PrepAway - Latest Free Exam Questions & Answers

You need to ensure that only a specific version of the application runs on the computer

You have a computer that runs Windows 7.
You have a third-party application.
You need to ensure that only a specific version of the application runs on the computer. You have
the application vendor’s digital signature.
What should you do?

A. From Application Control Policies, configure a path rule.

B. From Application Control Policies, configure a publisher rule.

C. From Software Restriction Policies, configure a path rule.

D. From Software Restriction Policies, configure a certificate rule.

Explanation:
AppLocker Application Control Policies
AppLocker is a feature new to Windows 7 that is available only in the Enterprise and Ultimate
editions of the product. AppLocker policies are conceptually similar to Software Restriction Policies,
though AppLocker policies have several advantages, such as the ability to be applied to specific user
or group accounts and the ability to apply to all future versions of a product. As you learned earlier
in this chapter, hash rules apply only to a specific version of an application and must be recalculated
whenever you apply software updates to that application. AppLocker policies are located in the
Computer Configuration\Windows Settings\Security Settings\Application Control Policies node of a
standard Windows 7 or Windows Server 2008 R2 GPO. AppLocker relies upon the Application
Identity Service being active. When you install Windows 7, the startup type of this service is set to
Manual. When testing AppLocker, you should keep the startup type as Manual in case you configure
rules incorrectly. In that event, you can just reboot the computer and the AppLocker rules will no
longer be in effect. Only when you are sure that your policies are applied correctly should you set
the startup type of the Application Identity Service to Automatic. You should take great care in
testing AppLocker rules because it is possible to lock down a computer running Windows 7 to such
an extent that the computer becomes unusable. AppLocker policies are sometimes called application
control policies.
AppLocker Application Control Policies – Publisher Rules
Publisher rules in AppLocker work on the basis of the code-signing certificate used by the file’s
publisher. Unlike a Software Restriction Policy certificate rule, it is not necessary to obtain a
certificate to use a publisher rule because the details of the digital signature are extracted from a
reference application file. If a file has no digital signature, you cannot restrict or allow it using
AppLocker publisher rules. Publisher rules allow you more flexibility than hash rules because you can
specify not only a specific version of a file but also all future versions of that file. This means that you
do not have to re-create publisher rules each time you apply a software update because the existing
rule remains valid. You can also allow only a specific version of a file by setting the Exactly option.
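In an exported AppLocker policy, the Exactly option corresponds to a version range whose low and high bounds are equal. The following PowerShell is an added example, not part of the original explanation: it reads the publisher details from a reference file, writes an audit-only publisher rule pinned to that file's version, and tests the file against it. The reference path and the policy file name are assumptions.

```powershell
# Added example. The reference path and policy file name are assumptions.
Import-Module AppLocker

$reference = 'C:\Program Files\Application\App.exe'      # hypothetical reference file
$policyXml = Join-Path $env:TEMP 'App-exact-version.xml' # hypothetical output file

# XML-escape attribute values (product names often contain & or quotes).
function Esc($s) { [System.Security.SecurityElement]::Escape($s) }

# Signature details come from the reference file itself; no certificate file is needed.
$info = Get-AppLockerFileInformation -Path $reference
if (-not $info.Publisher -or -not $info.Publisher.PublisherName) {
    throw "$reference has no digital signature; a publisher rule cannot match it."
}
$p   = $info.Publisher
$ver = $p.BinaryVersion.ToString()

# LowSection = HighSection pins the rule to one version (the "Exactly" option).
# HighSection="*" would instead allow this version and every later one.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="App.exe exactly $ver"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $p.PublisherName)"
            ProductName="$(Esc $p.ProductName)" BinaryName="$(Esc $p.BinaryName)">
          <BinaryVersionRange LowSection="$ver" HighSection="$ver" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyXml -Value $xml -Encoding UTF8

# Evaluate the reference file against the rule without applying the policy.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $reference -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# AppLocker is only enforced while the Application Identity service runs;
# keep it on Manual during testing so a reboot clears a bad rule set.
Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'" |
    Select-Object Name, StartMode, State
```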
AppLocker Application Control Policies – Path Rules
AppLocker path rules work in a similar way to Software Restriction Policy path rules. Path rules let
you specify a folder, in which case the path rule applies to the entire contents of the folder, including
subfolders, or the path to a specific file. The advantage of path rules is that they are easy to create.
The disadvantage of path rules is that they are the least secure form of AppLocker rules. An attacker
can subvert a path rule if they copy an executable file into a folder covered by a path rule or
overwrite a file that is specified by a path rule. Path rules are only as effective as the file and folder
permissions applied on the computer.
Software Restriction Policies
Software Restriction Policies is a technology available to clients running Windows 7 that is also
available in Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. You manage
Software Restriction Policies through Group Policy. You can find Software Restriction Policies in the
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies node of a
group policy. When you use Software Restriction Policies, you use the Unrestricted setting to allow
an application to execute and the Disallowed setting to block an application from executing. You can
achieve many of the same application restriction objectives with Software Restriction Policies that
you can with AppLocker policies. The advantage of Software Restriction Policies over AppLocker
policies is that Software Restriction Policies can apply to computers running Windows XP and
Windows Vista, as well as to computers running Windows 7 editions that do not support AppLocker.
The disadvantage of Software Restriction Policies is that all rules must be created manually because
there are no built-in wizards to simplify the process of rule creation.
Software Restriction Policies – Path Rules
Path rules allow you to specify a file, folder, or registry key as the target of a Software Restriction
Policy. The more specific a path rule is, the higher its precedence. For example, if you have a path
rule that sets the file C:\Program files\Application\App.exe to Unrestricted and one that sets the
folder C:\Program files\Application to Disallowed, the more specific rule takes precedence and the
application can execute. Wildcards can be used in path rules, so it is possible to have a path rule that
specifies C:\Program files\Application\*.exe. Wildcard rules are less specific than rules that use a
file’s full path. The drawback of path rules is that they rely on files and folders remaining in place.
For example, if you created a path rule to block the application C:\Apps\Filesharing.exe, an attacker
could execute the same application by moving it to another directory or renaming it something
other than Filesharing.exe. Path rules work only when the file and folder permissions of the
underlying operating system do not allow files to be moved and renamed.
Software Restriction Policies – Certificate Rules
Certificate rules use a code-signed software publisher’s certificate to identify applications signed by
that publisher. Certificate rules allow multiple applications to be the target of a single rule that is as
secure as a hash rule. It is not necessary to modify a certificate rule in the event that a software
update is released by the vendor because the updated application will still be signed using the
vendor’s signing certificate. To configure a certificate rule, you need to obtain a certificate from the
vendor. Certificate rules impose a performance burden on computers on which they are applied
because the certificate’s validity must be checked before the application can execute. Another
disadvantage of certificate rules is that they apply to all applications from a vendor. If you want to
allow only 1 application from a vendor to execute but the vendor has 20 applications available, you
are better off using a different type of Software Restriction Policy because otherwise users can
execute any of those other 20 applications.