Microsoft Corporation. Status: Preliminary documentation



Similar documents
EventTracker: Support to Non English Systems

Pipeliner CRM Phaenomena Guide Add-In for MS Outlook Pipelinersales Inc.

Technical Brief for Windows Home Server Remote Access

How To Install Outlook Addin On A 32 Bit Computer

Creating and Deploying Active Directory Rights Management Services Templates Step-by-Step Guide

Exclaimer Alias Manager for Exchange Deployment Guide - Exclaimer Alias Manager for Exchange Outlook Add-In

Improving Performance of Microsoft CRM 3.0 by Using a Dedicated Report Server

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide

Windows Small Business Server 2003 Upgrade Best Practices

How To Set Up A Load Balancer With Windows 2010 Outlook 2010 On A Server With A Webmux On A Windows Vista V (Windows V2) On A Network With A Server (Windows) On

Project management integrated into Outlook

New Zealand National Cyber Security Centre

Deploying Remote Desktop IP Virtualization Step-by-Step Guide

File and Printer Sharing with Microsoft Windows

Lab Answer Key for Module 1: Installing and Configuring Windows Server Table of Contents Lab 1: Configuring Windows Server

Administering Group Policy with Group Policy Management Console

Migrating Active Directory to Windows Server 2012 R2

About This Guide Signature Manager Outlook Edition Overview... 5

Pipeliner CRM Phaenomena Guide Administration & Setup Pipelinersales Inc.

Pipeliner CRM Phaenomena Guide Opportunity Management Pipelinersales Inc.

Enable File and Folder Auditing

Troubleshooting File and Printer Sharing in Microsoft Windows XP

Pipeliner CRM Phaenomena Guide Getting Started with Pipeliner Pipelinersales Inc.

Lab Answer Key for Module 9: Active Directory Domain Services. Table of Contents Lab 1: Exploring Active Directory Domain Services 1

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Windows Server Update Services 3.0 SP2 Step By Step Guide

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

Pipeliner CRM Phaenomena Guide Sales Pipeline Management Pipelinersales Inc.

Specops Command. Installation Guide

Version Provance Technologies, Inc. All rights reserved. Provance Technologies Inc. 85 Bellehumeur Gatineau, Quebec CANADA J8T 8B7

Project management integrated into Outlook

Pipeliner CRM Phaenomena Guide Sales Target Tracking Pipelinersales Inc.

Lab Answer Key for Module 6: Configuring and Managing Windows SharePoint Services 3.0. Table of Contents Lab 1: Configuring and Managing WSS 3.

HELP DOCUMENTATION E-SSOM DEPLOYMENT GUIDE

The 2007 R2 Version of Microsoft Office Communicator Mobile for Windows Mobile: Frequently Asked Questions

Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide

Step-by-Step Guide for Monitoring in Windows HPC Server 2008 Beta 2

DriveLock Quick Start Guide

Getting Started Guide

How to - Install EventTracker and Change Audit Agent

Deploying the Workspace Application for Microsoft SharePoint Online

AD RMS Step-by-Step Guide

Overview of Microsoft Office 365 Development

UPGRADE. Upgrading Microsoft Dynamics Entrepreneur to Microsoft Dynamics NAV. Microsoft Dynamics Entrepreneur Solution.

Module 8: Implementing Group Policy

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

Introduction to DirectAccess in Windows Server 2012

Hyper-V Server 2008 Setup and Configuration Tool Guide

DeviceLock Management via Group Policy

Windows BitLocker Drive Encryption Step-by-Step Guide

Adobe Acrobat 9 Deployment on Microsoft Windows Group Policy and the Active Directory service

Create, Link, or Edit a GPO with Active Directory Users and Computers

Installation Guide. . All right reserved. For more information about Specops Inventory and other Specops products, visit

How to deploy Arkeia Network Backup v10 on Windows Server 2008 and later with a domain

Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide

NETWRIX WINDOWS SERVER CHANGE REPORTER

Office Language Interface Pack for Farsi (Persian) Content

Redeploying Microsoft CRM 3.0

SmartDraw Installation Guide

Microsoft Dynamics GP. Engineering Data Management Integration Administrator s Guide

