AppLocker policies (also known as application control policies) are similar to Software Restriction Policies, but have the following advantages:
- Policies are applied to a specific user or group, or all existing, future, or previous versions of an application.
- Policy management is through a set of predefined rules, called default rules, which are created automatically. The default rules:
  - Are populated in specific rule types when you manually select the Create Default Rules option.
  - Are managed and maintained by an administrator to meet specific needs.
  - Act as a fallback block rule that restricts the execution of any application that does not have an allow rule (i.e., once AppLocker is enabled, only applications that have an allow rule will execute).
The following table describes the AppLocker rule types:

| Rule type | Description |
|---|---|
| Executable | An executable rule applies to files with .exe and .com extensions. |
| Windows Installer | The Windows Installer rule applies to .msi and .msp file extensions. The default installer rules allow: |
| Script | The script rule applies to .ps1, .bat, .cmd, .vbs, and .js file extensions. The default script rules allow: |
| DLL | The DLL rule applies to .dll (Dynamic-Link Library) and .ocx file extensions. |
Note: DLL rules affect system performance and require considerable administrative effort.
When you create a new rule, regardless of the rule type, you must specify a condition for the rule. Conditions are properties of files that AppLocker uses to enforce rules. AppLocker rules have the following conditions:

| Condition | Description |
|---|---|
| Publisher | The publisher condition uses the digital signature of the application's publisher. The digital signature contains details about the company that created the application. |
| Path | The path condition specifies a folder, a file, or a wildcard of files to restrict or allow execution. |
| Hash | The hash condition uses the digital fingerprint (also known as a file hash) of the application. |
Be aware of the following:
- AppLocker rules take precedence over software restriction policies for Windows Server 2008 R2 and Windows 7 clients.
- If both software restriction policies and AppLocker policies are configured in the same policy object, only the AppLocker settings will apply. Microsoft recommends that you use AppLocker for Windows Server 2008 R2 and Windows 7.
- If no rules have been defined for a specific type, then all applications of that type are allowed to run. Once you define one rule, then only software allowed by that rule (or the default rules) is allowed.
- Exceptions allow specific applications to be exempt from an AppLocker rule. An exception using any condition type can be added to any rule. For example, you can create a path condition that allows all applications in C:\Windows to execute, but add a hash-condition exception that prevents the calculator application from running.
- AppLocker has a soft-enforcement (also known as auditing) mode. Soft-enforcement mode:
  - Only logs what the rules would have done; software that a rule would block is still allowed to run while in soft-enforcement mode.
  - Audits AppLocker functionality before full implementation in the environment.
  - Verifies which applications are affected without actually blocking or hard-enforcing the applications from executing.
Note: The enforcement mode (either Enforce rules or Audit only) applies to all rules of a specific type. You cannot selectively enforce or audit different rules within a rule type. For example, you cannot audit one executable rule and enforce another executable rule, but you can audit all executable rules and enforce all script rules.
- Events generated by AppLocker auditing are written to the AppLocker event log. Each event contains the following information:
  - Rule name
  - SID of the user or group
  - File and path of the restricted or permitted application
  - Rule type or condition used
- Use the following Windows PowerShell cmdlets to manage AppLocker policies:
  - Test-AppLockerPolicy tests whether an AppLocker rule will block an application file on a client computer.
  - Get-AppLockerPolicy displays an AppLockerPolicy object or exports an XML-formatted string.
  - New-AppLockerPolicy creates a new AppLocker policy.
  - Set-AppLockerPolicy applies an AppLocker policy to the specified GPO.
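The audit-first workflow described above, carried out with the cmdlets just listed, as an added example (not from the original page): build allow rules for one application folder, set the rule collections to Audit only, dry-run the policy against sample files, then merge it into a GPO. The folder, output paths, sample file and GPO LDAP string are placeholders.

```powershell
# Added example: allow-list one application folder with AppLocker, switch the
# policy to Audit only, test it, and merge it into a GPO. Requires an elevated
# session with the AppLocker module. All paths and the LDAP string are placeholders.
Import-Module AppLocker

$Folder  = 'C:\Program Files\ExampleApp'                 # placeholder: folder to allow
$Xml     = 'C:\Temp\ExampleApp-AppLocker.xml'            # placeholder: policy file
$Sample  = 'C:\Users\Public\Downloads\unknown-tool.exe'  # placeholder: file to test
$GpoLdap = 'LDAP://example.com/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=com'  # placeholder

# 1. Gather publisher and hash information for executables and DLLs in the folder.
$info = Get-AppLockerFileInformation -Directory $Folder -Recurse -FileType Exe, Dll

# 2. Build allow rules: a publisher condition where a file is signed, a hash
#    condition otherwise. -Optimize merges rules that share a publisher.
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -RuleNamePrefix 'ExampleApp' -User 'Everyone' -Optimize -Xml |
    Out-File -FilePath $Xml -Encoding Unicode

# 3. Set every rule collection to Audit only (soft enforcement). The mode is an
#    attribute in the policy XML and applies to the whole collection (all Exe
#    rules, all Dll rules, ...), not to individual rules.
[xml]$doc = Get-Content -Path $Xml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($Xml)

# 4. Dry-run: once the Exe collection holds a rule, anything without an allow
#    rule is reported as DeniedByDefault (the implicit deny). Files under the
#    folder should show Allowed with the matching ExampleApp rule.
$targets = @($Sample) + (Get-ChildItem -Path $Folder -Filter *.exe -Recurse | ForEach-Object FullName)
Test-AppLockerPolicy -XmlPolicy $Xml -Path $targets |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the GPO. -Merge keeps rules already in the GPO (default rules
#    included); without it the GPO's existing AppLocker policy is replaced.
Set-AppLockerPolicy -XmlPolicy $Xml -Ldap $GpoLdap -Merge

# 6. After an audit period, turn logged "would have been blocked" events into
#    candidate allow rules for review before switching to Enforce rules.
Get-AppLockerFileInformation -EventLog -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml |
    Out-File -FilePath 'C:\Temp\FromAuditLog.xml' -Encoding Unicode   # placeholder path
```

Review the generated XML before step 5: a hash rule pins one exact binary and breaks on the next update, so prefer publisher rules wherever the vendor signs its files.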