Six months ago, when I started using Windows 7 full time on my primary system, I wanted to take better advantage of the new operating system’s baked-in security features. I had already been running as a limited-rights user that needed a separate administrator password to effect system changes throughout my time with Windows Vista, and I had gotten used to the routine of right-click/Run as Administrator/password to install anything. And since I was going to use Windows 7 Ultimate, I decided to give the new AppLocker a try, to extend that muscle memory to running applications and to see if such lockdown was a feasible option on a heavily used workstation.
AppLocker is Microsoft’s take on application whitelisting, a process by which a user can only run applications or processes that are expressly permitted by policy. Application whitelisting takes the opposite approach from traditional security solutions which try to block suspicious or known bad code from running. AppLocker instead blocks everything from running except for known good and expressly permitted code.
Initially, I set up AppLocker with the default rules. My everyday, limited-rights user account could only run executables and scripts installed to either the Program Files or Windows directories and only install signed Windows installers (or unsigned ones saved to a specific folder in the Windows directory). And after a period of acclimation, I deleted those exceptions for Windows Installer packages as well. In sum, to run any application from a different directory or to install anything, I had to expressly run it as administrator.
So AppLocker dictates my user account can only run applications installed in two approved locations, and Least Privilege/User Account Control says my user account cannot save things to those two locations. It’s pretty good security, provided I don’t do anything stupid with my administrator password. I suppose a privilege-escalating vulnerability could present a problem, but those are generally rare, although there was one of note recently.
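The setup described above can be inspected with the AppLocker PowerShell cmdlets that ship with Windows 7. The script below is an added example, not part of the original article: it lists the path rules in the effective policy and asks AppLocker how it would treat specific files for the limited-rights account. The account name `dailyuser` and the `Downloads\setup.exe` path are placeholders chosen for illustration.

```powershell
# Added example, not from the original article.
Import-Module AppLocker

# Assumption: placeholder name for the everyday limited-rights account.
$user = "$env:COMPUTERNAME\dailyuser"

# Rules are only enforced while the Application Identity service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# Export the effective policy as XML and list the path rules per collection
# (Exe, Msi, Script, ...), with the action and the SID each rule applies to.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
foreach ($collection in $policy.SelectNodes('//RuleCollection')) {
    '{0}: {1}' -f $collection.GetAttribute('Type'),
                  $collection.GetAttribute('EnforcementMode')
    foreach ($rule in $collection.SelectNodes('FilePathRule')) {
        $paths = $rule.SelectNodes('Conditions/FilePathCondition') |
            ForEach-Object { $_.GetAttribute('Path') }
        '  {0,-5} {1,-14} {2}' -f $rule.GetAttribute('Action'),
                                  $rule.GetAttribute('UserOrGroupSid'),
                                  ($paths -join ', ')
    }
}

# Ask AppLocker how it would treat concrete files for that account.
# Assumption: the second path is a constructed sample; only existing files are tested.
$samples = @(
    "$env:windir\System32\notepad.exe",
    "$env:USERPROFILE\Downloads\setup.exe"
) | Where-Object { Test-Path $_ }

Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $samples -User $user |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

With only the two default path rules in place, a file under the Windows directory should come back as `Allowed` and a file in the user profile as `DeniedByDefault`.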
After six months of use, I generally forget that AppLocker is running in the background, since I’ve already trained myself to install new programs or updates in the new manner. Indeed, I’ve found it works well most of the time. Of course, there is still code out there that can’t deal with this type of security, and the most glaring examples I’ve encountered are Web browser add-ons.
WebEx has been the most troublesome application for me. Neither in Internet Explorer nor Firefox has my limited-rights user account been able to join a conference. The Website prompts me to download some code to join, but if I use the separate administrator account to install the code, I can’t get into the meeting. Likely, the add-on was added to the administrator’s browser instance.
The only solution I’ve found to my WebEx problem is to run Internet Explorer as Administrator (it doesn’t work in Firefox), which honestly, is the last thing I want to do. Doing this defeats the purpose of locking down my security at all, as I am exempting one of the most commonly attacked platforms from my security policy.
So I’ve started joining WebEx conferences from my iPhone instead.
Unfortunately, I know software developers have little impetus to design their code to work under such circumstances, as hardly anyone is going to use their computer in this way. When I asked someone from Cisco about my WebEx problem, I was asked incredulously, “Why would you do that to yourself?” (This person was not associated with the WebEx team, I should note).
Indeed, AppLocker likely has a short and anonymous future ahead of it, if only because the lion’s share of Windows 7 users out there doesn’t have access to the feature. In January, Microsoft announced it moved in excess of 60 million copies of Windows 7 in the last two months of 2009. But what percentage of those 60 million sold are the Ultimate SKU, which is the only consumer edition to include the feature?
The volume-licensed Enterprise edition also comes with AppLocker functionality, and I see some companies leveraging the feature for kiosks or other limited-use workstations. But I can’t see many companies deploying it to their user base. Many IT professionals I’ve talked to about this confide they still haven’t taken away local admin rights from their users, so AppLocker isn’t even on their radar as a feasible alternative.
Are there any corporations out there trying to implement AppLocker across their user base? I’d love to hear your story.