How to: Software Restriction policies with AppLocker

We’ve already seen how to restrict software on Windows Server 2012 / R2 using GPOs. There’s another way available since Windows Server 2012, thanks to a feature called AppLocker.

We still use GPOs (AppLocker is a subset of GPOs) to enforce software restriction, but it’s easier and more powerful.

AppLocker can manage execution permissions of:

  • Executables: files with .exe extension
  • Windows installers: Windows installer packages with .msi and .msp extensions
  • Scripts: files with .ps1, .bat, .cmd, .vbs and .js extensions
  • Packaged Apps: Windows Store apps

Open the Server Manager and launch the Group Policy Management:

Create a new GPO:

Edit the policy:

You will find the AppLocker settings inside the path Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker. Click Configure rule enforcement:

Check the rule collections you want to enforce. By default, once a collection is enforced, AppLocker blocks all executables, installer packages and scripts except those specified in Allow rules:

AppLocker differs from software restriction policies in its ability to create rules automatically. Right-click in the white box and select Automatically Generate Rules; a wizard will appear:

Specify the users that will be affected and select the path that will be analyzed to automatically create “Allow execute” rules:

You can choose whether or not to allow the execution of unsigned executables. It’s better to base the rules on the executable hash rather than on the file path, since hash rules are more reliable:

Click Create:

The new rules will appear:
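The same “Automatically Generate Rules” procedure, done with the AppLocker PowerShell cmdlets instead of the wizard, as an added example that is not part of the original post. It builds hash-based Allow rules (as recommended above), tests them against the scanned files before deployment, merges them into the GPO, and shows where AppLocker logs its decisions; the scanned folder, GPO distinguished name and test user are placeholders.

```powershell
# Added example (not from the original post): the "Automatically Generate Rules"
# wizard, driven from PowerShell. Hash rules are used, as the post recommends,
# and the policy is tested before it is merged into the GPO.
# Assumptions: $scanPath, $gpoLdap and the test user are placeholders.

Import-Module AppLocker

$scanPath  = 'C:\Program Files\ContosoApp'     # placeholder: folder to analyze
$policyXml = "$env:TEMP\applocker-hash-rules.xml"

# 1. Collect file information (hash, publisher, path) for every executable
#    and script under the folder, like the wizard's analysis step.
$files = Get-AppLockerFileInformation -Directory $scanPath -Recurse -FileType Exe, Script

# 2. Build Allow rules keyed on the file hash for Everyone. -Optimize merges
#    files into as few rules as possible; -IgnoreMissingFileInformation skips
#    files the cmdlet could not read instead of aborting.
New-AppLockerPolicy -FileInformation $files -RuleType Hash -User Everyone `
    -RuleNamePrefix 'ContosoApp' -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Check the policy before enforcing it: which files would be allowed or
#    blocked for a given user? A file not covered by any rule is Denied.
$candidates = Get-ChildItem -Path $scanPath -Recurse -Include *.exe, *.ps1 |
    Select-Object -ExpandProperty FullName
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User 'CONTOSO\user1' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge the rules into the GPO created earlier (placeholder DN). -Merge adds
#    to the existing rules instead of replacing the GPO's whole AppLocker policy.
$gpoLdap = 'LDAP://DC01.contoso.com/CN={GUID-OF-GPO},CN=Policies,CN=System,DC=contoso,DC=com'
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoLdap -Merge

# 5. After a gpupdate on a client, AppLocker decisions land in the event log:
#    8002 = allowed, 8003 = would have been blocked (audit only), 8004 = blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object Id -In 8003, 8004 |
    Select-Object TimeCreated, Id, Message
```

The Application Identity service (AppIDSvc) must be running on the clients for the rules to be evaluated at all; scripts and installers are logged in the separate “MSI and Script” AppLocker log.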

We can also manually create other rules. Right-click on the background and choose Create New Rule:

Click Next:

Specify the users who will be affected by the rule and the rule type (Allow or Deny execution):

There are three ways to specify which applications will be affected by the rule:

  • Publisher: identify the applications signed by a specific publisher;
  • Path: identify specific files and paths;
  • File Hash: identify applications based on their digital fingerprint.

In our example we chose Path:

Specify the Path:

You can add exceptions if you need them:

Name your new rule and click Create:

The rule will appear: