Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

AppLocker, which is built in to Windows 7 Enterprise and Windows 8, prevents unknown programs from running unless installed or otherwise pre-cleared by an admin first. This provides tremendous protection against malware. Even antivirus companies are publicly saying that antivirus provides little protection against current malware. Rather than attempt to enumerate what's bad, application whitelisting technologies like AppLocker enumerate what's good, and deny everything else. This turns out to be a lot easier than it sounds.

How to Opt In to Use AppLocker

A test AppLocker policy is in place on the "Campus Clients" container, but you must opt in to activate the policy by following these steps:

  1. Create a file named exactly applock.txt (an empty file is fine).
  2. Move it to c:\windows\tracing\applock.txt
  3. Run gpedit /force (or wait about 30 minutes for it to run as scheduled)

How to Opt Out or Run a Blocked Program

If AppLocker blocks a program, it will pop up an alert box (whose content we cannot edit) with a pointer to this wiki page (they let you add a "local support" URL).

You can explicitly run setup programs as .\admin by right-clicking on the executable and choosing "Run as administrator." Please don't get into the habit of running things as .\admin; that would be a big step backwards.

You can disable AppLocker entirely by removing c:\windows\tracing\applock.txt and running gpedit /force again.

References For Understanding AppLocker

At some future date, when AppLocker is considered safe for our clients, the opt-in logic would become opt-out. Any PC in "Campus Clients" would be subject to the policy unless they created a "no-applock.txt" file (or some such signal TBD).

(Yes, AppLocker makes even more sense for servers, which run a more predictable set of software.)

  • No labels