deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Html to md table conversion- batch 27

Browse Source
This commit is contained in:
Alekhya Jupudi
2021-12-02 18:55:53 +05:30
parent 72d0aad678
commit 6cdb6455eb
15 changed files with 203 additions and 1383 deletions
Download Patch File Download Diff File Expand all files Collapse all files

213
windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
View File

@ -26,193 +26,54 @@ See [Windows 10 (and Windows 11) settings to protect devices using Intune](/intu
## Group Policy settings
SmartScreen uses registry-based Administrative Template policy settings.
<table>
<tr>
<th align="left">Setting</th>
<th align="left">Supported on</th>
<th align="left">Description</th>
</tr>
<tr>
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>
<td><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p><b>Windows 10, Version 1607 and earlier:</b><br>Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen<br><br>
<b>At least Windows Server 2012, Windows 8 or Windows RT</b></td>
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
</tr>
<tr>
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.</br></br> This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.</p><p><b>Important:</b> Using a trustworthy browser helps ensure that these protections work as expected.</p></td>
</tr>
<tr>
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p><b>Windows 10, Version 1607 and earlier:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
<td>Microsoft Edge on Windows 10 or Windows 11</td>
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
</tr>
<tr>
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p><b>Windows 10, Version 1511 and 1607:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files</td>
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.</td>
</tr>
<tr>
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p><b>Windows 10, Version 1511 and 1607:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites</td>
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter</td>
<td>Internet Explorer 9 or later</td>
<td>This policy setting prevents the employee from managing Microsoft Defender SmartScreen.<p>If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.<p>If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings</td>
<td>Internet Explorer 8 or later</td>
<td>This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet</td>
<td>Internet Explorer 9 or later</td>
<td>This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.</td>
</tr>
</table>
Setting|Supported on|Description|
|--- |--- |--- |
|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen<p>**At least Windows Server 2012, Windows 8 or Windows RT**|This policy setting turns on Microsoft Defender SmartScreen. <p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.|
|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.<p>**Important:** Using a trustworthy browser helps ensure that these protections work as expected.|
|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen|Microsoft Edge on Windows 10 or Windows 11|This policy setting turns on Microsoft Defender SmartScreen. <p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.|
|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.|
|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.|
|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.<p>If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.|
|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings|Internet Explorer 8 or later|This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.|
|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.|
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support desktop computers running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune. <br><br>
For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser).
<table>
<tr>
<th align="left">Setting</th>
<th align="left">Supported versions</th>
<th align="left">Details</th>
</tr>
<tr>
<td>AllowSmartScreen</td>
<td>Windows 10</td>
<td>
<ul>
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen</li>
<li><b>Data type.</b> Integer</li>
<li><b>Allowed values:</b><ul>
<li><b>0 .</b> Turns off Microsoft Defender SmartScreen in Edge.</li>
<li><b>1.</b> Turns on Microsoft Defender SmartScreen in Edge.</li></ul></li></ul>
</td>
</tr>
<tr>
<td>EnableAppInstallControl</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl</li>
<li><b>Data type.</b> Integer</li>
<li><b>Allowed values:</b><ul>
<li><b>0 .</b> Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.</li>
<li><b>1.</b> Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.</li></ul></li></ul>
</td>
</tr>
<tr>
<td>EnableSmartScreenInShell</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell</li>
<li><b>Data type.</b> Integer</li>
<li><b>Allowed values:</b><ul>
<li><b>0 .</b> Turns off Microsoft Defender SmartScreen in Windows for app and file execution.</li>
<li><b>1.</b> Turns on Microsoft Defender SmartScreen in Windows for app and file execution.</li></ul></li></ul>
</td>
</tr>
<tr>
<td>PreventOverrideForFilesInShell</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell</li>
<li><b>Data type.</b> Integer</li>
<li><b>Allowed values:</b><ul>
<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.</li>
<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.</li></ul></li></ul>
</td>
</tr>
<tr>
<td>PreventSmartScreenPromptOverride</td>
<td>Windows 10, Version 1511 and Windows 11</td>
<td>
<ul>
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride</li>
<li><b>Data type.</b> Integer</li>
<li><b>Allowed values:</b><ul>
<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings.</li>
<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings.</li></ul></li></ul>
</td>
</tr>
<tr>
<td>PreventSmartScreenPromptOverrideForFiles</td>
<td>Windows 10, Version 1511 and Windows 11</td>
<td>
<ul>
<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles</li>
<li><b>Data type.</b> Integer</li>
<li><b>Allowed values:</b><ul>
<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings for files.</li>
<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings for files.</li></ul></li></ul>
</td>
</tr>
</table>
|Setting|Supported versions|Details|
|--- |--- |--- |
|AllowSmartScreen|Windows 10|<li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen<li>**Data type.** Integer**Allowed values:**<ul><li>**0 .** Turns off Microsoft Defender SmartScreen in Edge.<li>**1.** Turns on Microsoft Defender SmartScreen in Edge.|
|EnableAppInstallControl|Windows 10, version 1703|<li>**URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl<li>**Data type.** Integer**Allowed values:**<ul><li>**0 .** Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.<li>**1.** Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.|
|EnableSmartScreenInShell|Windows 10, version 1703|<li>**URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell<li>**Data type.** Integer**Allowed values:**<ul><li>**0 .** Turns off Microsoft Defender SmartScreen in Windows for app and file execution.<li>**1.** Turns on Microsoft Defender SmartScreen in Windows for app and file execution.|
|PreventOverrideForFilesInShell|Windows 10, version 1703|<li>**URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell<li>**Data type.** Integer**Allowed values:**<ul><li>**0 .** Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.<li>**1.** Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.|
|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|<li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride<li>**Data type.** Integer**Allowed values:**<ul><li>**0 .** Employees can ignore Microsoft Defender SmartScreen warnings.<li>**1.** Employees can't ignore Microsoft Defender SmartScreen warnings.|
|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|<li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles<li>**Data type.** Integer**Allowed values:**<ul><li>**0 .** Employees can ignore Microsoft Defender SmartScreen warnings for files.<li>**1.** Employees can't ignore Microsoft Defender SmartScreen warnings for files.|
## Recommended Group Policy and MDM settings for your organization
By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
<table>
<tr>
<th align="left">Group Policy setting</th>
<th align="left">Recommendation</th>
</tr>
<tr>
<td>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)</td>
<td><b>Enable.</b> Turns on Microsoft Defender SmartScreen.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)</td>
<td><b>Enable.</b> Stops employees from ignoring warning messages and continuing to a potentially malicious website.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later) </td>
<td><b>Enable.</b> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen</td>
<td><b>Enable with the Warn and prevent bypass option.</b> Stops employees from ignoring warning messages about malicious files downloaded from the Internet.</td>
</tr>
</table>
<p>
<table>
<tr>
<th align="left">MDM setting</th>
<th align="left">Recommendation</th>
</tr>
<tr>
<td>Browser/AllowSmartScreen</td>
<td><b>1.</b> Turns on Microsoft Defender SmartScreen.</td>
</tr>
<tr>
<td>Browser/PreventSmartScreenPromptOverride</td>
<td><b>1.</b> Stops employees from ignoring warning messages and continuing to a potentially malicious website.</td>
</tr>
<tr>
<td>Browser/PreventSmartScreenPromptOverrideForFiles</td>
<td><b>1.</b> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
</tr>
<tr>
<td>SmartScreen/EnableSmartScreenInShell</td>
<td><b>1.</b> Turns on Microsoft Defender SmartScreen in Windows.<p>Requires at least Windows 10, version 1703.</td>
</tr>
<tr>
<td>SmartScreen/PreventOverrideForFilesInShell</td>
<td><b>1.</b> Stops employees from ignoring warning messages about malicious files downloaded from the Internet.<p>Requires at least Windows 10, version 1703.</td>
</tr>
</table>
|Group Policy setting|Recommendation|
|--- |--- |
|Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)|**Enable.** Turns on Microsoft Defender SmartScreen.|
|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)|**Enable.** Stops employees from ignoring warning messages and continuing to a potentially malicious website.|
|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)|**Enable.** Stops employees from ignoring warning messages and continuing to download potentially malicious files.|
|Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen|**Enable with the Warn and prevent bypass option.** Stops employees from ignoring warning messages about malicious files downloaded from the Internet.|
|MDM setting|Recommendation|
|--- |--- |
|Browser/AllowSmartScreen|**1.** Turns on Microsoft Defender SmartScreen.|
|Browser/PreventSmartScreenPromptOverride|**1.** Stops employees from ignoring warning messages and continuing to a potentially malicious website.|
|Browser/PreventSmartScreenPromptOverrideForFiles|**1.** Stops employees from ignoring warning messages and continuing to download potentially malicious files.|
|SmartScreen/EnableSmartScreenInShell|**1.** Turns on Microsoft Defender SmartScreen in Windows.<p>Requires at least Windows 10, version 1703.|
|SmartScreen/PreventOverrideForFilesInShell|**1.** Stops employees from ignoring warning messages about malicious files downloaded from the Internet.<p>Requires at least Windows 10, version 1703.|
## Related topics
- [Threat protection](../index.md)
- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)

