{"id":642,"date":"2012-04-19T19:39:56","date_gmt":"2012-04-19T19:39:56","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=642"},"modified":"2012-04-19T19:39:56","modified_gmt":"2012-04-19T19:39:56","slug":"restrict-access-to-programs-with-applocker-in-windows-7","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=642","title":{"rendered":"Restrict Access to Programs with AppLocker in Windows 7"},"content":{"rendered":"<p>If you share a computer and don\u2019t want other users accessing certain  applications, there is a new feature in Windows 7 that allows you to  block them. Today we take a quick look at restricting what programs  other users can access using AppLocker.<\/p>\n<p><em>Note: AppLocker is only available in Ultimate and Enterprise versions of Windows 7.<\/em><\/p>\n<p><strong>Using AppLocker<\/strong><\/p>\n<p>To access Group Policy Editor and create rules in AppLocker you\u2019ll  need to be logged in as Administrator. Click on Start and type <em>gpedit.msc<\/em> into the search box and hit Enter.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"1-app\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/1app.png\" border=\"0\" alt=\"1-app\" width=\"438\" height=\"158\" \/><\/p>\n<p>Under Local Computer Policy go to Computer Configuration \\ Windows  Settings \\ Security Settings \\ Application Control Policies \\ AppLocker.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"2-app\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/2app.png\" alt=\"\" width=\"347\" height=\"505\" \/><\/p>\n<p>Now you will see the overall controls for the applications.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"3-app\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/3app.png\" alt=\"\" width=\"519\" height=\"446\" \/><\/p>\n<p>Under Configure Rule Enforcement click on the <em>Configure rule enforcement<\/em> link.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
title=\"1-applock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/1applock.png\" alt=\"\" width=\"503\" height=\"225\" \/><\/p>\n<p>Now under AppLocker Properties check the boxes next to <em>Configured <\/em>under Executable rules, then click OK.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"1-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/1lock.png\" alt=\"\" width=\"403\" height=\"585\" \/><\/p>\n<p><strong>Blocking Apps from Running<\/strong><\/p>\n<p>In this scenario, Jack wastes time playing games like Minesweeper and Solitaire when he should be doing his homework, so we are going to block all of the games. After completing the steps above, under the Overview section click on Executable Rules.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"3-applock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/3applock.png\" alt=\"\" width=\"503\" height=\"314\" \/><\/p>\n<p>Since this is your first time accessing AppLocker, there will be no rules listed. 
Right-click and select <em>Create New Rule\u2026<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"2-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/2lock.png\" alt=\"\" width=\"487\" height=\"329\" \/><\/p>\n<p>This opens up the Create Executable Rules wizard, where you can choose not to show the introduction screen the next time you access it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"9-applocker\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/9applocker.png\" alt=\"\" width=\"634\" height=\"382\" \/><\/p>\n<p>Select Permissions, then under Action select Deny.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"3-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/3lock.png\" alt=\"\" width=\"401\" height=\"316\" \/><\/p>\n<p>Add the user you want to block; in this case it\u2019s Jack.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"4-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/4lock.png\" alt=\"\" width=\"500\" height=\"286\" \/><\/p>\n<p>After you\u2019ve selected the deny action and selected the user, continue to the next step.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"5-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/5lock.png\" alt=\"\" width=\"563\" height=\"562\" \/><\/p>\n<p>In Conditions you can select from Publisher, Path or File hash. We don\u2019t want Jack to have access to any of the games, 
so we will select Path.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"6-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/6lock.png\" alt=\"\" width=\"592\" height=\"390\" \/><\/p>\n<p>Click on Browse Folders and select the Microsoft Games folder.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"7-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/7lock.png\" alt=\"\" width=\"586\" height=\"551\" \/><\/p>\n<p>In the next screen you could add Exceptions like allowing certain files, but because we are blocking the entire games directory we\u2019ll skip to the next screen.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"8-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/8lock.png\" alt=\"\" width=\"489\" height=\"416\" \/><\/p>\n<p>Here you can add a description to the rule so you can keep track of them if there are several rules configured. When everything looks right, click on Create.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"9-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/9lock.png\" alt=\"\" width=\"577\" height=\"555\" \/><\/p>\n<p>A message pops up saying default rules haven\u2019t been created yet. 
It is important to make sure they are created, so click Yes to this message.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"10-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/10lock.png\" alt=\"\" width=\"524\" height=\"242\" \/><\/p>\n<p>Now you will see the default rules and the new one you created showing Jack is denied access to the Microsoft Games directory.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"11-lock\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/11lock.png\" alt=\"\" width=\"519\" height=\"170\" \/><\/p>\n<p>After creating the rule, go into Services and make sure <em>Application Identity<\/em> is started and that it\u2019s set to start automatically as well; otherwise the rules won\u2019t work. By default this service is not started, so you will need to enable it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"sshot-2009-11-08-[22-52-10]\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/sshot20091108225210.png\" alt=\"\" width=\"448\" height=\"502\" \/><\/p>\n<p>Now, when Jack logs into his user account and tries to access the games he will only see the following message. Only an Administrator can go in and change the rule.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"sshot-10000\" src=\"http:\/\/www.howtogeek.com\/wp-content\/uploads\/2009\/11\/sshot10000.png\" alt=\"\" width=\"600\" height=\"167\" \/><\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>Use caution when configuring the rules and only start the Application Identity service after everything looks right. Otherwise you have the potential of locking yourself out of all applications including AppLocker. AppLocker is a powerful feature included in Windows 7 and we showed you a basic rule so you can get an idea of how it works. 
In the  future we\u2019ll take a look at more complex tasks to accomplish and gain  tight control over what programs each user is able to access.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you share a computer and don\u2019t want other users accessing certain applications, there is a new feature in Windows 7 that allows you to block them. Today we take a quick look at restricting what programs other users can access using AppLocker. Note: AppLocker is only available in Ultimate and Enterprise versions of Windows [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-642","post","type-post","status-publish","format-standard","hentry","category-win_7"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=642"}],"version-history":[{"count":2,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/642\/revisions"}],"predecessor-version":[{"id":644,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/642\/revisions\/644"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest
_route=%2Fwp%2Fv2%2Ftags&post=642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}