deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/keep-secure/document-your-applocker-rules.md
Jan Backstrom f046a5fec0 tagging update 
change W10 to w10 (lower case), add security pagetype to various
2016-05-26 17:07:01 -07:00

4.6 KiB
Raw Blame History

title, description, ms.assetid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, author
title description ms.assetid ms.prod ms.mktglfcycl ms.sitesec ms.pagetype author
Document your AppLocker rules (Windows 10) This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. 91a198ce-104a-45ff-b49b-487fb40cd2dd w10 deploy library security brianlic-msft

Document your AppLocker rules

Applies to

  • Windows 10

This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.

Record your findings

To complete this AppLocker planning document, you should first complete the following steps:

  1. Determine your application control objectives
  2. Create a list of apps deployed to each business group
  3. Select the types of rules to create

Document the following items for each business group or organizational unit:

  • Whether your organization will use the built-in default AppLocker rules to allow system files to run.
  • The types of rule conditions that you will use to create rules, stated in order of preference.

The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see Understanding AppLocker allow and deny actions on rules.

Business group Organizational unit Implement AppLocker? Applications Installation path Use default rule or define new rule condition Allow or deny

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Windows files

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

File is not signed; create a file hash condition

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Windows files

C:\Windows

Use the default rule for the Windows path

  ## Next steps

For each rule, determine whether to use the allow or deny option. Then, three tasks remain: