Software Restriction Policies have been around since the release of Windows XP. They allow you to limit which applications can execute on a computer either by path, publisher’s certificate or a hash value of the application executable’s binary file. The drawback to software restriction policies is that they can be cumbersome to implement properly. The most secure type of policy, the hash policy, needs to be updated every time an application is updated. If you think about the number of applications that need to run on a standard desktop system, the number of hash values that you need to generate to get the most secure form of software restriction policy is quite significant. Path rules are easier to implement, but they are easier for the cunning attacker to get around.
AppLocker, a feature available only in the Enterprise and Ultimate editions of Windows 7, is Software Restriction Policies “The Next Generation”. There are four big differences with AppLocker. Publisher Rules, Granularity, Exceptions and Automatic Rule Creation.
At a glance, Publisher Rules are similar to Certificate Rules in that you allow or deny applications based on a publisher’s digital certificate. Where AppLocker goes further is that it allows you modify the scope of a rule based on that publisher’s certificate. You can allow/deny a specific version of an application, all versions of an application after a particular release, or all applications from that particular publisher. Exceptions allow you to block all applications from a specific publisher with exceptions that allow execution.
AppLocker also allows for the automatic generation of baseline rules based on the current configuration of the computer. This can save a massive amount of time when it comes to generating the rules. Publisher rules will be automatically created for applications that have publisher certificates and file hash rules will be automatically created for applications that do not have certificates.