15
windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
View File

@ -30,18 +30,9 @@ Describes the best practices, location, values, management practices, and securi
The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it is unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message in the case of a failure of the auditing system. Enabling this policy setting stops the system if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**.
With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry cannot be overwritten, the following Stop message appears:
<table>
<colgroup>
<col width="100%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>STOP: C0000244 {Audit Failed}</p>
<p>An attempt to generate a security audit failed.</p></td>
</tr>
</tbody>
</table>
**STOP: C0000244 {Audit Failed}**: An attempt to generate a security audit failed.
To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired.
If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident.

66
windows/security/threat-protection/windows-10-mobile-security-guide.md
View File

@ -156,59 +156,21 @@ Windows 10 Mobile supports both [FIPS 140 standards](http://csrc.nist.gov/groups
The best way to fight malware is prevention. Windows 10 Mobile provides strong malware resistance through secured hardware, startup process defenses, core operating system architecture, and application-level protections.
The table below outlines how Windows 10 Mobile mitigates specific malware threats.
<table>
<colgroup>
<col width="40%" />
<col width="60%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Threat</th>
<th align="left">Windows 10 Mobile mitigation</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Firmware bootkits replace the firmware with malware.</p></td>
<td align="left"><p>All certified devices include Unified Extensible Firmware (UEFI) with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Bootkits start malware before Windows starts.</p></td>
<td align="left"><p>UEFI with Secure Boot verifies Windows bootloader integrity to help ensure that no malicious operating system can start before Windows.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>System or driver rootkits (typically malicious software that hides from the operating system) start kernel- level malware while Windows is starting, before antimalware solutions can start.</p></td>
<td align="left"><p>Windows Trusted Boot verifies Windows boot components, including Microsoft drivers. Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure that Trusted Boot and other boot components successfully checked the system.</p></td>
</tr>
<tr class="even">
<td align="left"><p>An app infects other apps or the operating system with malware.</p></td>
<td align="left"><p>All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>An unauthorized app or malware attempts to start on the device.</p></td>
<td align="left"><p>All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.</p></td>
</tr>
<tr class="even">
<td align="left"><p>User-level malware exploits a vulnerability in the system or an application and owns the device.</p></td>
<td align="left"><p>Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.</p>
<p>Protected Processes isolates non-trusted processes from each other and from sensitive operating system components.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Users access a dangerous website without knowledge of the risk.</p></td>
<td align="left"><p>The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Malware exploits a vulnerability in a browser add-on.</p></td>
<td align="left"><p>Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.</p></td>
<td align="left"><p>Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.</p></td>
</tr>
</tbody>
</table>
|Threat|Windows 10 Mobile mitigation|
|--- |--- |
|Firmware bootkits replace the firmware with malware.|All certified devices include Unified Extensible Firmware (UEFI) with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.|
|Bootkits start malware before Windows starts.|UEFI with Secure Boot verifies Windows bootloader integrity to help ensure that no malicious operating system can start before Windows.|
|System or driver rootkits (typically malicious software that hides from the operating system) start kernel- level malware while Windows is starting, before antimalware solutions can start.|Windows Trusted Boot verifies Windows boot components, including Microsoft drivers. Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure that Trusted Boot and other boot components successfully checked the system.|
|An app infects other apps or the operating system with malware.|All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.|
|An unauthorized app or malware attempts to start on the device.|All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.|
|User-level malware exploits a vulnerability in the system or an application and owns the device.|Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.<p>Protected Processes isolates non-trusted processes from each other and from sensitive operating system components.|
|Users access a dangerous website without knowledge of the risk.|The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.|
|Malware exploits a vulnerability in a browser add-on.|Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.|
|A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.|Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.|
>**Note:** The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed.
>[!NOTE]
> The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed.
### <a href="" id="companion-devices"></a>UEFI with Secure Boot

