Since this is an "allow" rule and it entails allowing a publisher, I see no reason to use exceptions here. You will only need this if there are files you want to exclude from the rule you are making. At any rate, once you make your selection click next. The nice thing about the "publisher rule" at the top is that all Google apps from now on will automatically be allowed without having to add more rules. So, for instance, if you want to allow all programs signed by "TomTom International" to be installed on the machine, then you want to go up to "Publisher." If you only want to allow this particular piece of software from TomTom, you click "Product Name." If you only want to allow this particular version of the software (2.2.7) and no future versions, then click on "File Version." As you can see, this gives quite a bit of granularity over what exactly can get installed - that is, if allowing everything from a publisher is too much for you, then you can limit it to a specific app or an app version. As you can see, the file is digitally signed and this particular screen is asking what type of rule I want to make. In the above example, I imported a "TomTom" executable that is used to install the software for my TomTom car GPS software. Once you import the reference file, you will see this screen: AppLocker should automatically import the signature. So, for instance, if you downloaded Google Chrome, you would find the installer file you just downloaded and enter it here. This screen essentially allows you to enter the reference file that contains the digital signature. Most every app from the major publishers will be signed (MS, Google, Sun, Apple, Mozilla, etc.) Some independent developers also sign their apps (if they are reputable they should already be doing this). You will want to click "Publisher" if the app in question is signed. If you have other people using your machine, you can specify for the rule to only apply to their user account. I prefer to pick "everyone," especially if I am setting this up to protect myself. Below you can pick for whom this rule will apply. (Remember, AppLocker is useful for creating whitelists, so allow should be what you use most of the time). You will want to click allow, which is the default. Then click "Create New Rule." You will see an initial screen that is only a nag screen. To do this, right click on "executable rules" if the file is an executable (or "Windows Installer File" if it's a windows installer file, or "Scripts" if the file is a script). Next, you need to create a whitelist for applications not included in this baseline. (NOTE: I recommend doing this with a fresh Windows install, or else questionable files already on the system might get whitelisted here). Do the same for Windows Installer Rules and Script Rules. First, right click on "executable rules." You will see an option for "Create Default Rules." This will create a baseline of your system and allow everything that needs to run to be able to run. exe's, windows installer files, and various scripts. Once you open it, it will look like this:Īs you can see there are 3 possible file types to set rules for. To start, open the AppLocker configuration screen (go to the start menu and enter "secpol.msc" in order to start the policy configuration tool. In cases where apps don't have a signature, then use hash rules. Ok, first of all I suggest you use publisher rules if possible.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |