AppLocker in Windows 7: Restricting Program Access
Restricting Application Access with AppLocker in Windows 7
When multiple users share a computer, it's often desirable to prevent certain individuals from running specific applications. Windows 7 offers a feature called AppLocker that facilitates this control. This guide details how to restrict program access using AppLocker. Please note that AppLocker functionality is limited to the Ultimate and Enterprise editions of Windows 7.
Accessing AppLocker Configuration
To begin configuring AppLocker rules, administrative privileges are required. Launch the Group Policy Editor by clicking Start and typing 'gpedit.msc' into the search field, then pressing Enter.
Navigating to AppLocker Policies
Within the Local Computer Policy, navigate through the following path: Computer Configuration \ Windows Settings \ Security Settings \ Application Control Policies \ AppLocker.
Configuring Rule Enforcement
The AppLocker interface provides the central controls for managing application access. To activate rule enforcement, click on the 'Configure rule enforcement' link.
Enabling Executable Rules
In the AppLocker Properties window, ensure the box next to 'Configured' is checked under 'Executable rules'. Then, click 'Ok' to save the changes.
Blocking Applications
Consider a scenario where a user, such as Jack, is spending excessive time playing games instead of completing homework. AppLocker can be used to block access to all games on the system.
Creating a New Rule
After completing the initial configuration steps, select 'Executable Rules' under the Overview section. As this is likely the first time accessing AppLocker, no rules will currently be listed. Right-click within the window and choose 'Create New Rule…'.
The Create Executable Rules Wizard
The 'Create Executable Rules' wizard will appear. You can opt to suppress the introductory screen for future sessions.
Defining Rule Action and User
Select 'Deny' under the 'Action' section. This will prevent the specified user from running the targeted applications. Next, specify the user to whom the rule will apply – in this case, 'Jack'.
Specifying Rule Conditions
Proceed to the next step. Under 'Conditions', you can choose from Publisher, Path, or File hash. To block all games, select 'Path'.
Selecting the Games Folder
Click the 'Browse Folders' button and navigate to the directory containing the games, such as the 'Microsoft Games' folder.
Completing Rule Creation
The subsequent screen allows for the addition of exceptions, permitting specific files within the blocked directory. However, since the intention is to block the entire games directory, proceed to the next screen.
Add a descriptive name to the rule for easy identification, especially when multiple rules are configured. Once everything is verified, click 'Create'.
Default Rule Creation
A message may appear indicating that default rules have not yet been created. It is crucial to create these default rules; therefore, click 'Yes' to proceed.
Reviewing the Created Rule
The AppLocker interface will now display the default rules alongside the newly created rule, showing that Jack is denied access to the selected directory.
Ensuring Application Identification Service is Running
After creating the rule, verify that the 'Application Identification' service is running and configured to start automatically. This service is not started by default and is essential for the rules to function correctly.
User Experience After Rule Application
When Jack logs into his user account and attempts to launch a game, he will encounter a message indicating access is denied. Only an administrator can modify or remove the rule.
Conclusion
Exercise caution when configuring AppLocker rules. It is recommended to only start the Application Identity service after all rules have been thoroughly reviewed. Incorrect configuration could potentially lock you out of applications, including AppLocker itself. This guide demonstrated a basic AppLocker rule; future explorations will cover more complex configurations for enhanced user access control.
