What's this AppLocker thing

What is AppLocker?

AppLocker is a security technology that first appeared in Windows 7, and is now included with every version of Windows; notebook, tablet, desktop and server.

Why do we need AppLocker?

The complete answer is lengthy, but the short answer is that traditional protection technologies .. anti-virus and the like .. are no longer enough to protect our computers, our data, our personal information and our identities, from the bad guys.  

It must be noted that the bad guys are no longer individual social misfits involved in chicken vandalism from their bedrooms, as in years past.  The bad guys are now sophisticated criminal organizations and even nation states, out to do harm.

What does AppLocker do?

AppLocker is a system process and a set of rules.  Windows checks with AppLocker before starting a program, asking "can I start this program?"  AppLocker checks its rules, and if a program is not permitted by one of the rules, AppLocker says "no" and the program does not run.

The most important of the rules can roughly be described as

  • if the program is installed in one of the two usual locations, it will be allowed to run
  • if the program is in an unusual location, but an administrator has said that the unusual location is OK, the program will run
  • if a program has been specifically identified by a unique fingerprint, it will be allowed to run, no matter the location

How do AppLocker rules help?

There are three ways to get at the sort of information the bad guys want; hacking, just plain asking for it and malware, new and old.

Hacking is an external attack, mitigated by the use of firewalls and keeping machines up to date with patches.

Just plain asking is a sadly successful method of attack, where bogus emails ask for someone's ID and password and people supply it!  This is mitigated by education and we'd like to think that one day, people will stop the computer equivalent of taking candy from strangers (although the H.L.Mencken column "Notes on Journalism" does not give me a lot of hope).

Malware is what AppLocker protects against, malware being broadly defined as any program with malicious intent. The programs could be carried on a USB stick, downloaded deliberately from the Internet or most troubling, downloaded without someone's knowledge simply as a result of browsing a web page.  However, none of these locations are one of the usual locations and so an attempt to run such a program will fail.  It does not matter if a user attempts to run such a program deliberately or the bad web page attempts to run the program surreptitiously, the attempt will fail.

What are the usual locations?

Beginning with Windows 95 (twenty years ago), Microsoft stated that all programs should be installed in one of two locations.  Programs fundamental to the operation of Windows itself should be installed in the Windows folder.  Programs typically run by users of the computer (Word, Excel, Internet Explorer, etc.) should be installed in the Programs Files folder.

What's so special about the usual locations?

The usual locations are areas that only an administrator can write to, and (typically) only after being asked at least once "are you sure you want to do this".  Hopefully, the administrator has properly vetted the program and so by the time a person gets to run it, a double-check of the program's legitimacy has been performed.

Why isn't everything installed in one of the usual locations?

There's two principal reasons.  

The first is that many programmers are just too lazy to "do it right".  We must remember that the usual locations have been strongly recommended by Microsoft since Windows 95, which also includes Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8 and now, Windows 8.1.  There is little excuse for programmers to not finally do it right, but they continue to take the easy way out and use a 1990 Windows 3 style of installation.

The other reason is a bit insidious.  Some companies want to get software on a person's machine that an organization might not wish to have installed.  And there are any number of completely understandable reasons why an organization may not wish to blindly have things installed, beginning with most minimal need to simply examine a program for security concerns before blindly allowing the installation.  

But there are software companies, including some very big ones, that want their software and their branding and their advertising installed on our computers, no matter what the organization's policy might be, and an easy "back door" is to install things in an unusual location.

What has ITDS done about AppLocker?

A few things, most importantly, to deploy it, as every responsible IT department everywhere has done.  The days of just relying on anti-virus software is long gone; the bad guys are far to smart.  Indeed, if the choice had to made to use just one line of defense, anti-virus or AppLocker, there is little doubt that AppLocker would be the choice.

But ITDS did more than just deploy it with a standard set of rules, we also tried to examine and whitelist as many of those Windows 3 style programs that insisted on installing themselves in a non-standard location.

Did we find them all?  

Nope, in our initial rollout, we missed at least one of the programs people use .  We tried to get them all, but missed one of them.

And there's no promises that we won't find more as time goes by.  SFU is a big place with lots of people doing lots of things and we don't know everything.

The long term solution is to come to your support person with any problems you might have early enough that we can help.

Note that by "problem", I do not mean "install this software"; that statement is a solution.  The problem would be

"I need to do this and can't",

and may include the additional bit of information

"and I think this program might help".

The entire support team can then determine the proper course, which may very well result in whitelisting the suggested software, but could also offer an alternate solution using software written in a proper manner.

Isn't this all a pain?

Yes, a wee bit, for both the users as well as the support staff, in the same way that locks on doors are a bit of a pain.

But the world we live in requires locks on doors and also requires security measures like AppLocker.