eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7

1 of 16

eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7

eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7by Jason Brooks

2 of 16

Starting out with SRP

I set out to lock down a test desktop running Windows XP Service Pack 3 in such a way that only applications installed in the program files or system directories would be allowed to run.

3 of 16

Disallow by default

In the "Security Levels" folder within "Software Restriction Policies," I clicked on "Disallowed," entered its properties dialog and opted to make "disallow" my default on the system.

4 of 16

Registry rules

When I made this change, Windows automatically generated four exception rules for particular registry locations to prevent SRP from completely locking me out of my system.

5 of 16


Windows' SRP allows for certificate, hash, Internet Zone and path-based rules to govern which applications are allowed to run.

6 of 16

A path-based rule

I added path-based rules that made my C:Program Files and C:Windows directories into free run zones.

7 of 16

Enforcement properties

I also adjusted the enforcement options to exclude administrators from enforcement and to include DLLs in my controls scheme—both of which differed from the system's defaults.

8 of 16

Make way for shortcuts

Another place where I diverged from defaults was in removing *.lnk, the file type for Windows shortcut files, as a blocked file extension. Without this change, none of the shortcuts in my Start menu would have worked.

9 of 16

Whitelisting in action

With my restriction policy in place, I sought to run an app from the desktop of a limited user, and Windows duly denied me.

10 of 16

Event logging

Windows files away SRP-based denials into the event log. Here you can see Windows refusing to run a shortcut (before I added the shortcut exception to my policy).

11 of 16

Hash-based rule

If I wished to allow a specific app to run on a limited user desktop, I could create a whitelisting rule based on a hash of the app.

12 of 16

Whitelisting in Windows 7

In Windows 7, SRP will be known as AppLocker, and will sport its very own MMC 3.0-based management dashboard.

13 of 16

AppLocker rules wizard

AppLocker includes a new rules generation wizard that rolls up the different policy control types offered under previous SRP versions into a single process.

14 of 16

Rule options

Windows 7 gave me the option of creating certificate-based rules for all signed files, and of creating hash- or path-based rules for the unsigned files. I could also opt to create hashes of all files under Program Files.

15 of 16

Review rules

The tool then told me how many files my new rule set would protect and how many rules the set would span, as well as offering me the option of reviewing the analyzed files and the yet-unmade rules before clicking "create."

16 of 16

Rule tweaking

If I wished to exclude some of the analyzed files from my policy, I could do so from the "review analyzed files" dialog.