AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that replaces the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as executable files, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Import and export rules. Import and export always affect the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets.
For more information about AppLocker rules, see Understanding AppLocker Rules.
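The following PowerShell session, added here as an illustration and not taken from the Microsoft documentation, walks through the capabilities listed above with the AppLocker cmdlets: a publisher rule scoped to a group, audit-only deployment, a dry run against real files, and an export of the whole policy. The application path, group SID and output file names are assumptions.

```powershell
# Added example. Assumed: a signed application under C:\Program Files\Contoso\App,
# rules scoped to the built-in Users group (SID S-1-5-32-545).
$app       = 'C:\Program Files\Contoso\App\ContosoApp.exe'
$policyXml = "$env:TEMP\contoso-applocker.xml"

# A publisher rule keys on the signature's publisher, product, file name and
# version, so it survives updates; a hash rule would break on every new build.
$fileInfo = Get-AppLockerFileInformation -Path $app
if (-not $fileInfo.Publisher) {
    throw "$app is not signed; create a hash or path rule for it instead."
}

# -AllowWindows adds the default rules for the Windows and Program Files
# folders. Without them, a collection whose default action is Deny blocks
# everything not explicitly allowed, including the operating system itself.
[xml]$doc = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                -User 'S-1-5-32-545' -RuleNamePrefix 'Contoso' `
                -AllowWindows -Optimize -Xml

# The cmdlets expose no enforcement-mode switch, so set audit-only on each
# rule collection in the XML before deploying (NotConfigured, AuditOnly, Enabled).
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyXml)

# Dry run: report every executable the policy would not allow for that group.
$candidates = Get-ChildItem 'C:\Program Files\Contoso\App' -Filter *.exe -Recurse |
              Select-Object -ExpandProperty FullName
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User 'S-1-5-32-545' |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Deploy to the local policy. -Merge keeps existing rules; without it the
# current policy is replaced, exactly as an import does.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Export the effective policy: all rule collections plus their enforcement settings.
Get-AppLockerPolicy -Effective -Xml | Set-Content "$env:TEMP\effective-applocker.xml"

# In audit-only mode, event ID 8003 in the AppLocker log records each file that
# would have been blocked had the collection been enforced.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } | Select-Object TimeCreated, Message -First 10
```

The Application Identity service must be running on the computer for AppLocker to evaluate rules and write the audit events.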
What has changed?
The following table compares AppLocker to Software Restriction Policies.
| Feature | Software Restriction Policies | AppLocker |
|---|---|---|
| Rule scope | All users | Specific user or group |
| Rule conditions provided | File hash, path, certificate, registry path, and Internet zone rules | File hash, path, and publisher rules |
| Rule types provided | Allow and deny | Allow and deny |
| Default rule action | Allow or deny | Deny |
| Audit-only mode | No | Yes |
| Wizard to create multiple rules at one time | No | Yes |
| Policy import or export | No | Yes |
| Rule collection | No | Yes |
| PowerShell support | No | Yes |
| Custom error messages | No | Yes |
AppLocker requirements
AppLocker is available in all editions of Windows Server 2008 R2 and in and . To use AppLocker, you need:
- A computer running Windows Server 2008 R2, , , or to create the AppLocker rules. can be used to create the rules, but the rules cannot be enforced on computers running . The computer can be a domain controller.
- For Group Policy deployment, at least one computer with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
- Computers running Windows Server 2008 R2, , or to enforce the AppLocker rules that you create.