Requirements for Deploying AppLocker Policies
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This deployment topic lists the requirements you need to meet before deploying AppLocker policies.
The following requirements must be met or addressed before deploying your AppLocker policies:
Your deployment plan
Supported operating systems
Your policy distribution mechanism
Your event collection and analysis system
Your deployment plan
An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which are optional, and which are forbidden. To develop this plan, see AppLocker Policies Design Guide. The following table is an example of the data you need to collect and the decisions you need to make in order to successfully deploy AppLocker policies on supported operating systems.
| Business group | Organizational unit | Implement AppLocker? | Applications | Installation path | Use default rule or define new rule condition | Allow or deny | GPO name | Support policy |
|---|---|---|---|---|---|---|---|---|
| Bank Tellers | Teller-East and Teller-West | Yes | Teller software | C:\Program Files\Woodgrove\Teller.exe | File is signed; create a publisher condition | Allow | Tellers | Web help |
| | | | Windows files | C:\Windows | Create a path exception to the default rule to exclude \Windows\Temp | Allow | | Help desk |
| | | | Time Sheet Organizer | C:\Program Files\Woodgrove\HR\Timesheet.exe | File is not signed; create a file hash condition | Allow | | Web help |
| Human Resources | HR-All | Yes | Check Payout | C:\Program Files\Woodgrove\HR\Checkcut.exe | File is signed; create a publisher condition | Allow | HR | Web help |
| | | | Internet Explorer 7 | C:\Program Files\Internet Explorer\ | File is signed; create a publisher condition | Deny | | Help desk |
| | | | Windows files | C:\Windows | Use the default rule for the Windows path | Allow | | Help desk |
Event processing policy
| Business group | AppLocker event collection location | Archival policy | Analyzed? | Security policy |
|---|---|---|---|---|
| Bank Tellers | Forwarded to: srvBT093 | Standard | None | Standard |
| Human Resources | DO NOT FORWARD | 60 months | Yes; summary reports monthly to managers | Standard |
Policy maintenance policy
| Business group | Rule update policy | Application decommission policy | Application version policy | Application deployment policy |
|---|---|---|---|---|
| Bank Tellers | Planned: Monthly through business office triage. Emergency: request through help desk | Through business office triage; 30-day notice required | General policy: keep past versions for 12 months. List policies for each application | Coordinated through business office; 30-day notice required |
| Human Resources | Planned: through HR triage. Emergency: request through help desk | Through HR triage; 30-day notice required | General policy: keep past versions for 60 months. List policies for each application | Coordinated through HR; 30-day notice required |
Supported operating systems
AppLocker is supported only on the following editions of these operating systems:
| Operating system/edition | AppLocker policies created and maintained | AppLocker policies deployed |
|---|---|---|
| Windows Server 2012 | Yes | Yes |
| Windows 8 | Yes | Yes |
| Windows Server 2008 R2 Standard | Yes | Yes |
| Windows Server 2008 R2 Enterprise | Yes | Yes |
| Windows Server 2008 R2 Datacenter | Yes | Yes |
| Windows Server 2008 R2 for Itanium-Based Systems | Yes | Yes |
| Windows 7 Professional | Yes | No |
| Windows 7 Ultimate | Yes | Yes |
| Windows 7 Enterprise | Yes | Yes |
Software Restriction Policies are supported on versions of Windows beginning with Windows XP and Windows Server 2003, including the versions listed above. However, the SRP Basic User feature is not supported on the operating systems listed above.
Your policy distribution mechanism
AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. You will need a way to distribute the AppLocker policies throughout the targeted business group.
Your event collection and analysis system
Event processing is important for understanding application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see:
Windows Server 2008 R2 and Windows 7
Windows Server 2012 and Windows 8
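The following script is an added example of the analysis step described above; it is not part of this page or of the AppLocker documentation. It assumes Windows PowerShell 3.0 or later, an elevated session on the computer (or event collector) that holds the log, and the standard AppLocker "EXE and DLL" log name and event IDs (8002 allowed, 8003 audit-only "would have been blocked", 8004 blocked).

```powershell
# Added example, not part of the original page or of the AppLocker product docs.
# Assumptions: Windows PowerShell 3.0+, run elevated where the AppLocker "EXE and DLL"
# log is available; event IDs 8002 (allowed), 8003 (audited), 8004 (blocked).
param(
    [int]$Days = 7,
    [string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
)
$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = $LogName; Id = 8002, 8003, 8004; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No AppLocker EXE/DLL events in '$LogName' since $since."
    return
}
# AppLocker records its details under UserData/RuleAndFileData, not EventData.
$records = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $outcome = switch ($e.Id) {
        8002 { 'Allowed' }
        8003 { 'Audited (would block)' }
        8004 { 'Blocked' }
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Outcome  = $outcome
        User     = $data.TargetUser   # SID of the user who ran the file
        FilePath = $data.FilePath
        RuleName = $data.RuleName
        Fqbn     = $data.Fqbn         # publisher\product\binary\version; '-' if unsigned
    }
}
# 1. Files that were blocked, or would be blocked in audit mode, grouped by path.
#    In audit mode this is the input to the "default rule or new rule condition" decision.
$records |
    Where-Object { $_.Outcome -ne 'Allowed' } |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
# 2. Most recent enforced blocks: deny-by-design entries of the plan (for example
#    Internet Explorer 7 for HR) belong here; anything unexpected is a gap to triage.
$records |
    Where-Object { $_.Outcome -eq 'Blocked' } |
    Sort-Object Time -Descending |
    Select-Object -First 20 Time, User, FilePath, RuleName, Fqbn |
    Format-Table -AutoSize
```

On a collector that receives forwarded events (as in the Bank Tellers row of the event processing table), point `-LogName` at the log the subscription writes to, such as `ForwardedEvents`.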