83
windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
View File

@ -50,76 +50,21 @@ You can perform this task by using the Group Policy Management Console for an Ap
3. On the **Before You Begin** page, select **Next**.
4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
5. On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Selection</th>
<th align="left">Description</th>
<th align="left">Example</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><b>Use an installed packaged app as a reference</b></p></td>
<td align="left"><p>If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.</p></td>
<td align="left"><p>You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.</p></td>
</tr>
<tr class="even">
<td align="left"><p><b>Use a packaged app installer as a reference</b></p></td>
<td align="left"><p>If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.</p></td>
<td align="left"><p>Your company has developed many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.</p></td>
</tr>
</tbody>
</table>
 
|Selection|Description|Example|
|--- |--- |--- |
|**Use an installed packaged app as a reference**|If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.|You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.|
|**Use a packaged app installer as a reference**|If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.|Your company has developed many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.|
The following table describes setting the scope for the packaged app rule.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Selection</th>
<th align="left">Description</th>
<th align="left">Example</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Applies to <b>Any publisher</b></p></td>
<td align="left"><p>This is the least restrictive scope condition for an <b>Allow</b> rule. It permits every packaged app to run or install.</p>
<p>Conversely, if this is a <b>Deny</b> rule, then this option is the most restrictive because it denies all apps from installing or running.</p></td>
<td align="left"><p>You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Applies to a specific <b>Publisher</b></p></td>
<td align="left"><p>This scopes the rule to all apps published by a particular publisher.</p></td>
<td align="left"><p>You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Applies to a <b>Package name</b></p></td>
<td align="left"><p>This scopes the rule to all packages that share the publisher name and package name as the reference file.</p></td>
<td align="left"><p>You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Applies to a <b>Package version</b></p></td>
<td align="left"><p>This scopes the rule to a particular version of the package.</p></td>
<td align="left"><p>You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Applying custom values to the rule</p></td>
<td align="left"><p>Selecting the <b>Use custom values</b> check box allows you to adjust the scope fields for your particular circumstance.</p></td>
<td align="left"><p>You want to allow users to install all Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the <b>Use custom values</b> check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.</p></td>
</tr>
</tbody>
</table>
|Selection|Description|Example|
|--- |--- |--- |
|Applies to **Any publisher**|This is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install. <p>Conversely, if this is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running.|You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.|
|Applies to a specific **Publisher**|This scopes the rule to all apps published by a particular publisher.|You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.|
|Applies to a **Package name**|This scopes the rule to all packages that share the publisher name and package name as the reference file.|You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.|
|Applies to a **Package version**|This scopes the rule to a particular version of the package.|You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.|
|Applying custom values to the rule|Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance.|You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.|
 
