PrepAway - Latest Free Exam Questions & Answers

You need to ensure that only a specific version of the application runs on the computer

You have a computer that runs Windows 7.
You have a third-party application. You need to ensure that only a specific version of the application runs on the
computer.
You have the application vendor’s digital signature.
What should you do?

A.
From Application Control Policies, configure a path rule.

B.
From Application Control Policies, configure a publisher rule.

C.
From Software Restriction policies, configure a path rule.

D.
From Software Restriction policies, configure a certificate rule.

Explanation:
AppLocker Application Control Policies
AppLocker is a feature new to Windows 7 that is available only in the Enterprise and Ultimate editions of the
product. AppLocker policies are conceptually similar to Software Restriction Policies, though AppLocker policies
have several advantages, such as the ability to be applied to specific user or group accounts and the ability to
apply to all future versions of a product. As you learned earlier in this chapter, hash rules apply only to a specific
version of an application and must be recalculated whenever you apply software updates to that application.
AppLocker policies are located in the Computer Configuration\Windows Settings\Security Settings\Application
Control Policies node of a standard Windows 7 or Windows Server 2008 R2 GPO.
AppLocker relies upon the Application Identity Service being active. When you install Windows 7, the startup
type of this service is set to Manual. When testing AppLocker, you should keep the startup type as Manual in
case you configure rules incorrectly. In that event, you can just reboot the computer and the AppLocker rules
will no longer be in effect. Only when you are sure that your policies are applied correctly should you set the
startup type of the Application Identity Service to Automatic. You should take great care in testing AppLocker
rules because it is possible to lock down a computer running Windows 7 to such an extent that the computer
becomes unusable. AppLocker policies are sometimes called application control policies.
AppLocker Application Control Policies – Publisher Rules
Publisher rules in AppLocker work on the basis of the code-signing certificate used by the file’s publisher.
Unlike a Software Restriction Policy certificate rule, it is not necessary to obtain a certificate to use a publisher
rule because the details of the digital signature are extracted from a reference application file. If a file has no
digital signature, you cannot restrict or allow it using AppLocker publisher rules.
Publisher rules allow you more flexibility than hash rules because you can specify not only a specific version of
a file but also all future versions of that file. This means that you do not have to re-create publisher rules each
time you apply a software update because the existing rule remains valid. You can also allow only a specific
version of a file by setting the Exactly option.
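
The Exactly option described above corresponds to a publisher rule whose low and high version bounds are identical. The following PowerShell sketch is an added example, not part of the original explanation: it builds such a rule from a reference file with the AppLocker cmdlets and tests it without applying any policy. The file paths are hypothetical placeholders.

```powershell
# Added example. Assumptions: $reference and $policyXml are hypothetical paths;
# run on a Windows 7 Enterprise/Ultimate machine where the AppLocker module exists.
Import-Module AppLocker

$reference = 'C:\Program Files\Application\App.exe'   # signed reference file (placeholder)
$policyXml = Join-Path $env:TEMP 'app-exact-version.xml'

# 1. Extract the digital signature details from the reference file.
$info = Get-AppLockerFileInformation -Path $reference
if (-not $info.Publisher) {
    # Unsigned files cannot be matched by a publisher rule at all.
    throw "No digital signature found on $reference; a publisher rule cannot be used."
}
$pub     = $info.Publisher
$version = $pub.BinaryVersion.ToString()

# 2. Generate an Allow publisher rule for Everyone as policy XML.
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
                                   -User Everyone -Xml

# 3. Pin the rule to this product, this binary and exactly this version.
#    Identical LowSection and HighSection values are what "Exactly" means;
#    HighSection="*" would instead allow this version and all future ones.
foreach ($cond in $policy.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('ProductName', $pub.ProductName)
    $cond.SetAttribute('BinaryName',  $pub.BinaryName)
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection',  $version)
    $range.SetAttribute('HighSection', $version)
}
$policy.Save($policyXml)

# 4. Evaluate the saved policy against the file. Nothing is enforced here:
#    Test-AppLockerPolicy only reports the decision the rule set would make.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $reference -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule
```

Running the last step against a copy of the application with a different file version shows whether the pinned rule still matches it, before the policy is ever imported into a GPO.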
AppLocker Application Control Policies – Path Rules
AppLocker path rules work in a similar way to Software Restriction Policy path rules. Path rules let you specify
either a folder, in which case the path rule applies to the entire contents of the folder, including subfolders, or the
path to a specific file. The advantage of path rules is that they are easy to create. The disadvantage of path rules is
that they are the least secure form of AppLocker rules. An attacker can subvert a path rule if they copy an
executable file into a folder covered by a path rule or overwrite a file that is specified by a path rule. Path rules
are only as effective as the file and folder permissions applied on the computer.
Software Restriction Policies
Software Restriction Policies is a technology available to clients running Windows 7 that is also available in Windows
XP, Windows Vista, Windows Server 2003, and Windows Server 2008. You manage Software Restriction
Policies through Group Policy. You can find Software Restriction Policies in the
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies node of a group policy. When you use
Software Restriction Policies, you use the Unrestricted setting to allow an application to execute and the
Disallowed setting to block an application from executing.
You can achieve many of the same application restriction objectives with Software Restriction Policies that you
can with AppLocker policies. The advantage of Software Restriction Policies over AppLocker policies is that
Software Restriction Policies can apply to computers running Windows XP and Windows Vista, as well as to
computers running Windows 7 editions that do not support AppLocker. The disadvantage of Software
Restriction Policies is that all rules must be created manually because there are no built-in wizards to simplify
the process of rule creation.
Software Restriction Policies – Path Rules
Path rules allow you to specify a file, folder, or registry key as the target of a Software Restriction Policy. The
more specific a path rule is, the higher its precedence. For example, if you have a path rule that sets the file
C:\Program files\Application\App.exe to Unrestricted and one that sets the folder C:\Program files\Application to
Disallowed, the more specific rule takes precedence and the application can execute. Wildcards can be used in
path rules, so it is possible to have a path rule that specifies C:\Program files\Application\*.exe. Wildcard rules
are less specific than rules that use a file’s full path.
The drawback of path rules is that they rely on files and folders remaining in place. For example, if you created
a path rule to block the application C:\Apps\Filesharing.exe, an attacker could execute the same application by
moving it to another directory or renaming it something other than Filesharing.exe. Path rules work only when
the file and folder permissions of the underlying operating system do not allow files to be moved and renamed.
Software Restriction Policies – Certificate Rules
Certificate rules use a code-signed software publisher’s certificate to identify applications signed by that
publisher. Certificate rules allow multiple applications to be the target of a single rule that is as secure as a hash
rule. It is not necessary to modify a certificate rule in the event that a software update is released by the vendor
because the updated application will still be signed using the vendor’s signing certificate. To configure a
certificate rule, you need to obtain a certificate from the vendor. Certificate rules impose a performance burden
on computers on which they are applied because the certificate’s validity must be checked before the
application can execute. Another disadvantage of certificate rules is that they apply to all applications from a
vendor. If you want to allow only 1 application from a vendor to execute but the vendor has 20 applications
available, you are better off using a different type of Software Restriction Policy because otherwise users can
execute any of those other 20 applications.

