Description of Windows 7 AppLocker
From Technet
Once deployed, the software configuration of a typical desktop begins to drift away from its desired state.
The inconsistencies come more often than not from the installation and execution of non-standard software within the desktop environment. Users bring software into the environment from a variety of sources: home, Internet downloads, peer-to-peer file sharing, and through e-mail.
The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that your desktops are running only approved, licensed software.
In addition, many non-productive applications installed by end users cause incompatibilities with business applications, cause performance degradation on the local desktop, or needlessly consume network bandwidth.
As a result, many organizations are looking to exert more control over their desktop environment through a variety of lockdown schemes. A leading analyst predicts that fifty percent of organizations with over 1000 desktops will deploy some desktop lockdown mechanism by the end of 2010.
As a first step in locking down their desktop environment, organizations typically look toward removing administrative privilege from their users.
Running as a standard, non-administrative user is a step in the right direction, because it helps limit the configuration changes that can be made in the desktop environment; however, running as a standard user does not eliminate unknown or unwanted software in your organization.
It is not uncommon for standard users to download and install applications that do not require any administrative privileges. Users are also able to download and run single-file executables, like web browsers or the malicious greeting cards that continually make the rounds. These threats put organizations at risk from malware that targets user data.
Once administrative access is removed, many organizations realize that it is not a total solution. In addition to the issues called out above, organizations also find that there is great benefit in allowing users the ability to install innocuous or approved software themselves, but they still need to prevent users from installing software that is considered risky.
Application control solutions provide an alternative approach for allowing organizations to exert more control over the software that is executed in their desktop environment. Software Restriction Policies (SRP), in Windows XP and Windows Vista®, was one of the first application control solutions in the marketplace.
SRP gave IT administrators a coarse mechanism to define and enforce application control policies.
However, SRP could become a management burden in a very dynamic desktop environment where applications were installed and updated on a constant basis, because SRP policies predominantly relied on hash rules. With hash rules, every time an application is updated, a new hash rule must be created.
Windows 7 AppLocker
Windows 7 addresses the growing desire for application control solutions in the enterprise with the introduction of AppLocker: a simple and flexible mechanism that allows administrators to specify exactly what is allowed to run in their desktop environment.
As a result, AppLocker provides not only security protections, but also operational and compliance benefits by:
- Keeping unlicensed software from running in your desktop environment
- Preventing vulnerable, unauthorized applications from running in your desktop environment, including malware
- Stopping users from running applications that needlessly consume network bandwidth or otherwise impact the enterprise computing environment
- Preventing users from running applications that destabilize their desktop environment and increase helpdesk support costs
- Easing enterprise software deployments and maintenance through effective desktop configuration management
- Allowing users to install and run approved applications and software updates based upon their business needs
- Helping ensure your desktop environment is in compliance with corporate policies and industry regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, Basel II, and others
AppLocker provides a simple and powerful structure through three rule types: allow, deny, and exception. Allow rules limit execution of applications to a "known good list" of applications and block everything else.
Deny rules take the opposite approach and allow the execution of any application except those on a list of “known bad” applications. While many enterprises will likely use a combination of allow rules and deny rules, the ideal AppLocker deployment would use allow rules with built-in exceptions.
Exception rules allow you to exclude files from an allow/deny rule that would normally be included. Using exceptions, you can create a rule to “allow everything in the Windows Operating System to run, except the built-in games.” Using allow rules with exceptions provides a robust way to build a “known good list” of applications without having to create an inordinate number of rules.
AppLocker introduces publisher rules that are based upon application digital signatures. Publisher rules make it possible to build rules that survive application updates by being able to specify attributes such as the version of an application.
For example, an organization can create a rule to “allow all versions greater than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe.” Now when Adobe updates Acrobat, you can safely push out the application update without having to build another rule for the new version of the application.
AppLocker supports multiple, independently configurable policies: executables, installers, scripts, and DLLs. The multiple policies allow an organization to build rules that go beyond the traditional executable-only solutions, providing greater flexibility and enhanced protection.
For example, an organization could create a rule to “allow the Graphics Department to get updates directly from Adobe for Photoshop as long as it is still Adobe Photoshop version 14.*”.
This allows IT to retain control but empowers users to keep their systems up to date based upon their business needs. In addition, each of these policies can be individually placed into an audit-only mode, allowing you to test your rules before they start blocking applications from running and potentially hurting end-user productivity.
AppLocker rules can be associated with a specific user or group within an organization. This provides granular controls that allow you to support compliance requirements by validating and enforcing which users can run specific applications.
For example, you can create a rule to “allow people in the Finance Department to run the Finance line of business applications.” This blocks everyone who is not in your Finance Department from running your finance applications (including administrators), but still provides access for those that have a business need to run the applications.
AppLocker provides a robust experience for IT administrators through new rule creation tools and wizards. Using a step-by-step approach and fully integrated help, creating new rules, automatically generating rules and importing/exporting rules is intuitive, so that rules are easy to create and maintain.
For example, IT administrators can automatically generate rules using a test reference machine and then import the rules into a production environment for widespread deployment. The IT administrator can also export policy to provide a backup of your production configuration or to provide documentation for compliance purposes.
AppLocker is a new technology in Windows 7 that will be part of the Enterprise SKU, while the legacy Software Restriction Policies will be available in the Business and Enterprise SKUs.
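The rule types described above (allow, deny and exception rules, a publisher rule with a version range, a rule scoped to one group, and audit-only mode) can be put together in a single AppLocker policy. The script below is an added example written for this page; it is not code from the Technet article or from Microsoft. It builds the policy as XML, writes it to a file, and evaluates it with Test-AppLockerPolicy before anything is enforced. The group CONTOSO\Finance, the test accounts, the paths under C:\Apps and "Microsoft Games", the Adobe publisher and product strings, and the sample files are all assumptions for illustration.

```powershell
# Added example, not code from the Technet article: a small AppLocker policy
# that exercises allow, deny and exception rules, a publisher rule with a
# version range and a group-scoped rule, all in audit-only mode, and then
# evaluates it with Test-AppLockerPolicy. Group, paths, publisher strings,
# test accounts and sample files are assumptions.
Import-Module AppLocker

# Rules are scoped by SID, not by name, so resolve the group first.
$account    = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Finance')
$financeSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$everyone   = 'S-1-1-0'                                 # well-known SID: Everyone
function New-RuleId { [guid]::NewGuid().ToString() }    # every rule needs a unique Id

$policyXml = @"
<AppLockerPolicy Version="1">
  <!-- Executable collection in audit-only mode: decisions are logged, nothing is blocked yet -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">

    <!-- Publisher rule: Acrobat Reader signed by Adobe, version 9.0 or higher.
         Survives updates because it matches on signer plus version range, not on a hash.
         Publisher/product strings are assumed; read the real ones from a signed file
         with Get-AppLockerFileInformation -Path <exe>. -->
    <FilePublisherRule Id="$(New-RuleId)" Name="Allow Acrobat Reader 9.0+ signed by Adobe"
        Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"
            ProductName="ADOBE READER" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>

    <!-- Allow rule for the operating system itself -->
    <FilePathRule Id="$(New-RuleId)" Name="Allow everything in the Windows folder"
        Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>

    <!-- Allow rule with an exception: Program Files, except the built-in games (path assumed) -->
    <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files except built-in games"
        Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%PROGRAMFILES%\Microsoft Games\*" /></Exceptions>
    </FilePathRule>

    <!-- Group-scoped rule: only members of Finance may run the Finance line-of-business apps -->
    <FilePathRule Id="$(New-RuleId)" Name="Allow Finance LOB apps (Finance group only)"
        Description="" UserOrGroupSid="$financeSid" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Apps\FinanceLOB\*" /></Conditions>
    </FilePathRule>

    <!-- Deny rule: an explicit deny wins over any allow rule that also matches -->
    <FilePathRule Id="$(New-RuleId)" Name="Deny execution from user Downloads folders"
        Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" /></Conditions>
    </FilePathRule>

  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding unicode

# Dry run against sample files (assumed to exist on the test machine), once as an
# assumed Finance user and once as an assumed non-Finance user.
$samples = 'C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe',
           'C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe',
           'C:\Apps\FinanceLOB\Ledger.exe'
foreach ($user in 'CONTOSO\fin-user', 'CONTOSO\other-user') {
    "--- evaluating as $user ---"
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User $user |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Only once the dry run looks right: apply locally (still audit-only in this XML).
# Set-AppLockerPolicy -XmlPolicy $policyPath
```

Two design points worth keeping in mind. First, as soon as a rule collection contains any rule and is enforced, every file in that collection that no rule allows is blocked, so the two broad allow rules for the Windows and Program Files folders are what keep the operating system itself running; the exception and the deny rule then carve out what should not run. Second, the Test-AppLockerPolicy step is cheap insurance: it reports the decision and the matching rule per file and per user before the policy touches any desktop.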
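The reference-machine workflow described above (generate rules automatically on a test machine, pilot them in audit-only mode, then export and import them into production) can be driven end to end with the AppLocker PowerShell module that ships with Windows 7. The script below is an added example written for this page, not code from the Technet article or from Microsoft; the reference directory, the C:\AppLocker output folder, the pilot-period review and the GPO LDAP path (with a placeholder GUID) are assumptions.

```powershell
# Added example, not code from the Technet article: the reference-machine
# workflow done with the Windows 7 AppLocker cmdlets. Reference directory,
# output folder and GPO LDAP path (placeholder GUID) are assumptions.
Import-Module AppLocker
New-Item -ItemType Directory -Path 'C:\AppLocker' -Force | Out-Null

# 1. On the reference machine: inventory the installed software and generate
#    rules automatically. Publisher rules are preferred because they survive
#    updates; unsigned files fall back to hash rules. -Optimize merges rules
#    that share a publisher so the rule count stays manageable.
$refFiles = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll, WindowsInstaller, Script
$xml = $refFiles | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'RefMachine' -Optimize -Xml

# 2. Generated collections come out as NotConfigured; switch them to audit-only
#    so the pilot logs decisions without blocking anything. The Application
#    Identity service (AppIDSvc) must be running for AppLocker to evaluate rules.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xml | Out-File -FilePath 'C:\AppLocker\generated-policy.xml' -Encoding unicode
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\generated-policy.xml'

# 3. After the pilot period: what would have been blocked? Audit decisions are
#    event ID 8003 in the AppLocker operational log. -Statistics gives a per-file
#    count; without it the same events feed New-AppLockerPolicy, so rules for the
#    legitimate gaps can be generated and reviewed before they are merged.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited -Statistics
Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'AuditGap' -Optimize -Xml |
    Out-File -FilePath 'C:\AppLocker\audit-gaps.xml' -Encoding unicode

# 4. Export the effective policy as a backup and compliance record, then merge the
#    reviewed policy into the production GPO (-Merge keeps the rules already there).
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath 'C:\AppLocker\effective-backup.xml' -Encoding unicode
$gpo = 'LDAP://dc1.contoso.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'
Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\generated-policy.xml' -Ldap $gpo -Merge
```

The audit-log step is the one that turns audit-only mode into something actionable: the 8003 events tell you exactly which files users ran that the policy would have stopped, which separates "a rule is missing" from "this should indeed be blocked" before enforcement is switched on.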
Summary
Your desktop environment is not only one of your top productivity tools, but it also represents a significant investment. You need tools that empower your users to run the applications they need to be productive while providing effective defenses against unknown and unwanted software.
Windows 7 addresses the growing desire for application control solutions in the enterprise with the introduction of AppLocker: a simple and flexible mechanism that allows administrators to specify exactly what is allowed to run in their desktop environment.
As a result, AppLocker provides not only security protections, but also operational and compliance benefits. Best of all, AppLocker is easy to administer, allowing your IT resources to concentrate on aligning your IT infrastructure with your dynamic business requirements.