Windows 7 AppLocker is a great leap forward compared to its predecessor Software Restrictions which is good because the risks of uncontrolled software on desktops and laptops have never been greater. In this presentation, Randy Franklin Smith of UltimateWindowsSecurity highlights what AppLocker can do: how to deny all executables, scripts and Windows installer files other than those that you specifically allow on a user, group or organizational unit basis. Randy also highlights the limitations of AppLocker, including how this native functionality stacks up against the realities of today’s desktop/laptop environments where:
•there are many exceptions to the rule;
•many users have unique needs;
•you have multiple configurations, multiple OS versions and applications;
•and, where change is a constant.
Depending on your environment these limitations can be significant, adding up to broken workstations and extra care and feeding. For instance, AppLocker is designed for fairly homogenous environments but in many real world environments each PC is really unique which stretches the exception capabilities of AppLocker. AppLocker’s limitations carry over to handling system and application updates - endpoint change is constant and you don’t want user productivity to screech to a halt due to updating an application without updating the AppLocker policy. Then there’s the issue of reporting and visibility into what your software restriction policies are actually doing and what impact there is to your end-users.
The presentation highlights other caveats and includes a demonstration of Lumension Intelligent Whitelisting and how this innovative solution takes you beyond AppLocker and addresses the gaps and risks identified in Randy's presentation.