Users installing and running any software they want is a big challenge for any IT administrator, because it increases the workload when a system crashes and often goes against company policy.
Now that Windows 7 has started rolling out in corporate environments, IT admins should know about an excellent feature in Windows 7 that helps them prevent users from running unauthorized software on corporate machines. This feature is called AppLocker and resides in the Group Policy Editor in Windows 7.
Though I am targeting IT here, if you have a lot of users at home and want to push rules, you can follow the same steps, or follow this guide to block specific programs for any Windows user, which is simple and straightforward.
- Open the Group Policy Editor
- Navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
Sections in AppLocker:
- Executable Rules
- Windows Installer Rules
- Script Rules
These three rule types let you block applications by version number, because sometimes an update causes an issue. You can even block access to certain folders where a proprietary application is installed, either because the third party doesn't want users to have access to it or because you don't want users to mess around there, so that the app keeps running. Script rules are a bit complex, as they use PowerShell scripts, and are meant for advanced usage.
We could talk all day about AppLocker, so below I give specific examples for understanding and then provide resources that give more understanding of the subject.
Prerequisites for AppLocker to work:
Run the Application Identity service.
- Open Services and start the service named Application Identity.
- For AppLocker to work, this service should be started before you create rules; otherwise you will have to restart the machine after setting it to start automatically.
Configure Rule Enforcement
For the rules to work, you need to configure it to run manually. You will get this option in the right pane as soon as you select AppLocker.
If you don't configure the above two things, you will waste your whole day trying to make the rules work. So do it first.
About Exporting and Importing AppLocker Rules
My personal suggestion to IT administrators is to take a standard machine, the kind you give out to employees in the company, with all applications installed, and create the rules on it using AppLocker. Once that is done, you can export the rules and import them on the other machines. To export or import rules, right-click AppLocker.
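The prerequisite check and the export/import steps described above can also be scripted with the AppLocker PowerShell cmdlets. This is an added example, not part of the original post; the function names and file paths are hypothetical, and the dry run assumes a Deny rule you have already created in the console.

```powershell
Import-Module AppLocker   # needed on Windows 7 (PowerShell 2.0)

function Enable-AppIdentity {          # hypothetical helper name
    # Prerequisite: the Application Identity service (AppIDSvc) must be running.
    if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
        Set-Service -Name AppIDSvc -StartupType Automatic
        Start-Service -Name AppIDSvc
    }
}

function Export-ReferencePolicy {      # hypothetical; run on the reference machine
    param([string]$PolicyFile, [string]$TestFile)
    Enable-AppIdentity
    Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $PolicyFile -Encoding UTF8

    # Report enforcement mode and Deny rules for each rule collection in the export.
    [xml]$policy = Get-Content -Path $PolicyFile
    foreach ($c in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $type  = $c.GetAttribute('Type')
        $mode  = $c.GetAttribute('EnforcementMode')
        $rules = $c.SelectNodes('*')
        $deny  = $c.SelectNodes('*[@Action="Deny"]')
        Write-Host ("{0,-7} mode={1,-13} rules={2} deny={3}" -f $type, $mode, $rules.Count, $deny.Count)
        foreach ($r in $deny) { Write-Host "    Deny: $($r.GetAttribute('Name'))" }
        # AuditOnly only logs; NotConfigured means enforcement was never set explicitly.
        if ($rules.Count -gt 0 -and $mode -ne 'Enabled') {
            Write-Warning "$type has rules but rule enforcement is '$mode'."
        }
    }

    # Dry run: how the exported policy treats one file for the Everyone group.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $TestFile -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Import-ReferencePolicy {      # hypothetical; run on each target machine
    param([string]$PolicyFile)
    Enable-AppIdentity
    # -Merge keeps rules already on the target; without it the local policy is replaced.
    Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
}

# Constructed sample paths:
# Export-ReferencePolicy -PolicyFile 'C:\Temp\applocker.xml' -TestFile 'C:\Tools\blocked.exe'
# Import-ReferencePolicy -PolicyFile 'C:\Temp\applocker.xml'
```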
How to block specific applications using AppLocker:
- Go to Executable Rules. Right-click and choose Create New Rule.
- Select which type of rule you want to create. You can either Allow or Deny, and then apply it to a group of users or to a specific user. This is common to all rule creation.
- Select Publisher and click Next. The screen you will see now is crucial, and you must understand it.
- First, select the program you want to block by browsing to and selecting an executable. Once this is done, the screen fills in with the complete details of publisher, signature, version, etc.
If you click Next at this stage, this specific version of the program is not allowed to be used by the group or users you have restricted. However, if you want to make it a bit more flexible so that no version of the same program can be used by anybody, you need to move the slider up. This fills the Version section with a star (*), meaning all versions are blocked.
I would have preferred a list of programs to pop up here, as it is confusing to look for an executable when, most of the time, you will find a lot of executables in one place. So make sure what you are blocking is the right one.
How to block access to specific folders:
- Follow the same steps as above, but when it comes to choosing Conditions, select Path.
- In the Path option, you can browse and select folders and files.
That's it. With these basics done, you know how to use AppLocker to block programs, folders, etc.