>Windows Server 2008 R2’s AppLocker feature allows additional policy configuration for software use on servers. IT pro Rick Vanover provides an overview of this enhanced functionality.

Windows Server 2008 R2’s AppLocker feature allows additional policy configuration for software use on servers. IT pro Rick Vanover provides an overview of this enhanced functionality.

Starting with Windows Server 2008 R2 for server platforms and Windows 7 for desktop platforms, the Software Restrictions policies functionality has been replaced with AppLocker. With AppLocker and Group Policy, you can define what files to prohibit from being executed; this can include scripts, installation files, and standard executables.

The management goodness of AppLocker is that it can be applied via Group Policy locally or via a domain-based GPO. AppLocker exists in the Computer Configuration section of Group Policy under Windows Settings | Security Settings | Application Control Policies. From there, the AppLocker configuration provides an enhanced Group Policy configuration as shown in Figure A.

Figure A

Click the image to enlarge.

Within this section of Group Policy, you can craft myriad individual configurations, including policies that permit or deny users or groups the ability to run a file, an installation, or a script. Further, you can set this with exceptions and apply it in a granular fashion in Active Directory. If you don’t want a full deny, you can configure AppLocker to only audit the iteration of an installation file, a script, or a standard executable.

The AppLocker feature is new to Windows Server 2008 R2 and will not apply to operating systems older than Windows Server 2008 R2 or Windows 7. For older OSs, you can apply Software Restriction Policies via a separate group policy object.]

Visit Microsoft’s site for more information about AppLocker.

Stay on top of the latest Windows Server 2003 and Windows Server 2008 tips and tricks with our free Windows Server newsletter, delivered each Wednesday. Automatically sign up today!

AppLocker is what I would use. I would create a directory that’s «acceptable» like c:GoodCommands and put all the stuff allowed to run in there. Then, use AppLocker to specify that c:GoodCommands is an acceptable place to run. AppLocker’s «brain» does the rest, and everything else is prevented.