Windows 7 RC has been out for a few weeks now, and the TLA team has been busy learning and testing all the great new features. Your tip for today is on Windows 7 AppLocker. Many of you know about Software Restriction Policies (SRP). They let you block a program from running based on its path (file name) or on a hash of the file. Many of you probably also know what a race it was to block applications on our networks with those methods: a user could simply rename the file to get around a path rule, and applications updated so frequently that you were constantly generating new hashes.
Windows 7 introduces a great new feature called AppLocker. AppLocker works on the premise that it is easier to allow the applications you want and block everything else (an allow list, where SRP was mostly used as a block list). If you are running a Windows 7 machine you can see AppLocker by typing gpedit.msc into the search bar and pressing Enter; it lives under Computer Configuration > Windows Settings > Security Settings > Application Control Policies. Two things to keep in mind before you turn it on: AppLocker rules are only enforced on the Enterprise and Ultimate editions of Windows 7, and the Application Identity service (AppIDSvc) has to be running on the client or nothing is evaluated at all.
You can define rules in three collections: Executable rules, Windows Installer rules, and Script rules (a fourth collection, DLL rules, is hidden under Advanced because enforcing it costs performance and means every DLL on the machine has to be accounted for). Creating a new rule is really simple: right-click any of the three collections and click Create New Rule.
Each rule is either an Allow or a Deny, and you pick which user or security group it applies to. Rules are evaluated per collection: once a collection contains any rule and enforcement is turned on, every file of that type that no Allow rule covers is blocked (and a matching Deny wins over a matching Allow). So before you add your first Executable rule, let the console create its default rules, which keep the Windows and Program Files directories allowed for everyone; skipping that step is an easy way to lock yourself out of the machine.
You can create a rule based on a publisher (the program must be digitally signed), on a path, or on a file hash (usually the right choice when the program is not signed). Publisher rules are the ones that survive updates. Path rules are the weakest of the three: a path rule that allows a directory a standard user can write to (their profile, %TEMP%, a file share) lets that user run anything at all by copying it there, so keep path rules pointed only at directories that administrators alone can write to.
For this example I chose Publisher. The rule wizard reads the application's digital signature and version resource (publisher name, product name, file name and file version) and lets you adjust, with a slider, how much of that information the rule will match on: from the publisher only, down through product name and file name, to one exact file version.
In the example above I set the slider to the product-name level, which allows any version of Internet Explorer signed by Microsoft, regardless of the file name used or the version number.
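Here is the same rule built from PowerShell instead of the wizard, as an added example that is not part of the original post. It uses the AppLocker module that ships with Windows 7 (Import-Module AppLocker), assumes Internet Explorer is installed at its default path, and writes the rule to a file under %TEMP% (a location chosen for this example, not anything AppLocker requires).

```powershell
# Added example, not from the original post. Builds the "any version of Internet
# Explorer" publisher rule, widens it to the product-name level, and dry-runs it
# before it is imported anywhere.
Import-Module AppLocker

$iePath = "$env:ProgramFiles\Internet Explorer\iexplore.exe"   # assumed install path
$outXml = "$env:TEMP\allow-ie.xml"                             # output file chosen for this example

# Read the signature information AppLocker keys a publisher rule on.
$ie = Get-AppLockerFileInformation -Path $iePath
$ie.Publisher   # PublisherName, ProductName, BinaryName, BinaryVersion

# Generate an Allow rule for Everyone from that file and get it back as XML.
[xml]$policy = New-AppLockerPolicy -FileInformation $ie -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'Allow IE' -Xml

# The wizard's slider maps onto three attributes of the publisher condition.
# Product-name level means: this publisher and product, any file name, any version.
foreach ($cond in $policy.SelectNodes('//FilePublisherCondition')) {
    $cond.BinaryName = '*'
    $cond.BinaryVersionRange.LowSection  = '*'
    $cond.BinaryVersionRange.HighSection = '*'
}
$policy.Save($outXml)

# Dry run: iexplore.exe should come back Allowed. calc.exe comes back
# DeniedByDefault, because the Executable collection now contains a rule and
# nothing in this file allows anything else. That is the allow-list premise at work.
Test-AppLockerPolicy -XmlPolicy $outXml -User Everyone `
    -Path $iePath, "$env:windir\system32\calc.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

To try it on a test box, merge it into the local policy with `Set-AppLockerPolicy -XmlPolicy $outXml -Merge` and make sure the Application Identity service is started (`Start-Service AppIDSvc`); in a domain you would import the same XML into the GPO from the AppLocker node's Import Policy action. Do not merge it into a policy that has no default rules for the Windows directory, for the reason the calc.exe line shows.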
You use the same steps to create exceptions for specific applications (an exception hangs off an Allow rule and carves out a publisher, path or hash that the rule should not cover). One of the best features is the ability to automatically generate rules.
This scans a directory you choose (Program Files by default) and creates Allow rules for the programs it finds: publisher rules for the signed files and hash rules for the rest, or path rules if you ask for them (with the caveat above). Perfect for quickly creating a baseline set of rules from a gold image. Review what it generates before you deploy it, and run the collection in Audit only enforcement mode first so the AppLocker event log shows you what would have been blocked without actually breaking anyone.
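The same baseline can be generated from PowerShell on the gold image, which also makes it easy to inspect and dry-run the result. This is an added example, not part of the original post; it assumes the Windows 7 AppLocker module, scans Program Files like the wizard does, and writes the output to a file name under %TEMP% that is chosen here for illustration only.

```powershell
# Added example, not from the original post. Reproduces "Automatically Generate
# Rules" from PowerShell against a gold image and checks the result before
# enforcement is turned on.
Import-Module AppLocker

$scanDir = $env:ProgramFiles           # the wizard's default; any directory will do
$outXml  = "$env:TEMP\baseline.xml"    # output file chosen for this example

# Inventory every executable, installer and script under the directory.
$files = Get-AppLockerFileInformation -Directory $scanDir -Recurse `
             -FileType Exe, WindowsInstaller, Script

# Rule types are tried in order for each file: publisher when the file is signed,
# otherwise hash. Path rules are deliberately left out (user-writable paths).
# -Optimize collapses per-file publisher rules into one rule per publisher/product.
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
           -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml
Set-Content -Path $outXml -Value $xml

# How much of the image ended up as hash rules? Those are the rules you will be
# regenerating after every update, so unsigned software is worth chasing down.
$doc = [xml]$xml
"Publisher rules: " + $doc.SelectNodes('//FilePublisherRule').Count
"Hash rules:      " + $doc.SelectNodes('//FileHashRule').Count

# Dry run against whatever executables sit in a user's profile. With no path rules
# for user-writable locations, everything there should come back DeniedByDefault.
$userExes = Get-ChildItem $env:USERPROFILE -Recurse -Include *.exe -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
if ($userExes) {
    Test-AppLockerPolicy -XmlPolicy $outXml -Path $userExes -User Everyone |
        Format-Table FilePath, PolicyDecision -AutoSize
}

# After the policy has run in Audit only mode for a while, read back what would
# have been blocked. These are the gaps in the baseline to fix before enforcing.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

Note that, unlike the console's Create Default Rules action, the cmdlet does not add the rules that keep the Windows directory allowed; create or merge those before enforcing, or Windows' own binaries come back DeniedByDefault exactly like the user-profile files do.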