AppLocker - Create New Rules
    How to Create New Rules in AppLocker in Windows 7 and Windows 8
    Published by
    Designer Media Ltd




       Information
    AppLocker is a feature that replaces the Software Restriction Policies feature. AppLocker helps administrators control which applications and files users can run. These include executable files, scripts, Windows Installer files, DLLs, Packaged apps and Packaged app installers.

    For more detailed information about AppLocker, please see:




    This tutorial will show you how to enable and create new rules in AppLocker to help control how users can access and use files, such as executables, scripts, Windows installer files, DLLs, and packaged apps (Windows 8 Store apps) in Windows 7 and Windows 8.

       Note
    The AppLocker Microsoft Management Console (MMC) snap-in is organized into four areas called rule collections. The four rule collections are executable files, scripts, Windows Installer files, and DLL files. These collections give you an easy way to keep the rules for different types of applications separate. The following table lists the file formats included in each rule collection.

    Rule Collection                          Associated File Formats
    Executable Rules                         .exe and .com
    Windows Installer Rules                  .msi and .msp
    Script Rules                             .ps1, .bat, .cmd, .vbs, and .js
    DLL Rules                                .dll and .ocx
    Packaged app Rules (Windows 8 only)      .appx (Store apps)
       Warning
    AppLocker requirements

    AppLocker enforcement is available in all editions of Windows Server 2008 R2, Windows Server 2012, Windows 7 Ultimate, Windows 7 Enterprise, Windows 8 Ultimate, and Windows 8 Enterprise.


    To use AppLocker, you need:
    • You must be logged in as an administrator to be able to do this tutorial.
    • Only a computer running Windows Server 2008 R2, Windows Server 2012, Windows 7 Ultimate, Windows 7 Enterprise, and Windows 8 Enterprise can both create and enforce AppLocker rules.
    • While you can create AppLocker rules on computers running Windows 7 Professional and Windows 8 Pro, they will not be enforced on those computers. However, you can create the rules on a computer running Windows 7/8 Professional and then export the policy for implementation on a computer running an edition of Windows that does support AppLocker rule enforcement.
    • For Group Policy deployment, at least one computer with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
    • Computers running Windows Server 2008 R2, Windows Server 2012, Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise enforce the AppLocker rules that you create.

    EXAMPLE: Blocked Message
    NOTE: This is the type of message users will see when they try to run a file that is covered by an AppLocker rule set to Deny (step 7) for that user or the user's group.
    [Screenshot: AppLocker - Create New Rules-enforced_rule.jpg]
    Here's How:
    1. If you have not already, then you will need to change the Application Identity service to be set as Started and Automatic. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step1.jpg]
    2. Open the Local Security Policy editor.

    3. In the left pane, double click on Application Control Policies to expand it, then select a rule collection that you want to create a new rule in. (See screenshot below)
    NOTE: The rule collection will be either the Executable Rules, Windows Installer Rules, Script Rules, or DLL Rules collection. The DLL Rules collection is not shown until you enable it. See the NOTE box at the top of the tutorial for more on these.
    [Screenshot: AppLocker - Create New Rules-dll-1.jpg]
    4. If you have not already created default rules for the selected rules collection, then you will need to right click on the selected rule collection and click on Create Default Rules. (See screenshot below)
    NOTE: For example, I will be using Executable Rules in this tutorial.
    [Screenshot: AppLocker - Create New Rules-step2.jpg]
    [Screenshot: AppLocker - Create New Rules-step2b.jpg]
    5. Right click on the selected rule collection, and click/tap on Create New Rule. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step3.jpg]
    6. Click/tap on the Next button at the bottom. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step4.jpg]
    7. Select Allow or Deny as the action you want to use for the selected User or Group. (See screenshot below)
    NOTE: An allow action permits the affected files to run, while a deny action prevents the affected files from running. Which files are affected depends on the rule collection you selected in step 3.
    [Screenshot: AppLocker - Create New Rules-step5.jpg]
    8. If you do not want to have this rule applied to Everyone (default), then click on the Select button to select the User or Group you want to allow or deny instead. (See screenshot above)
    NOTE: If you do want to have this rule apply to Everyone, then skip this step and go to step 12.

    9. To Enter a User Name to Apply the Rule to
    NOTE: This is if you know the user account name that you want to apply this rule to and just want to enter it instead of selecting it from a list.
    A) Type the user account name, and click/tap on the Check Names button. (See screenshot below)
    NOTE: For example, I want to apply this rule to a user with the user account name of Example Standard.
    [Screenshot: AppLocker - Create New Rules-step5a.jpg]
    B) Go to step 11.
    10. To Select a User or Group to Apply the Rule to
    A) Click/tap on the Advanced button instead. (See screenshot below step 9A)

    B) Click/tap on the Find Now button, select the User or Group that you want to apply this rule to, and click/tap on OK. (See screenshot below)
    NOTE: For example, I want to apply this rule to a user with the user account name of Example Standard.
    [Screenshot: AppLocker - Create New Rules-step5b.jpg]
    11. Click/tap on OK. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step5c.jpg]
    12. Click/tap on Next. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step5d.jpg]
    13. If you want a Publisher Rule Condition
    NOTE: This condition identifies an application based on its digital signature and extended attributes. The digital signature contains information about the company that created the application (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the application is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization. Use a publisher condition when possible. Publisher conditions can be created to allow applications to continue to function even if the location of the application changes or if the application is updated.
    A) Select (dot) Publisher, and click/tap on Next. For Packaged app Rules, select Use an installed packaged app as a reference instead. (See screenshots below)
    [Screenshot: AppLocker - Create New Rules-step6-publisher-1.jpg]
    [Screenshot: AppLocker - Create New Rules-packacked_app_publisher-1.jpg]
    B) Click/tap on the Browse button. Navigate to the file that you want to allow or deny access to, select it, and click/tap on Open. (See screenshots below)
    [Screenshot: AppLocker - Create New Rules-step6-publisher-2.jpg]
    [Screenshot: AppLocker - Create New Rules-step6-publisher-3.jpg]
    OR

    C) Click/tap on Select (Packaged app Rules). Select (check) the Store apps and Metro screens that you want to allow or deny access to, and click/tap on OK. (See screenshots below)
    [Screenshot: AppLocker - Create New Rules-packacked_app_publisher-1.jpg]
    [Screenshot: AppLocker - Create New Rules-packacked_app_publisher_select-2.jpg]
    D) Use the slider to select which properties you want included in the rule. As you move the slider down, more properties are added, making the rule more specific to the selected file. Click/tap on Create. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step6-publisher-4.jpg]
    E) The rule has now been added. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step6-publisher-5.jpg]
    F) Go to step 16 below.
    14. If you want a Path Rule Condition
    NOTE: This condition is used to select a specific file or folder path location on your computer or on the network.
    A) Select (dot) Path, and click/tap on Next. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step6-path-1.jpg]
    B) Select Browse Files or Browse Folders path to apply this rule to. If you specify a folder path, then all files in that folder will be included and affected by this rule.
    [Screenshot: AppLocker - Create New Rules-step6-path-2.jpg]
    C) Navigate to the file or folder that you want to allow or deny access to, select it, and click/tap on Open or OK. (See screenshots below)
    [Screenshot: AppLocker - Create New Rules-step6-path-3a.jpg]
    D) Click/tap on the Create button. (See screenshots below)
    [Screenshot: AppLocker - Create New Rules-step6-path-4a.jpg]
    E) The rule has now been added. (See screenshots below)
    [Screenshot: AppLocker - Create New Rules-step6-path-5a.jpg]
    F) Go to step 16 below.
    15. If you want a File Hash Rule Condition
    NOTE: When the file hash condition is chosen, the system computes a cryptographic hash of the identified file. Select this option if you want to create a rule for an application that is not signed.
    A) Select (dot) File hash, and click/tap on Next. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step6-file_hash-1.jpg]
    B) Select Browse Files or Browse Folders path to apply this rule to. If you specify a folder path, then all files in that folder will be included and affected by this rule.
    [Screenshot: AppLocker - Create New Rules-step6-file_hash-2.jpg]
    C) Navigate to the file or folder that you want to allow or deny access to, select it, and click/tap on Open or OK. (See screenshots below)
    [Screenshot: AppLocker - Create New Rules-step6-path-3a.jpg]
    D) The file or files in the folder have been added. Repeat steps 15B and 15C to add any more files to be included in this rule. (See screenshot below)
    NOTE: To remove a file, select it and click/tap on the Remove button.
    [Screenshot: AppLocker - Create New Rules-step6-file_hash-3.jpg]
    E) When done, click/tap on the Create button. (See screenshot above)

    F) The rule has now been added. (See screenshot below)
    [Screenshot: AppLocker - Create New Rules-step6-file_hash-4.jpg]
    16. Repeat this tutorial to add another rule to any one of the Rule Collections.
    NOTE: This will be either the Executable Rules, Windows Installer Rules, Script Rules, or DLL Rules collection. The DLL Rules collection is not shown until you enable it. See the NOTE box at the top of the tutorial for more on these.

    17. When done, close the Local Security Policy editor.
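    The same procedure carried out with the AppLocker PowerShell module that ships with these Windows editions, as an added example that is not part of the tutorial. The file path is an assumed placeholder, and the rule is scoped to Everyone, the default from step 8; the cmdlets must be run from an elevated PowerShell session.

```powershell
# Added example, not from the tutorial: the GUI steps above done with the AppLocker module.
# Assumed placeholder: the file the new rule should cover.
$target = 'C:\Program Files\ExampleApp\example.exe'

Import-Module AppLocker

# Step 1: rules are only enforced while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Steps 13-15: collect the publisher, hash and path data each condition type is built from.
$fileInfo = Get-AppLockerFileInformation -Path $target

# Steps 7-8: build Allow rules scoped to Everyone. A publisher condition is preferred;
# Hash is generated as the fallback when the file carries no valid signature.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'ExampleApp' -Xml

# New-AppLockerPolicy only emits Allow rules. For a Deny rule (step 7), change the
# Action attribute in the generated XML before saving it:
# $policyXml = $policyXml -replace 'Action="Allow"', 'Action="Deny"'

$policyPath = Join-Path $env:TEMP 'ExampleAppPolicy.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding utf8

# Check the decision the new rules produce for the file before touching the live policy.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $target -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge keeps the default rules from step 4 and adds the new rule to the local policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Confirm the rule is present in the effective local policy.
Get-AppLockerPolicy -Local -Xml
```

    Test-AppLockerPolicy reports Allowed, Denied, AllowedByDefault or DeniedByDefault per file, so a rule that does not match the intended file shows up here before it is merged.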


    That's it,
    Shawn Brink





  1. Posts : 995
    XP/win7 x86 build 7127
       #1

    good job on the tut

    MS still needs to become more user/family friendly for restricting application access... some done in parental controls, so they are on the right foot... just need to lift that left foot and bring it forward.


  2. Posts : 71,975
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #2

    Thank you Digger.

    This feature has a lot more options to help restrict users and groups from running applications according to its publisher, product name, file name, and/or file version. It's pretty nice. :)


  3. Posts : 196
    Windows 7 / Windows 8.1
       #3

    I'm just starting to explore the potentials of this extremely excellent and capable feature on my PC and although not "user friendly" to the common consumer, it is certainly a very simple and effective tool for those IT professionals in need of certain protections by other User Accounts or networked connections. I LOVE APPLOCKER!


