None of us love all applications equally. For one, there are those our users aren't supposed to be running: streaming video, for example. Try as you might, you'll never stop your users from getting to all of them. These things kill productivity, hammer the network, and half the time seem packed with junkware, spyware, and who knows what else. And those are just the applications your users know they're not supposed to be running. There's also that whole class of 'quasi-business' applications that have an arguable business benefit, but which your company hasn't paid for, isn't licensed to use, and doesn't want. Those can not only cause support issues, but outright financial damage if you're caught.

Windows' primary function, after all, is to run applications, and it does a pretty good job at it. Getting it to not run applications kind of goes against the grain. In Windows XP and Windows Server 2003, Microsoft introduced a technology called Software Restriction Policies (SRP), a part of Group Policy that was intended to keep unwanted applications from running. With SRP, you'd make a big list of all the applications you wanted to permit, and nothing else could execute. Oh, organizations definitely used it, and it works as advertised, but the process of assembling and maintaining that list of approved applications was incredibly complicated and time-consuming. Many, many organizations simply didn't have the time or resources, and so they gave SRP a miss.

AppLocker is a new feature of Windows 7 billed as the solution to SRP's tedious application whitelist maintenance. On paper, AppLocker scans your environment to find the installed apps and automatically constructs the whitelist for you. You can, of course, edit that to remove the already-installed applications that you don't want to permit, and you can maintain the list going forward. To be sure, AppLocker is still a complex piece of business, and it's far from perfect.

To begin with, inventorying applications requires configuring client computers to run the new Application Identity Service, something that ships with Windows 7 but isn't enabled by default. This service is designed to read application rules from Group Policy and then identify applications accordingly; in other words, it is what makes AppLocker work. Once enabled and running, the service reads application rules from Group Policy and evaluates every application that attempts to execute on the computer. AppLocker logs verbose information to the Windows event log, showing you which file was affected, whether it was blocked or allowed by a rule, the name of the rule, and so forth. If an application isn't permitted by your rules, then AppLocker prevents it from executing.
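The workflow described above (enable the Application Identity Service, inventory installed apps, build and trim the whitelist, test it, then read the event log) as an added PowerShell example; this is not code from the original post. It assumes an elevated session on Windows 7 or later with the AppLocker module, and the scan directories and scratch file path are assumptions you should adjust.

```powershell
# Added example (not from the original post): an end-to-end AppLocker workflow.
# Assumes an elevated PowerShell session on a Windows 7+ client with the AppLocker module.
Import-Module AppLocker

# 1. The Application Identity service is what identifies files for AppLocker. It ships
#    disabled; while it is not running, AppLocker rules are not evaluated at all.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Inventory what is already installed. Paths are assumptions; add your own install dirs.
$scanDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = $scanDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 3. Build the starting whitelist from that inventory: signed files get publisher rules,
#    unsigned ones fall back to hash rules; -Optimize collapses overlapping rules.
$policyXml = 'C:\Temp\applocker-draft.xml'   # assumption: scratch path for the draft policy
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# (Edit $policyXml here to remove rules for already-installed apps you do not want to permit.)

# 4. Test before enforcing: list the files under a directory that the draft would deny.
#    'C:\Program Files\SomeVendor' is a placeholder for a directory you care about.
Get-ChildItem 'C:\Program Files\SomeVendor' -Recurse -Include *.exe |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply by merging into the local policy (for domain-wide use, import the same XML
#    into a GPO instead; the service reads its rules from Group Policy).
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# 6. Review what AppLocker logged. In the EXE and DLL log: 8002 = allowed by a rule,
#    8003 = audit-only (would have been blocked), 8004 = blocked. Each event's message
#    names the affected file and the rule that matched.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run step 4 against the directories your users actually launch from before step 5; a policy that only allows what the scan found will block anything installed later until you extend the list.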