6. Select **Next**.
7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.

150
windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
View File

@ -37,137 +37,23 @@ There are management and maintenance costs associated with a list of allowed app
Use the following table to develop your own objectives and determine which application control feature best addresses those objectives.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Application control function</th>
<th align="left">SRP</th>
<th align="left">AppLocker</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Scope</p></td>
<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
<td align="left"><p>AppLocker policies apply only to the support versions of Windows listed in <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Policy creation</p></td>
<td align="left"><p>SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.</p></td>
<td align="left"><p>AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.</p>
<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Policy maintenance</p></td>
<td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td>
<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Policy application</p></td>
<td align="left"><p>SRP policies are distributed through Group Policy.</p></td>
<td align="left"><p>AppLocker policies are distributed through Group Policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Enforcement mode</p></td>
<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.</p>
<p>SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
<td align="left"><p>By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.</p></td>
</tr>
<tr class="even">
<td align="left"><p>File types that can be controlled</p></td>
<td align="left"><p>SRP can control the following file types:</p>
<ul>
<li><p>Executables</p></li>
<li><p>DLLs</p></li>
<li><p>Scripts</p></li>
<li><p>Windows Installers</p></li>
</ul>
<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.</p></td>
<td align="left"><p>AppLocker can control the following file types:</p>
<ul>
<li><p>Executables</p></li>
<li><p>DLLs</p></li>
<li><p>Scripts</p></li>
<li><p>Windows Installers</p></li>
<li><p>Packaged apps and installers</p></li>
</ul>
<p>AppLocker maintains a separate rule collection for each of the five file types.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Designated file types</p></td>
<td align="left"><p>SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.</p></td>
<td align="left"><p>AppLocker doesn't support this. AppLocker currently supports the following file extensions:</p>
<ul>
<li><p>Executables (.exe, .com)</p></li>
<li><p>DLLs (.ocx, .dll)</p></li>
<li><p>Scripts (.vbs, .js, .ps1, .cmd, .bat)</p></li>
<li><p>Windows Installers (.msi, .mst, .msp)</p></li>
<li><p>Packaged app installers (.appx)</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Rule types</p></td>
<td align="left"><p>SRP supports four types of rules:</p>
<ul>
<li><p>Hash</p></li>
<li><p>Path</p></li>
<li><p>Signature</p></li>
<li><p>Internet zone</p></li>
</ul></td>
<td align="left"><p>AppLocker supports three types of rules:</p>
<ul>
<li><p>Hash</p></li>
<li><p>Path</p></li>
<li><p>Publisher</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Editing the hash value</p></td>
<td align="left"><p>SRP allows you to select a file to hash.</p></td>
<td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Support for different security levels</p></td>
<td align="left"><p>With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.</p>
<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td>
<td align="left"><p>AppLocker does not support security levels.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Manage Packaged apps and Packaged app installers.</p></td>
<td align="left"><p>Unable</p></td>
<td align="left"><p>.appx is a valid file type which AppLocker can manage.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Targeting a rule to a user or a group of users</p></td>
<td align="left"><p>SRP rules apply to all users on a particular computer.</p></td>
<td align="left"><p>AppLocker rules can be targeted to a specific user or a group of users.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Support for rule exceptions</p></td>
<td align="left"><p>SRP does not support rule exceptions</p></td>
<td align="left"><p>AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Support for audit mode</p></td>
<td align="left"><p>SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
<td align="left"><p>AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Support for exporting and importing policies</p></td>
<td align="left"><p>SRP does not support policy import/export.</p></td>
<td align="left"><p>AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Rule enforcement</p></td>
<td align="left"><p>Internally, SRP rules enforcement happens in user-mode, which is less secure.</p></td>
<td align="left"><p>Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.</p></td>
</tr>
</tbody>
</table>
|Application control function|SRP|AppLocker|
|--- |--- |--- |
|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to the support versions of Windows listed in[Requirements to use AppLocker](requirements-to-use-applocker.md).|
|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<p>AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.<p>SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.|
|File types that can be controlled|SRP can control the following file types:<li>Executables<li>DLLs<li>Scripts<li>Windows Installers<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>DLLs<li>Scripts<li>Windows Installers<li>Packaged apps and installers<p>AppLocker maintains a separate rule collection for each of the five file types.|
|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this. AppLocker currently supports the following file extensions:<li>Executables (.exe, .com)<li>DLLs (.ocx, .dll)<li>Scripts (.vbs, .js, .ps1, .cmd, .bat)<li>Windows Installers (.msi, .mst, .msp)<li>Packaged app installers (.appx)|
|Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<p>Internet zone|AppLocker supports three types of rules:<li>Hash<li>Path<li>Publisher|
|Editing the hash value|SRP allows you to select a file to hash.|AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.|
|Support for different security levels|With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.|
|Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.|
|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
|Support for rule exceptions|SRP does not support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.|
|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.|
|Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.|
|Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.|
For more general info, see <a href="applocker-overview.md" data-raw-source="[AppLocker](applocker-overview.md)">AppLocker</a>.

100
windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
View File

@ -43,96 +43,16 @@ To complete this AppLocker planning document, you should first complete the foll
After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column.
The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies.
<table>
<colgroup>
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">Organizational unit</th>
<th align="left">Implement AppLocker?</th>
<th align="left">Apps</th>
<th align="left">Installation path</th>
<th align="left">Use default rule or define new rule condition</th>
<th align="left">Allow or deny</th>
<th align="left">GPO name</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Teller-East and Teller-West</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Teller Software</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p></td>
<td align="left"><p>C:\Windows</p></td>
<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>HR-All</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Check Payout</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p>HR-AppLockerHRRules</p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Time Sheet Organizer</p>
<p></p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p>
<p></p></td>
<td align="left"><p>File is not signed; create a file hash condition</p>
<p></p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Internet Explorer 7</p></td>
<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Deny</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p></td>
<td align="left"><p>C:\Windows</p></td>
<td align="left"><p>Use a default rule for the Windows path</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
</tr>
</tbody>
</table>
|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|
|--- |--- |--- |--- |--- |--- |--- |--- |
|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules|
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||
||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|File is signed; create a publisher condition|Deny||
||||Windows files|C:\Windows|Use a default rule for the Windows path|Allow||
## Next steps
After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:

76
windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
View File

@ -42,70 +42,18 @@ Record the name of the app, whether it is signed as indicated by the publisher's
Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices.
The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">Organizational unit</th>
<th align="left">Implement AppLocker?</th>
<th align="left">Apps</th>
<th align="left">Installation path</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Teller-East and Teller-West</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Teller Software</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p></td>
<td align="left"><p>C:\Windows</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>HR-All</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Check Payout</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Time Sheet Organizer</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
</tr>
<tr class="odd">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Internet Explorer 7</p></td>
<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p></td>
<td align="left"><p>C:\Windows</p></td>
</tr>
</tbody>
</table>
&gt;<b>Note:</b> AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|
|--- |--- |--- |--- |--- |
|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|
||||Windows files|C:\Windows|
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|
||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|
||||Windows files|C:\Windows|
>[!NOTE]
>AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
<b>Event processing</b>

