1eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7
eWEEK Labs Walk-Through: App Whitelisting from XP to Windows 7by Jason Brooks
2Starting out with SRP
I set out to lock down a test desktop running Windows XP Service Pack 3 in such a way that only applications installed in the program files or system directories would be allowed to run.
3Disallow by default
In the “Security Levels” folder within “Software Restriction Policies,” I clicked on “Disallowed,” entered its properties dialog and opted to make “disallow” my default on the system.
4Registry rules
When I made this change, Windows automatically generated four exception rules for particular registry locations to prevent SRP from completely locking me out of my system.
5Rulemaking
Windows’ SRP allows for certificate, hash, Internet Zone and path-based rules to govern which applications are allowed to run.
6A path-based rule
I added path-based rules that made my C:Program Files and C:Windows directories into free run zones.
7Enforcement properties
I also adjusted the enforcement options to exclude administrators from enforcement and to include DLLs in my controls scheme—both of which differed from the system’s defaults.
8Make way for shortcuts
Another place where I diverged from defaults was in removing *.lnk, the file type for Windows shortcut files, as a blocked file extension. Without this change, none of the shortcuts in my Start menu would have worked.
9Whitelisting in action
With my restriction policy in place, I sought to run an app from the desktop of a limited user, and Windows duly denied me.
10Event logging
Windows files away SRP-based denials into the event log. Here you can see Windows refusing to run a shortcut (before I added the shortcut exception to my policy).
11Hash-based rule
If I wished to allow a specific app to run on a limited user desktop, I could create a whitelisting rule based on a hash of the app.
12Whitelisting in Windows 7
In Windows 7, SRP will be known as AppLocker, and will sport its very own MMC 3.0-based management dashboard.
13AppLocker rules wizard
AppLocker includes a new rules generation wizard that rolls up the different policy control types offered under previous SRP versions into a single process.
14Rule options
Windows 7 gave me the option of creating certificate-based rules for all signed files, and of creating hash- or path-based rules for the unsigned files. I could also opt to create hashes of all files under Program Files.
15Review rules
The tool then told me how many files my new rule set would protect and how many rules the set would span, as well as offering me the option of reviewing the analyzed files and the yet-unmade rules before clicking “create.”
16Rule tweaking
If I wished to exclude some of the analyzed files from my policy, I could do so from the “review analyzed files” dialog.
AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...