
AppLocker, which is built into Windows 7 Enterprise and Windows 8, prevents unknown programs from running unless an admin installed or otherwise pre-cleared them first. This provides tremendous protection against malware. Even antivirus companies are publicly saying that antivirus provides little protection against current malware. Rather than attempting to enumerate what's bad, application whitelisting technologies like AppLocker enumerate what's good and deny everything else. This turns out to be a lot easier than it sounds.

How to Opt In to Use AppLocker

A test AppLocker policy is in place on the "Campus Clients" container, but you must opt in to activate the policy by following these steps:

  1. Create a file named exactly applock.txt (an empty file is fine).
  2. Move it to c:\windows\tracing\applock.txt
  3. Run gpupdate /force (or wait about 30 minutes for Group Policy to refresh on its schedule)

At some future date, when AppLocker is considered safe for our clients, the opt-in logic would become opt-out: any PC in "Campus Clients" would be subject to the policy unless it had a "no-applock.txt" file (or some such signal, TBD).

How to Run a Blocked Program or Opt Out

Anything already installed in Program Files or other common locations will run, so this should not be a common event.

When AppLocker blocks a program, it will pop up an alert box (whose content we cannot edit) with a pointer to this wiki page (AppLocker lets you set a "local support" URL). Please let Rich know when this happens. Email is fine. Every program that the helpdesk could find to install on my test laptops will run, but IT people get creative.

You can explicitly run setup programs as .\admin by right-clicking on the executable and choosing "Run as administrator." Anything run as .\admin, .\carladmin, or ads\its bypasses AppLocker. Please don't get into the habit of running things as .\admin, though; that would be a big step backwards.

You can disable AppLocker entirely by removing c:\windows\tracing\applock.txt and running gpupdate /force again.
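A small PowerShell helper, added here as an example (it is not part of the original page), that wraps the opt-in and opt-out steps above and lists recent AppLocker block events so that a report to Rich can name the exact program and user. It assumes the signal-file path given on this page, the AppLocker PowerShell module that ships with Windows 7 Enterprise, and that gpupdate /force is the policy refresh step.

```powershell
# Added example, not from the original wiki page. Signal-file path is the one this page documents.
$OptInFile = 'C:\Windows\tracing\applock.txt'

function Enable-AppLockerOptIn {
    # Steps 1-2: an empty file at exactly this path is the opt-in signal.
    if (-not (Test-Path $OptInFile)) { New-Item -Path $OptInFile -ItemType File | Out-Null }
    # Step 3: refresh Group Policy now instead of waiting for the scheduled run.
    gpupdate /force | Out-Null
}

function Disable-AppLockerOptIn {
    # Opt out: remove the signal file and refresh policy so the rules are withdrawn.
    Remove-Item -Path $OptInFile -ErrorAction SilentlyContinue
    gpupdate /force | Out-Null
}

function Get-AppLockerStatus {
    # Rules are only enforced while the Application Identity service (AppIDSvc) is running.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $svcState = 'not installed'
    if ($svc) { $svcState = $svc.Status }
    # Effective policy is the merge of every GPO applied to this machine.
    $policy = Get-AppLockerPolicy -Effective
    $ruleCollections = 0
    if ($policy) { $ruleCollections = @($policy.RuleCollections).Count }
    New-Object PSObject -Property @{
        OptedIn         = Test-Path $OptInFile
        AppIDSvc        = $svcState
        RuleCollections = $ruleCollections
    }
}

function Get-AppLockerBlocks {
    param([int]$Hours = 24)
    # In the EXE and DLL log, event 8004 = file was prevented from running;
    # 8003 = it ran, but would have been blocked if the rule set were enforced (audit mode).
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $mode = 'audit'
        if ($_.Id -eq 8004) { $mode = 'blocked' }
        # The message names the file path and the user; keep it whole for the e-mail.
        New-Object PSObject -Property @{ Time = $_.TimeCreated; Mode = $mode; Detail = $_.Message }
    }
}
```

Run `Get-AppLockerBlocks | Format-List` in an elevated PowerShell session after an alert box appears; the 8004 entry it lists is what to paste into the email.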

References For Understanding AppLocker

(Yes, AppLocker makes even more sense for servers, which run a more predictable set of software.)