87
windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
View File

@ -46,86 +46,15 @@ Document the following items for each business group or organizational unit:
The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md).
<table>
<colgroup>
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">Organizational unit</th>
<th align="left">Implement AppLocker?</th>
<th align="left">Applications</th>
<th align="left">Installation path</th>
<th align="left">Use default rule or define new rule condition</th>
<th align="left">Allow or deny</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Teller-East and Teller-West</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Teller Software</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p></td>
<td align="left"><p>C:\Windows</p></td>
<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>HR-All</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Check Payout</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Time Sheet Organizer</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
<td align="left"><p>File is not signed; create a file hash condition</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Internet Explorer 7</p></td>
<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p></td>
<td align="left"><p>C:\Windows</p></td>
<td align="left"><p>Use the default rule for the Windows path</p></td>
<td align="left"><p></p></td>
</tr>
</tbody>
</table>
|Business group|Organizational unit|Implement AppLocker?|Applications|Installation path|Use default rule or define new rule condition|Allow or deny|
|--- |--- |--- |--- |--- |--- |--- |
|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition||
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp||
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition||
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition||
||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|File is signed; create a publisher condition||
||||Windows files|C:\Windows|Use the default rule for the Windows path||
## Next steps
For each rule, determine whether to use the allow or deny option, and then complete the following tasks:

192
windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
View File

@ -143,103 +143,15 @@ The three key areas to determine for AppLocker policy management are:
The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies.
<table>
<colgroup>
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">Organizational unit</th>
<th align="left">Implement AppLocker?</th>
<th align="left">Apps</th>
<th align="left">Installation path</th>
<th align="left">Use default rule or define new rule condition</th>
<th align="left">Allow or deny</th>
<th align="left">GPO name</th>
<th align="left">Support policy</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Teller-East and Teller-West</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Teller Software</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
<td align="left"><p>Web help</p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p>
<p></p></td>
<td align="left"><p>C:\Windows</p></td>
<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Help desk</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>HR-All</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Check Payout</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p>HR-AppLockerHRRules</p></td>
<td align="left"><p>Web help</p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Time Sheet Organizer</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
<td align="left"><p>File is not signed; create a file hash condition</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Web help</p></td>
</tr>
<tr class="odd">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Internet Explorer 7</p></td>
<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Deny</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Web help</p>
<p></p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p></td>
<td align="left"><p>C:\Windows</p></td>
<td align="left"><p>Use the default rule for the Windows path</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Help desk</p></td>
</tr>
</tbody>
</table>
|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|Support policy|
|--- |--- |--- |--- |--- |--- |--- |--- |--- |
|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules|Web help|
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help desk|
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|Web help|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help|
||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|File is signed; create a publisher condition|Deny||Web help|
||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help desk|
The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
**Event processing policy**
@ -248,83 +160,17 @@ One discovery method for app usage is to set the AppLocker enforcement mode to *
The following table is an example of what to consider and record.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">AppLocker event collection location</th>
<th align="left">Archival policy</th>
<th align="left">Analyzed?</th>
<th align="left">Security policy</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Forwarded to: AppLocker Event Repository on srvBT093</p></td>
<td align="left"><p>Standard</p></td>
<td align="left"><p>None</p></td>
<td align="left"><p>Standard</p></td>
</tr>
<tr class="even">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>DO NOT FORWARD. srvHR004</p></td>
<td align="left"><p>60 months</p></td>
<td align="left"><p>Yes, summary reports monthly to managers</p></td>
<td align="left"><p>Standard</p></td>
</tr>
</tbody>
</table>
|Business group|AppLocker event collection location|Archival policy|Analyzed?|Security policy|
|--- |--- |--- |--- |--- |
|Bank Tellers|Forwarded to: AppLocker Event Repository on srvBT093|Standard|None|Standard|
|Human Resources|DO NOT FORWARD. srvHR004|60 months|Yes, summary reports monthly to managers|Standard|
<b>Policy maintenance policy</b>
When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
The following table is an example of what to consider and record.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">Rule update policy</th>
<th align="left">Application decommission policy</th>
<th align="left">Application version policy</th>
<th align="left">Application deployment policy</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Planned: Monthly through business office triage</p>
<p>Emergency: Request through help desk</p></td>
<td align="left"><p>Through business office triage</p>
<p>30-day notice required</p></td>
<td align="left"><p>General policy: Keep past versions for 12 months</p>
<p>List policies for each application</p></td>
<td align="left"><p>Coordinated through business office</p>
<p>30-day notice required</p></td>
</tr>
<tr class="even">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>Planned: Monthly through HR triage</p>
<p>Emergency: Request through help desk</p></td>
<td align="left"><p>Through HR triage</p>
<p>30-day notice required</p></td>
<td align="left"><p>General policy: Keep past versions for 60 months</p>
<p>List policies for each application</p></td>
<td align="left"><p>Coordinated through HR</p>
<p>30-day notice required</p></td>
</tr>
</tbody>
</table>
|Business group|Rule update policy|Application decommission policy|Application version policy|Application deployment policy|
|--- |--- |--- |--- |--- |
|Bank Tellers|Planned: Monthly through business office triage<p>Emergency: Request through help desk|Through business office triage<p>30-day notice required|General policy: Keep past versions for 12 months<p>List policies for each application|Coordinated through business office<p>30-day notice required|
|Human Resources|Planned: Monthly through HR triage<p>Emergency: Request through help desk|Through HR triage<p>30-day notice required|General policy: Keep past versions for 60 months<p>List policies for each application|Coordinated through HR<p>30-day notice required|

