- eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7
- Starting out with SRP
- Disallow by default
- Registry rules
- Rulemaking
- A path-based rule
- Enforcement properties
- Make way for shortcuts
- Whitelisting in action
- Event logging
- Hash-based rule
- Whitelisting in Windows 7
- AppLocker rules wizard
- Rule options
- Review rules
- Rule tweaking
eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7
eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7by Jason Brooks
Starting out with SRP
I set out to lock down a test desktop running Windows XP Service Pack 3 in such a way that only applications installed in the program files or system directories would be allowed to run.
Disallow by default
In the “Security Levels” folder within “Software Restriction Policies,” I clicked on “Disallowed,” entered its properties dialog and opted to make “disallow” my default on the system.
Registry rules
When I made this change, Windows automatically generated four exception rules for particular registry locations to prevent SRP from completely locking me out of my system.
Rulemaking
Windows’ SRP allows for certificate, hash, Internet Zone and path-based rules to govern which applications are allowed to run.
A path-based rule
I added path-based rules that made my C:Program Files and C:Windows directories into free run zones.
Enforcement properties
I also adjusted the enforcement options to exclude administrators from enforcement and to include DLLs in my controls scheme—both of which differed from the system’s defaults.
Make way for shortcuts
Another place where I diverged from defaults was in removing *.lnk, the file type for Windows shortcut files, as a blocked file extension. Without this change, none of the shortcuts in my Start menu would have worked.
Whitelisting in action
With my restriction policy in place, I sought to run an app from the desktop of a limited user, and Windows duly denied me.
Event logging
Windows files away SRP-based denials into the event log. Here you can see Windows refusing to run a shortcut (before I added the shortcut exception to my policy).
Hash-based rule
If I wished to allow a specific app to run on a limited user desktop, I could create a whitelisting rule based on a hash of the app.
Whitelisting in Windows 7
In Windows 7, SRP will be known as AppLocker, and will sport its very own MMC 3.0-based management dashboard.
AppLocker rules wizard
AppLocker includes a new rules generation wizard that rolls up the different policy control types offered under previous SRP versions into a single process.
Rule options
Windows 7 gave me the option of creating certificate-based rules for all signed files, and of creating hash- or path-based rules for the unsigned files. I could also opt to create hashes of all files under Program Files.
Review rules
The tool then told me how many files my new rule set would protect and how many rules the set would span, as well as offering me the option of reviewing the analyzed files and the yet-unmade rules before clicking “create.”
Rule tweaking
If I wished to exclude some of the analyzed files from my policy, I could do so from the “review analyzed files” dialog.