AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that replaces the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as executable files, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute, which persists through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Import and export rules. Import and export affect the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
- Simplify creating and managing AppLocker rules by using the AppLocker PowerShell cmdlets.
For more information about AppLocker rules, see Understanding AppLocker Rules.
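The capabilities listed above (publisher rules that survive updates, audit-only mode, whole-policy import, and the PowerShell cmdlets) combined in one workflow, as an added example that is not from the original page: the source directory, the output path, and the use of the Everyone group are assumptions.

```powershell
# Added example (not from the original page): build an AppLocker policy from the
# executables in a trusted directory, deploy it in audit-only mode, and test a
# file against it before enforcing anything.
Import-Module AppLocker

$sourceDir  = 'C:\Windows\System32'           # assumption: directory holding trusted executables
$policyPath = 'C:\AppLockerPolicy\audit.xml'  # assumption: where the policy XML is written

# Collect publisher and hash information for every executable in the directory.
$fileInfo = Get-AppLockerFileInformation -Directory $sourceDir -FileType Exe -Recurse

# Prefer publisher rules (they persist across signed updates); fall back to hash
# rules for unsigned files. The rules apply to Everyone.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Trusted' -Xml

# Switch every rule collection to audit-only so decisions are logged, not enforced.
[xml]$xml = $policy
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$xml.Save($policyPath)

# Apply to the local computer. -Merge keeps the existing rules; without it the
# whole existing policy is overwritten, as the import/export behaviour above describes.
# (Set-AppLockerPolicy -Ldap targets a GPO instead of the local policy.)
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Check what the policy would decide for a specific file while still in audit mode.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Windows\regedit.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule
```

While the policy is in audit-only mode, the decisions appear in the AppLocker event log rather than blocking anything, which is what lets you review the impact before switching the collections to enforced.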
What has changed?
The following table compares AppLocker to Software Restriction Policies.
Feature | Software Restriction Policies | AppLocker |
---|---|---|
Rule scope | All users | Specific user or group |
Rule conditions provided | File hash, path, certificate, registry path, and Internet zone rules | File hash, path, and publisher rules |
Rule types provided | Allow and deny | Allow and deny |
Default rule action | Allow or deny | Deny |
Audit-only mode | No | Yes |
Wizard to create multiple rules at one time | No | Yes |
Policy import or export | No | Yes |
Rule collection | No | Yes |
PowerShell support | No | Yes |
Custom error messages | No | Yes |
AppLocker requirements
AppLocker is available in all editions of Windows Server 2008 R2 and in Windows 7 Ultimate and Windows 7 Enterprise. To use AppLocker, you need:
- A computer running Windows Server 2008 R2, Windows 7 Ultimate, Windows 7 Enterprise, or Windows 7 Professional to create the AppLocker rules. Windows 7 Professional can be used to create the rules, but the rules cannot be enforced on computers running Windows 7 Professional. The computer can be a domain controller.
- For Group Policy deployment, at least one computer with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
- Computers running Windows Server 2008 R2, Windows 7 Ultimate, or Windows 7 Enterprise to enforce the AppLocker rules that you create.