
AppLocker Policies Deployment Guide

Microsoft Corporation Published: April 2011

Abstract
This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker for Windows Server 2008 R2 and Windows 7. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.

Copyright information
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. 2011 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, AppLocker, Active Directory, Internet Explorer, RemoteApp, PowerShell, Windows, Windows Vista, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
AppLocker Policies Deployment Guide
  Abstract
  Copyright information
  Contents
AppLocker Policies Deployment Guide
  Purpose of this guide
  Prerequisites to deploying AppLocker policies
  Contents of this guide
  Additional resources
Understanding the AppLocker Policy Deployment Process
  Resources in support of the deployment process
Requirements for Deploying AppLocker Policies
  Your deployment plan
  Supported operating systems
  Your policy distribution mechanism
  Your event collection and analysis system
Using Software Restriction Policies with AppLocker Policies
  Understanding the difference between SRP and AppLocker
  Using SRP and AppLocker together
  Testing and validating SRP policies and AppLocker policies that are deployed in the same environment
    Step 1: Test the effect of SRP policies
    Step 2: Test the effect of AppLocker policies
Creating Your AppLocker Policies
  AppLocker policy deployment steps
    Step 1: Use your plan
    Step 2: Create your rules and rule collections
    Step 3: Configure the enforcement setting
    Step 4: Update the GPO
    Step 5: Test the effect of the policy
    Step 6: Implement the policy
    Step 7: Test the effect of the policy and adjust
  Next steps
Creating Your AppLocker Rules
  Creating AppLocker rules
    Automatically generate your rules
    Create your rules individually
  About selecting rules
  Next steps
Testing and Updating an AppLocker Policy
  Step 1: Enable the Audit only enforcement setting
  Step 2: Configure the Application Identity service to start automatically
  Step 3: Test the policy
  Step 4: Analyze AppLocker events
  Step 5: Modify the AppLocker policy
  Step 6: Repeat policy testing, analysis, and policy modification
Deploying the AppLocker Policy into Production
  Understanding your design decisions
  AppLocker deployment methods
Deploying AppLocker Policies by Using the Enforce Rules Setting
  Background and prerequisites
  Step 1: Retrieve the AppLocker policy
  Step 2: Alter the enforcement setting
  Step 3: Update the policy
  Step 4: Monitor the effect of the policy
Using a Reference Computer to Create and Maintain AppLocker Policies
  Background and prerequisites
  Step 1: Automatically generate rules on the reference computer
  Step 2: Create the default rules on the reference computer
  Step 3: Modify rules and the rule collection on the reference computer
  Step 4: Test and update the policy on the reference computer
  Step 5: Export and import the policy into production
  Step 6: Monitor the effect of the policy in production
Determine Which Applications Are Digitally Signed on a Reference Computer
Configure the AppLocker Reference Computer
  Additional resources
Maintaining AppLocker Policies
  Maintaining AppLocker policies by using Group Policy
    Step 1: Understand the current behavior of the policy
    Step 2: Export the AppLocker policy from the GPO
    Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
    Step 4: Test the AppLocker policy
    Step 5: Import the AppLocker policy into the GPO
    Step 6: Monitor the resulting policy behavior
  Maintaining AppLocker policies by using the Local Security Policy snap-in
    Step 1: Understand the current behavior of the policy
    Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule
    Step 3: Test the AppLocker policy
    Step 4: Deploy the policy with the modified rule
    Step 5: Monitor the resulting policy behavior
  Additional resources

AppLocker Policies Deployment Guide


This topic for the IT professional introduces the concepts and describes the steps required to deploy AppLocker policies in Windows Server 2008 R2 and Windows 7.

Purpose of this guide


This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change. This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see Using Software Restriction Policies with AppLocker Policies in this guide. To understand if AppLocker is the correct application control solution for you, see Understanding AppLocker Policy Design Decisions. For a web version of this document, see AppLocker Policies Deployment Guide in the Windows Server Technical Library.

Prerequisites to deploying AppLocker policies


The following are prerequisites or recommendations to deploying policies:

Understand the capabilities of AppLocker:
- AppLocker Technical Overview
- AppLocker Step-by-Step Guide

Document your application control policy deployment plan by addressing these tasks:
- Understanding the AppLocker Policy Deployment Process
- Understanding AppLocker Policy Design Decisions
- Determining Your Application Control Objectives
- Creating the List of Applications Deployed to Each Business Group
- Selecting the Types of Rules to Create
- Determining Group Policy Structure and Rule Enforcement
- Planning for AppLocker Policy Management
- Creating Your AppLocker Planning Document

Contents of this guide



This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running Windows Server 2008 R2 and Windows 7. It contains the following topics:
- Understanding the AppLocker Policy Deployment Process
- Requirements for Deploying AppLocker Policies
- Using Software Restriction Policies with AppLocker Policies
- Creating Your AppLocker Policies
- Deploying the AppLocker Policy into Production
- Maintaining AppLocker Policies

Additional resources
- Using Software Restriction Policies to Protect Against Unauthorized Software (http://go.microsoft.com/fwlink/?LinkID=155634). This TechNet article is about SRP in Windows XP and Windows Server 2003 and is also applicable to Windows Vista and Windows Server 2008. It provides an in-depth look at how software restriction policies can be used to fight viruses, regulate which ActiveX controls can be downloaded, run only digitally signed scripts, and enforce that only approved software is installed on system computers.
- Software Restriction Policies. This collection of Windows Server 2003 product help topics describes the concepts to understand and the steps to implement and maintain SRP.
- AppLocker. This topic lists AppLocker documentation resources for the IT professional.

Understanding the AppLocker Policy Deployment Process


This planning and deployment topic describes the process to use AppLocker when deploying application control policies in Windows Server 2008 R2 and Windows 7. To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is the accurate inventory of your organization's applications, which requires investigation with all the targeted business groups. With an accurate inventory, you can create rules and set enforcement criteria that will allow the organization to use the required applications and allow the IT department to manage a controlled set of applications. The following diagram shows the main points in the design, planning, and deployment process for AppLocker.

Resources in support of the deployment process


The following documentation contains information about designing, planning, deploying, and maintaining AppLocker policies:
- For information about the AppLocker policy design and planning requirements and process, see the AppLocker Policies Design Guide.
- For information about the AppLocker policy deployment requirements and process, see the AppLocker Policies Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=160260).
- For information about AppLocker policy maintenance and monitoring, see the AppLocker Operations Guide (http://go.microsoft.com/fwlink/?LinkId=160259).
- For information about AppLocker policy architecture, components, and processing, see the AppLocker Technical Reference (http://go.microsoft.com/fwlink/?LinkId=160263).

Requirements for Deploying AppLocker Policies


This deployment topic lists the requirements you need to meet before deploying AppLocker policies. The following requirements must be met or addressed before deploying your AppLocker policies:
- Your deployment plan
- The supported operating systems
- Your policy distribution mechanism
- Your event collection and analysis system

Your deployment plan


An AppLocker policy deployment plan is the result of investigating what applications are required and necessary in your organization, what applications are optional, and what applications are forbidden. To develop this plan, see Planning Application Control Policies by Using AppLocker. The following table is an example of the data you need to collect and the decisions you need to make in order to successfully deploy AppLocker policies on computers running Windows Server 2008 R2 or Windows 7.

Business group | Organizational unit | Implement AppLocker? | Applications | Installation path | Use default rule or define new rule condition | Allow or deny | GPO name | Support policy
Bank Tellers | TellerEast and TellerWest | Yes | Teller software | C:\Program Files\Woodgrove\Teller.exe | File is signed; create a publisher condition | Allow | Tellers | Web help
Bank Tellers | TellerEast and TellerWest | Yes | Windows files | C:\Windows | Create a path exception to the default rule to exclude \Windows\Temp | Allow | Tellers | Help desk
Human Resources | HR-All | Yes | Check Payout | C:\Program Files\Woodgrove\HR\Checkcut.exe | File is signed; create a publisher condition | Allow | HR | Web help
Human Resources | HR-All | Yes | Time Sheet Organizer | C:\Program Files\Woodgrove\HR\Timesheet.exe | File is not signed; create a file hash condition | Allow | HR | Web help
Human Resources | HR-All | Yes | Internet Explorer 7 | C:\Program Files\Internet Explorer\ | File is signed; create a publisher condition | Deny | HR | Help desk
Human Resources | HR-All | Yes | Windows files | C:\Windows | Use the default rule for the Windows path | Allow | HR | Help desk

Event processing policy

Business group | AppLocker event collection location | Archival policy | Analyzed? | Security policy
Bank Tellers | Forwarded to: srvBT093 | Standard | None | Standard
Human Resources | DO NOT FORWARD | 60 months | Yes; summary reports monthly to managers | Standard

Policy maintenance policy

Business group | Rule update policy | Application decommission policy | Application version policy | Application deployment policy
Bank Tellers | Planned: monthly through business office triage. Emergency: request through help desk | Through business office triage; 30-day notice required | General policy: keep past versions for 12 months. List policies for each application | Coordinated through business office; 30-day notice required
Human Resources | Planned: through HR triage. Emergency: request through help desk | Through HR triage; 30-day notice required | General policy: keep past versions for 60 months. List policies for each application | Coordinated through HR; 30-day notice required

Supported operating systems


AppLocker is supported only on the following editions of these operating systems:

Operating system/edition | AppLocker policies created and maintained | AppLocker policies deployed
Windows Server 2008 R2 Standard | Yes | Yes
Windows Server 2008 R2 Enterprise | Yes | Yes
Windows Server 2008 R2 Datacenter | Yes | Yes
Windows Server 2008 R2 for Itanium-Based Systems | Yes | Yes
Windows 7 Professional | Yes | No
Windows 7 Ultimate | Yes | Yes
Windows 7 Enterprise | Yes | Yes

Note that a policy authored on Windows 7 Professional is never applied on that edition, so it cannot serve as the computer on which you observe the policy's effect.

Software Restriction Policies are supported on versions of Windows beginning with Windows XP and Windows Server 2003 including the above versions. However, the SRP Basic User feature is not supported on the above operating systems.

Your policy distribution mechanism


AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. You will need a way to distribute the AppLocker policies throughout the targeted business group.

Your event collection and analysis system


Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see:
- Configure an AppLocker Policy for Audit Only
- Configure an AppLocker Policy for Enforce Rules
- View the AppLocker Log in Event Viewer
- Review AppLocker Events with Get-AppLockerFileInformation

Using Software Restriction Policies with AppLocker Policies


This topic describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same deployment for Windows operating systems beginning with Windows XP and Windows Server 2003 and including Windows Server 2008 R2 and Windows 7.


Understanding the difference between SRP and AppLocker


You might want to deploy application control policies onto Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported editions of Windows Server 2008 R2 and Windows 7, but you can use SRP on supported editions of Windows beginning with Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see Determine Your Application Control Objectives.

Using SRP and AppLocker together


Both SRP and AppLocker use Group Policy for domain management. However, when both SRP policies and AppLocker policies exist in the same Group Policy object (GPO), AppLocker policies will take precedence over SRP policies on computers running Windows Server 2008 R2 or Windows 7. For information about how inheritance in Group Policy applies to AppLocker policies and SRP policies, see Understanding AppLocker Rules and Enforcement Setting Inheritance in Group Policy. As an example of how both types of policy would affect the bank's "Teller software" application, consider the following scenario where the application is deployed on different Windows desktop operating systems and managed by the Tellers GPO.
Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP policy | Tellers GPO with both AppLocker policy and SRP policy
Windows 7 | AppLocker policies in the GPO are applied and supersede any local AppLocker policies. | Local AppLocker policies supersede any SRP policies applied through the GPO. | AppLocker policies in the GPO are applied and supersede the SRP policies in the GPO and any local AppLocker policies or SRP policies.
Windows Vista | AppLocker policies are not applied. | SRP policies in the GPO are applied and supersede any local SRP policies. | SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies are not applied.
Windows XP | AppLocker policies are not applied. | SRP policies in the GPO are applied and supersede any local SRP policies. | SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies are not applied.

Note For information about supported versions and editions of the operating system, see Supported operating systems.

Testing and validating SRP policies and AppLocker policies that are deployed in the same environment
Because SRP policies and AppLocker policies function differently but can exist in the same GPO or in linked GPOs, testing the result of the policy is critical to successfully controlling application usage in the targeted organization. Configuring a testing and policy distribution system can aid in understanding the result of a policy. The effects of SRP policies and AppLocker policies need to be tested separately and by using different tools even when in the same GPO.

Step 1: Test the effect of SRP policies


You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRP policies by using GPOs. For information about using RSoP, see Resultant Set of Policy. For information about using the GPMC, see Group Policy Management Console.

Step 2: Test the effect of AppLocker policies


You can test AppLocker policies by using Windows PowerShell cmdlets. For information about investigating the result of a policy, see Test an AppLocker Policy with Test-AppLockerPolicy and Review AppLocker Events with Get-AppLockerFileInformation. Another method to use when determining the result of a policy is to set the enforcement mode to audit-only. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For information about using the audit-only mode, see Understanding AppLocker Enforcement Settings and Configure an AppLocker Policy for Audit Only.


Creating Your AppLocker Policies


This overview topic describes the steps to create an AppLocker policy and prepare it for deployment.

AppLocker policy deployment steps


Creating effective application control policies with AppLocker starts by creating the rules for each application. Rules are grouped into one of four rule collections: executable files, Windows Installer files, scripts, and DLLs. Each rule collection can then be configured to be enforced or to run in an audit-only mode. An AppLocker policy includes the rules in the four rule collections and the enforcement setting for each rule collection.

Step 1: Use your plan


You can develop an application control policy plan to guide you in making successful deployment decisions. For more information about how to do this and what you should consider, see the AppLocker Policies Design Guide. The guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group:
1. Understanding the AppLocker Policy Deployment Process
2. Understanding AppLocker Policy Design Decisions
3. Determining Your Application Control Objectives
4. Creating the List of Applications Deployed to Each Business Group
5. Selecting the Types of Rules to Create
6. Determining Group Policy Structure and Rule Enforcement
7. Planning for AppLocker Policy Management
8. Creating Your AppLocker Policy Deployment Design Document

Step 2: Create your rules and rule collections


Each rule applies to one or more applications and imposes a specific rule condition upon them. Rules can be created individually or can be generated by the Automatically Generate Rules wizard. For steps to create the rules, see Creating Your AppLocker Rules.

Step 3: Configure the enforcement setting


An AppLocker policy is a set of rule collections, each configured with a rule enforcement setting. The enforcement setting can be Enforce rules, Audit only, or Not configured. Not configured is not the same as off: if a rule collection contains at least one rule and its enforcement setting is Not configured, the rules in that collection are enforced exactly as if Enforce rules had been selected. Set Audit only explicitly on every collection that has rules until you have reviewed the resulting audit events. For information about configuring this setting, see Configure an AppLocker Policy for Audit Only and Configure an AppLocker Policy for Enforce Rules.


Step 4: Update the GPO


AppLocker policies can be defined locally on a computer or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must either create a new Group Policy object (GPO) or you must update an existing GPO. You can create or modify AppLocker policies using the Group Policy Management Console (GPMC) or you can import an AppLocker policy into a GPO. For the procedure to do this, see Import an AppLocker Policy into a GPO.

Step 5: Test the effect of the policy


Either in a test environment, or with the enforcement setting set at Audit only, verify that the results of the policy are what you intended. For information about testing a policy, see Testing and Updating an AppLocker Policy.

Step 6: Implement the policy


Depending upon your deployment method, either import the AppLocker policy to the GPO in your production environment or, if the policy is already deployed, change the enforcement setting to your production environment value, either Enforce rules or Audit only.

Step 7: Test the effect of the policy and adjust


Validate the effect of the policy by analyzing the AppLocker logs for application usage, and modify the policy as necessary. To do this, see Discovering the Effect of an AppLocker Policy.
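The following Windows PowerShell script is an added example, not code from the Microsoft guide, that carries Steps 2 through 5 above through in one pass: it generates publisher and hash rules from a reference folder, forces every populated rule collection into Audit only before the policy leaves the reference computer (the Not configured pitfall described in Step 3), merges the result into a GPO, and reads back the effective policy. The reference folder, the output file path, the rule name prefix and the GPO LDAP path are assumptions; replace them with the values in your planning document.

```powershell
# Added example (not from the Microsoft guide). Requires the AppLocker cmdlets
# (Windows 7 / Windows Server 2008 R2 or later) and, for the GPO import, the
# rights to edit that GPO.
# Assumptions (hypothetical): $ReferenceDir, $PolicyFile and $GpoLdapPath.
Import-Module AppLocker

$ReferenceDir = 'C:\Program Files\Woodgrove'                    # assumed reference install
$PolicyFile   = 'C:\AppLockerPolicies\Tellers-Audit.xml'        # assumed output path
$GpoLdapPath  = 'LDAP://DC01.woodgrove.example/CN={GPO-GUID},CN=Policies,CN=System,DC=woodgrove,DC=example'  # hypothetical

function New-AuditPolicyFromReference {
    param(
        [Parameter(Mandatory=$true)] [string] $Directory,
        [string] $RuleNamePrefix = 'Tellers'
    )
    # Step 2: inventory the reference folder and generate rules. Signed files get
    # publisher rules; unsigned files fall back to file hash rules, matching the
    # "signed -> publisher, unsigned -> hash" decisions in the planning table.
    $fileInfo = Get-AppLockerFileInformation -Directory $Directory -Recurse `
                    -FileType Exe, Dll, Script, WindowsInstaller
    [xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
                    -RuleType Publisher, Hash -User Everyone `
                    -RuleNamePrefix $RuleNamePrefix -Optimize -Xml

    # Step 3: New-AppLockerPolicy writes EnforcementMode="NotConfigured" on each
    # collection. A collection that holds rules and is NotConfigured is ENFORCED
    # once the policy applies, so pin Audit only before the file is shipped.
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        if ($rc.ChildNodes.Count -gt 0) {
            $rc.SetAttribute('EnforcementMode', 'AuditOnly')
        }
    }
    return $policy
}

function Assert-NoEnforcedCollections {
    param([Parameter(Mandatory=$true)] [xml] $Policy)
    # Guard rail: refuse to import a policy whose populated collections would enforce.
    $bad = @($Policy.AppLockerPolicy.RuleCollection |
            Where-Object { $_.ChildNodes.Count -gt 0 -and $_.EnforcementMode -ne 'AuditOnly' })
    if ($bad.Count -gt 0) {
        $types = ($bad | ForEach-Object { $_.Type }) -join ', '
        throw "Rule collection(s) not in Audit only: $types"
    }
}

$policy = New-AuditPolicyFromReference -Directory $ReferenceDir
Assert-NoEnforcedCollections -Policy $policy
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null
$policy.Save($PolicyFile)

# Step 4: -Merge adds these rules to whatever the GPO already holds instead of
# replacing it, so default rules created earlier in the GPO survive.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap $GpoLdapPath -Merge

# Step 5: after gpupdate on a test client, confirm each collection's mode.
Get-AppLockerPolicy -Effective -Xml | Select-String 'EnforcementMode'
```

The guard in Assert-NoEnforcedCollections is deliberately strict: it throws on any populated collection that is not Audit only, which is the state you want during testing; relax it to accept Enabled only when you move to the Enforce rules deployment described later in this guide.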

Next steps
Follow the steps described in the topics below to continue the deployment process:
1. Creating Your AppLocker Rules
2. Testing and Updating an AppLocker Policy
3. Deploying the AppLocker Policy into Production

Creating Your AppLocker Rules


This topic describes what you need to know about AppLocker rules and the different methods to create rules.

Creating AppLocker rules


AppLocker rules apply to the targeted application and are the components that make up the AppLocker policy. Depending on your IT environment and the business group requiring application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can create rules by using either of the following methods. In either case, deriving the rules from your planning document helps you avoid unintended results. For information about this planning document and other planning activities, see AppLocker Policies Design Guide.

Automatically generate your rules


With a reference computer, you can automatically create a set of default rules for each of the installed applications, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed applications gives you a starting point to build and test your policies. For information about performing this task, see the following:
- Configure the AppLocker Reference Computer
- Run the Automatically Generate Rules Wizard
- Create AppLocker Default Rules
- Edit AppLocker Rules
- Configure Exceptions for an AppLocker Rule

Create your rules individually


You can create rules and set the mode to audit only for each of the installed applications, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group.

Note: AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For information about creating the default rules for the Windows operating system, see Create AppLocker Default Rules. You can edit the default rules.

For information about performing this task, see the following:
- Create a Rule that Uses a Publisher Condition
- Create a Rule That Uses a Path Condition
- Create a Rule That Uses a File Hash Condition
- Edit AppLocker Rules
- Enforce AppLocker Rules
- Configure an AppLocker Policy for Audit Only
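Rules created individually are ordinary entries in the policy XML, so they can be authored directly and merged into the local policy. The script below is an added example, not code from the Microsoft guide; it writes the two Bank Tellers rows of the planning table above as rules: a publisher condition for the signed Teller.exe, and the Windows path rule with \Windows\Temp excluded. The publisher subject string, product name and rule GUIDs are hypothetical; the real values for the publisher condition come from Get-AppLockerFileInformation against the signed file, as the comment shows. The path exception is the security-relevant part: a path allow rule trusts the location, so any subfolder under it that ordinary users can write to, of which \Windows\Temp is the one the plan names, must be excepted or the allow rule becomes a way to run arbitrary code.

```powershell
# Added example (not from the Microsoft guide): hand-authored AppLocker rules
# merged into the local policy on a reference computer.
# Assumptions (hypothetical): the publisher string for Teller.exe and the
# product name. Take the real values from:
#   (Get-AppLockerFileInformation -Path 'C:\Program Files\Woodgrove\Teller.exe').Publisher
Import-Module AppLocker

$tellerRuleId  = [guid]::NewGuid().ToString()
$windowsRuleId = [guid]::NewGuid().ToString()
$RuleFile      = 'C:\AppLockerPolicies\Tellers-Manual.xml'   # assumed output path

# S-1-1-0 is the Everyone SID. EnforcementMode is set explicitly to AuditOnly;
# leaving it NotConfigured on a collection with rules would enforce them.
$rulesXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$tellerRuleId" Name="Tellers: Teller software" Description="Signed; publisher condition" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=WOODGROVE BANK, L=REDMOND, S=WASHINGTON, C=US" ProductName="TELLER" BinaryName="TELLER.EXE">
          <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$windowsRuleId" Name="Tellers: Windows files" Description="Windows path rule with Temp excluded" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

function Test-PathRulesHaveExceptions {
    param([Parameter(Mandatory=$true)] [xml] $Policy)
    # Practitioner check: every Allow path rule that ends in a directory wildcard
    # should carry at least one exception; report the ones that do not.
    $Policy.AppLockerPolicy.RuleCollection.FilePathRule |
        Where-Object { $_.Action -eq 'Allow' -and
                       $_.Conditions.FilePathCondition.Path -like '*\*' -and
                       -not $_.Exceptions } |
        ForEach-Object { $_.Name }
}

[xml]$doc = $rulesXml                      # fails fast on malformed XML
$unguarded = @(Test-PathRulesHaveExceptions -Policy $doc)
if ($unguarded.Count -gt 0) { Write-Warning "Allow path rules without exceptions: $($unguarded -join ', ')" }

New-Item -ItemType Directory -Path (Split-Path $RuleFile) -Force | Out-Null
$doc.Save($RuleFile)

# -Merge keeps the default rules already in the local policy and adds these.
Set-AppLockerPolicy -XmlPolicy $RuleFile -Merge
Get-AppLockerPolicy -Local -Xml
```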

About selecting rules


AppLocker policies are composed of distinct rules for specific applications. These rules are grouped by collection and implemented through an AppLocker policy definition. AppLocker policies are managed either by using Group Policy or by using the Local Security Policy snap-in for a single computer.


When determining what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Different rule types are more applicable for some applications, depending on the way that the applications are deployed in a specific business group. For information about how to determine and document your AppLocker rules, see AppLocker Policies Design Guide. For information about AppLocker rules and AppLocker policies, see the following topics:
- Understanding AppLocker Rule Behavior
- Understanding AppLocker Rule Exceptions
- Understanding AppLocker Rule Collections
- Understanding AppLocker Allow and Deny Actions on Rules
- Understanding AppLocker Rule Condition Types
- Understanding AppLocker Default Rules

Next steps
1. Import an AppLocker Policy into a GPO or Import an AppLocker Policy from Another Computer
2. Testing and Updating an AppLocker Policy
3. Deploying the AppLocker Policy into Production

Testing and Updating an AppLocker Policy


This topic discusses the steps required to test an AppLocker policy prior to deployment. You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.

Step 1: Enable the Audit only enforcement setting


By using the Audit only enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the Enforcement tab of the AppLocker Properties dialog box. For the procedure to do this, see Configure an AppLocker Policy for Audit Only.

Step 2: Configure the Application Identity service to start automatically


Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see Start the Application Identity Service. For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each computer in order for the policies to be applied.

Step 3: Test the policy


Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the Audit only enforcement setting, the AppLocker policy should be present on all client computers that are configured to receive your AppLocker policy. The Test-AppLockerPolicy Windows PowerShell cmdlet can be used to determine whether any files will be blocked by the rules in your rule collection on your reference computers. For the procedure to do this, see Test an AppLocker Policy with Test-AppLockerPolicy.
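The following script is an added example for steps 2 and 3 of this procedure; it is not part of the guide and not Microsoft's own sample code. It checks that the Application Identity service (AppIDSvc) is set to start automatically, exports the effective policy with Get-AppLockerPolicy, and runs Test-AppLockerPolicy over one application folder. The folder C:\Program Files\ContosoApp and the user CONTOSO\jsmith are placeholders for a business group's application and a representative user.

```powershell
# Added example (not from the guide): verify the Application Identity service and run
# Test-AppLockerPolicy against one business group's application folder.
# Placeholders: the folder C:\Program Files\ContosoApp and the user CONTOSO\jsmith.
Import-Module AppLocker

# Step 2 check: rules are only evaluated while AppIDSvc is running, so a stopped
# service makes an audit test look clean for the wrong reason.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
if ($svc.StartMode -ne 'Auto') {
    Set-Service -Name AppIDSvc -StartupType Automatic
}
if ($svc.State -ne 'Running') {
    Start-Service -Name AppIDSvc
}

# Step 3: capture the policy as this computer actually sees it (local policy merged
# with any domain policy) and test every executable and DLL the user could run.
$policyFile = "$env:TEMP\effective-applocker.xml"
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyFile

$results = Get-ChildItem -Path 'C:\Program Files\ContosoApp' -Recurse -Include *.exe, *.dll |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User 'CONTOSO\jsmith'

# Denied: an explicit deny rule matched. DeniedByDefault: no allow rule matched at all,
# which usually means a rule is missing rather than a rule being too broad.
# (DLL results only matter once the DLL rule collection has been enabled.)
$blocked = @($results | Where-Object { $_.PolicyDecision -like 'Denied*' })
if ($blocked.Count -eq 0) {
    'No files in the folder would be blocked for this user.'
} else {
    $blocked | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
}

# Keep the full result for the planning document.
$results | Export-Csv -Path "$env:TEMP\applocker-test.csv" -NoTypeInformation
```

Testing against the effective policy rather than a single exported GPO matters because, as noted above, rules are inherited from linked GPOs; a file that is allowed by one GPO can still be blocked by the merged result.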

Step 4: Analyze AppLocker events


You can either manually analyze AppLocker events or use the Get-AppLockerFileInformation Windows PowerShell cmdlet to automate the analysis.

To manually analyze AppLocker events
You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see View the AppLocker Log in Event Viewer.

To analyze AppLocker events by using Get-AppLockerFileInformation
You can use the Get-AppLockerFileInformation Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an application is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem. For both event subscriptions and local events, you can use the Get-AppLockerFileInformation cmdlet to determine which files have been blocked or would have been blocked (if you are using the Audit only enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see Review AppLocker Events with Get-AppLockerFileInformation.

After using Get-AppLockerFileInformation to determine how many times a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names.
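As an added example of the automated analysis (not part of the guide, not Microsoft's sample code), the script below reads the AppLocker "EXE and DLL" log from a sample of computers with Get-WinEvent, pulls the file path, rule name and user out of each event's UserData block, and counts how often each file would have been blocked. The computer names REF-PC01 and REF-PC02 are placeholders. Event ID 8003 is the Audit only "would have been prevented" event and 8004 the enforced "was prevented" event in that log; the last line shows the per-file count the cmdlet itself provides for a local log.

```powershell
# Added example (not from the guide): summarise audit/blocked events from the AppLocker
# EXE and DLL log across several computers. Computer names are placeholders.
Import-Module AppLocker

$computers = @('REF-PC01', 'REF-PC02')   # placeholder sample of computers to review
$logName   = 'Microsoft-Windows-AppLocker/EXE and DLL'

$events = foreach ($computer in $computers) {
    # 8003 = allowed but would have been blocked (Audit only); 8004 = blocked (Enforce rules)
    Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $logName; Id = 8003, 8004 } |
        ForEach-Object {
            # AppLocker records the decision details in the event's UserData block;
            # reading the XML avoids parsing the localised message text.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            New-Object PSObject -Property @{
                Computer   = $computer
                Time       = $_.TimeCreated
                EventId    = $_.Id
                FilePath   = $data.FilePath
                Fqbn       = $data.Fqbn        # publisher\product\binary\version for signed files
                RuleName   = $data.RuleName    # the rule that produced the decision, if any
                TargetUser = $data.TargetUser  # SID of the user who ran the file
            }
        }
}

# Which files, and how often: the list to compare against the rule collection.
$events | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Which rule produced each decision and for which users: tells you whether a rule is
# too strict or simply missing before you look up the GPO with the Group Policy Results Wizard.
$events | Group-Object RuleName, TargetUser |
    Select-Object Count, Name | Format-Table -AutoSize

# The cmdlet gives the same per-file count directly for the local log.
Get-AppLockerFileInformation -EventLog -LogPath $logName -EventType Audited -Statistics
```

Run it on the computers you would otherwise sample by hand; when an event subscription forwards the logs to a collector, point the loop at the collector's forwarded-events log instead of each client.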

Step 5: Modify the AppLocker policy


After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in. For information about how to modify an AppLocker policy, see Editing an AppLocker Policy.

Step 6: Repeat policy testing, analysis, and policy modification


Repeat the previous steps 3 through 5 until all the rules perform as intended before applying enforcement.

Deploying the AppLocker Policy into Production


This topic describes the tasks that should be completed before deploying AppLocker application control settings. After successfully testing and modifying the AppLocker policy for each Group Policy object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from Audit only to Enforce rules. However, it is important to follow the deployment plan that you created earlier. For more information, see the AppLocker Policies Design Guide. Depending upon the needs of different business groups in your organization, you might be deploying different enforcement settings for linked GPOs.

Understanding your design decisions


Before deploying an AppLocker policy, you should have determined:
- For each business group, which applications will be controlled and in what manner. For more information, see Create the List of Applications Deployed to Each Business Group.
- How to handle requests for application access. For information about what to consider when developing your support policies, see Planning for AppLocker Policy Management.
- How to manage events, including forwarding events. For information about event management in AppLocker, see Monitoring Application Usage with AppLocker.
- Your GPO structure, including how to include both Software Restriction Policies (SRP) policies and AppLocker policies. For more information, see Determine Group Policy structure and rule enforcement.

For information about how AppLocker deployment is dependent upon design decisions, see Understanding AppLocker Policy Design Decisions.

AppLocker deployment methods


If you have configured a reference computer, you can create and update your AppLocker policies on this computer, test the policies, and then export the policies to the appropriate GPO for distribution. The other method is to create the policies with the enforcement setting set at Audit only and observe the events generated.
- Using a Reference Computer to Create and Maintain AppLocker Policies. This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
- Deploying AppLocker Policies by Using the Enforce Rules Setting. This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to either Audit only or Enforce rules.

Deploying AppLocker Policies by Using the Enforce Rules Setting


This topic describes the steps to deploy AppLocker policies by using the enforcement setting method.

Background and prerequisites


These procedures assume that you have already deployed AppLocker policies with the enforcement set to Audit only, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design. For information about the AppLocker policy enforcement setting, see Understanding AppLocker Enforcement Settings. For information about how to plan an AppLocker policy deployment, see AppLocker Policies Design Guide.

Step 1: Retrieve the AppLocker policy


Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test computer. For the procedure to do this, see Export an AppLocker Policy from a GPO and Import an AppLocker Policy into a GPO. For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in on your AppLocker reference or test computer. For the procedures to do this, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.

Step 2: Alter the enforcement setting


Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see Understanding AppLocker Enforcement Settings. For the procedure to alter the enforcement setting, see Configure an AppLocker Policy for Audit Only.
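The script below is an added example (not from the guide) that makes the per-collection behaviour visible in the exported policy XML: each RuleCollection element carries an EnforcementMode attribute (NotConfigured, AuditOnly or Enabled) and the individual rules carry none. It reports the configured and effective mode for every collection, then switches only the Exe collection from Audit only to Enforce rules. The file names are placeholders, and the final Set-AppLockerPolicy line is left commented so that running the script does not change the local policy by accident.

```powershell
# Added example (not from the guide): inspect and change the EnforcementMode of each
# rule collection in an exported local policy. File paths are placeholders.
Import-Module AppLocker

$inFile  = "$env:TEMP\local-applocker.xml"
$outFile = "$env:TEMP\local-applocker-enforced.xml"
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $inFile

[xml]$policy = Get-Content -Path $inFile

foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    # Count the rule elements (FilePublisherRule, FileHashRule, FilePathRule) in the collection.
    $ruleCount = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count

    # NotConfigured with rules present behaves like Enabled: the rules are enforced.
    if ($collection.EnforcementMode -eq 'NotConfigured' -and $ruleCount -gt 0) {
        $effective = 'Enabled (by default)'
    } else {
        $effective = $collection.EnforcementMode
    }
    "{0,-7} rules={1,-3} configured={2,-14} effective={3}" -f `
        $collection.Type, $ruleCount, $collection.EnforcementMode, $effective
}

# Move only the Exe collection from Audit only to Enforce rules; leave the others as they are.
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if ($exe -and $exe.EnforcementMode -eq 'AuditOnly') {
    $exe.EnforcementMode = 'Enabled'
    "Exe collection set to Enabled in $outFile"
}
$policy.Save($outFile)

# Apply to the local policy once reviewed. Without -Merge the file replaces the whole policy,
# which is what you want here because the enforcement attribute itself is the change.
# Set-AppLockerPolicy -XmlPolicy $outFile
```

The "Enabled (by default)" line is the trap this step warns about: a collection that merely has rules in it, with no enforcement setting chosen, is already enforcing them.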

Step 3: Update the policy


You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more information about Advanced Group Policy Management, see Advanced Group Policy Management Overview (http://go.microsoft.com/fwlink/?LinkId=145013).

Caution
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.

For the procedure to update the GPO, see Import an AppLocker Policy into a GPO. For the procedures to distribute policies for local computers by using the Local Security Policy snap-in, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.

Step 4: Monitor the effect of the policy


When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's application access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see View the AppLocker Log in Event Viewer and Review AppLocker Events with Get-AppLockerFileInformation.

Using a Reference Computer to Create and Maintain AppLocker Policies


This topic describes the steps to create and maintain AppLocker policies by using a reference computer.


Background and prerequisites


An AppLocker reference computer must be configured before it can be used to create and maintain AppLocker policies. For the procedure to do this, see Configure the AppLocker Reference Computer. An AppLocker reference computer used for AppLocker policy creation and maintenance should contain the corresponding applications for each organizational unit (OU) to mimic your production environment.

Important
The reference computer must be running one of the supported editions of Windows 7. For information about operating system requirements for AppLocker, see Requirements to Use AppLocker.

You can perform AppLocker policy testing on the reference computer, either by using the Audit only enforcement setting or Windows PowerShell cmdlets. You can also use the reference computer as part of a testing configuration that might include policies created by using Software Restriction Policies.

Step 1: Automatically generate rules on the reference computer


AppLocker allows you to automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see Run the Automatically Generate Rules Wizard.

Note
If you are running the wizard to create your first rules for a Group Policy object (GPO), you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules.
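The scripted equivalent of the wizard, as an added example that is not part of the guide and not Microsoft's own sample: Get-AppLockerFileInformation scans the application folder and New-AppLockerPolicy turns the result into rules, preferring publisher conditions for signed files and falling back to hash conditions for unsigned ones, which is the same choice the wizard offers. The generated rules are listed for review before the XML is saved. The folder, rule-name prefix and output path are placeholders, and 'Everyone' stands in for the business group's security group.

```powershell
# Added example (not from the guide): generate rules for one application folder on the
# reference computer and list them for review. Folder, prefix and output path are placeholders.
Import-Module AppLocker

$appDir = 'C:\Program Files\ContosoApp'   # placeholder: one business group's application folder
$outXml = "$env:TEMP\contosoapp-rules.xml"

# File information for every file type AppLocker controls, including subfolders.
$fileInfo = Get-AppLockerFileInformation -Directory $appDir -Recurse `
    -FileType Exe, Dll, Script, WindowsInstaller

# Publisher rules where a file is signed, hash rules otherwise. -Optimize collapses files
# from the same signed product into one publisher rule; -IgnoreMissingFileInformation skips
# files whose information could not be read instead of failing the whole run.
# 'Everyone' is a placeholder: a real policy should name the business group's security group.
[xml]$generated = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User 'Everyone' -RuleNamePrefix 'ContosoApp' -Optimize -IgnoreMissingFileInformation -Xml

# Review what was generated before it goes near a GPO. Hash rules point at unsigned
# binaries and must be regenerated whenever that file is updated.
foreach ($collection in $generated.AppLockerPolicy.RuleCollection) {
    $rules = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    foreach ($rule in $rules) {
        "{0,-7} {1,-17} {2}" -f $collection.Type, $rule.LocalName, $rule.GetAttribute('Name')
    }
}

$generated.Save($outXml)
"Generated policy written to $outXml"
```

Review the FileHashRule entries in particular: each one names a file the scan could not attribute to a publisher, and those are the rules that break on the next application update.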

Step 2: Create the default rules on the reference computer


AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For information about default rules and considerations when using them, see Understanding AppLocker Default Rules. For the procedure to create default rules, see Create AppLocker Default Rules.


Important
You can use the default rules as a template when creating your own rules to allow files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.

Step 3: Modify rules and the rule collection on the reference computer
If AppLocker policies are currently in your production environment, export the policy from the corresponding GPO and save it to the reference computer. For the procedure to do this, see Export an AppLocker Policy from a GPO. If no AppLocker policies have been deployed, then create the rules and develop the policies by using the following procedures:
- Create a Rule that Uses a Publisher Condition
- Create a Rule that Uses a File Hash Condition
- Create a Rule that Uses a Path Condition
- Edit AppLocker Rules
- Configure Exceptions for an AppLocker Rule
- Delete an AppLocker Rule
- Enable the DLL Rule Collection
- Enforce AppLocker Rules

Step 4: Test and update the policy on the reference computer


You should test each set of rules to ensure that they perform as intended. The Test-AppLockerPolicy Windows PowerShell cmdlet can be used to determine whether any files will be blocked by the rules in your rule collection on your reference computer. Perform the steps on each reference computer that you used to define the AppLocker policy. Ensure that the reference computer is joined to the domain and is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs. Use the following procedures to complete this step:
- Test an AppLocker Policy with Test-AppLockerPolicy
- Discover the Effect of an AppLocker Policy

Caution
If you have set the enforcement setting on the rule collection to Enforce rules or have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to Audit only, then application access events are written to the AppLocker log and the policy will not take effect.

Step 5: Export and import the policy into production


When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and once again checked for its intended effectiveness. To do this, perform the following procedures:
- Export an AppLocker Policy to an XML File
- Import an AppLocker Policy into a GPO or Import an AppLocker Policy onto Another Computer
- Discover the Effect of an AppLocker Policy

If the AppLocker policy enforcement setting is Audit only and you are satisfied that the policy is fulfilling your intent, you can change it to Enforce rules. For information about how to change the enforcement setting, see Configure an AppLocker Policy for Enforce Rules.

Step 6: Monitor the effect of the policy in production


If additional refinements or updates are necessary after a policy is deployed, use the appropriate procedures below to monitor and update the policy:
- Discover the Effect of an AppLocker Policy
- Review AppLocker Events with Get-AppLockerFileInformation
- Editing an AppLocker Policy
- Refresh an AppLocker Policy

Determine Which Applications Are Digitally Signed on a Reference Computer


This topic describes how to use AppLocker logs and tools to determine which applications are digitally signed. The Windows PowerShell cmdlet Get-AppLockerFileInformation can be used to determine which applications installed on your reference computers are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The computer does not need to be joined to the domain. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.


To determine which applications are digitally signed on a reference computer
1. From the command line on the reference computer, run Get-AppLockerFileInformation with the appropriate parameters. The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
2. Analyze the publisher's name and digital signature status from the output of the command. For command parameters, syntax, and examples, see Get-AppLockerFileInformation.
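An added example of the two steps above (not from the guide, not Microsoft's sample code): it scans the installation folders, splits the files by whether Get-AppLockerFileInformation returned publisher information, groups the signed files by publisher and product (each group is a candidate for one publisher rule), and lists the unsigned files that can only be covered by hash or path rules. The folder names are placeholders for wherever the business group's applications are installed.

```powershell
# Added example (not from the guide): inventory signed and unsigned application files on a
# reference computer. The folders are placeholders for the business group's install locations.
Import-Module AppLocker

$folders = @('C:\Program Files', 'C:\Program Files (x86)')   # placeholders

$files = foreach ($folder in $folders) {
    if (Test-Path -Path $folder) {
        Get-AppLockerFileInformation -Directory $folder -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller
    }
}

# A file with no Publisher value is unsigned (or its signature could not be read).
$signed   = @($files | Where-Object { $_.Publisher -ne $null })
$unsigned = @($files | Where-Object { $_.Publisher -eq $null })

"Scanned: {0}  signed: {1}  unsigned: {2}" -f @($files).Count, $signed.Count, $unsigned.Count

# Signed files grouped by publisher and product: one publisher rule can cover each group.
$signed | Group-Object { "{0} | {1}" -f $_.Publisher.PublisherName, $_.Publisher.ProductName } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Unsigned files need hash or path rules; these are the ones to raise with the application owner.
$unsigned | Select-Object Path | Sort-Object Path | Format-Table -AutoSize

# Keep both lists for the planning document.
$signed | Select-Object Path,
    @{ n = 'Publisher'; e = { $_.Publisher.PublisherName } },
    @{ n = 'Product';   e = { $_.Publisher.ProductName } } |
    Export-Csv -Path "$env:TEMP\signed-files.csv" -NoTypeInformation
$unsigned | Select-Object Path | Export-Csv -Path "$env:TEMP\unsigned-files.csv" -NoTypeInformation
```

The two CSV files feed directly into the per-business-group application list: the signed groups tell you how few publisher rules you need, and the unsigned list is the set of files whose rules will need maintenance on every update.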

Configure the AppLocker Reference Computer


This topic describes steps to create an AppLocker policy platform structure on a reference computer running Windows 7. An AppLocker reference computer used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment.

On a reference computer, you can:
- Maintain an application list for each business group.
- Develop AppLocker policies by either creating individual rules or creating a policy by automatically generating rules.
- Create the default rules to allow the Windows system files to run properly.
- Run tests and analyze the event logs to determine the effect of the policies you intend to deploy.

The reference computer does not need to be joined to a domain but must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows 7. For information about the supported editions, see Requirements to Use AppLocker.

To configure a reference computer
1. If the operating system is not already installed, install one of the supported editions of Windows 7 on the computer.
Note
If you use another computer to test your implementation of AppLocker policies by using Group Policy, you can export the policies to the other computer on which the Group Policy Management Console (GPMC) is installed.
2. Configure the administrator account. To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have delegated privileges to use Group Policy to update a Group Policy object (GPO).
3. Install all applications that run in the targeted business group or OU by using the same directory structure. The reference computer should be configured to mimic the structure of your production environment. It is dependent upon the same applications in the same directories as they are in production in order to accurately create the rules.
4. Import the AppLocker Windows PowerShell cmdlet module. To use the AppLocker cmdlets, you must first import the AppLocker module by using the following command at the Windows PowerShell command prompt: C:\PS> Import-Module AppLocker. Scripting must be enabled on the computer. For information about Windows PowerShell, see the Windows PowerShell Help file (WindowsPowerShellHelp.chm). For information about using the cmdlets, see Using the AppLocker Windows PowerShell Cmdlets.

Additional resources
After you configure the reference computer, you can now create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see AppLocker Rule Procedures.

Maintaining AppLocker Policies


This topic describes how to maintain rules within AppLocker policies. Common AppLocker maintenance scenarios include:
- A new application is deployed, and you need to update an AppLocker policy.
- A new version of an application is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy.
- An application is no longer supported by your organization, so you need to prevent it from being used.
- An application appears to be blocked but should be allowed.
- An application appears to be allowed but should be blocked.
- A single user or small subset of users needs to use a specific application that is blocked.

There are two methods you can use to maintain AppLocker policies:
- Maintaining AppLocker policies by using Group Policy
- Maintaining AppLocker policies by using the Local Security Policy snap-in

As new applications are deployed or existing applications are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy object (GPO) to ensure that your policy is current.

You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs, such as Microsoft Advanced Group Policy Management (AGPM). For more information about AGPM, see Advanced Group Policy Management Overview (http://go.microsoft.com/fwlink/?LinkId=145013).

Caution
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.

Maintaining AppLocker policies by using Group Policy


For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.

Step 1: Understand the current behavior of the policy


Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use Test-AppLockerPolicy to verify the effectiveness of your current policy for that application. To read the procedures necessary to understand the current behavior of the policy, see Discovering the Effect of an AppLocker Policy. Updating your AppLocker planning document will help you track your findings. For information about creating this document, see Creating Your AppLocker Planning Document. For information about Test-AppLockerPolicy and examples of how to use it, see Test-AppLockerPolicy (http://go.microsoft.com/fwlink/?LinkId=169000).

Step 2: Export the AppLocker policy from the GPO


Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference or test computer. To prepare an AppLocker policy for modification, see Export an AppLocker Policy from a GPO.

Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. To modify AppLocker rules, see the following:
- Edit AppLocker Rules
- Merge AppLocker Policies by Using Set-ApplockerPolicy or Merge AppLocker Policies Manually
- Delete an AppLocker Rule
- Enforce AppLocker Rules

Step 4: Test the AppLocker policy


You should test each collection of rules to ensure that the rules perform as intended. (Because AppLocker rules are inherited from linked GPOs, you should deploy all rules for simultaneous testing in all test GPOs.) For steps to perform this testing, see Testing and Updating an AppLocker Policy.

Step 5: Import the AppLocker policy into the GPO


After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see Import an AppLocker Policy into a GPO.

Step 6: Monitor the resulting policy behavior


After deploying a policy, evaluate the policy's effectiveness. For steps to understand the new behavior of the policy, see Discovering the Effect of an AppLocker Policy.
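Steps 1 through 6 of this Group Policy maintenance procedure, run from a reference computer for the "new application is deployed" scenario, as an added example that is not part of the guide and not Microsoft's own sample code. It exports the current policy from the GPO, checks how that policy treats the new application, generates rules for it, merges them into the reference computer's local policy with Set-AppLockerPolicy -Merge so the combined result can be tested, and only then merges the same rules into the GPO. The LDAP path (including the GPO GUID), the application folder and the test user are placeholders; 'Everyone' stands in for the business group's security group.

```powershell
# Added example (not from the guide): maintain a GPO-distributed AppLocker policy when a
# new application is deployed. LDAP path, folder, user and group are placeholders.
Import-Module AppLocker

$gpoLdap = 'LDAP://DC01.contoso.com/CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
$newApp  = 'C:\Program Files\NewApp'        # placeholder: the newly deployed application
$work    = "$env:TEMP\applocker-maint"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Steps 1 and 2: export the live policy from the GPO and see how it treats the new files.
Get-AppLockerPolicy -Domain -Ldap $gpoLdap -Xml | Set-Content -Path "$work\current.xml"
$before = Get-ChildItem -Path $newApp -Recurse -Include *.exe | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy "$work\current.xml" -User 'CONTOSO\jsmith'
'Before the change:'
$before | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Step 3: build the rules for the new application on the reference computer.
$fileInfo = Get-AppLockerFileInformation -Directory $newApp -Recurse -FileType Exe, Dll
$addition = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User 'Everyone' -RuleNamePrefix 'NewApp' -Optimize -IgnoreMissingFileInformation -Xml
$addition | Set-Content -Path "$work\newapp.xml"

# Step 4: merge the addition into this computer's local policy (existing rules are kept),
# export the merged result and test it before anything reaches the GPO.
Set-AppLockerPolicy -XmlPolicy "$work\newapp.xml" -Merge
Get-AppLockerPolicy -Local -Xml | Set-Content -Path "$work\merged-local.xml"
$after = Get-ChildItem -Path $newApp -Recurse -Include *.exe | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy "$work\merged-local.xml" -User 'CONTOSO\jsmith'
$stillBlocked = @($after | Where-Object { $_.PolicyDecision -like 'Denied*' })
if ($stillBlocked.Count -gt 0) {
    $stillBlocked | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    throw 'The new rules do not cover every file; fix them before updating the GPO.'
}

# Step 5: merge the same rules into the GPO. -Merge adds to the existing rules and keeps
# the collections' enforcement settings; without it the file would replace the GPO policy.
Set-AppLockerPolicy -XmlPolicy "$work\newapp.xml" -Ldap $gpoLdap -Merge

# Step 6: after the next Group Policy refresh on a client, confirm the effective policy
# and watch the AppLocker event log for the new application's files.
'Rules merged into the GPO; verify on a client with: Get-AppLockerPolicy -Effective -Xml'
```

The throw in step 4 is the gate that keeps an incomplete rule set out of production: because the GPO is live, the merge in step 5 takes effect at the next policy refresh with no further review.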

Maintaining AppLocker policies by using the Local Security Policy snap-in


For every scenario, the steps to maintain an AppLocker policy distributed by using the Local Security Policy snap-in include the following tasks.

Step 1: Understand the current behavior of the policy


Before modifying a policy, evaluate how the policy is currently implemented. To read the procedures necessary to understand the current behavior of the policy, see Discovering the Effect of an AppLocker Policy. Updating your AppLocker planning document will help you track your findings. For information about creating this document, see Creating Your AppLocker Planning Document.

Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule
Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. To modify AppLocker rules, see the appropriate topic in the AppLocker Rule Procedures collection.


Step 3: Test the AppLocker policy


You should test each collection of rules to ensure that the rules perform as intended. For steps to perform this testing, see Testing and Updating an AppLocker Policy.

Step 4: Deploy the policy with the modified rule


You can export and then import AppLocker policies to deploy the policy to other computers running Windows 7 or Windows Server 2008 R2. To perform this task, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.

Step 5: Monitor the resulting policy behavior


After deploying a policy, evaluate the policy's effectiveness. For steps to understand the new behavior of the policy, see Discovering the Effect of an AppLocker Policy.

Additional resources
For steps to perform other AppLocker policy tasks, see Administering AppLocker.

