Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

AppLocker, which is built in to Windows 7 Enterprise and later, prevents can be configured (in "enforcing" mode) to prevent unknown programs from running unless installed or otherwise pre-cleared by an admin first. This is increasingly necessary because even antivirus companies are publicly saying that antivirus provides little protection against current malware. Rather than attempt to enumerate what's bad, application whitelisting technologies like AppLocker enumerate what's good, and deny everything else.

Image Removed

...

As of spring 2018, three departments are running in enforcing mode:  HR, ITS, and BUSO.  See /wiki/spaces/itskb/pages/26145761 page for more information on how this is done.

Image Added

What should you do if a program won't run and you are directed to this page?

When a program is blocked by AppLocker, Windows will pop up "Your system administrator has blocked you from running this program" as shown at right. The "More information" link goes to the web page you are reading now.

...

The Information Security Officer will periodically review reports on such overrides and as appropriate, add them to the centrally managed policy. This information is gathered automatically; you do not need to report them to the helpdesk or anyone else.

If opening a program downloaded in Chrome or IE doesn't work...

See above. Same reason, but "Downloads" may be treated as so untrusted that they don't pop up an alert. Find the program in your Downloads folder (or wherever you saved it) and right-click to run as admin, etc.

Want to protect your computers from ransomware and other malicious code?

Many of our peer institutions including Simon Fraser, CSB/SJU, and the University of Minnesota apply an AppLocker policy to all deployed staff PCs. Carleton does this only on request. If you would like your PC or all PCs in your department to use this recommended security feature that has been built in to Windows 7 since 2009, contact the Information Security Officer (Rich Graves).

Current policy application: mostly report-only

A "reporting-only" AppLocker policy has been in place for most campus computers since 2014. The policy is maintained by the Information Security Officer (Rich Graves). More than 99.7% of program execution this year was previously whitelisted. Most of the exceptions were malware.

A small number of computers have been placed in organizational units (OUs) that actually block unapproved programs. This applies to the entire Campus_Clients\BUSO OU and the AppLocker-Enforced directories within Facilties FACL, HUMR, and ITS.

References for understanding AppLocker

...