Windows 7 to lock down application permissions

Windows 7 will improve the way the OS handles unauthorised applications and allow the creation of fine policies to control the desktop.

One Windows management problem that has plagued companies for as long as PCs have been around is having unauthorised software on users' desktops. In Windows 7, though, Microsoft is hoping that AppLocker, an improvement on software restriction policies, will make this problem a thing of the past.

Unauthorised software issues present a number of problems. It may conflict with an existing application or it may deprive the PC of disk, CPU or memory resources. Another issue is the fact that an organisation is responsible for having a license for every application installed on each computer in its network. If a user installs an unauthorised application, it is the organisation that is ultimately responsible for licensing that application.

Software restriction policies

I could go on and on about the problems associated with unauthorised applications, but I would rather talk about how AppLocker helps admins deal with them instead.

Both Windows XP and Windows Vista allow organisations to control applications through software restriction policies -- the predecessor to AppLocker. Software restriction policies are Group Policy settings that let organisations specify which applications users are allowed to run.

So why aren't software restriction policies used more often? Well, the truth is that prior to the creation of AppLocker, software restriction policies were difficult to use effectively and were easy to circumvent. These days, most organisations don't even bother using them.

There are four different types of software restriction policy settings:

  • A hash policy -- A fingerprint of a specific file.
  • A certificate policy -- A policy based on a software publisher's digital signature.
  • A path policy -- One that looks for certain file or registry paths.
  • A zone policy -- A policy that checks to see which Internet zone a user is downloading an application from.

All of those policies are easy to circumvent. For example, a hash policy is only effective as long as a file remains in a consistent state. Today, applications are updated routinely, so hash policies can become obsolete in a matter of days as new versions of files are released.

Path policies are also easy to circumvent because it's easy to install an application into a nonstandard location. Registry path policies are more difficult to circumvent, but they are also harder to create because the administrator must have detailed knowledge of which registry keys a specific application creates.

Certificate policies are probably the most effective kind of software restriction policies, but even they have their limits. For starters, not all application publishers use certificates and even if the publisher does use certificates, you may not want to allow every application that the publisher makes to run in your network. For example, you might not have a problem with your users having Microsoft Office, but you probably don't want them installing Microsoft Flight Simulator.

Zone policies are probably the least effective type of policy because they are only effective if an application is run as it's downloaded. If an application has already been saved to disk, then a zone policy has no way of knowing the application's origin.

On top of all of these limitations, an administrator has to be very careful when creating software restriction policies because it's so easy to accidentally create contradictory policies or policies that interfere with the company's business needs.

Microsoft improves on software restriction policies with AppLocker

Fortunately, Microsoft has finally realised the frustration associated with using software restriction policies and is making significant improvements to them in Windows 7. The first change the company made was to the name. Software restriction policies have been rebranded as AppLocker.

Windows 7's AppLocker will be much more flexible than software restriction policies were. Perhaps the biggest improvement we will see in AppLocker is that software restriction policies will be version aware. I mentioned that hash rules quickly become invalidated as application updates are released. Depending on how a hash rule is applied, this means that a user could potentially install an unauthorised update or be prevented from installing a much needed update that he or she would normally be allowed to apply.

Version control allows an organisation to specify a minimum version of an application for users to install or run. For example, companies can now create a rule that allows users to install versions 9.0 or above of Adobe Acrobat Reader. That way, users can apply updates at will, but they can't install legacy versions of Acrobat Reader unless they are specifically authorised to do so.

Keep in mind that there will be no such thing in Windows 7 as a "Version Control Rule." Versioning is achieved through publisher rules. Publisher rules are similar to the certificate rules that we have now, in that they are based on a publisher's digital signature. The difference is that a certificate rule only validates the publisher's identity. A publisher rule is able to determine the individual application and its version through information stored in the certificate.

There are some other nice new features as well. Software restriction policies were implemented through a set of obscure Group Policy settings. AppLocker is still based on Group Policy, but it also contains a rule generation wizard that makes the process of creating policies much easier. There is even an automatic rule-making tool that can scan a hard disk for applications and then build a whitelist for you.

Another feature of AppLocker is an import and export capability, which allows you to create a set of rules and then export them to a file that can be imported onto another computer. It's a handy feature if you have computers that are not domain members and therefore not subject to a centralised set of Group Policy rules.

Windows 7 is still in the very early stages of testing, so anything could potentially be changed by the time it is released. For now, though, it appears as though AppLocker may finally make software restriction policies practical.

Read more on Security policy and user awareness