8/10/2019 MOAC 70-687 L07 Software Restriction and App Locker
Lesson 7: Controlling Access to Local Hardware and Applications
MOAC 70-687: Configuring Windows 8
Controlling Device Installation
The Device Installation Restrictions folder in a GPO contains policy settings that enable you to prevent Windows computers from installing and updating device drivers under specific conditions.
The policies in the Computer Configuration/Policies/Administrative Templates/System/Device Installation/Device Installation Restrictions folder enable you to specify if or when the computers on your network can install drivers for hardware devices.
2013 John Wiley & Sons, Inc. 2
Figure: The Device Installation Restrictions policies
Controlling Removable Storage Access
For control over access to specific types of removable storage at the computer level, use the policy settings in the Computer Configuration/Policies/Administrative Templates/System/Device Installation/Removable Storage Access folder.
For control at the user level, the same policies appear in the User Configuration/Policies/Administrative Templates/System/Removable Storage Access folder.
Figure: The Removable Storage Access policies
Configuring Application Restrictions
Lesson 7: Controlling Access to Local Hardware and Applications
Software Restriction Policies
Software restriction policies are Group Policy settings that enable administrators to specify the programs that are allowed to run on workstations by creating rules of various types.
Software Restriction Policy Rules
The software restriction policy rules that you can create include:
o Certificate rules
o Hash rules
o Network zone rules
o Path rules
Creating Rules
To create rules:
1. Open a Group Policy object (GPO) and browse to Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.
2. Right-click the Software Restriction Policies object.
3. From the context menu, select New Software Restriction Policies.
You create new rules of your own in the Additional Rules folder, using the dialog box.
Figure: Software Restriction Policies
Figure: The New Path Rule dialog box
Rule Settings
The three possible settings are:
Disallowed: Prevents an application matching a rule from running.
Basic user: Allows all applications not requiring administrative privileges to run. Allows applications that do require administrative privileges to run only if they match a rule.
Unrestricted: Allows an application matching a rule to run.
Using AppLocker
AppLocker, also known as application control policies, is essentially an updated version of the concept implemented in software restriction policies.
AppLocker uses rules, which administrators must manage.
Creating the rules is much easier because of a wizard-based interface.
Understanding Rule Types
The AppLocker settings are located in Group Policy objects in the Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker container.
In the AppLocker container, there are four nodes that contain the basic rule types:
o Executable Rules
o Windows Installer Rules
o Script Rules
o Packaged app Rules
Figure: The AppLocker container in a GPO
Creating Default Rules
To use AppLocker, create rules that enable users to access the files needed for Windows and the system's installed applications to run.
The simplest way to do this is to right-click each of the three rules containers and select Create Default Rules from the context menu.
Figure: The default AppLocker executable rules
Creating Rules Automatically
When you right-click one of the three rules containers and select Create Rules Automatically from the context menu, an Automatically Generate Rules Wizard appears.
After specifying the folder to be analyzed and the users or groups to which the rules should apply, a Rule Preferences page appears.
The wizard then displays a summary of its results in the Review Rules page and adds the rules to the container.
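The same three wizard stages (folder and group, rule preferences, review) can be scripted with the AppLocker PowerShell cmdlets. This is an added example, not part of the original slides; the folder, the output file, the Everyone group and the choice to stage the rules in audit-only mode are assumptions.

```powershell
# Added example (not from the slides): scripted counterpart of the
# Automatically Generate Rules Wizard, using the AppLocker cmdlets.
# Assumed values: $folder, $outFile and the Everyone group are placeholders.
Import-Module AppLocker

$folder  = 'C:\Program Files'                        # folder to be analyzed (assumed)
$outFile = Join-Path $env:TEMP 'applocker-generated.xml'

# Stage 1: the folder to analyze. Collects publisher, hash and path data
# for every executable found under it.
$files = Get-AppLockerFileInformation -Directory $folder -Recurse -FileType Exe

# Stage 2 (Rule Preferences): publisher rules for signed files, falling back
# to hash rules for unsigned ones; -Optimize merges similar rules.
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Stage 3 (Review Rules): count generated rules per collection and rule kind.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    # Assumption: stage the rules as audit-only so nothing is blocked yet.
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    $rc.ChildNodes | Group-Object { $_.LocalName } | ForEach-Object {
        '{0,-8} {1,-18} {2}' -f $rc.GetAttribute('Type'), $_.Name, $_.Count
    }
}
$policy.Save($outFile)

# Check the saved policy against real files before importing it into a GPO:
# every sampled executable should come back with an allow decision.
$sample = Get-ChildItem $folder -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -First 25 -ExpandProperty FullName
if ($sample) {
    Test-AppLockerPolicy -XmlPolicy $outFile -Path $sample -User Everyone |
        Group-Object PolicyDecision | Select-Object Name, Count
}
```

The saved XML can afterwards be imported with Set-AppLockerPolicy; files that Test-AppLockerPolicy reports as not allowed need a rule before the collection is switched from audit-only to enforced.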
Figure: The Automatically Generate Executable Rules Wizard
Figure: The Rule Preferences page of the Automatically Generate Executable Rules Wizard
Figure: The Review Rules page of the Automatically Generate Executable Rules Wizard
Creating Rules Manually
You can create rules manually using a wizard.
To start the wizard, select Create New Rule from the context menu for one of the three rule containers.
The wizard prompts you for:
o Action
o User or group
o Conditions
o Exceptions