Microsoft Hyper-V Server 2008 R2 Getting Started Guide

DeviceLock Management via Group Policy

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory

Using Group Policies to Install AutoCAD. CMMU 5405 Nate Bartley 9/22/2005

Hands-On Lab: WSUS. Lab Manual Expediting WSUS Service for XP Embedded OS

Writers: Joanne Hodgins, Omri Bahat, Morgan Oslake, and Matt Hollingsworth

Using Apple Remote Desktop to Deploy Centrify DirectControl

Installation Guide. Novell Storage Manager for Active Directory. Novell Storage Manager for Active Directory Installation Guide

Update and Installation Guide for Microsoft Management Reporter 2.0 Feature Pack 1

Pipeliner CRM Phaenomena Guide Importing Leads & Opportunities Pipelinersales Inc.

BMC Performance Manager Windows Security White Paper DCOM / WMI

For Active Directory Installation Guide

Integrate Cisco IronPort Web Security Appliance (WSA)

4cast Client Specification and Installation

TECHNICAL DOCUMENTATION SPECOPS DEPLOY / APP 4.7 DOCUMENTATION

White Paper. Software version: 5.0

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

Version 5.0. SurfControl Web Filter for Citrix Installation Guide for Service Pack 2

Product Guide for Windows Home Server

SolarWinds Migrating SolarWinds NPM Technical Reference

Distributing SMS v2.0

Foxit Enterprise Reader GPO User Guide

ACTIVE DIRECTORY DEPLOYMENT

Microsoft Dynamics NAV 2013 R2 Release Notes Follow-up

Upgrade Guide. Upgrading to EventTracker v6.0. Upgrade Guide Columbia Gateway Drive, Suite 250 Publication Date: Sep 20, 2007.

HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION

EventTracker: Configuring DLA Extension for AWStats Report AWStats Reports

Compatibility with Encryption Products

StarWind iscsi SAN Software: Installing StarWind on Windows Server 2008 R2 Server Core

Microsoft Lync Server 2010

NETWRIX FILE SERVER CHANGE REPORTER

Sharpdesk V3.5. Push Installation Guide for system administrator Version

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Adobe Acrobat 9 Deployment on Microsoft Systems Management

How To Manage Storage With Novell Storage Manager 3.X For Active Directory

Outpost Network Security

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

Using Group Policy to Manage and Enforce ACL on VNX for File P/N REV A01 February 2011

Transcription:

Microsoft Corporation Status: Preliminary documentation Beta content: This guide is currently in beta form. The AppLocker team greatly appreciates you reviewing the document and looks forward to receiving your feedback. To report bugs or ask questions about any of the content in this guide, please send e-mail to the AppLocker Feedback alias applock@microsoft.com. Abstract: This article details questions that IT professionals have frequently asked about AppLocker in Windows 7 and Windows Server 2008 R2. 1

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. 2009 Microsoft Corporation. All rights reserved. Microsoft, AppLocker, Internet Explorer, Windows 7, and Windows Server 2008 R2 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 2

Contents Understanding AppLocker... 4 What is AppLocker?... 4 How does AppLocker differ from Software Restriction Policies (SRP)?... 4 What kinds of files can I manage with AppLocker?... 5 Where can I find more information about AppLocker?... 5 Planning and Deploying AppLocker... 5 Which editions of Windows 7 and Windows Server 2008 R2 support AppLocker rules?... 5 Which editions of Windows can I use to create AppLocker rules?... 5 Can SRP rules be migrated to AppLocker rules?... 6 What are rule conditions?... 6 Can I configure the default AppLocker rule action?... 6 Wh a I ha g h fa a?... 6 Can I test my AppLocker rules before I enforce them?... 6 Can AppLocker rules be applied to specific users or groups?... 7 Do I need to upgrade my domain controllers to use AppLocker rules?... 7 Does AppLocker use any services for its rule enforcement?... 7 How do I create DLL rules?... 7 Why is the DLL rule collection disabled by default?... 7 Managing AppLocker... 7 Wh a m b g f?... 7 How can I view the AppLocker events on client computers?... 8 What should I do if my rules are too restrictive and Windows is behaving irregularly or will not boot?... 8 3

