Application Lockdown with AppLocker on Standard 7
A common requirement for Windows Embedded Standard 7 devices is controlling what applications can run on the system. If the device only runs your own custom application, such as a kiosk or set-top box, then you might want to ensure that no other applications could be run to break out of the experience. If the device runs a more open shell, such as thin clients, you may want to restrict the set of applications that are allowed to run.
Since Windows Embedded Standard 7 is based on Windows 7, we can leverage a new technology that has been introduced: AppLocker. AppLocker builds and improves on Software Restriction Policies (SRPs) to allow for easy and flexible application lockdown. You can find a thorough summary of AppLocker at its Executive Overview and other articles around the web, but I will offer some highlights and an example. Some of its features are:
- AppLocker can enforce four different kinds of rules. The first is applications (.exe), which I’m focusing on in this article. However, in addition to applications, AppLocker can also block scripts (.ps1, .bat, .cmd, .vbs, and .js), installer files (.msi, .msp), and even libraries (.dll, .ocx).
- You can configure AppLocker to either enforce the rules you define and block applications from running, or just audit events that break your rules to review in Event Viewer. Audit mode can be especially useful during testing, but can also be used to monitor undesired activity remotely.
- AppLocker rules can be pushed down by Group Policy in a domain environment; however, they can also be applied individually to a device through Local Group Policy, even if the device is not in a domain environment or even connected to a network.
Specific to Windows Embedded Standard 7: for AppLocker to work at all, the image must include the Application Security, Windows Installer, and Group Policy packages at a minimum. Which further packages you need depends on which of its two configuration methods you want to use:
- AppLocker can be controlled through a series of PowerShell cmdlets, which can get, set, and test application control policies. You can find much more information about them at https://blogs.msdn.com/powershell/archive/2009/06/02/getting-started-with-applocker-management-using-powershell.aspx. The PowerShell package is, of course, required to use this method.
- The second method uses step-by-step wizards that simplify AppLocker’s configuration. To configure AppLocker through the wizards, you must include Group Policy’s optional dependencies that allow you to run Local Group Policy Editor, which you start by running “gpedit.msc”. AppLocker is located under “Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies” in that window.
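The following script is an added example, not code from the original post, of the PowerShell method described above: it collects file information for a custom application, generates allow rules from it (publisher rules for signed files, hash rules as the fallback), puts the executable rule collection into audit mode, applies the result as a local policy, tests a few paths against it, and reads back the audit events. The application directory C:\MyApp, the file name MyApp.exe and the rule name prefix are placeholders; the image is assumed to carry the Application Security, Group Policy and PowerShell packages named above, and the script is run from an elevated prompt.

```powershell
# Added example: build, audit and test a local AppLocker executable policy
# with the AppLocker cmdlets on a Standard 7 image. C:\MyApp is an assumed
# placeholder for the directory holding your own application.
Import-Module AppLocker   # needed on Windows 7 / Standard 7 (PowerShell 2.0)

$AppDir     = 'C:\MyApp'                        # assumed application directory
$PolicyFile = "$env:TEMP\MyApp-AppLocker.xml"   # generated policy is saved here

# AppLocker evaluates rules only while the Application Identity service runs,
# so make sure it starts with the device.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Gather publisher, hash and path information for every .exe under the
#    application directory (the "applications" rule type from the article).
$files = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe

# 2. Turn that into allow rules for Everyone. Signed binaries get publisher
#    rules; unsigned ones fall back to hash rules, so a tampered binary no
#    longer matches. -Xml returns the policy as an XML string.
$newPolicyArgs = @{
    FileInformation = $files
    RuleType        = 'Publisher', 'Hash'
    User            = 'Everyone'
    RuleNamePrefix  = 'MyApp'
    Optimize        = $true
    Xml             = $true
}
$policyXmlText = New-AppLockerPolicy @newPolicyArgs
$xml = [xml]$policyXmlText

# 3. Put the Exe collection into audit mode: nothing is blocked yet, but every
#    executable that WOULD be blocked is logged, which is the safe way to test.
$exeCollection = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeCollection.SetAttribute('EnforcementMode', 'AuditOnly')

# 4. Add a path rule allowing the operating system's own executables. Without
#    such a rule, switching the collection to "Enabled" later would also deny
#    the Windows binaries the device needs to boot and log on.
$rule = $xml.CreateElement('FilePathRule')
$rule.SetAttribute('Id', [guid]::NewGuid().ToString())
$rule.SetAttribute('Name', 'Allow Windows system files')
$rule.SetAttribute('Description', 'Added so the OS keeps running once enforced')
$rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')   # well-known SID for Everyone
$rule.SetAttribute('Action', 'Allow')
$conditions = $xml.CreateElement('Conditions')
$pathCondition = $xml.CreateElement('FilePathCondition')
$pathCondition.SetAttribute('Path', '%WINDIR%\*')
[void]$conditions.AppendChild($pathCondition)
[void]$rule.AppendChild($conditions)
[void]$exeCollection.AppendChild($rule)
$xml.Save($PolicyFile)

# 5. Apply the policy to the local machine (no domain, no network required).
#    Without -Merge this replaces any existing local AppLocker policy.
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# 6. Check how the policy would decide before trusting it: the application and
#    a Windows binary should be Allowed, anything else DeniedByDefault.
$samples = @(
    (Join-Path $AppDir 'MyApp.exe'),                      # assumed file name
    (Join-Path $env:WINDIR 'System32\notepad.exe'),
    (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe')
)
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 7. In audit mode, event 8003 in the AppLocker EXE and DLL log records each
#    program that ran but would have been blocked under enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run the device through its normal workload while the collection is in AuditOnly and review the 8003 events; only when nothing legitimate shows up should the EnforcementMode attribute be changed to Enabled and the policy re-applied with Set-AppLockerPolicy. Get-AppLockerPolicy -Effective -Xml shows what is actually in force, which matters once the device joins a domain and domain rules merge with the local ones.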
AppLocker is a powerful tool that you can use to help lock down your Windows Embedded Standard 7 devices. In my next tutorial, I will walk through using AppLocker on your device.
- Robert
Technorati Tags: Embedded Standard,Applocker
Comments
Anonymous
March 16, 2010
AppLocker may be exactly what I have been looking for when trying to build a very locked-down embedded device. My main concern with Windows Embedded is that owners of the device get software on it other than what we have verified it for, which is a big no-no for e.g. medical devices. However, I wonder if there is another programmatic way, with a smaller footprint, of configuring AppLocker besides PowerShell. Now, a downside seems to be that a domain GP can override the device AppLocker settings. Is it possible to be a member of a domain and only get a limited set of Group Policies applied? As a device maker, I want to be very much in control over which configuration changes can be made, and among other things that means making it impossible to (even accidentally) push out e.g. Office to the device and disable AppLocker (so the install runs).
Anonymous
March 23, 2010
David,
- PowerShell is the only supported scripting interface for AppLocker.
- As for preventing domain Group Policy from being pushed down to your device, this article may be useful: http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx
Robert