Controlling applications on individual workstations is one of the most critical -- and difficult -- tasks that administrators face.
The software restriction policies feature was designed to control which applications users could run. However, the group policy feature has many pitfalls, and as a result, administrators have had to rely on third-party utilities to manage workstations -- until now.
Windows Server 2008 R2 and Windows 7 include a next-generation application management feature called AppLocker. Software-restriction policies are still supported.
Like software-restriction policies, AppLocker is group policy-based and is designed to allow administrators to control the applications that users can run.
But the similarities end there.
Software restriction policies were meant to be a mechanism for blocking undesirable applications. The problem with this approach is that unless an administrator takes specific measures to block an individual app, Windows allows it to run. Needless to say, it is impossible for an administrator to create a set of rules that blocks every single unauthorized application. Even if an administrator developed such a collection, those rules would eventually be null as applications are patched and new apps are released.
AppLocker takes a different approach. Rather than having administrators specify which applications they want to block, AppLocker requires them to create rules that tell Windows which applications should be allowed to run. This makes it easier to achieve the desired level of application control.
As much of an improvement as AppLocker is over software restriction policies, creating all of the necessary AppLocker rules still involves a lot of work, which may be less than appealing to already overworked administrators.
However, the benefits are often worth the work. Below are certain advantages of fully controlling the applications that are allowed to run on your desktops.
Perhaps the single greatest benefit of AppLocker is applications cannot run unless you specifically authorize them to do so -- assuming that you enable the AppLocker feature -- making it more difficult for a malware infestation to occur.
I recently spoke to an administrator who decided to stop using antivirus software on network workstations and to use AppLocker instead. While personally I'm not sure I would use AppLocker in place of antivirus software since the feature hasn't been around that long, it is difficult to ignore the administrator's reasoning. The organization in question was paying about $30 per desktop, per year for antivirus software licenses. This amounted about $8,000 per year for antivirus protection. Since AppLocker is built into Windows, there is no cost for using it.
Lower support costs
AppLocker can also save organizations money in support costs. Most organizations use a standardized configuration when deploying new desktops. When problems occur, the help desk staff makes certain assumptions as to what software is running on the desktops. Unauthorized software installed by users could interfere with other applications on their workstations. It might also take help desk staffers longer than normal to fix the problem because they are not expecting or looking for the unauthorized software. AppLocker ensures that users can't run any applications that could interfere with their computers' stability.
Software license control
Many organizations go to great lengths to make certain that they own the appropriate number of software licenses for the applications they are running since software piracy penalties can be severe.
Organizations have had difficulty tracking software licenses because they're legally required to own licenses for every application running on their computers. If a user installs an unauthorized application, the organization is technically liable for a license for that application -- even though the application was installed without IT's knowledge or consent.
This type of situation can be prevented with AppLocker.
If you are considering AppLocker, remember that although AppLocker rules are implemented through group policy settings, those settings are effective only on computers running Windows 7 and Windows Server 2008 R2. All other versions of Windows will ignore AppLocker's rules.
|Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.|
This was first published in January 2010