Six months ago, when I started using Windows 7 full time on
my primary system, I wanted to take better advantage of the new operating
system’s baked-in security features. I had already been running as a
limited-rights user that needed a separate administrator password to effect
system changes throughout my time with Windows Vista and I had gotten used to
the routine of right-click/Run as Administrator/password to install
anything. And since I was going to use
Windows 7 Ultimate, I decided to give the new AppLocker a try, to extend that
muscle memory to running applications and to see if such lockdown was a feasible
option on a heavily used workstation.
AppLocker is Microsoft’s take on application whitelisting, a
process by which a user can only run applications or processes that are
expressly permitted by policy. Application
whitelisting takes the opposite approach from traditional security solutions,
which try to block suspicious or known bad code from running. AppLocker instead blocks everything from
running except for known good and expressly permitted code.
Initially, I set up AppLocker with the default rules. My
everyday, limited-rights user account could only run executables and scripts
installed to either the Program Files or Windows directories and only
install signed Windows installers (or
unsigned ones saved to a specific folder in the Windows directory). And after a period of acclimation, I deleted
those exceptions for Windows Installer packages as well. In sum, to run any
application from a different directory or to install anything, I had to expressly
run it as administrator.
So AppLocker dictates my user account can only run
applications installed in two approved locations, and Least Privilege/User
Account Control says my user account cannot save things to those two locations.
It’s pretty good security, provided I don’t do anything stupid with my
administrator password. I suppose a privilege-escalating vulnerability could
present a problem, but those are generally rare, although there was one of note
recently.
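
The default-deny evaluation described above can be modelled in a few lines. This is an added example, not part of the original post and not Microsoft's code: the policy XML is constructed to mirror the default executable rules, the rule Ids are placeholders, the path variables are expanded to assumed default install locations, and `fnmatch` globbing stands in for AppLocker's own path matching.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed policy modelled on the default executable rules described above;
# the rule Ids are placeholders, not the GUIDs Windows generates.
POLICY_XML = r"""
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="rule-1" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="rule-2" Name="Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="rule-3" Name="Administrators: all files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""

# Assumption: path variables expand to the default install locations
# (simplified to a single Program Files directory).
PATH_VARS = {"%PROGRAMFILES%": r"C:\Program Files", "%WINDIR%": r"C:\Windows"}
EVERYONE, ADMINS = "S-1-1-0", "S-1-5-32-544"  # well-known SIDs


def load_rules(xml_text, collection="Exe"):
    """Return (action, sid, pattern) tuples for one rule collection."""
    rules = []
    for rc in ET.fromstring(xml_text).findall("RuleCollection"):
        if rc.get("Type") != collection:
            continue
        for rule in rc.findall("FilePathRule"):
            for cond in rule.iter("FilePathCondition"):
                pattern = cond.get("Path")
                for var, value in PATH_VARS.items():
                    pattern = pattern.replace(var, value)
                rules.append((rule.get("Action"), rule.get("UserOrGroupSid"), pattern.lower()))
    return rules


def is_allowed(rules, path, token_sids):
    """Default deny: run only if an Allow rule matches and no Deny rule does."""
    hits = {action for action, sid, pattern in rules
            if sid in token_sids and fnmatch.fnmatchcase(path.lower(), pattern)}
    return "Allow" in hits and "Deny" not in hits
```

Calling `is_allowed` with `{EVERYONE}` models the limited-rights account, and adding `ADMINS` to the set models the elevated Run as Administrator case.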
After six months of use, I generally forget that AppLocker
is running in the background, since I’ve already trained myself to install new
programs or updates in the new manner. Indeed, I’ve found it works well most of
the time. Of course, there is still code out there that can’t deal with this
type of security, and the most glaring examples I’ve encountered are Web
browser add-ons.
WebEx has been the most troublesome application for me. Neither
in Internet Explorer nor Firefox has my limited-rights user account been able
to join a conference. The Website prompts me to download some code to join, but
if I use the separate administrator account to install the code, I can’t get
into the meeting. Likely, the add-on was
added to the administrator’s browser instance.
The only solution I’ve found to my WebEx problem is to run
Internet Explorer as Administrator (it doesn’t work in Firefox), which
honestly, is the last thing I want to do. Doing this defeats the purpose of
locking down my security at all, as I am exempting one of the most commonly
attacked platforms from my security policy.
So I’ve started joining WebEx conferences from my iPhone
instead.
Unfortunately, I know software developers have little
impetus to design their code to work under such circumstances, as hardly anyone
is going to use their computer in this way. When I asked someone from Cisco
about my WebEx problem, I was asked incredulously, “Why would you do that to
yourself?” (This person was not associated with the WebEx team, I should note).
Indeed, AppLocker likely has a short and anonymous future
ahead of it, if only because the lion’s share of Windows 7 users out there doesn’t
have access to the feature. In January, Microsoft announced it moved in excess
of 60 million copies of Windows 7 in the last two months of 2009. But what
percentage of those 60 million sold are the Ultimate SKU, which is the only
consumer edition to include the feature?
The volume licensed Enterprise edition also comes with
AppLocker functionality, and I see some companies leveraging the feature for
kiosks or other limited use workstations.
But I can’t see many companies deploying it to their user base. Many IT professionals I’ve talked to about
this confide they still haven’t taken away local admin rights from their users,
so AppLocker isn’t even on their radar as a feasible alternative.
Are there any corporations out there trying to implement AppLocker
across their user base? I’d love to hear your story.