Using AppLocker

The organizations of today face many challenges in controlling which applications run on client computers. These challenges include managing the following:

• The Universal Windows Platform apps and desktop apps that users can access
• Which users are allowed to install new applications
• Which versions of the applications are allowed to run, and for which users

Unauthorized software can experience a higher incidence of malware infections and generate more helpdesk calls. However, it can be difficult for you to ensure that users' computers run only approved and licensed software.

You can use AppLocker to specify which software can run on a user's PC. AppLocker enables users to run the applications, installation programs, and scripts that they require to be productive while still providing the security and compliance benefits of application standardization.

Important Note

Only Windows 10 Enterprise and Windows 10 Education editions support AppLocker. AppLocker is unable to control processes running under the system account on any OS.

AppLocker can be useful for organizations that want to limit the number and types of applications that can run. This can be achieved by preventing unlicensed software or malware from running, and by restricting the ActiveX controls that are installed.

You can also reduce the total cost of ownership by making sure that workstations are homogeneous across an enterprise and that users run only the software and applications that the enterprise approves. You can also reduce the security risks and the possibility of information leaks from running unauthorized software.

Understanding AppLocker rules

You can prevent many problems in your work environment by controlling which applications a user can run. AppLocker enables you to do this by creating rules that specify exactly which applications a user can run. AppLocker continues to function, even when applications are updated.

Because you configure AppLocker with Group Policy, you need to understand Group Policy creation and deployment. This makes AppLocker ideal for organizations that currently use Group Policy to manage their Windows 10 computers or have per-user application installations.

To authorize AppLocker rules, you need to use the new AppLocker Microsoft Management Console (MMC) snap-in in the Group Policy Management Editor window:

Figure 7.11 - The AppLocker MMC

AppLocker provides several rule-specific wizards. You can use one wizard to create a single rule and another wizard to generate rules automatically, based on your rule preferences and the folder that you select. The four wizards that AppLocker provides administrators with to author rules are Executable Rules Wizard, Windows Installer Rules Wizard, Script Rules Wizard, and Packaged App Rules Wizard.

At the end of each wizard, you can review the list of analyzed files. You can then modify the list to remove any file before AppLocker creates rules for the remaining files.

The events for AppLocker are stored in the Event Viewer on the local computer. You can review these events if you want to check whether your AppLocker rules have been applied as appropriate. AppLocker uses the following Event IDs, which you can use to troubleshoot AppLocker from the client:

• Event ID 8000: Indicates that the AppLocker policy did not apply correctly
• Event ID 8004: Indicates that a .exe or .dll file did not run
• Event ID 8007: Indicates that a script or .msi file did not run
• Event ID 8022: Indicates that the Packaged app is disabled
• Event ID 8025: Indicates that the Packaged app installation is disabled

AppLocker provides you with the ability to control which users can run designated desktop apps such as executables (.exe files), scripts, Windows Installer files (.msi and .msp), and dynamic link libraries (.dll). You can use AppLocker to specify which Universal Windows apps (.appx) users can install and use on their computers.

We will now move on and learn about how to configure AppLocker.

Configuring AppLocker

To enable AppLocker restrictions, for example, Universal Windows apps, you must configure the appropriate Group Policy settings by performing the following procedure:

1. Open the Local Group Policy Editor (gpedit.msc).
2. Under Local Computer Policy, in the left pane, navigate to Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker.
3. Click on Packaged app Rules.
4. Right-click Packaged app Rules.
5. Click Create New Rule.
6. Use the Create Packaged app Rules wizard to configure an application restriction policy:
   

   Figure 7.12 - The Create Packaged app Rules wizard

7. Click on Create to create the default rule.

This default rule has lower precedence, but it enables all signed packaged apps to run. To create the default rule, perform the following steps:

1. Right-click Packaged app Rules.
2. Click Create Default Rules:

Figure 7.13 - The Create Default Rules option

At this point, you have a specific package rule and a set of default rules. By default, these policies are set to enforce. You can only change the policy to audit policies by performing the following steps:

1. Right-click the AppLocker node.
2. Click Properties.

   In the AppLocker Properties dialog box, select the Configured check box adjacent to Packaged app Rules. In the list, depending on your requirements, select either Enforce rules or Audit only and then click OK:

Figure 7.14 - The AppLocker Properties dialog box

Enforcement of AppLocker rules requires that the Application Identity service runs on all computers affected by your AppLocker policy. This service identifies applications, and then processes the AppLocker policies against the identified applications. You can enable this service by opening Services.msc and selecting the Application Identity service. Configure the service for automatic startup, and then start the service manually. You can also start the service by configuring the setting through a GPO.

In this section, you learned what AppLocker is and why it is important for an organization so that they can reduce the number of applications that can be run. If an AppLocker policy does not work, you can check the Event Viewer for specific event IDs to troubleshoot the problem. Furthermore, you learned how to configure AppLocker settings.