185
windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
View File

@ -41,181 +41,28 @@ The following requirements must be met or addressed before you deploy your AppLo
An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
<table>
<colgroup>
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
<col width="11%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">Organizational unit</th>
<th align="left">Implement AppLocker?</th>
<th align="left">Apps</th>
<th align="left">Installation path</th>
<th align="left">Use default rule or define new rule condition</th>
<th align="left">Allow or deny</th>
<th align="left">GPO name</th>
<th align="left">Support policy</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Teller-East and Teller-West</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Teller software</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p>Tellers</p></td>
<td align="left"><p>Web help</p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p>
<p></p></td>
<td align="left"><p>C:\Windows</p></td>
<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Help Desk</p></td>
</tr>
<tr class="odd">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Time Sheet Organizer</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
<td align="left"><p>File is not signed; create a file hash condition</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Web help</p></td>
</tr>
<tr class="even">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>HR-All</p></td>
<td align="left"><p>Yes</p></td>
<td align="left"><p>Check Payout</p></td>
<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p>HR</p></td>
<td align="left"><p>Web help</p></td>
</tr>
<tr class="odd">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Internet Explorer 7</p></td>
<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
<td align="left"><p>File is signed; create a publisher condition</p></td>
<td align="left"><p>Deny</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Help Desk</p></td>
</tr>
<tr class="even">
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows files</p></td>
<td align="left"><p>C:\Windows</p></td>
<td align="left"><p>Use the default rule for the Windows path</p></td>
<td align="left"><p>Allow</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Help Desk</p></td>
</tr>
</tbody>
</table>
|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|Support policy|
|--- |--- |--- |--- |--- |--- |--- |--- |--- |
|Bank Tellers|Teller-East and Teller-West|Yes|Teller software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers|Web help|
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help Desk|
||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help|
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR|Web help|
||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|File is signed; create a publisher condition|Deny||Help Desk|
||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help Desk|
<b>Event processing policy</b>
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">AppLocker event collection location</th>
<th align="left">Archival policy</th>
<th align="left">Analyzed?</th>
<th align="left">Security policy</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Forwarded to: srvBT093</p></td>
<td align="left"><p>Standard</p></td>
<td align="left"><p>None</p></td>
<td align="left"><p>Standard</p></td>
</tr>
<tr class="even">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>Do not forward</p>
<p></p></td>
<td align="left"><p>60 months</p></td>
<td align="left"><p>Yes; summary reports monthly to managers</p></td>
<td align="left"><p>Standard</p></td>
</tr>
</tbody>
</table>
|Business group|AppLocker event collection location|Archival policy|Analyzed?|Security policy|
|--- |--- |--- |--- |--- |
|Bank Tellers|Forwarded to: srvBT093|Standard|None|Standard|
|Human Resources|Do not forward|60 months|Yes; summary reports monthly to managers|Standard|
<b>Policy maintenance policy</b>
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Business group</th>
<th align="left">Rule update policy</th>
<th align="left">App decommission policy</th>
<th align="left">App version policy</th>
<th align="left">App deployment policy</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Bank Tellers</p></td>
<td align="left"><p>Planned: Monthly through business office triage</p>
<p>Emergency: Request through Help Desk</p></td>
<td align="left"><p>Through business office triage; 30-day notice required</p></td>
<td align="left"><p>General policy: Keep past versions for 12 months</p>
<p>List policies for each application</p></td>
<td align="left"><p>Coordinated through business office; 30-day notice required</p></td>
</tr>
<tr class="even">
<td align="left"><p>Human Resources</p></td>
<td align="left"><p>Planned: Through HR triage</p>
<p>Emergency: Request through Help Desk</p></td>
<td align="left"><p>Through HR triage; 30-day notice required</p>
<p></p></td>
<td align="left"><p>General policy: Keep past versions for 60 months</p>
<p>List policies for each application</p></td>
<td align="left"><p>Coordinated through HR; 30-day notice required</p></td>
</tr>
</tbody>
</table>
|Business group|Rule update policy|App decommission policy|App version policy|App deployment policy|
|--- |--- |--- |--- |--- |
|Bank Tellers|Planned: Monthly through business office triage<p>Emergency: Request through Help Desk|Through business office triage; 30-day notice required|General policy: Keep past versions for 12 months<p>List policies for each application|Coordinated through business office; 30-day notice required|
|Human Resources|Planned: Through HR triage<p>Emergency: Request through Help Desk|Through HR triage; 30-day notice required|General policy: Keep past versions for 60 months<p>List policies for each application|Coordinated through HR; 30-day notice required|
### <a href="" id="bkmk-reqsupportedos"></a>Supported operating systems

54
windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
View File

@ -98,57 +98,11 @@ Most organizations have evolved app control policies and methods over time. With
### Which Windows desktop and server operating systems are running in your organization?
If your organization supports multiple Windows operating systems, app control policy planning becomes more complex. Your initial design decisions should consider the security and management priorities of applications that are installed on each version of the operating system.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Possible answers</th>
<th align="left">Design considerations</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Your organization&#39;s computers are running a combination of the following operating systems:</p>
<ul>
<li><p>Windows 11</p></li>
<li><p>Windows 10</p></li>
<li><p>Windows 8</p></li>
<li><p>Windows 7</p></li>
<li><p>Windows Vista</p></li>
<li><p>Windows XP</p></li>
<li><p>Windows Server 2012</p></li>
<li><p>Windows Server 2008 R2</p></li>
<li><p>Windows Server 2008</p></li>
<li><p>Windows Server 2003</p></li>
</ul></td>
<td align="left"><p>AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>.</p>
<div class="alert">
<b>Note</b><br/><p>If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.</p>
</div>
<div>
</div>
<p>AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Your organization&#39;s computers are running only the following operating systems:</p>
<ul>
<li><p>Windows 11</p></li>
<li><p>Windows 10</p></li>
<li><p>Windows 8.1</p></li>
<li><p>Windows 8</p></li>
<li><p>Windows 7</p></li>
<li><p>Windows Server 2012 R2</p></li>
<li><p>Windows Server 2012</p></li>
<li><p>Windows Server 2008 R2</p></li>
</ul></td>
<td align="left"><p>Use AppLocker to create your application control policies.</p></td>
</tr>
</tbody>
</table>
|Possible answers|Design considerations|
|--- |--- |
|Your organization's computers are running a combination of the following operating systems:<li>Windows 11<li>Windows 10<li>Windows 8<li>Windows 7<li>Windows Vista<li>Windows XP<li>Windows Server 2012<li>Windows Server 2008 R2<li>Windows Server 2008<li>Windows Server 2003|AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).<div class="alert"> **Note:** If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.</div><p>AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.|
|Your organization's computers are running only the following operating systems:<li>Windows 11<li>Windows 10<li>Windows 8.1<li>Windows 8<li>Windows 7<li>Windows Server 2012 R2<li>Windows Server 2012<li>Windows Server 2008 R2|Use AppLocker to create your application control policies.|
### Are there specific groups in your organization that need customized application control policies?

