But in spite of the fact that both Microsoft and third-party software vendors provide application-control mechanisms, there's still an unspoken assumption that there is nothing wrong with allowing users to run the applets built into Windows. Permitting users to run these default applets may not be such a good idea in organizations that require top-notch security.
So which applets should you lock down? It depends on your security needs. If your organization requires a minimal to a moderate degree of security, then you probably won't have to worry about locking down basic Windows applets like Notepad or Paint. But that doesn't mean you don't have to do anything.
Even in an organization with minimal security requirements, you should audit end-user accounts to make sure that they don't have access to the various tools built into Windows. For example, you wouldn't want users to access the Registry Editor or the Group Policy Editor.
Standard user accounts are blocked by default from being able to access utilities such as these. Even so, if you are going through the trouble of using AppLocker or a third-party desktop lockdown product, then it is worth ensuring that users are blocked from running administrative tools, even if they are accidentally given permission to run them.
If the idea of users accidentally getting permission to run admin tools seems a little far-fetched, consider this: In the early days of Windows XP, many applications would not function correctly unless a user was granted administrative permissions at the desktop level. Even though Microsoft changed this behavior in Windows Vista and Windows 7, some users may still have desktop-level admin rights. If, for example, a PC was upgraded from Windows XP to Windows Vista and then to Windows 7, then some users could still have permissions left over from Windows XP.
So what if your enterprise requires a high degree of security? In this case, my general rule of thumb is that users should have exactly the permissions that they need to do their jobs -- no more, no less. Therefore, if a user's job function does not explicitly require the user to use Notepad, then Notepad should be blocked.
I realize this probably sounds a bit harsh, but remember that good security is all about reducing a computer's potential attack surface. If the user has no job requirement for Notepad, then why not reduce the attack surface by blocking it? Besides, Notepad is usually the tool of choice for manually modifying Windows configuration files.
But why block Notepad or another applet? Why not just uninstall it?
Well, Windows 7 does not include an option for uninstalling built-in applets such as Notepad, Paint or Sound Recorder. It is possible to manually remove Notepad or other built-in applets, but blocking such applets may be more practical than removing them for several reasons.
For starters, imagine that you remove Notepad.exe from all of your desktop PCs, and a year later Microsoft releases a new service pack for Windows 7. There is a good chance that the service pack will include Notepad.exe and any other files that you have removed, which would require you to remove the files all over again. If you had simply blocked Notepad, then the block would remain in effect regardless of any patches that are applied to your desktops.
Another reason why it may be easier to block built-in applets than to remove them is because of Windows file associations. Suppose, for example, that you delete Notepad.exe from a system. Even after doing so, Windows still has a file association that associates .TXT files with the executable file you removed. If you want to get rid of built-in applets cleanly, then you have to hunt down any related file associations. Never mind the work that is involved in putting the executable file and the file associations back if a user suddenly needs access to the applet.
You might be wondering what is so evil about Notepad because I've used it in most of my examples. By itself, Notepad is completely benign. However, a malware component or a malicious user can sometimes come up with creative ways to use otherwise benign applets for purposes for which they were not intended.
A perfect example of this is a Windows applet called Sound Recorder. One organization that I used to work for removed Sound Recorder from all desktops after it caught an employee recording conversations involving sensitive information.
There are compelling reasons to prevent users from accessing built in applets. Even so, it usually isn't necessary to lock down every applet on the desktop. Users require a certain amount of software to do their jobs, and it is ultimately up to you to decide which applets are appropriate for use in your organization.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award seven times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and health care facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.
This was first published in September 2010