Windows 7 is set to be an epoch-making product as the high-profile next-generation mainstream operating system. Besides learning the lessons of Windows Vista, Microsoft has added a number of new and convenient features, such as BitLocker To Go, which encrypts removable storage devices directly, and the ability to install the system to a VHD image. The frequency of UAC security prompts has also been reduced in Windows 7. Many users may think that User Account Control has been weakened; in fact, this is an improvement over the cumbersome user control of Windows Vista. If you need more secure and flexible control over the programs, files and scripts that users may execute, Windows 7 already provides a more practical tool, AppLocker, whose Chinese name translates as "application control policy". So, how do we use this security feature?
1. Enabling AppLocker has a catch
Enabling AppLocker is relatively simple. First, enter "Gpedit.msc" in the Windows 7 search box to open the Group Policy Editor, then navigate to "Computer Configuration - Windows Settings - Security Settings - Application Control Policies - AppLocker". AppLocker has three rule collections: Executable Rules, Windows Installer Rules and Script Rules. No rules are present by default, so let's create the simplest executable rules. Right-click the "Executable Rules" item and choose "Create Default Rules" to create three executable rules (Figure 1). The first rule allows all users to run programs in the "Program Files" folder; the second allows all users to run programs in the "Windows" folder; the third allows members of the Administrators group to run all programs. The current user runs programs with normal user rights, so you can double-click the first rule and, in the window that pops up, set "Action" to "Deny" to block the running of any program in that folder (Figure 2). However, we find that the policy does not take effect. What is the reason?
Figure 1
Figure 2
In fact, AppLocker enforcement is switched off by default and has to be turned on. Enter "Services.msc" in the Windows 7 search box to open the "Services" window and open the "Application Identity" service, which verifies the identity of applications. By default this service is stopped, which prevents the system from enforcing AppLocker, so click the "Start" button to start it (Figure 3). Now run any program in the "Program Files" folder again and the blocked-program window pops up (Figure 4): the policy has just taken effect. Because a deny rule has the highest priority, none of the programs in this folder can be started any more; the only way to run one is to right-click it and choose "Run as administrator", since the third default rule still allows administrators to run everything.
Figure 3
Figure 4
2. Personalizing the AppLocker policy
Even with the first policy restored, we find that Windows 7 only lets ordinary users run programs in the "Program Files" and "Windows" folders, which is sometimes very inconvenient. So how do we let ordinary users run programs in any directory? We can modify the first policy: open it, go to the "Path" tab and simply change the path to * (Figure 5). The change may not take effect immediately; enter the "Gpupdate" command in the search box to refresh Group Policy.
Figure 5
The policy above lets any user run every program. If we need to stop users from running certain programs, open the first policy and switch to the "Exceptions" tab. For example, to prevent Foxmail from running, choose the exception type under "Add exception", click the "Add" button, then click "Browse Files" and pick the Foxmail executable (Figure 6). Afterwards, an ordinary user who runs Foxmail will see a prompt that the program is blocked (Figure 7).
Figure 6
Figure 7
3. Creating a practical program restriction policy
We have just introduced the basic setup and its effect using the default AppLocker rules, so how can AppLocker be applied more effectively to restrict programs? Suppose we want to create a policy that stops a child from using QQ2009 SP2. Right-click the blank pane on the right and choose "Create New Rule", which opens the "Create Executable Rules" wizard (Figure 8); click "Next".

Next, choose the permissions: set the action to "Deny", then click the "Select" button under "User or group" to choose the child's account (Figure 9). In the "Select User or Group" window click "Advanced", then "Find Now", and double-click the "Little Naughty" user (assumed to be the child's account) to select it (Figure 10). Back in the previous window, click "Next".

Now choose the type of primary condition. If the application is signed by its publisher, selecting "Publisher" is fastest; otherwise choose the "File hash" condition, which requires computing the hash of the file and is slightly slower. The "Path" condition is not recommended, because the child only has to change the program's installation path to escape the restriction (Figure 11). Here we only need to select "Publisher"; click "Next".

In the "Publisher" window, click "Browse" to select the QQ executable; the file's publisher, product name, file name and file version are displayed (Figure 12). By default only the current version of QQ is restricted. Drag the slider on the left up to the "File name" position to restrict any version of the QQ program (Figure 13); dragging further up to "Publisher" restricts all Tencent software, and the top position restricts all programs. We only need to drag it to "File name"; click "Next".

Then we can add exceptions, for example to let the child still run a lower version of QQ: select the "Path" condition, click "Add" and select the path of that QQ version (Figure 14); click "Next". Finally, enter a name and description and click "Create" to finish (Figure 15).
Figure 8
Figure 9
Figure 10
Figure 11
Figure 12
Figure 13
Figure 14
Figure 15
So what is the final effect of the restriction? The child can run QQ2008 but cannot run QQ2009 SP2 (Figure 16): the intended goal has been achieved.
Figure 16
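The same rule built from PowerShell's AppLocker module, as an added example that is not part of the original article: it reads the publisher information from the signed executable, writes a deny rule for one account with a path exception at the "File name" slider level, dry-runs the decision with Test-AppLockerPolicy, and merges the rule into the local policy. The account name and the two QQ paths are assumptions.

```powershell
# Added example (not from the original article): build the Section 3 rule from
# PowerShell instead of the Group Policy editor. Assumed values: the child's
# account name, the QQ2009 executable path and the QQ2008 exception folder.
Import-Module AppLocker

$childUser   = 'naughty'                                     # assumed account name
$newQQ       = 'C:\Program Files\Tencent\QQ2009\Bin\QQ.exe'  # assumed path
$oldQQFolder = '%PROGRAMFILES%\Tencent\QQ2008\*'             # assumed exception path
# 1. AppLocker only enforces rules while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
# 2. Read publisher, product and binary name from the file's signature.
$info = Get-AppLockerFileInformation -Path $newQQ
if (-not $info.Publisher) { throw 'File is not signed; use a file hash rule instead.' }
$pub = $info.Publisher
# 3. Resolve the child's SID so the rule applies to that account only.
$account = New-Object System.Security.Principal.NTAccount($childUser)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 4. Deny rule at the "File name" slider position: publisher, product and binary
#    name fixed, any version (* .. *), with the old QQ folder as an exception.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny QQ for $childUser"
        Description="Added example" UserOrGroupSid="$sid" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pub.PublisherName)"
            ProductName="$($pub.ProductName)" BinaryName="$($pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="$oldQQFolder" />
      </Exceptions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\deny-qq.xml"
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# 5. Dry-run the decision before enforcing: expect PolicyDecision = Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $newQQ -User $childUser |
    Format-Table FilePath, PolicyDecision, MatchingRule
# 6. Merge into the local policy so the default allow rules survive; Deny wins.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
gpupdate /force
```

Without -Merge, Set-AppLockerPolicy replaces the whole local policy, which would drop the default allow rules and block every other program for non-administrators.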
AppLocker can create Windows Installer rules and script rules in the same way as executable rules. Restricting application installation with file hash rules improves system security, and script rules can ensure that only trusted scripts run, reducing the risk of infection. AppLocker is convenient and quick to operate, suitable for ordinary users who want to strengthen the system's security line, and administrators can deploy it efficiently across a network through Group Policy.