27
windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
View File

@ -35,30 +35,9 @@ The path condition identifies an application by its location in the file system
When creating a rule that uses a deny action, path conditions are less secure than publisher and file hash conditions for preventing access to a file because a user could easily copy the file to a different location than the location specified in the rule. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file under that location will be allowed to run, including within users' profiles. The following table describes the advantages and disadvantages of the path condition.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Path condition advantages</th>
<th align="left">Path condition disadvantages</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><ul>
<li><p>You can easily control many folders or a single file.</p></li>
<li><p>You can use the asterisk (*) as a wildcard character within path rules.</p></li>
</ul></td>
<td align="left"><ul>
<li><p>It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.</p></li>
<li><p>You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.</p></li>
</ul></td>
</tr>
</tbody>
</table>
|Path condition advantages|Path condition disadvantages|
|--- |--- |
|<li>You can easily control many folders or a single file.<li>You can use the asterisk (*) as a wildcard character within path rules.|<li>It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.<li>You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.|
AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.

29
windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
View File

@ -35,32 +35,9 @@ Publisher conditions can be made only for files that are digitally signed; this
Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages
of the publisher condition.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Publisher condition advantages</th>
<th align="left">Publisher condition disadvantages</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><ul>
<li><p>Frequent updating is not required.</p></li>
<li><p>You can apply different values within a certificate.</p></li>
<li><p>A single rule can be used to allow an entire product suite.</p></li>
<li><p>You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.</p></li>
</ul></td>
<td align="left"><ul>
<li><p>The file must be signed.</p></li>
<li><p>Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.</p></li>
</ul></td>
</tr>
</tbody>
</table>
|Publisher condition advantages|Publisher condition disadvantages|
|--- |--- |
|<li>Frequent updating is not required.<li>You can apply different values within a certificate.<li>A single rule can be used to allow an entire product suite.<li>You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.|<li>The file must be signed.<li>Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.|
Wildcard characters can be used as values in the publisher rule fields according to the following specifications:

153
windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
View File

@ -38,139 +38,26 @@ Windows Server 2008 R2, Windows 7 and later. It is recommended that you auth
Windows 7 and later, the SRP policies are ignored.
The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Application control function</th>
<th align="left">SRP</th>
<th align="left">AppLocker</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Scope</p></td>
<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
<td align="left"><p>AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Policy creation</p></td>
<td align="left"><p>SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.</p></td>
<td align="left"><p>AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.</p>
<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Policy maintenance</p></td>
<td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td>
<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Policy application</p></td>
<td align="left"><p>SRP policies are distributed through Group Policy.</p></td>
<td align="left"><p>AppLocker policies are distributed through Group Policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Enforcement mode</p></td>
<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.</p>
<p>SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
<td align="left"><p>AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.</p></td>
</tr>
<tr class="even">
<td align="left"><p>File types that can be controlled</p></td>
<td align="left"><p>SRP can control the following file types:</p>
<ul>
<li><p>Executables</p></li>
<li><p>Dlls</p></li>
<li><p>Scripts</p></li>
<li><p>Windows Installers</p></li>
</ul>
<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.</p></td>
<td align="left"><p>AppLocker can control the following file types:</p>
<ul>
<li><p>Executables</p></li>
<li><p>Dlls</p></li>
<li><p>Scripts</p></li>
<li><p>Windows Installers</p></li>
<li><p>Packaged apps and installers</p></li>
</ul>
<p>AppLocker maintains a separate rule collection for each of the five file types.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Designated file types</p></td>
<td align="left"><p>SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.</p></td>
<td align="left"><p>AppLocker currently supports the following file extensions:</p>
<ul>
<li><p>Executables (.exe, .com)</p></li>
<li><p>Dlls (.ocx, .dll)</p></li>
<li><p>Scripts (.vbs, .js, .ps1, .cmd, .bat)</p></li>
<li><p>Windows Installers (.msi, .mst, .msp)</p></li>
<li><p>Packaged app installers (.appx)</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Rule types</p></td>
<td align="left"><p>SRP supports four types of rules:</p>
<ul>
<li><p>Hash</p></li>
<li><p>Path</p></li>
<li><p>Signature</p></li>
<li><p>Internet zone</p></li>
</ul></td>
<td align="left"><p>AppLocker supports three types of rules:</p>
<ul>
<li><p>File hash</p></li>
<li><p>Path</p></li>
<li><p>Publisher</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Editing the hash value</p></td>
<td align="left"><p>In Windows XP, you could use SRP to provide custom hash values.</p>
<p>Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.</p></td>
<td align="left"><p>AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Support for different security levels</p></td>
<td align="left"><p>With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.</p>
<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td>
<td align="left"><p>AppLocker does not support security levels.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Manage Packaged apps and Packaged app installers.</p></td>
<td align="left"><p>Not supported</p></td>
<td align="left"><p>.appx is a valid file type which AppLocker can manage.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Targeting a rule to a user or a group of users</p></td>
<td align="left"><p>SRP rules apply to all users on a particular computer.</p></td>
<td align="left"><p>AppLocker rules can be targeted to a specific user or a group of users.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Support for rule exceptions</p></td>
<td align="left"><p>SRP does not support rule exceptions.</p></td>
<td align="left"><p>AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Support for audit mode</p></td>
<td align="left"><p>SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
<td align="left"><p>AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Support for exporting and importing policies</p></td>
<td align="left"><p>SRP does not support policy import/export.</p></td>
<td align="left"><p>AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Rule enforcement</p></td>
<td align="left"><p>Internally, SRP rules enforcement happens in the user-mode, which is less secure.</p></td>
<td align="left"><p>Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.</p></td>
</tr>
</tbody>
</table>
|Application control function|SRP|AppLocker|
|--- |--- |--- |
|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.|
|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<p>AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.<p>SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.|
|File types that can be controlled|SRP can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<li>Packaged apps and installers<p>AppLocker maintains a separate rule collection for each of the five file types.|
|Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:<li>Executables (.exe, .com)<li>Dlls (.ocx, .dll)<li>Scripts (.vbs, .js, .ps1, .cmd, .bat)<li>Windows Installers (.msi, .mst, .msp)<li>Packaged app installers (.appx)|
|Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<li>Internet zone|AppLocker supports three types of rules:<li>File hash<li>Path<li>Publisher|
|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.<p>Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.|
|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.|
|Manage Packaged apps and Packaged app installers.|Not supported|.appx is a valid file type which AppLocker can manage.|
|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
|Support for rule exceptions|SRP does not support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.|
|Support for audit mode|SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.|
|Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.|
|Rule enforcement|Internally, SRP rules enforcement happens in the user-mode, which is less secure.|Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.|
 
