Document Group Policy Structure and AppLocker Rule Enforcement

Updated: June 21, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This planning topic describes what you need to investigate, determine, and record in your application control policies plan by using AppLocker.

Record your findings

To complete this AppLocker planning document, you should first complete the following steps:

1. Determining Your Application Control Objectives

2. Creating the List of Applications Deployed to Each Business Group

3. Selecting the Types of Rules to Create

4. Determining Group Policy Structure and Rule Enforcement

After determining how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the Use default rule or define new rule condition column.

The following table contains the added sample data that was collected when determining enforcement settings and GPO structure for AppLocker policies.

Business group	Organizational unit	Implement AppLocker?	Applications	Installation path	Use default rule or define new rule condition	Allow or deny	GPO name
Bank Tellers	Teller-East and Teller-West	Yes	Teller Software	C:\Program Files\Woodgrove\Teller.exe	File is signed; create a publisher condition	Allow	Tellers-AppLockerTellerRules
			Windows files	C:\Windows	Create a path exception to the default rule to exclude \Windows\Temp	Allow
Human Resources	HR-All	Yes	Check Payout	C:\Program Files\Woodgrove\HR\Checkcut.exe	File is signed; create a publisher condition	Allow	HR-AppLockerHRRules
			Time Sheet Organizer	C:\Program Files\Woodgrove\HR\Timesheet.exe	File is not signed; create a file hash condition	Allow
			Internet Explorer 7	C:\Program Files\Internet Explorer\	File is signed; create a publisher condition	Deny
			Windows files	C:\Windows	Use a default rule for the Windows path	Allow

Note

In Windows Server 2012 and Windows 8, AppLocker can manage Windows 8 apps. For information about how to add rules for these apps to your existing GPO, see Add rules for Packaged apps to existing AppLocker rule-set.

Next steps

After you have determined the Group Policy structure and rule enforcement strategy for each business group's applications, the following tasks remain:

• Planning for AppLocker Policy Management

• Creating Your AppLocker Planning Document