
Configuring Windows 7 (Training Kit) - Part 32 pps


Lesson 2: Managing AppLocker and Software Restriction Policies CHAPTER 5 283
FIGURE 5-22 AppLocker path rule
Creating Rules Automatically
A significant advantage of AppLocker over Software Restriction Policies is the ability to
generate rules automatically. To configure rules for AppLocker, you can right-click either the
Executable Rules, Windows Installer Rules, or Script Rules node and then click Automatically
Generate Rules. You are asked to specify a directory for the wizard to scan. Your options,
shown in Figure 5-23, enable you to have Windows automatically generate publisher rules
for files that are digitally signed and give you the option of creating a hash rule or a path rule
if a file is not signed. Alternatively, you can create a file hash rule for all files of the type you
are configuring. The Automatically Generate Rules wizard scans a folder and all folders that it
contains when generating rules.
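
The same scan can be scripted with the AppLocker PowerShell module that ships with Windows 7. This is an added example, not part of the training kit; the scan directory, rule name prefix, and output file are assumptions.

```powershell
# Added example: scripted counterpart of the Automatically Generate Rules wizard.
# Run from an elevated PowerShell prompt. Paths and the rule prefix are assumptions.
Import-Module AppLocker

$scanRoot  = 'C:\Program Files'                       # assumed folder to scan
$policyXml = "$env:TEMP\generated-applocker.xml"      # assumed output file

# Collect publisher, path, and hash information for every executable in the
# folder and in all folders that it contains.
$files = @(Get-AppLockerFileInformation -Directory $scanRoot -Recurse -FileType Exe)

# Files without publisher information are not digitally signed. They fall back
# to hash rules, which must be re-created whenever the file is updated.
$unsigned = @($files | Where-Object { -not $_.Publisher })
'{0} files scanned, {1} unsigned' -f $files.Count, $unsigned.Count
$unsigned | Select-Object -ExpandProperty Path

# Publisher rules for signed files, hash rules for the rest.
# -Optimize merges similar rules so the policy stays readable.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'AutoGen' -Optimize -Xml |
    Out-File -FilePath $policyXml

# Review the generated XML first. -Merge adds the rules to the existing local
# policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

The list of unsigned files is worth keeping: those are the applications that stop running after a software update until a new hash rule is created.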
Configuring Exceptions
Exceptions allow specific applications to be exempt from more general rules. For example,
you could create a publisher rule that allows all versions of a Contoso application named
Alpha but then use an exemption to block the execution of version 42 of application Alpha.
You can use any method to specify an exception, and the method you choose does not
depend on the type of rule that you are creating. For example, as Figure 5-24 shows, you
can create a publisher rule that allows all applications published by Microsoft to execute on
a computer, but you also can configure a file hash exemption for Solitaire.exe. Of course,
this example rule would work only if the default path rule for the Program Files folder is not
created. You can create exemptions for Block rules as well as Allow rules.
284 CHAPTER 5 Managing Applications
FIGURE 5-23 Creating rules automatically
FIGURE 5-24 Configuring an exemption
AppLocker Auditing
As AppLocker can have a significant impact on the way that applications function in your
organization’s environment, it is often prudent to audit the way that AppLocker functions
prior to fully enforcing AppLocker policies. This allows you to verify which applications are
affected by AppLocker without actually blocking those applications from executing. To
configure AppLocker to audit rules rather than enforce them, configure each AppLocker rule
type to be audited only, as shown in Figure 5-25.
FIGURE 5-25 Configuring AppLocker auditing
AppLocker audit events are written to the AppLocker event log, which is found in Event
Viewer in the Applications and Services Logs\Microsoft\Windows node. Each event in the
AppLocker log contains detailed information about:
• The rule name
• The SID of the targeted user or group
• Which file the rule affects and its path
• Whether the file is allowed or blocked
• The rule type (publisher, path, or file hash)
You will learn more about auditing in Chapter 8, “Branch Cache and Resource Sharing.”
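
The audit-then-review cycle described above can also be driven from PowerShell. This is an added example, not part of the training kit; the temporary file name is an assumption, and the script edits the local policy rather than a domain Group Policy object.

```powershell
# Added example: put the local AppLocker policy into audit-only mode, then
# review what would have been blocked. Run elevated. File name is an assumption.
Import-Module AppLocker

# 1. Set every rule collection (Exe, Msi, Script, Dll) to audit only.
$xmlPath = "$env:TEMP\applocker-audit.xml"
[xml]$policy = Get-AppLockerPolicy -Local -Xml
foreach ($collection in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($xmlPath)
Set-AppLockerPolicy -XmlPolicy $xmlPath        # replaces the local policy

# 2. After users have worked under the audited policy, list the executables
#    that were allowed to run but would have been blocked (event ID 8003).
#    UserId is the SID of the user the rule was evaluated for.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003
} -ErrorAction SilentlyContinue

$events | Select-Object TimeCreated, UserId, Message | Format-List

# 3. Summarize the audited files with a hit count per file, which shows
#    which missing allow rules matter most before enforcement is turned on.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

An empty result in step 2 while the Application Identity service is stopped does not mean the policy is clean; no events are written until the service is running.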
MORE INFO: APPLOCKER AUDITING
To learn more about configuring auditing for AppLocker, consult the following Microsoft
TechNet article:
EXAM TIP
Understand why one user might be able to execute an application and another user is
unable to execute the same application.
Practice: Restricting Applications
In this practice, you use two different methods to restrict the execution of applications:
Software Restriction Policies and AppLocker. Software Restriction Policies are used to
restrict the execution of applications on computers running Windows XP, Windows Vista,
and Windows 7. AppLocker is a feature that is new to Windows 7 and is available only in the
Ultimate and Enterprise editions of the product.
Exercise 1: Configuring a Software Restriction Policy

In this exercise, you create a Software Restriction Policy hash rule to block the execution
of the Windows calculator application. To complete this exercise, perform the following
steps:
1. Log on to computer Canberra using the Kim_Akers user account.
2. Click Start, type Calculator, and then press Enter. Verify that the Calculator application
starts and then close it.
3. Click Start and then type gpedit.msc and press Enter. This opens the Local Group
Policy Editor console.
4. Navigate to the Computer Configuration\Windows Settings\Security Settings node.
5. Select and then right-click the Software Restriction Policies node. Choose New
Software Restriction Policies.
6. Right-click the Additional Rules node and then choose New Hash Rule. This will open
the New Hash Rule dialog box. Click Browse. Navigate to the \Windows\System32
folder.
7. In the Open dialog box, type calc.exe in the File Name text box and then click Open.
Ensure that the Security Level is set to Disallowed, as shown in Figure 5-26, and then
click OK.
8. Close the Local Group Policy Editor and then reboot the computer. Log back on using
the Kim_Akers user account.
FIGURE 5-26 Creating a hash rule
9. Click Start, type Calculator, and then press Enter. You should get the message shown
in Figure 5-27.
FIGURE 5-27 Calculator application blocked by policy
10. Click Start, type gpedit.msc, and then press Enter. This opens the Local Group Policy
Editor console. Navigate to the Computer Configuration\Windows Settings\Security
Settings\Software Restriction Policies\Additional Rules node and then delete the policy
for Calc.exe.
11. Close the Local Group Policy Editor console and then reboot the computer. Log on as
Kim_Akers and verify that you can again open the Calculator application.

Exercise 2: Configuring AppLocker
In this exercise, you configure an AppLocker policy to block the Solitaire application.
To complete the exercise, perform the following steps:
1. If you are not already logged on to computer Canberra, log on as Kim_Akers.
2. Click Start, type Solitaire, and then press Enter. Verify that the Solitaire application
opens. Close Solitaire.
3. Click Start, type services.msc, and then press Enter. This opens the Services console.
4. Double-click the Application Identity service. Set the Startup Type to Automatic, as
shown in Figure 5-28, click Start, and then click OK. Close the Services console.
FIGURE 5-28 Configuring the startup properties of the Application Identity service
5. Click Start, type gpedit.msc, and press Enter. This opens the Local Group Policy Editor
console.
6. Navigate to the Computer Configuration\Windows Settings\Security Settings\
Application Control Policies node and then select the AppLocker item.
7. Right-click Executable Rules and then choose Create New Rule. On the Before You
Begin page of the Create Executable Rules wizard, click Next.
8. On the Permissions page, select Deny and then click Next.
9. On the Conditions page, select Publisher and then click Next.
10. On the Publisher page, click Browse. Navigate to the \Program Files\Microsoft Games\
Solitaire folder and then double-click Solitaire.exe.
11. On the Publisher page, select the Use Custom Values check box, and then verify that
the settings match those shown in Figure 5-29. Click Create.
12. When prompted to create the default rules, click Yes.
13. Close the Local Group Policy Editor console, turn off the computer, and then restart it.
FIGURE 5-29 A rule blocking the Solitaire application
14. Log on with the Kim_Akers user account and attempt to access the Solitaire
application. You should receive a message informing you that it has been blocked by
policy, as shown in Figure 5-30.
FIGURE 5-30 Solitaire blocked by policy
15. Click Start, type services.msc, and then press Enter. This opens the Services console.
16. Double-click the Application Identity service. Set the Startup Type to Disabled. Close
the Services console.
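
Before logging on to test a rule as in step 14, the policy decision can be checked from PowerShell for any account. This is an added example, not part of the training kit; CANBERRA\Kim_Akers is the account from the exercise, and CANBERRA\Don_Hall is a hypothetical second account.

```powershell
# Added example: show why one user can run an application and another cannot.
# 'CANBERRA\Don_Hall' is a hypothetical account used for comparison.
Import-Module AppLocker

# AppLocker rules are evaluated only while the Application Identity service
# is running, so check it before trusting any result.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($svc.Status); AppLocker rules are not being applied."
}

$target = "$env:ProgramFiles\Microsoft Games\Solitaire\Solitaire.exe"
$users  = 'CANBERRA\Kim_Akers', 'CANBERRA\Don_Hall'

# Evaluate the effective policy (local plus domain) for each account.
# PolicyDecision is Allowed, Denied, or DeniedByDefault; MatchingRule names
# the rule that produced the decision.
$effective = Get-AppLockerPolicy -Effective
foreach ($user in $users) {
    $effective |
        Test-AppLockerPolicy -Path $target -User $user |
        Select-Object @{ Name = 'User'; Expression = { $user } },
                      FilePath, PolicyDecision, MatchingRule
}
```

A result of DeniedByDefault means no rule matched for that account and the fallback block applied, whereas Denied means an explicit block rule matched.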
Lesson Summary
• Software Restriction Policies can be used on computers running Windows XP, Windows
Vista, Windows Server 2003, Windows Server 2008, and Windows 7.
• You can choose a Software Restriction Policy default rule that blocks all applications
that are not allowed or choose a default rule that allows all applications that are not
subject to any other rules.
• Software Restriction Policy rules that are more specific override rules that are less
specific. A hash rule that sets an application to unrestricted overrides a path rule that
sets the same application to Disallowed.
• Hash rules are analogous to digital fingerprints of specific files. You must create a new
hash rule if you apply a software update to a file.
• AppLocker policies are a type of application control policy.
• AppLocker policies can be used only on computers running Windows 7 Enterprise and
Ultimate editions.
• AppLocker path and hash rules work in the same way that Software Restriction Policy
path and hash rules work.
• AppLocker publisher rules allow you to create rules based on which vendor digitally
signed an application. You can allow all applications from that vendor, all versions of
a specific application, or just a specific version of a specific application using publisher
rules.
• Some AppLocker rule types allow exceptions. Exceptions allow you to exempt a specific
application from the scope of a general AppLocker rule.
• An AppLocker block rule always overrides an AppLocker allow rule. The fallback rule
for AppLocker blocks the execution of any application not explicitly allowed by another
rule.
• AppLocker overrides Software Restriction Policies when both are applied to the same
computer.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2,
“Managing AppLocker and Software Restriction Policies.” The questions are also available on
the companion DVD if you prefer to review them in electronic form.
NOTE: ANSWERS
Answers to these questions and explanations of why each answer choice is correct or
incorrect are located in the “Answers” section at the end of the book.
1. Your organization has 50 computers running Windows Vista Enterprise and 40
computers running Windows 7 Professional. You want to stop users from accessing
the Solitaire game application. Which of the following strategies should you pursue to
accomplish this goal?
A. Use AppLocker to create a publisher rule to block Solitaire.exe.
B. Use AppLocker to create a hash rule to block Solitaire.exe.
C. Use AppLocker to create a path rule to block Solitaire.exe.
D. Use Software Restriction Policies to create a path rule to block Solitaire.exe.

2. What type of AppLocker rule should you create to block all applications that are
created by a specific software vendor?
A. Publisher rules
B. Path rules
C. Hash rules
3. You want to configure a set of AppLocker rules to block the execution of application
software that is not digitally signed by the software vendor. You want to test that
these rules work before enforcing them. Which of the following settings should you
configure to accomplish this goal? (Choose all that apply; each answer forms part of
a complete solution.)
A. Create AppLocker publisher rules.
B. Create AppLocker hash rules.
C. Configure AppLocker enforcement to audit executable rules.
D. Configure AppLocker enforcement to audit Windows Installer rules.
4. Your organization has a mix of computers running Windows 7 Ultimate and Windows 7
Professional. Each group of computers is located in a separate organizational unit (OU)
in your Windows Server 2008 R2 Active Directory Domain Services environment. You
have configured AppLocker policies to block application execution to the OU hosting
the Windows 7 Ultimate computer accounts. You have configured Software Restriction
Policy rules and applied them to the OU hosting the Windows 7 Professional accounts.
The Software Restriction Policy rules block the required applications. The applications
blocked by the AppLocker policies function normally—that is, they are not blocked.
Which of the following steps should you take to ensure that the AppLocker policies
function properly?
A. Configure Group Policy to set the Application Management service to start
automatically. Apply this policy to the OU hosting the computer accounts of the
computers running Windows 7 Ultimate.
B. Configure Group Policy to set the Application Management service to start
automatically. Apply this policy to the OU hosting the computer accounts of the
computers running Windows 7 Professional.

C. Configure Group Policy to set the Application Identity service to start
automatically. Apply this policy to the OU hosting the computer accounts of the
computers running Windows 7 Ultimate.
D. Configure Group Policy to set the Application Identity service to start
automatically. Apply this policy to the OU hosting the computer accounts of the
computers running Windows 7 Professional.
5. You have configured AppLocker policies to allow the execution of specific applications
only. If an AppLocker policy hasn’t been created for it, an application cannot execute.
After a recent software update, users are unable to execute one of the applications for
which you have configured a rule. Other applications function normally. This application
is not signed digitally by the software vendor. Which of the following strategies
should you pursue to ensure that the application is able to execute on the computers
running Windows 7?
A. Create a new hash rule for the application.
B. Create a new publishing rule for the application.
C. Ensure that you enable the Application Identity service on the computers running
Windows 7.
D. Ensure that you enable the Application Management service on the computers
running Windows 7.