 
 

156
windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
View File

@ -53,145 +53,33 @@ For information about the application control scenarios that AppLocker addresses
The following table compares AppLocker to Software Restriction Policies.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Feature</th>
<th align="left">Software Restriction Policies</th>
<th align="left">AppLocker</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Rule scope</p></td>
<td align="left"><p>All users</p></td>
<td align="left"><p>Specific user or group</p></td>
</tr>
<tr class="even">
<td align="left"><p>Rule conditions provided</p></td>
<td align="left"><p>File hash, path, certificate, registry path, and Internet zone</p></td>
<td align="left"><p>File hash, path, and publisher</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Rule types provided</p></td>
<td align="left"><p>Defined by the security levels:</p>
<ul>
<li><p>Disallowed</p></li>
<li><p>Basic User</p></li>
<li><p>Unrestricted</p></li>
</ul></td>
<td align="left"><p>Allow and deny</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default rule action</p></td>
<td align="left"><p>Unrestricted</p></td>
<td align="left"><p>Implicit deny</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Audit-only mode</p></td>
<td align="left"><p>No</p></td>
<td align="left"><p>Yes</p></td>
</tr>
<tr class="even">
<td align="left"><p>Wizard to create multiple rules at one time</p></td>
<td align="left"><p>No</p></td>
<td align="left"><p>Yes</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Policy import or export</p></td>
<td align="left"><p>No</p></td>
<td align="left"><p>Yes</p></td>
</tr>
<tr class="even">
<td align="left"><p>Rule collection</p></td>
<td align="left"><p>No</p></td>
<td align="left"><p>Yes</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows PowerShell support</p></td>
<td align="left"><p>No</p></td>
<td align="left"><p>Yes</p></td>
</tr>
<tr class="even">
<td align="left"><p>Custom error messages</p></td>
<td align="left"><p>No</p></td>
<td align="left"><p>Yes</p></td>
</tr>
</tbody>
</table>
|Feature|Software Restriction Policies|AppLocker|
|--- |--- |--- |
|Rule scope|All users|Specific user or group|
|Rule conditions provided|File hash, path, certificate, registry path, and Internet zone|File hash, path, and publisher|
|Rule types provided|Defined by the security levels:<li>Disallowed<li>Basic User<li>Unrestricted|Allow and deny|
|Default rule action|Unrestricted|Implicit deny|
|Audit-only mode|No|Yes|
|Wizard to create multiple rules at one time|No|Yes|
|Policy import or export|No|Yes|
|Rule collection|No|Yes|
|Windows PowerShell support|No|Yes|
|Custom error messages|No|Yes|
<b>Application control function differences</b>
The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Application control function</th>
<th align="left">SRP</th>
<th align="left">AppLocker</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Operating system scope</p></td>
<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
<td align="left"><p>AppLocker policies apply only to those supported operating system versions and editions listed in <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>. But these systems can also use SRP.</p>
<div class="alert">
<b>Note</b><br/><p>Use different GPOs for SRP and AppLocker rules.</p>
</div>
<div>
</div></td>
</tr>
<tr class="even">
<td align="left"><p>User support</p></td>
<td align="left"><p>SRP allows users to install applications as an administrator.</p></td>
<td align="left"><p>AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.</p>
<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Policy maintenance</p></td>
<td align="left"><p>SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).</p></td>
<td align="left"><p>AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.</p>
<p>AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Policy management infrastructure</p></td>
<td align="left"><p>To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.</p></td>
<td align="left"><p>To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Block malicious scripts</p></td>
<td align="left"><p>Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.</p></td>
<td align="left"><p>AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Manage software installation</p></td>
<td align="left"><p>SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.</p></td>
<td align="left"><p>The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Manage all software on the computer</p></td>
<td align="left"><p>All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user&#39;s device, except software that is installed in the Windows folder, Program Files folder, or subfolders.</p></td>
<td align="left"><p>Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Different policies for different users</p></td>
<td align="left"><p>Rules are applied uniformly to all users on a particular device.</p></td>
<td align="left"><p>On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.</p></td>
</tr>
</tbody>
</table>
|Application control function|SRP|AppLocker|
|--- |--- |--- |
|Operating system scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to those supported operating system versions and editions listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). But these systems can also use SRP.<div class="alert">**Note:** Use different GPOs for SRP and AppLocker rules.</div>|
|User support|SRP allows users to install applications as an administrator.|AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.<p>AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).|AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.<p>AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.|
|Policy management infrastructure|To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|
|Block malicious scripts|Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.|
|Manage software installation|SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.|The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.|
|Manage all software on the computer|All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.|Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.|
|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.|
## Related topics