eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7

eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7by Jason Brooks

I set out to lock down a test desktop running Windows XP Service Pack 3 in such a way that only applications installed in the program files or system directories would be allowed to run.

In the “Security Levels” folder within “Software Restriction Policies,” I clicked on “Disallowed,” entered its properties dialog and opted to make “disallow” my default on the system.

When I made this change, Windows automatically generated four exception rules for particular registry locations to prevent SRP from completely locking me out of my system.

Windows’ SRP allows for certificate, hash, Internet Zone and path-based rules to govern which applications are allowed to run.

I added path-based rules that made my C:Program Files and C:Windows directories into free run zones.

I also adjusted the enforcement options to exclude administrators from enforcement and to include DLLs in my controls scheme—both of which differed from the system’s defaults.

Another place where I diverged from defaults was in removing *.lnk, the file type for Windows shortcut files, as a blocked file extension. Without this change, none of the shortcuts in my Start menu would have worked.

With my restriction policy in place, I sought to run an app from the desktop of a limited user, and Windows duly denied me.

Windows files away SRP-based denials into the event log. Here you can see Windows refusing to run a shortcut (before I added the shortcut exception to my policy).

If I wished to allow a specific app to run on a limited user desktop, I could create a whitelisting rule based on a hash of the app.

In Windows 7, SRP will be known as AppLocker, and will sport its very own MMC 3.0-based management dashboard.

AppLocker includes a new rules generation wizard that rolls up the different policy control types offered under previous SRP versions into a single process.

Windows 7 gave me the option of creating certificate-based rules for all signed files, and of creating hash- or path-based rules for the unsigned files. I could also opt to create hashes of all files under Program Files.

The tool then told me how many files my new rule set would protect and how many rules the set would span, as well as offering me the option of reviewing the analyzed files and the yet-unmade rules before clicking “create.”

If I wished to exclude some of the analyzed files from my policy, I could do so from the “review analyzed files” dialog.