mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 19:03:46 +00:00
Based on customer fdbk, added links. Also fixed 2 typos.
This commit is contained in:
JanKeller1
@ -27,3 +27,7 @@ You can perform this task by using the Group Policy Management Console for an Ap
|
|||||||
1. Open the AppLocker console.
|
1. Open the AppLocker console.
|
||||||
2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
|
2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
|
||||||
3. Click **Create Default Rules**.
|
3. Click **Create Default Rules**.
|
||||||
|
|
||||||
|
## Related topics
|
||||||
|
|
||||||
|
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
|
||||||
|
|||||||
@ -24,7 +24,7 @@ The following requirements must be met or addressed before you deploy your AppLo
|
|||||||
|
|
||||||
### <a href="" id="bkmk-reqdepplan"></a>Deployment plan
|
### <a href="" id="bkmk-reqdepplan"></a>Deployment plan
|
||||||
|
|
||||||
An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
|
An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
|
||||||
|
|
||||||
<table style="width:100%;">
|
<table style="width:100%;">
|
||||||
<colgroup>
|
<colgroup>
|
||||||
|
|||||||
@ -55,7 +55,7 @@ In the Woodgrove Bank example, the line-of-business app for the Bank Tellers bus
|
|||||||
|
|
||||||
### Determine how to allow system files to run
|
### Determine how to allow system files to run
|
||||||
|
|
||||||
Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
|
Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
|
||||||
|
|
||||||
You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
|
You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
|
||||||
|
|
||||||
|
|||||||
@ -24,7 +24,7 @@ The following tools can help you administer the application control policies cre
|
|||||||
|
|
||||||
- **Generate Default Rules tool**
|
- **Generate Default Rules tool**
|
||||||
|
|
||||||
AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md).
|
AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules).
|
||||||
|
|
||||||
- **Automatically Generate AppLocker Rules wizard**
|
- **Automatically Generate AppLocker Rules wizard**
|
||||||
|
|
||||||
|
|||||||
@ -42,5 +42,4 @@ These permissions settings are applied to this folder for app compatibility. How
|
|||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
- [How AppLocker works](how-applocker-works-techref.md)
|
- [How AppLocker works](how-applocker-works-techref.md)
|
||||||
|
- [Create AppLocker default rules](create-applocker-default-rules.md)
|
||||||
|
|
||||||
@ -33,3 +33,5 @@ For info about how to enable the DLL rule collection, see [Enable the DLL rule c
|
|||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
- [How AppLocker works](how-applocker-works-techref.md)
|
- [How AppLocker works](how-applocker-works-techref.md)
|
||||||
|
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
|
||||||
|
|
||||||
|
|||||||
@ -61,7 +61,7 @@ The following table compares the features and functions of Software Restriction
|
|||||||
<tr class="odd">
|
<tr class="odd">
|
||||||
<td align="left"><p>Enforcement mode</p></td>
|
<td align="left"><p>Enforcement mode</p></td>
|
||||||
<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.</p>
|
<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.</p>
|
||||||
<p>SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
|
<p>SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
|
||||||
<td align="left"><p>AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.</p></td>
|
<td align="left"><p>AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.</p></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr class="even">
|
<tr class="even">
|
||||||
|
|||||||
@ -123,7 +123,7 @@ When you choose the file hash rule condition, the system computes a cryptographi
|
|||||||
|
|
||||||
## AppLocker default rules
|
## AppLocker default rules
|
||||||
|
|
||||||
AppLocker allows you to generate default rules for each rule collection.
|
AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
|
||||||
|
|
||||||
Executable default rule types include:
|
Executable default rule types include:
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user