Security Advisor

AppLocker Reins in Applications

White-listing certain applications is one way to make sure your network stays safe.

Users who run unwanted or dangerous applications can undermine the security of your entire network. With the new AppLocker feature in Windows 7, Microsoft aims to simplify the task of ensuring that users can only run approved applications.

When users run unapproved apps, it doesn't take long before admins have to solve the ensuing problems. Programs don't need to be installed to run on a computer: downloading a program file from the Internet or copying it from a flash drive can be all that's needed to start it. Recently, many security experts have argued that the only reliable way to prevent unwanted and dangerous programs from running on a computer is application white-listing.

What Is White-Listing?
White-listing consists of checking each application at the time it starts to see whether it's on a list of allowed programs, and preventing it from running if it's not on that list. Microsoft introduced a tool for white-listing back in Windows XP and Windows Server 2003. Software Restriction Policies (SRP), which are applied via Group Policy, are designed to control which users can run which applications. If you ever tried using this feature, you know that it's cumbersome to configure and that keeping rules current across software updates is close to impossible.

Microsoft has jumped into the game by creating AppLocker, a new tool for application white-listing in Windows 7. AppLocker is included with the current beta versions of Windows 7 and Windows Server 2008 R2. Settings are applied using Group Policy Objects (GPOs); the configuration settings can be found in the GPO under Computer Configuration, Windows Settings, Security Settings, Application Control Policies. There are three rule types you will normally configure: Executable Rules apply to .exe and .com files; Windows Installer Rules apply to .msi and .msp installer packages, not to programs that are already installed; and Script Rules apply to scripts (.ps1, .bat, .cmd, .vbs and .js) that are started on a computer. A fourth collection, DLL Rules, exists but is switched off by default because it requires a rule for every library a program loads. In each of these categories, you can create rules that allow a user or group of users to run a program, or rules that deny it. Deny rules take precedence over allow rules, which is how you create exceptions: one rule might allow users to run all installed programs, while a second rule prevents one particular user from running Solitaire. Keep in mind that as soon as a collection contains any rule and is enforced, everything in that collection that no rule explicitly allows is blocked.

How AppLocker Helps
AppLocker lets you start with default rules covering the apps you most likely want to allow: for the Executable collection, everything under the Program Files folder and the Windows folder for all users, plus everything for members of the local Administrators group. You can then add additional rules to create a more stringent policy. Another nice feature is a wizard that automatically generates rules from all files in a folder you specify. If you create your policy on a computer that's representative of most other computers in your organization, you can generate the rules required to white-list all installed apps without having to spend lots of time.

Not unlike the old Software Restriction rules, AppLocker rules can be based on file paths, file hashes or software publishers' certificates. File paths are the least-reliable method and only work if you can ensure that executable files are always found in the same location and that ordinary users cannot write to that location. Using this method will also let maliciously modified programs run as long as they're in an allowed location. The default rule for the Windows folder is a case in point: standard users can write to a few of its subfolders (C:\Windows\Temp and C:\Windows\Tasks, for example), so a path rule that covers the whole folder lets them drop and run executables there unless you add exceptions for those subfolders.

File hash rules are more reliable, as they apply to one specific version of a program file. If even a single byte of such a file is changed, the hash rule no longer matches and the program is stopped dead in its tracks. However, file hash rules can be very difficult to maintain. As soon as a program file is changed because of a legitimate update, you need to update the hashes, or the application will stop working. If you don't update all hash rules before patching an app, you'll have to deal with a slew of user complaints as programs stop working across your network.

The most flexible and reliable rules are publisher rules. You can configure a policy that allows all programs that are signed by a trusted publisher to run, but your rules can also be more granular. A rule may allow only programs from a single publisher to run -- for example, only programs from Microsoft. To further limit the scope of the rule, you can narrow it down to a specific product name, file name or minimum version, all of which are taken from the signed file. For example, you could white-list Acrobat Reader without allowing other programs from its publisher, Adobe, to run. As long as future versions of Acrobat Reader are signed correctly, AppLocker will apply the same rule to the new versions. This removes the headaches that application upgrades and patches cause when file path or hash rules are in use. The flip side is that a publisher rule trusts every file carrying that signature, so a broad rule such as "anything signed by Microsoft" also allows signed tools that will happily run whatever code they are handed; scope such rules by product name, or add deny rules for the binaries you don't want users to have.

Before enabling AppLocker, you'll also need to decide on the enforcement mode, which is set separately for each rule collection. "Enforce rules" makes AppLocker always apply the collection's rules; "Not configured" enforces them too, but lets a GPO with higher precedence set a different mode; and "Audit only" lets all applications run while writing an event to the Microsoft-Windows-AppLocker event logs each time a rule would have blocked something. Audit-only mode is the right starting point, because it shows you which apps your rules miss before users find out the hard way. Whatever mode you pick, nothing is enforced unless the Application Identity service is running, so set it to start automatically on every computer the policy targets.
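The steps above, from inventorying a reference computer to reviewing the audit log, can be scripted with the AppLocker PowerShell module that ships with Windows 7 and Windows Server 2008 R2. The following is an added example (not code from the article or from Microsoft's documentation) that generates publisher rules where files are signed and hash rules where they aren't, puts every collection into audit-only mode, dry-runs the policy against a couple of files, and lists what audit mode would have blocked. The folder C:\Policies and the file paths used for the dry run are assumptions; run it from an elevated 64-bit PowerShell prompt.

```powershell
# Added example: build and pilot an AppLocker policy in audit-only mode.
# Assumes C:\Policies exists and that the test-file paths below are only
# placeholders for files on your own reference machine.
Import-Module AppLocker

# AppLocker enforces nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory the executables, installers and scripts on the reference machine.
#    (Add 'C:\Program Files (x86)' on a 64-bit reference computer.)
$referenceFolders = @('C:\Program Files')
$files = $referenceFolders | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Generate rules. Signed files get publisher rules; unsigned files fall back
#    to hash rules. -Optimize collapses files from the same publisher/product
#    into one rule, and -IgnoreMissingFileInformation skips files that yield
#    neither a signature nor a hash instead of aborting the whole run.
$policyXml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Ref' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Switch every rule collection to audit-only before the policy goes anywhere.
$policy = [xml]$policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = 'C:\Policies\Reference-AuditOnly.xml'
$policy.Save($policyPath)

# 4. Dry run: what would the policy decide for these files for Everyone?
#    PolicyDecision is Allowed, Denied, DeniedByDefault or AllowedByDefault;
#    MatchingRule names the rule that produced the decision.
$testFiles = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',   # expected: Allowed
    'C:\Users\Public\Downloads\unknown-tool.exe'         # expected: DeniedByDefault
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $testFiles -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply the audit-only policy to the local computer for the pilot.
#    (Use -Ldap with a GPO's LDAP path to target a GPO instead.)
Set-AppLockerPolicy -XmlPolicy $policyPath

# 6. After the pilot period, summarise what audit mode would have blocked.
#    Event ID 8003 in this log is "would have been blocked"; 8004 is "blocked".
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics
```

The output of step 6 is a list of files with hit counts; pipe it straight into New-AppLockerPolicy to generate rules for the legitimate ones, and only then flip the collections from AuditOnly to Enabled in the XML.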

Is AppLocker Right for You?
AppLocker is a capable and easy-to-use solution for application white-listing, but it has a number of limitations you need to know about. First of all, AppLocker only works on computers running Windows 7 or Windows Server 2008 R2, and on the client side only the Ultimate and Enterprise editions enforce it; Windows 7 Professional can author a policy but does not enforce one.

Another limitation of AppLocker is caused by the diversity of the programs that typically need to run on computers even in a small or midsize organization. Sure, if you run a handful of applications in your network and most users have identical needs to run these programs, creating and maintaining your rules will be very easy. But if you have to control dozens or hundreds of applications, each of them including multiple program files, you'll end up with a policy that includes a long list of rules that are difficult to maintain. And if some of these applications are not digitally signed, updating hash rules each time software is patched can easily turn into a full-time job.

Maintaining and synchronizing AppLocker rules in a distributed environment can also be challenging. While AppLocker lets you export and import a policy and its associated rules, there's no central repository, and the Group Policy editor offers no way to merge one policy into another. So, if you maintain a different AppLocker policy for each of five departments, you'll need to add a new app separately to each of these policies; the only relief is that the AppLocker PowerShell cmdlets can write a policy straight into a GPO, which lets you script the repetition.
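As an added example of that scripting (not code from the article), the following merges a rule for one newly approved application into each department's GPO, backing up every GPO's current AppLocker policy first so the change can be rolled back. The binary path, GPO GUIDs and domain name are hypothetical placeholders.

```powershell
# Added example: merge one new application rule into several department GPOs.
# All paths, GPO GUIDs and the domain below are hypothetical placeholders.
Import-Module AppLocker

$newApp    = 'C:\Staging\NewApp\newapp.exe'     # approved binary (placeholder)
$ruleFile  = 'C:\Policies\NewApp-rule.xml'
$backupDir = 'C:\Policies\Backups'

# One GPO per department, identified by its LDAP path (placeholder GUIDs).
$departmentGpos = @{
    Finance = 'LDAP://dc1.example.com/CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=example,DC=com'
    Sales   = 'LDAP://dc1.example.com/CN={22222222-2222-2222-2222-222222222222},CN=Policies,CN=System,DC=example,DC=com'
}

# Build a policy that contains only the new application's rule. A signed
# binary yields a publisher rule that survives upgrades; an unsigned one falls
# back to a hash rule that has to be regenerated after every patch.
Get-AppLockerFileInformation -Path $newApp |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'NewApp' -Xml |
    Set-Content -Path $ruleFile -Encoding Unicode

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($dept in $departmentGpos.Keys) {
    $ldap = $departmentGpos[$dept]

    # Back up the GPO's current AppLocker policy before touching it.
    $backup = Join-Path $backupDir ("{0}-{1}.xml" -f $dept, (Get-Date -Format 'yyyyMMdd-HHmm'))
    Get-AppLockerPolicy -Domain -Ldap $ldap -Xml | Set-Content -Path $backup -Encoding Unicode

    # -Merge adds the new rule to the GPO's existing rules; without it the
    # GPO's AppLocker policy would be replaced by the single-rule file.
    Set-AppLockerPolicy -XmlPolicy $ruleFile -Ldap $ldap -Merge
    Write-Output "Merged rule for $newApp into $dept GPO (backup: $backup)"
}

# To roll a department back, apply its backup without -Merge:
#   Set-AppLockerPolicy -XmlPolicy $backup -Ldap $ldap
```

On a client in one of the departments, run gpupdate /force and then confirm the merged rule arrived with the policy the computer actually applies: Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $newApp -User Everyone should report Allowed with the NewApp rule as MatchingRule.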

If you're planning on migrating most client computers to Windows 7, and if your network is small and homogenous, AppLocker may fit the bill. Even in a larger environment, AppLocker may be the right tool to lock down a subset of computers to let certain users only run a limited set of programs. However, when it comes to enterprise-wide application white-listing, or if you need to control app use on pre-Windows 7 clients, there are better third-party solutions.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.


Reader Comments:

Thu, Aug 6, 2009

Joern - You mentioned third-party solutions for the pre-Windows 7 clients. What solutions/companies do you recommend? Thanks.

