Allowing Only Signed Application to Run
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic for the IT professional provides instructions how to allow only signed applications to run using AppLocker in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7.
With the advent of new heuristic identification technologies in Web browsers and operating systems, more ISVs are using digital signatures to sign their applications. These signatures make it easier for organizations to identify applications as genuine and to create a better and more trustworthy user experience.
Before performing the following procedure, ensure that you created the default rules for the rule collection that is described in Preventing Standard Users from Running Per-user Applications.
To allow only signed applications to run
To open the Local Security Policy MMC snap-in, click Start, type secpol.msc, and then press ENTER.
In the console tree, double-click Application Control Policies, and then double-click AppLocker.
Right-click Executable Rules, and then click Create New Rule.
This rule prevents unsigned applications from running. Before implementing this rule, ensure that all of the files that you want to run in your organization are digitally signed. If any applications are not signed, consider implementing an internal signing process to sign unsigned applications with an internal signing key.
On the Before You Begin page, click Next.
On the Permissions page, click Next to accept the default settings.
On the Conditions page, click Next.
On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.
On the Exceptions page, click Next.
On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.
By using this rule and ensuring that all applications are signed within your organization, you are assured that users are running only applications from known publishers.