One of the exciting features introduced in Windows 7 is AppLocker, that allows you from a high level (Publisher) to a granular level (Version) to choose what applications you would like to allow users to run (white listing) rather than creating long lists of what applications they cannot use (black listing). If you’re running a Windows 7 machine you can see AppLocker by typing gpedit.msc into your search bar and pressing enter.
-You can define policies based on executables, Windows installers, and scripts. Creating a new policy is simple. Right-click on any of the 3 categories and click Create New Rule.
-You can create a policy to allow or deny an executable. You can also select which groups the rule’ll apply to.
-You can choose to create a rule based on a publisher (the program needs to be signed), a program path, or a file hash (usually a good choice if the program isn’t signed).
For this example we chose publisher. The Rule Wizard uses the information stored application signing certificate to learn about the application. You can adjust what level of information you’ll allow for an application. In the example the policy’ll only allow Internet Explorer 18.104.22.168 and above to run on the computer. You can use the same steps to create exceptions for specific applications. One of the more convenient features is the ability to automatically generate rules. If you right click on any of the 3 categories and click Automatically Generate Rules you can quickly generate a list of rules based on applications that are already install on the computer (saving you a lot of work to get going with AppLocker!). In example, we scan your applications in the Program Files directory and create rules for those programs to run. Perfect for creating a baseline set of rules for applications on a gold image or group policy quickly.