more user/family friendly for restricting application access... some done in parental controls, so they are on the right foot... just need to lift that left foot and bring it forward.


25 Apr 2009   #2
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Thank you Digger.

This feature has a lot more options to help restrict users and groups from running applications according to its publisher, product name, file name, and/or file version. It's pretty nice.
14 Jul 2010   #3
BugOutMachine

Windows 7 Ultimate x64
 
 

I'm just starting to explore the potentials of this extremely excellent and capable feature on my PC and although not "user friendly" to the common consumer, it is certainly a very simple and effective tool for those IT professionals in need of certain protections by other User Accounts or networked connections. I LOVE APPLOCKER!