Understanding AppLocker What is AppLocker? AppLocker TM is a new feature in Windows 7 and Windows Server 2008 R2 that replaces the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as executable files, scripts, Windows Installer files, and DLLs. Using AppLocker, you can: Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. Assign a rule to a security group or an individual user. Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe). Use audit-only mode to deploy the policy and understand its impact before enforcing it. Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten. Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. How does AppLocker differ from Software Restriction Policies? Software Restriction Policies (SRP) were originally designed in Windows XP and Windows Server 2003 to help IT professionals limit the number of applications that would require administrator access. With the introduction of User Account Control (UAC) and the emphasis of standard user accounts in Windows Vista, fewer applications today require administrator privileges. As a result, AppLocker was introduced to expand the goals of the original SRP by allowing IT administrators to create a comprehensive list of applications that should be allowed to run. The following table compares AppLocker to Software Restriction Policies. Feature Software Restriction Policies AppLocker Rule scope Rule conditions provided Specific user or group (per GPO) File hash, path, certificate, registry path, and Internet zone rules Specific user or group (per rule) File hash, path, and publisher rules 4

Rule types provided Allow and deny Allow and deny Default rule action Allow or deny Deny Audit-only mode No Yes Wizard to create multiple rules at one time No Yes Policy import or export No Yes Rule collection No Yes PowerShell support No Yes Custom error messages No Yes What kinds of files can I manage with AppLocker? AppLocker can be used to manage four different types of files: executable (.exe), Windows Installer (.msi and.msp), script (.bat,.cmd,.js,.ps1, and.vbs), and DLL (.dll and.ocx). Each of these file types is managed in its own rule collection. Where can I find more information about AppLocker? AppLocker page on the Windows Server TechCenter (http://technet.microsoft.com/en-us/library/dd723678(ws.10).aspx) AppLocker Silverlight demo (http://technet.microsoft.com/enus/windows/dd320283.aspx) AppLocker documentation on the Microsoft Download Center (http://www.microsoft.com/downloads/details.aspx?familyid=025cf2e8-b0ab-4419- b5bb-86ab2d5eca83&displaylang=en) Planning and Deploying AppLocker Which editions of Windows 7 and Windows Server 2008 R2 support AppLocker rules? AppLocker rules can be enforced on Windows 7 Ultimate edition, Windows 7 Enterprise edition, and all editions of Windows Server 2008 R2 except Windows Web Server and Windows Server Foundation. Which editions of Windows can I use to create AppLocker rules? To create rules for a local computer, the computer must be running Windows 7 Ultimate edition or Windows 7 Enterprise edition. If you want to create rules for a GPO, you can use a computer that is running any edition of Windows 7, provided that the Remote Server Administration Toolkit is installed. AppLocker rules can be created on any edition of Windows 5

Server 2008 R2. While you can create AppLocker rules on Windows Professional computers, they will not be enforced on those computers. However, you could create the rules there and export the policy for implementation on an edition of Windows that does support AppLocker rule enforcement. Can SRP rules be migrated to AppLocker rules? No, not directly. Because AppLocker is an entirely new feature in Windows 7 and Windows Server 2008 R2, AppLocker rules are not based on the same technology as Software Restriction Policies (SRP) rules. To migrate existing SRP rules, you must carefully analyze your existing SRP rules and determine how they would conceptually map to new AppLocker rules. What are rule conditions? Rule conditions are properties of files that AppLocker uses to enforce rules. Each AppLocker rule can use one primary rule condition. There are three rule conditions in AppLocker: publisher, path, and file hash. Publisher: Can only be used for files that are digitally signed by a software publisher. This condition type uses the digital certificate (publisher name and product name) and properties of the file (file name and file version). This type of rule can be created for an entire product suite, which allows the rule in most cases to still be applicable when the application is updated. Path: Based on the file or folder path of where specific applications are installed. File hash: Based on the unique file hash that Windows cryptographically computes for each file. This condition type is unique, so each time that a publisher updates a file, you must create a new rule. Can I configure the default AppLocker rule action? The default rule action is to run only those applications that are specifically allowed in the AppLocker rule set. While there is no setting to configure the default rule behavior, you can use AppLocker's rule set to override it. To do this, create an allow rule with a path condition set to *. This configuration will allow all files to run. You can then create deny rules to block specific files. Why isn t there a setting to configure the default rule action? Managing files that are allowed is a more secure and manageable way of controlling applications in an organization. Although initial rule setup can be easier with a deny list, organizations wanting to lock down their environments will find that they will need many more rules to block specific files than if they had created a list of allowed files. Can I test my AppLocker rules before I enforce them? Yes, you can use the AppLocker audit only enforcement mode to test your rules before they are enforced. 6

