Allowing Windows Operating System Files to Run
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic for the IT professional provides instructions how to verify that your AppLocker policies will permit Windows operating system files to run using AppLocker in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7.
Step 1: Create the default rules
AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run.
For information about the default rules for each rule collection in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7, see:
For information about the Packaged app default rules in Windows Server 2012 and Windows 8, see:
You can create the default rules on any computer that supports AppLocker. For information about how to create the default rules, see Create AppLocker Default Rules.
The default rules act the same as any other rule: they are visible in the Local Security Policy snap-in, they can be edited or deleted, and they can be exported to a Group Policy Object (GPO) for deployment.
If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
Traverse Folder/Execute File
Create Files/Write Data
Create Folders/Append Data
These permissions settings are applied to this folder for application compatibility. However, because any user can create files in this location, allowing applications to be run from this location might conflict with your organization's security policy.
Step 2: Test access to the operating system with the default rules applied
If the default rules are not configured properly, crucial system processes might not run. It is important to test the configuration of the rules on a computer that is not in production, or one that can easily be recovered.
If you have created an AppLocker policy planning document, verify that a user with a standard user account can access the computer and all the required applications. For information about this document, see Creating Your AppLocker Planning Document.
If you have created the default rules in audit-only mode, check the AppLocker logs to verify that all system files will be accessible for the intended account. For information about how to set AppLocker policies to this mode, see Configure an AppLocker Policy for Audit Only. For information about viewing the event logs, see View the AppLocker Log in Event Viewer or Review AppLocker Events with Get-AppLockerFileInformation.
If you have modified the default rules and the operating system files are inaccessible so that logon is not possible, see the troubleshooting topic Problem: Users cannot log on.
Step 3: Deploy the policy containing the default rules
The default rules are deployed in the same way other AppLocker rules are deployed. For information about policy deployment, see Deploying the AppLocker Policy into Production.