1
00:00:03,060 --> 00:00:07,860
So finally, what I want to talk about is application control policies, or AppLocker.

2
00:00:08,760 --> 00:00:16,140
Which is a feature that was introduced in Windows 7 and Server 2008 R2, under Computer Configuration,

3
00:00:16,140 --> 00:00:20,490
Windows Settings, Security Settings, Application Control Policies.

4
00:00:21,390 --> 00:00:26,640
This is a successor to the software restriction policies that were available since the early days of

5
00:00:26,640 --> 00:00:27,180
Windows.

6
00:00:28,110 --> 00:00:30,300
Windows XP and even Vista.

7
00:00:31,160 --> 00:00:37,550
And it provides application whitelisting and blacklisting, which is basically the ability to allow

8
00:00:37,550 --> 00:00:40,790
or deny applications from running based on different rules.

9
00:00:41,720 --> 00:00:47,030
So here's a screenshot that kind of gives you an idea of how AppLocker's laid out in the editor.

10
00:00:47,930 --> 00:00:50,360
You can create four different types of rules.

11
00:00:51,230 --> 00:00:58,190
And those rule types are executable rules, which are, as the name implies, based on a particular

12
00:00:58,190 --> 00:01:02,180
executable or path that could reference the publisher of the executable,

13
00:01:02,210 --> 00:01:08,660
the path or the file hash, and file hash is just kind of a unique signature so that you can say this

14
00:01:08,660 --> 00:01:11,750
particular version of PowerPoint is allowed or denied.

15
00:01:12,620 --> 00:01:19,040
Installer rules apply to MSI files, so you can control what kind of MSI files are executed based on publisher,

16
00:01:19,040 --> 00:01:20,330
path or file hash.

17
00:01:21,260 --> 00:01:28,400
Script rules apply to pretty much any type of script file you can run: PowerShell, batch, command, VBS,

18
00:01:28,460 --> 00:01:30,410
VBScript or JavaScript.

19
00:01:31,300 --> 00:01:34,570
And again, based on publisher, path or file hash.

20
00:01:35,440 --> 00:01:40,960
And then for Windows 8.x modern apps, you can apply AppLocker rules to those as well to control

21
00:01:40,960 --> 00:01:43,480
which modern apps can either be installed or run.

22
00:01:44,350 --> 00:01:49,630
And that's, you know, something like saying that the Bing Travel app, or MSN Travel app, as I think

23
00:01:49,630 --> 00:01:55,480
it's called now, is not allowed to run on these particular machines that received this policy.

24
00:01:56,380 --> 00:01:58,150
So how does AppLocker work?

25
00:01:59,080 --> 00:02:02,020
So rules can either allow or deny execution.

26
00:02:02,890 --> 00:02:07,330
They can be targeted at specific users or groups, and they can have exceptions.

27
00:02:08,260 --> 00:02:15,310
So you can say all software from Adobe, published by Adobe, is allowed to run except for some particular,

28
00:02:15,310 --> 00:02:19,960
you know, Photoshop version that you don't want to have being used in your environment.

29
00:02:20,890 --> 00:02:23,170
You can also enforce rules actively.

30
00:02:24,070 --> 00:02:30,790
So you can have Windows basically shut down execution of that application or allow it, or you can just

31
00:02:30,790 --> 00:02:31,960
audit activities.

32
00:02:32,860 --> 00:02:38,350
So that AppLocker will throw off logs that say, you know, essentially this app would have been

33
00:02:38,350 --> 00:02:41,560
restricted, or met a particular rule,

34
00:02:42,450 --> 00:02:45,990
and therefore would have been affected by AppLocker policy.

35
00:02:46,890 --> 00:02:52,680
So the default rules, when you first create an AppLocker policy, allow kind of blanket executions.

36
00:02:53,610 --> 00:02:57,750
So you can then add blacklisting rules to deny particular executions.

37
00:02:58,680 --> 00:03:01,860
So blacklisting is simply, as the name implies,

38
00:03:02,760 --> 00:03:06,780
putting applications on a list to say these applications cannot run.

39
00:03:07,620 --> 00:03:10,680
And of course, it's easier to create a blacklist rule.

40
00:03:11,550 --> 00:03:15,720
But it's also less secure because you don't necessarily know what you don't want to run.

41
00:03:15,870 --> 00:03:18,240
And that list is probably always changing.

42
00:03:19,110 --> 00:03:24,480
Now, the more secure approach is to change the default rule to deny execution of everything as a

43
00:03:24,480 --> 00:03:31,200
default state, and then add whitelist rules to selectively allow the execution of those approved applications

44
00:03:31,200 --> 00:03:32,910
and processes on your systems.

45
00:03:33,810 --> 00:03:40,530
Now, this is definitely more secure, but it's also a lot harder to implement because you really do

46
00:03:40,530 --> 00:03:47,010
have to know every single process that is legitimate and that has a legitimate need to run on your given

47
00:03:47,010 --> 00:03:49,610
systems in order to create a whitelist rule.

48
00:03:50,540 --> 00:03:54,710
So let's do a quick demo of AppLocker and then we'll wrap up this module.