The following procedure shows how to restrict an application from running using AppLocker. For more details about AppLocker and the available options read articles Part 1, Part 2 and Part 3. The following example shows how to restrict the Windows Notepad application from executing:
- Use an administrator account to perform these steps, and make sure that a standard user account without administrative privileges exists on the computer. Verify that the Notepad application runs before you start configuring AppLocker.
- From the services snap-in (type services.msc in the Start text box) start the Application Identity service. Make sure to set the Startup type to Automatic when implementing AppLocker rules in a production environment but for testing purposes it is better to turn on/off the service as required.
- Open the Local Group Policy snap-in by typing gpedit.msc in the Start text box.
- Navigate to Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker\Executable Rules node
- Right click on the right hand side pane and select Create Default Rules – check and leave default rules as is.
- Right click Executable Rules and select Create New Rule… Click Next on the first (default) page.
- On the Permissions page select Deny under Action: and click Next – Under User or group: you can select a specific user such as a standard user.
- On the Condition page select Publisher and click Next.
- On the Publisher page, from the Browse option find and select Notepad.exe – check the Use custom values option if you want to specify file version parameters. With the Use custom values unchecked and using the slider, you can set a rule that applies to any application or file signed by a specific or any publisher. (Asterisk means all)
- On the Exceptions page click Next – if in the previous step you have selected a group of files through the slider option then you can add exceptions here.
- You can set a name and a description for your rule in the Text box provided, and then click Create.
- The policy should take effect immediately after you hit the Create button. Try to run Notepad.exe; it should be blocked by the executable rule just created – you may need to run gpupdate.exe from the Start text box or restart your computer. If you restart your computer remember to start the Application Identity service! Also, you can test the rule with a standard user if you have specified a user account in step 7.
Performing an audit exercise
- Right click the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker node and select Properties
- On the AppLocker Properties window check the Executable rules: Configured option and select Audit only. Click OK
- Now, you should be able to run Notepad.exe without any problems – we have shifted the rule from the Enforced state to Audit only
- Open Event Viewer by typing Event Viewer from the Start text box – an event is recorded for audit purposes
- Navigate to the Applications and Services Logs\Microsoft\Windows\AppLocker\EXE and DLL node – on the details page you should be able to see the recorded event stating that Notepad.exe was allowed to run but would have been prevented if the policy were enforced.
If you finish the testing exercise at this point, make sure to set the Application Identity service to Disabled and delete the rule created in this exercise by right clicking on it and selecting Delete.
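The same exercise scripted with the AppLocker PowerShell cmdlets, as an added example that is not part of the original article. It assumes the AppLocker module is available (Enterprise/Education/Server editions), that notepad.exe is at its default path, and that the default rules from step 5 already exist in the local policy; the output file name is an arbitrary choice.

```powershell
# Added example, not part of the original article. Assumes the AppLocker module,
# the default notepad.exe path and an elevated PowerShell session; $xmlPath is an
# arbitrary scratch file.
$exe     = 'C:\Windows\System32\notepad.exe'
$xmlPath = "$env:TEMP\deny-notepad.xml"

# Step 2: Application Identity service. Recent Windows builds reject Set-Service
# for this protected service, so sc.exe is used to change the startup type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Steps 6-9: publisher condition read from the signed binary. New-AppLockerPolicy
# only generates Allow rules, so the Action is flipped to Deny in the XML. The
# generated version range covers the file's version and higher.
$info   = Get-AppLockerFileInformation -Path $exe
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
              -User 'Everyone' -RuleNamePrefix 'Deny-Notepad' -Xml
$policy = $policy -replace 'Action="Allow"', 'Action="Deny"'

# Audit exercise: evaluate but do not block. Use "Enabled" to enforce instead.
$policy = $policy -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
$policy | Out-File -FilePath $xmlPath -Encoding UTF8

# Dry run before touching the machine: what would this policy decide for Notepad?
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $exe -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy, keeping the default rules created in step 5.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
gpupdate.exe /force | Out-Null

# Launch Notepad, then read the same log the GUI steps inspect in Event Viewer.
# Event 8003 = allowed but would have been blocked (audit), 8004 = blocked (enforced).
Start-Process -FilePath $exe
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap

# Tear-down when finished, mirroring the article's closing note: delete the rule
# in gpedit.msc (or apply a policy without it via Set-AppLockerPolicy), then:
#   Stop-Service -Name AppIDSvc; sc.exe config appidsvc start= disabled
```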