AppLocker, which is built into Windows 7 Enterprise and Windows 8, prevents unknown applications from running unless they were installed with an admin account first. It provides tremendous protection against malware. Even antivirus companies are publicly saying that antivirus provides little protection against current malware. Rather than attempting to enumerate what's bad, application whitelisting technologies like AppLocker enumerate what's good and deny everything else. This turns out to be a lot easier than it sounds.
A test AppLocker policy is in place on the "Campus Clients" container, but you must opt in to activate the policy by following these steps:
- Create a file named exactly applock.txt (an empty file is fine).
- Move it to c:\windows\tracing\applock.txt
- Run gpupdate /force (or wait about 30 minutes for Group Policy to refresh on its own schedule)
You can disable AppLocker by removing c:\windows\tracing\applock.txt and running gpupdate /force again. Or, you can explicitly run setup programs as .\admin by right-clicking on the executable and choosing "Run as administrator." Please don't get into the habit of running things as .\admin; that would be a big step backwards.
If AppLocker decides to block a program, it will display a pointer to this wiki page.
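As an added example (not the wiki page's own code, nor Microsoft's), a small PowerShell helper that performs the opt-in and opt-out steps above and then checks the result: which rule collections are actually being enforced on this machine, whether a given program would be allowed for a standard user, and what AppLocker has blocked recently (the same data the Event Viewer reference below describes). It assumes an elevated PowerShell session on a Windows 7/8 client in the "Campus Clients" container.

```powershell
# Added example (not the wiki's or Microsoft's code); assumes an elevated
# PowerShell on a Windows 7/8 client in "Campus Clients".
Import-Module AppLocker

$OptInFile = 'C:\Windows\tracing\applock.txt'   # opt-in signal from the page

# Opt in: create the signal file the GPO looks for, then refresh policy.
function Enable-AppLockerOptIn {
    if (-not (Test-Path $OptInFile)) { New-Item -Path $OptInFile -ItemType File | Out-Null }
    gpupdate /force | Out-Null
}

# Opt out again: remove the signal file and refresh policy.
function Disable-AppLockerOptIn {
    Remove-Item -Path $OptInFile -ErrorAction SilentlyContinue
    gpupdate /force | Out-Null
}

# Confirm the policy applied: each rule collection with its enforcement mode.
function Get-AppLockerEnforcementSummary {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        New-Object PSObject -Property @{
            Collection  = $rc.Type              # Exe, Dll, Script, Msi
            Enforcement = $rc.EnforcementMode   # Enabled, AuditOnly, NotConfigured
            Rules       = @($rc.ChildNodes).Count
        }
    }
}

# Ask the effective policy whether an executable would run for a standard
# user before anyone double-clicks it.
function Test-AppLockerAllows {
    param([Parameter(Mandatory=$true)][string]$Path)
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Recent block events (ID 8004 in the EXE and DLL log): what was stopped, and why.
function Get-AppLockerBlocks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}
```

Run Get-AppLockerEnforcementSummary right after Enable-AppLockerOptIn; if the Exe collection does not show Enforcement = Enabled, the policy has not reached this machine yet and a blocked program is probably being stopped by something else.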
At some future date, when AppLocker is considered safe for our clients, the opt-in logic would become opt-out. Any PC in "Campus Clients" would be subject to the policy unless it had a "no-applock.txt" file (or some such signal, TBD).
References For Understanding AppLocker
- Application whitelisting explained
- Using Event Viewer with AppLocker
- Display a custom URL when an application is blocked
- Free, almost perfect malware protection with GPO AppLocker
- A pragmatic approach towards AppLocker policies
- DSD confirms: application whitelisting is the go
- AppLocker Guide for Technical Decision Makers