Windows 7 Migration
How Windows 7's AppLocker Group Policy Can Improve End-User Security
Any IT manager knows what kinds of hassles can arise when users install unauthorized third-party applications--like, say, Web browsers. You go to great pains to make sure Internet Explorer is locked down, patched, and secure, then Joe Salesguy goes and loads Google Chrome. A hacker exploits a security hole, and now you're cleaning up viruses and who knows what other messes. (We're not saying Chrome is more vulnerable than IE, just that it's not typically a vetted enterprise app.)
Fortunately, if you've deployed Windows 7, there's an easy solution: AppLocker. As you may recall, this new feature allows IT managers to determine which programs a user (or group of users) can run. Or, to put it another way, AppLocker can block programs you don't want users to have.
The Group Policy Center blog (interesting niche, no?) offers instructions on how to configure AppLocker Group Policy in Windows 7 to block third-party browsers (and other third-party software). Here's an excerpt:
AppLocker is a new feature in Windows 7 that allows system administrators to block a particular executable from running on a computer. This is an enhanced version of Software Restriction Policy, which did a similar thing in Windows XP/Vista, but it can only block programs based on either a file name, path or file hash. The AppLocker feature takes it a step further and allows administrators to block executables based on their digital signature. The benefit of basing this on a digital signature is that you can block programs based on a combination of the version, program name or even vendor name. This means that even if the vendor updates the program with a new version (which happens often with browsers) the AppLocker rules will still apply, greatly saving administrative overhead. You can also set the rule based on the program version, which means you can set a minimum supported version that is allowed to run. Another advantage is that AppLocker applies to any program that runs on a computer, meaning that no matter where the program is being run from (e.g. USB Memory stick) it will prevent it from running.
Sounds good, no? The author walks you through each step in the setup process, using Chrome as an example (while noting that the same steps apply for other browsers). If you've already put AppLocker to use in your organization, hit the comments and let us know how you like the feature--or if you don't like it for some reason!
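The publisher-based blocking the excerpt describes can be tried out with the AppLocker PowerShell cmdlets before touching Group Policy. The script below is an added example, not taken from the Group Policy Center walkthrough; the Chrome install path and the output file name are assumptions.

```powershell
# Added example. The install path and file name below are assumptions,
# not values from the article.
Import-Module AppLocker

$exe        = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'  # assumed path
$policyFile = Join-Path $env:TEMP 'deny-browser-publisher.xml'                     # hypothetical name

# 1. Read publisher, product name, binary name and version from the file's
#    digital signature. An unsigned file has no Publisher value and cannot
#    be matched by a publisher rule.
$info = Get-AppLockerFileInformation -Path $exe
if (-not $info.Publisher) { throw "$exe is not signed; use a hash or path rule instead." }
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# 2. Generate a publisher rule for Everyone. New-AppLockerPolicy produces
#    Allow rules, so switch the action to Deny in the XML it returns.
$xml = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml
$xml = $xml -replace 'Action="Allow"', 'Action="Deny"'

# 3. Match every version, so the rule keeps applying after the vendor ships
#    an update. For a "minimum supported version" rule, keep the action as
#    Allow and set LowSection to that version instead.
$anyVersion = '<BinaryVersionRange LowSection="*" HighSection="*" />'
$xml = $xml -replace '<BinaryVersionRange[^>]*/>', $anyVersion
Set-Content -Path $policyFile -Value $xml

# 4. Dry run: ask AppLocker how this policy file would treat the binary,
#    without applying anything to the machine.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exe -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule
```

Before enforcing, merge the rule into a policy that already contains the default allow rules: once the executable rule collection is enforced, any program without a matching allow rule is blocked.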










