Create a Rule that Uses a Publisher Condition

Applies To: Windows 7, Windows Server 2008 R2

This topic shows how to create an AppLocker rule with a publisher condition in Windows Server 2008 R2 and Windows 7.

You can use publisher conditions only for files that are digitally signed; the publisher condition identifies an application based on its digital signature and extended attributes. The digital signature contains information about the company that created the application (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the file is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization.

For information about the publisher condition, see Understanding the Publisher Rule Condition in AppLocker.

You can perform this task by using Group Policy for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer.

  • To create a new rule with a publisher condition by using Group Policy

  • To create a new rule with a publisher condition by using the Local Security Policy snap-in

To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the Domain Admins group, the Enterprise Admins group, and the Group Policy Creator Owners group have this permission.

To create a new rule with a publisher condition by using Group Policy

  1. Click Start, click Administrative Tools, and then click Group Policy Management to open the Group Policy Management Console (GPMC).

  2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and click Edit.

  3. In the console tree, double-click Application Control Policies, double-click AppLocker, and then click the rule collection that you want to create the rule for.

  4. On the Action menu, click Create New Rule.

  5. On the Before You Begin page, click Next.

  6. On the Permissions page, select the action (allow or deny) and the user or group that the rule should apply to, and then click Next.

  7. On the Conditions page, select the Publisher rule condition, and then click Next.

  8. On the Publisher page, click Browse to select a signed file, and then use the slider to specify the scope of the rule. To use custom values in any of the fields or to specify a specific file version, select the Use custom values check box. For example, you can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.

  9. Click Next.

  10. (Optional) On the Exceptions page, specify conditions by which to exclude files from being affected by the rule. Click Next.

  11. On the Name and Description page, either accept the automatically generated rule name or type a new rule name, and then click Create.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To create a new rule with a publisher condition by using the Local Security Policy snap-in

  1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree, double-click Application Control Policies, double-click AppLocker, and then click the rule collection that you want to create the rule for.

  4. On the Action menu, click Create New Rule.

  5. On the Before You Begin page, click Next.

  6. On the Permissions page, select the action (allow or deny) and the user or group that the rule should apply to, and then click Next.

  7. On the Conditions page, select the Publisher rule condition, and then click Next.

  8. On the Publisher page, click Browse to select a signed file, and then use the slider to specify the scope of the rule. To use custom values in any of the fields or to specify a specific file version, select the Use custom values check box. For example, you can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.

  9. Click Next.

  10. (Optional) On the Exceptions page, specify conditions by which to exclude files from being affected by the rule. Click Next.

  11. On the Name and Description page, either accept the automatically generated rule name or type a new rule name, and then click Create.
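Both procedures above produce the same kind of rule, differing only in whether it lands in a GPO or in the local policy. As an added example that is not part of this topic, the following PowerShell script does the same work with the AppLocker module cmdlets that ship with Windows 7 and Windows Server 2008 R2: it reads the publisher information from a signed file (the wizard's Browse step), generates a publisher rule, shows what the slider and the Use custom values check box correspond to in the stored policy XML, tests the policy against sample files before anything is enforced, and applies it to either target. The file paths, the publisher and version values in the hand-written rule, the rule names and the GPO LDAP path are assumptions; replace them with your own.

```powershell
# Added example, not part of the original topic. Requires the AppLocker module
# (Windows 7 / Windows Server 2008 R2) and an elevated PowerShell session.
Import-Module AppLocker

# Step 8 equivalent: read the digital signature and extended attributes of a signed
# file. Any signed file works; calc.exe is used here only as an example path.
$signed = Get-AppLockerFileInformation -Path 'C:\Windows\System32\calc.exe'
$signed.Publisher   # shows PublisherName, ProductName, BinaryName, BinaryVersion

# Steps 6-11 equivalent: an Allow rule for Everyone built from that publisher
# information. -Optimize collapses duplicate rules; -Xml returns the policy as
# text so you can review it before applying it.
$policyXml = New-AppLockerPolicy -FileInformation $signed -RuleType Publisher `
    -RuleNamePrefix 'Example' -User Everyone -Optimize -Xml
$policyXml | Set-Content -Path 'C:\Temp\publisher-rule.xml'

# What the slider and "Use custom values" produce in the stored policy: each field
# is either the exact value from the signature or the * wildcard, and the file
# version is a range. This hand-written rule (assumed publisher and version values)
# allows any file signed by the example publisher with version 6.1.0.0 or later.
$ruleId = [guid]::NewGuid().ToString()
$customRuleXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="$ruleId" Name="Example: signed by Contoso, 6.1 or later"
        Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=CONTOSO, L=SEATTLE, S=WASHINGTON, C=US"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="6.1.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$customRuleXml | Set-Content -Path 'C:\Temp\custom-publisher-rule.xml'

# The check to run before enforcing: what decision does the policy give each file,
# and which rule matched? Nothing is applied by this call.
Test-AppLockerPolicy -XmlPolicy 'C:\Temp\publisher-rule.xml' -User Everyone `
    -Path 'C:\Windows\System32\calc.exe', 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Local Security Policy equivalent of the second procedure. Without -Merge,
# Set-AppLockerPolicy replaces the whole existing AppLocker policy on the target.
Set-AppLockerPolicy -XmlPolicy 'C:\Temp\publisher-rule.xml' -Merge

# Group Policy equivalent of the first procedure (assumed GPO LDAP path; the GUID
# in CN={...} is the GPO's own identifier, shown here as a placeholder).
Set-AppLockerPolicy -XmlPolicy 'C:\Temp\publisher-rule.xml' -Merge `
    -Ldap 'LDAP://DC1.contoso.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'
```

Reviewing the generated XML before applying it is worth the extra step: the slider position in the wizard is only a convenience for setting ProductName, BinaryName and the BinaryVersionRange bounds to exact values or to *, and the XML shows precisely how broad the resulting rule is. Test-AppLockerPolicy reports the decision a file would get without changing any policy, so it is the place to catch a rule that is wider or narrower than intended before Set-AppLockerPolicy writes it.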