MOAC 70-687 L07 Software Restriction and App Locker

  • 8/10/2019 MOAC 70-687 L07 Software Restriction and App Locker

    Lesson 7: Controlling Access to Local Hardware and Applications

    MOAC 70-687: Configuring Windows 8

    Controlling Device Installation

    The Device Installation Restrictions folder in a GPO contains policy settings that enable you to prevent Windows computers from installing and updating device drivers under specific conditions.

    The policies in the Computer Configuration/Policies/Administrative Templates/System/Device Installation/Device Installation Restrictions folder enable you to specify if or when the computers on your network can install drivers for hardware devices.

    2013 John Wiley & Sons, Inc. 2

    Controlling Device Installation

    The Device Installation Restrictions policies

    Controlling Removable Storage Access

    For control over access to specific types of removable storage at the computer level, use the policy settings in the Computer Configuration/Policies/Administrative Templates/System/Device Installation/Removable Storage Access folder.

    For control at the user level, the same policies appear in the User Configuration/Policies/Administrative Templates/System/Removable Storage Access folder.

    Controlling Removable Storage Access

    The Removable Storage Access policies

    Configuring Application Restrictions

    Lesson 7: Controlling Access to Local Hardware and Applications

    Software Restriction Policies

    Software restriction policies are Group Policy settings that enable administrators to specify the programs that are allowed to run on workstations by creating rules of various types.

    Software Restriction Policy Rules

    The software restriction policy rules that you can create include:

    o Certificate rules

    o Hash rules

    o Network zone rules

    o Path rules

    Creating Rules

    To create rules:

    1. Open a Group Policy object (GPO) and browse to Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies.

    2. Right-click the Software Restriction Policies object.

    3. From the context menu, select New Software Restriction Policies.

    You create new rules of your own in the Additional Rules folder, using the dialog box.

    Creating Rules

    Software Restriction Policies

    Creating Rules

    The New Path Rule dialog box

    Rule Settings

    The three possible settings are:

    o Disallowed: Prevents an application matching a rule from running.

    o Basic user: Allows all applications not requiring administrative privileges to run. Allows applications that do require administrative privileges to run only if they match a rule.

    o Unrestricted: Allows an application matching a rule to run.

    Using AppLocker

    AppLocker, also known as application control policies, is essentially an updated version of the concept implemented in software restriction policies.

    AppLocker uses rules, which administrators must manage.

    Creating the rules is much easier because of a wizard-based interface.

    Understanding Rule Types

    The AppLocker settings are located in Group Policy objects in the Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker container.

    In the AppLocker container, there are four nodes that contain the basic rule types:

    o Executable Rules

    o Windows Installer Rules

    o Script Rules

    o Packaged app Rules

    Understanding Rule Types

    The AppLocker container in a GPO

    Creating Default Rules

    To use AppLocker, create rules that enable users to access the files needed for Windows and the system's installed applications to run.

    The simplest way to do this is to right-click each of the three rules containers and select Create Default Rules from the context menu.

    Creating Default Rules

    The default AppLocker executable rules

    Creating Rules Automatically

    When you right-click one of the three rules containers and select Create Rules Automatically from the context menu, an Automatically Generate Rules Wizard appears.

    After specifying the folder to be analyzed and the users or groups to which the rules should apply, a Rule Preferences page appears.

    The wizard then displays a summary of its results in the Review Rules page and adds the rules to the container.
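
    The same sequence (folder to analyze, users or groups, rule preferences, review, add) can be scripted with the AppLocker PowerShell cmdlets. This is an added example, not part of the original lesson; the folder, group, rule-name prefix and output path are assumptions.

    ```powershell
    # Added example: scripted counterpart of the automatic rule wizard.
    Import-Module AppLocker

    # Assumptions (not from the lesson): folder, group, prefix, output path.
    $Folder     = 'C:\Program Files'
    $Principal  = 'Everyone'
    $PolicyFile = Join-Path $env:TEMP 'applocker-generated.xml'
    $Apply      = $false   # set to $true to merge into the local policy

    # Folder to analyze: collect publisher, hash and path information
    # for every executable under the folder.
    $files = Get-AppLockerFileInformation -Directory $Folder -Recurse -FileType Exe

    # Rule preferences: publisher rules for signed files, file hash rules
    # as the fallback for unsigned ones. -Optimize groups similar files
    # into fewer rules; -Xml returns the policy as an XML string.
    $xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash `
        -User $Principal -RuleNamePrefix 'Generated' -Optimize -Xml
    Set-Content -Path $PolicyFile -Value $xml -Encoding UTF8

    # Review: number of rules generated per rule collection.
    ([xml]$xml).AppLockerPolicy.RuleCollection |
        Select-Object Type, @{ n = 'Rules'; e = { $_.ChildNodes.Count } }

    # Review: what the generated policy would decide for files OUTSIDE
    # the scanned folder. Files matched by no rule are reported as
    # DeniedByDefault, which is why the default rules are created first.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -User $Principal `
        -Path "$env:SystemRoot\System32\*.exe" |
        Group-Object PolicyDecision |
        Select-Object Name, Count

    # Add the rules to the container. Without -Ldap the target is the
    # local policy; -Merge keeps the rules that are already there.
    if ($Apply) {
        Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
    }
    ```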

    Creating Rules Automatically

    The Automatically Generate Executable Rules Wizard

    Creating Rules Automatically

    The Rule Preferences page of the Automatically Generate Executable Rules Wizard

    Creating Rules Automatically

    The Review Rules page of the Automatically Generate Executable Rules Wizard

    Creating Rules Manually

    You can create rules manually using a wizard.

    To start the wizard, select Create New Rule from the context menu for one of the three rule containers.

    The wizard prompts you for:

    o Action

    o User or group

    o Conditions

    o Exceptions
