AppLocker, which is built in to Windows 7 Enterprise and Windows 8, prevents later, can be configured (in "enforcing" mode) to prevent unknown programs from running unless installed or otherwise pre-cleared by an admin first. This provides tremendous protection against malware. Even is increasingly necessary because even antivirus companies are publicly saying that antivirus provides little protection against current malware. Rather than attempt to enumerate what's bad, application whitelisting technologies like AppLocker enumerate what's good, and deny everything else. This turns out to be a lot easier than it sounds.A test AppLocker policy is in place on the "Campus Clients" container, but you must opt in to activate the policy
As of spring 2018, three departments are running in enforcing mode: HR, ITS, and BUSO. See /wiki/spaces/itskb/pages/26145761 page for more information on how this is done.
What should you do if a program won't run and you are directed to this page?
When a program is blocked by AppLocker, Windows will pop up "Your system administrator has blocked you from running this program" as shown at right. The "More information" link goes to the web page you are reading now.
If you are confident that the program came from a legitimate source, you can override the policy and run the blocked application by following these steps:
- Create a file named exactly applock.txt (an empty file is fine).
- Move it to c:\windows\tracing\applock.txt
- Run gpedit /force (or wait about 30 minutes for it to run as scheduled)
...
- a new folder with a certain name. Contact infosec@carleton.edu or ask the ITS helpdesk to refer to WebHelpDesk ticket #66807 for the name to use.
- Move the program and any dependencies into the new folder.
- Run the program from there.
In rare cases (multi-stage installers from ninite.com), it might be necessary to right-click on the program and choose "Run as administrator." Please This can be dangerous, though, so don't get into the habit of running things as .\admin; that would be a big step backwards.
If AppLocker decides to block a program, it will display a pointer to this wiki page.
At some future date when AppLocker is considered safe for our clients, the opt-in logic would become opt-out. Any PC in "Campus Clients" would be subject to the policy unless they created a "no-applock.txt" file (or some such signal TBD).
...
in the habit.
The Information Security Officer will periodically review reports on such overrides and as appropriate, add them to the centrally managed policy. This information is gathered automatically; you do not need to report them to the helpdesk or anyone else.
If opening a program downloaded in Chrome or IE doesn't work...
See above. Same reason, but "Downloads" may be treated as so untrusted that they don't pop up an alert. Find the program in your Downloads folder (or wherever you saved it) and right-click to run as admin, etc.
Want to protect your computers from ransomware and other malicious code?
Many of our peer institutions including Simon Fraser, CSB/SJU, and the University of Minnesota apply an AppLocker policy to all deployed staff PCs. Carleton does this only on request. If you would like your PC or all PCs in your department to use this recommended security feature that has been built in to Windows 7 since 2009, contact the Information Security Officer.
Current policy application: mostly report-only
A "reporting-only" AppLocker policy has been in place for most campus computers since 2014. The policy is maintained by the Information Security Officer. More than 99.7% of program execution this year was previously whitelisted. Most of the exceptions were malware.
A small number of computers have been placed in organizational units (OUs) that actually block unapproved programs. This applies to the entire Campus_Clients\BUSO OU and the AppLocker-Enforced directories within FACL, HUMR, and ITS.
References for understanding AppLocker
- Application whitelisting explained
- Using Event Viewer with AppLocker
- Display a custom URL when an application is blocked
- Free, almost perfect malware protection with GPO AppLocker
- A pragmatic approach towards AppLocker policies
- DSD confirms: application whitelisting is the go
- AppLocker Guide for Technical Decision Makers
(Yes, AppLocker makes even more sense for servers, which run a more predictable set of software.)