App Locker and Software Restriction Policies

Windows 7 provides different policies to block particular applications. If you want to limit the applications that a user can run on a computer with windows 7, there are two features to restrict the execution of applications in Windows 7. They are App locker policies and Software restriction policies.

Software Restriction policies:

Software restriction policies are used to protect computers against conflicts and security threats such as malicious viruses and Trojan horse programs. You can manage software restriction policies through group policies.
Steps to configure Software Restriction policies are:
1. Click ‘Start’ – ‘Control Panel’ – ‘System and Security’ – ‘Administrative Tools’ – ‘Local security Policy’ – ‘Software Restriction Policies’.
2. To create a new ‘Software restriction policy’, open ‘Group policy’ Wizard and click ‘Software Restriction Policy’ node.
3. In the ‘Action’ menu, select ‘New Software Restriction Policies’. Here you will have to manually design the software restriction policy depending on the rules. This policies will apply in the following order:
a. Hash rules
b. Certificate rules
c. Path rules
d. Zone rules
e. Default rules

The different types of Software restriction policies are:

1. Security Levels: This level allows you to set the default rules. When there is no ‘Software Restriction Policies’ rule that matches the application, then you can apply this default rule. The three different default rules are: Disallowed, Basic user and Unrestricted.
2. Enforcement: This rule allows you to apply software restriction policies to all users except for members of local administrator groups. You can apply this rule to all software files
3. Designated file types: It determines the type of file that you want to execute according to Software restriction policy
Note: A user cannot remove standard file types such as .com, .exe, and .vbs even when he has administrator rights.
App locker policies: (App locker is available only in Enterprise and Ultimate editions)

App locker policies are used to block some specific applications on a computer. We can apply this policy to all future version of product, which are already blocked by app locker. They are also known as Application Control Policies.
1. Click ‘Start’ – ‘Control Panel’ – ‘System and Security’ – ‘Administrative tools’ – ‘Local security Policy’ – ‘Application Control Policies’.
2. Open ‘Application Control Policies’ double click ‘App locker’.

The different rules in App Locker are:

A. Executable Rules:
This rule can apply only to .exe and .com files. The default rule allows everyone to execute all the application in the program file folder and windows folder.
B. Windows Installer Rules:
This rule is applicable for .msi and .msp files. It can allow or block software installation on the computer.
C. Script Rules: This rule is applicable to .ps1, .bat, .cmd, .vbs, and .js files. The default script rule allows the execution of all scripts located in the Program file folder and windows folder.
D. DLL Rule: This rule is applicable for library files which have .dll and .ocx file extensions. By default the DLL rules are not enabled in Windows 7.

Note: Working of Hash rule and path rule in app locker policy is same as that of Software restriction policy. The default Windows installer rule allows installation of any software updates through group policy.

Steps to restrict application through group policy:

1. Click ‘Start’ – enter ‘gpedit.msc’ in the search box. Open the ‘gpedit’ application from the search result.
2. In ‘Local group policy’ editor, expand ‘User configuration’, click on ‘Administrative templates’ and select ‘system’.
3. In the right pane, double click on ‘Don’t run specified Windows applications’. Select ‘Enabled’.
4. Click ‘Show’ button and type the executable filename of the program that you want to restrict, (for e.g. calc.exe for calculator). Click ‘Ok’ for the changes to apply.