If you share a computer and don’t want other users accessing certain
applications, there is a new feature in Windows 7 that allows you to
block them. Today we take a quick look at restricting what programs
other users can access using AppLocker.
Note: AppLocker is only available in Ultimate and Enterprise versions of Windows 7.
Using AppLocker
To access Group Policy Editor and create rules in AppLocker you’ll
need to be logged in as Administrator. Click on Start and type gpedit.msc into the search box and hit Enter.
Under Local Computer Policy go to Computer Configuration \ Windows
Settings \ Security Settings \ Application Control Policies \ AppLocker.
Now you will see the overall controls for the applications.
Under Configure Rule Enforcement click on the Configure rule enforcement link.
Now under AppLocker Properties check the box next to Configured under Executable rules, then click OK.
Blocking Apps from Running
In this scenario, Jack wastes time playing games like Minesweeper and
Solitaire when he should be doing his homework, so we are going to
block all of the games. After completing the steps above, under the
Overview section click on Executable Rules.
Since this is your first time accessing AppLocker, there will be no rules listed. Right-click and select Create New Rule…
This opens up the Create Executable Rules wizard and you can select
not to show the introduction screen at start up for the next time you
access it.
On the Permissions screen, under Action, select Deny.
Add the user you want to block; in this case it’s Jack.
After you’ve selected the Deny action and the user, continue to the next step.
In Conditions you can select from Publisher, Path or File hash. We
don’t want Jack to have access to any of the games, so we will select
Path.
Click on Browse Folders and select the Microsoft Games folder.
In the next screen you could add Exceptions like allowing certain
files, but because we are blocking the entire games directory we’ll skip
to the next screen.
Here you can add a description to the rule so you can keep track of
them if there are several rules configured. When everything looks right
click on Create.
A message pops up saying default rules haven’t been created yet. It
is important to make sure they are created so click Yes to this message.
Now you will see the default rules and the new one you created showing Jack is denied access to the Microsoft Games directory.
After creating the rule, go into Services and make sure the Application Identity
service is started and set to start automatically; otherwise the
rules won’t work. By default this service is not started, so you will
need to enable it.
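The same check-then-enable step can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original article: it tests the local policy against Jack and against the administrator before touching the service. It assumes Jack is a local account, the games are in the default %ProgramFiles%\Microsoft Games folder, and the service's short name is AppIDSvc.

```powershell
# Added example: run elevated on Windows 7 Ultimate/Enterprise (PowerShell 2.0).
Import-Module AppLocker

# Assumptions: Jack is a local account; games are in the default install folder.
$blockedUser = "$env:COMPUTERNAME\Jack"
$adminUser   = "$env:USERDOMAIN\$env:USERNAME"
$gamesDir    = Join-Path $env:ProgramFiles 'Microsoft Games'
if (-not (Test-Path $gamesDir)) { throw "Games folder not found: $gamesDir" }

# Tools the administrator needs in order to undo a bad rule (gpedit.msc runs in mmc.exe).
$rescueTools = @(
    (Join-Path $env:windir 'System32\mmc.exe'),
    (Join-Path $env:windir 'System32\cmd.exe')
)

# The policy built in the Group Policy Editor steps above.
$policy = Get-AppLockerPolicy -Local

# 1. Every game executable must NOT be allowed for Jack.
$games = @(Get-ChildItem -Path $gamesDir -Recurse -Filter *.exe |
           Select-Object -ExpandProperty FullName)
$gameResults = @($policy | Test-AppLockerPolicy -Path $games -User $blockedUser)
$notBlocked  = @($gameResults | Where-Object { $_.PolicyDecision -eq 'Allowed' })

# 2. The administrator must still be allowed to run the rescue tools
#    (this is what the default rules are for).
$adminResults = @($policy | Test-AppLockerPolicy -Path $rescueTools -User $adminUser)
$lockedOut    = @($adminResults | Where-Object { $_.PolicyDecision -ne 'Allowed' })

$gameResults + $adminResults |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

if ($notBlocked.Count -gt 0 -or $lockedOut.Count -gt 0) {
    Write-Warning 'Policy does not behave as intended; Application Identity service left untouched.'
}
else {
    # 3. Only now turn enforcement on: start the service and make it automatic.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    Get-Service -Name AppIDSvc | Format-List Name, DisplayName, Status
}
```

If the administrator's tools show DeniedByDefault, the default rules are missing; create them before starting the service.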
Now, when Jack logs into his user account and tries to access the
games he will only see the following message. Only an Administrator can
go in and change the rule.
Conclusion
Use caution when configuring the rules and only start the Application
Identity service after everything looks right. Otherwise you have the
potential of locking yourself out of all applications including
AppLocker.
AppLocker is a powerful feature included in Windows 7 and we
showed you a basic rule so you can get an idea of how it works. In the
future we’ll take a look at more complex tasks to accomplish and gain
tight control over what programs each user is able to access.