Can AppLocker rules be applied to specific users or groups? Yes, rules can be created for specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules to apply to all users (the Everyone group) and then apply that Group Policy object (GPO) to a specific computer group. Do I need to upgrade my domain controllers to use AppLocker rules? No, you do not need to update your domain controllers. You can use existing Windows Server 2003 and Windows Server 2008 domain controllers to host the AppLocker policy. However, you cannot use Windows Server 2003 or Windows Server 2008 computers to create AppLocker rules. Does AppLocker use any services for its rule enforcement? Yes, AppLocker uses the Application Identity service (AppIDSvc) for rule enforcement. This service must be set to start automatically in the GPO in order for AppLocker rules to be enforced. How do I create DLL rules? To create DLL rules in a GPO, you must enable to DLL rule collection in the Group Policy Management Editor console (gpedit.msc). 1. In the Group Policy Management Editor console, navigate to the AppLocker snap-in in the console tree. (Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker) 2. Right-click AppLocker, and then click Properties. 3. Click the Advanced tab, click the Enable the DLL rule collection check box, and then click OK. Why is the DLL rule collection disabled by default? Managing DLLs can be a difficult task. Each application requires that specific DLLs are allowed to run, and one application can launch many DLLs. For this reason, implementing DLL rules is a more advanced way of using AppLocker. Improperly configuring DLL rules can cause application compatibility problems, and because AppLocker checks whether a DLL is allowed each time before it is allowed to run, many AppLocker events can be generated in the event log. Therefore, you should carefully plan your DLLs before enabling the rule collection. Managing AppLocker Why aren t my AppLocker rules being enforced? There are two reasons why the AppLocker rules might not be enforced: The Application Identity service (AppIDsvc) is not running. Rule enforcement is set to Audit only. 7

To determine why your AppLocker rules are not being enforced first check whether the Application Identity service (AppIDSvc) is running. On a local computer: 1. Using the Services Microsoft Management Console (MMC) snap-in: Click the Start button, type Services.msc into the Search programs and files box, and then press ENTER. Confirm that the status for Application Identity is Started. 2. Using PowerShell: On a remote computer: Open a PowerShell prompt and run: get-service appidsvc Confirm that the service is started. Open a PowerShell prompt and run: get-service <computername> appidsvc Confirm that the service is started. If the service is running, determine what the rule enforcement for the rule collection is set to enforce rules. How can I view the AppLocker events on client computers? To view AppLocker events, you can use event forwarding technologies, Event Viewer (eventvwr.msc), or the get-winevent PowerShell cmdlet. In the Event Viewer, AppLocker events are stored in a log under: Applications and Services Logs\Microsoft\Windows\AppLocker. There are two child logs: one for executables and DLLs and another for Windows Installer files and scripts. What should I do if my rules are too restrictive and Windows is behaving irregularly or will not boot? When AppLocker is enabled, only applications that are specified will be allowed to run. When you first create rules, AppLocker will prompt you to create the default rules. These default rules ensure that key Windows system files and all files in the Program Files directory will be permitted to run. While the default rules are not mandatory, we recommend that you start with the default rules as a baseline and then edit them or create your own to ensure that Windows will function properly. If computers cannot start properly due to your AppLocker policy, edit the AppLocker rules in the corresponding Group Policy object (GPO) to be less restrictive. If the AppLocker rules are f a m a policy, boot the computer into safe mode, create the default AppLocker rules, and then reboot the computer. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information