Situation To reduce security risk and maintain compliance with the U.S. Digital Millennium Copyright Act (DMCA), Microsoft IT was spending significant time and resources using a patchwork of proprietary applications to identify unauthorized peer-to-peer (P2P) applications running on domain-joined client machines.
Solution Microsoft IT deployed AppLocker, an application control feature available in Windows 7 and Windows Server 2008 R2, into an updated network security infrastructure.
Benefits Reduced security risk. AppLocker blocks unauthorized applications like P2P applications from running on managed systems, which helps protect the corporate network from data breaches and malware attacks. Increased legal compliance. Because many P2P file-sharing applications can promote distribution of copyrighted material, AppLocker helps Microsoft IT conform to DMCA regulations. Reduced operational costs. AppLocker prevents users from running applications that destabilize the desktop environment and result in help-desk support costs. The feature also automates management activities that Microsoft IT previously had to perform manually.
Products and Technologies
Windows 7 Windows Server 2008 R2 AppLocker Active Directory
Microsoft IT Uses AppLocker to Help Secure Windows 7 Clients Published: December 2011 The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.
Learn how Microsoft Information Technology (Microsoft IT) deployed AppLocker™—an application control feature of Windows® 7 and Windows Server® 2008 R2—as the basis for a new automated application control solution for domain-joined systems. By rolling out AppLocker to almost 200,000 Windows 7 clients worldwide, Microsoft IT has reduced operational costs associated with unapproved applications, increased corporate compliance with the U.S. Digital Millennium Copyright Act, and reduced security risk by blocking unauthorized peer-to-peer applications that might cause a data breach. Situation Over the past few years, social networking sites, peer-to-peer (P2P) file sharing, and other social applications have become a popular addition to computers and mobile devices. This becomes a challenge for the corporate world when software from home, Internet downloads, and P2P file sharing through e-mail find their way onto machines that connect to the corporate network. As more employees load unapproved applications onto domain-joined systems, the risks of a data breach, malware (malicious software) infection, and copyright infringement increase. Corporate policies do not provide sufficient protection by themselves. Although many businesses have established guidelines that prohibit the use of unapproved applications on the corporate network, they struggle with a practical means to ensure that company computers run only approved, licensed software. Microsoft is committed to maintaining compliance with the U.S. Digital Millennium Copyright Act and strictly prohibits unauthorized P2P applications within the company's infrastructure. As the group responsible for managing the company's corporate network and infrastructure, Microsoft Information Technology (Microsoft IT) has a legal and security obligation to manage all data-sharing applications on domain-joined machines. Microsoft IT had been using a patchwork of proprietary utilities and applications to block unauthorized P2P applications on the network edge, but still had to spend significant time and resources to scan the corporate network, identify inappropriate applications, and communicate with system owners to request removal of the prohibited software. Furthermore, maintaining the homegrown system required additional resources.
Microsoft IT needed an automated security solution that could either allow or deny a specified set of applications. The solution would be a key component in an updated network infrastructure that could block any type of application that causes problems anywhere within the managed network. The new solution needed to be flexible enough to control applications not only by file type (hash rules) but also by publisher (application digital signatures)—which would remove the need to create a new rule every time an application is updated. Ideally, the new system would be based on off-the-shelf technology that could run on Microsoft IT's existing infrastructure and use Group Policy objects (GPOs) to manage settings.
Solution Microsoft IT decided to test AppLocker, an application control technology that was introduced in the Windows 7 and Windows Server 2008 R2 operating systems, to see if it could form the basis of an updated network security infrastructure. AppLocker is a built-in feature of Windows 7 and Windows Server 2008 R2 that prevents the execution of unwanted applications. AppLocker can be configured using two rule actions—allow and deny:
Allow limits execution of applications to an allowed list of applications and blocks everything else.
Deny takes the opposite approach by allowing the execution of any application except those on a list of denied applications.
These rules can be assigned to a security group or to an individual user. AppLocker also supports rule exceptions to simplify rule management while also increasing flexibility. For example, you can create a rule that allows all Windows processes to run except for Regedit.exe. Microsoft IT was especially interested in using AppLocker to implement rules as policy settings that can target Active Directory® objects such as domains, organizational units, and even users. Additionally, Microsoft IT wanted to investigate incorporating AppLocker publisher rules to define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. Compared with software restriction policies in the Windows XP and Windows Vista® operating systems, AppLocker publisher rules enable a single rule to maintain control over multiple versions of an application. For example, the rule allow all versions greater than 9.0 of the program Acrobat Reader to run if it is signed by the software publisher Adobe enables the deployment and execution of updates to Acrobat without requiring administrators to create another application control rule for each new version. Microsoft IT also saw AppLocker as a means to improve the manageability of the company’s infrastructure and to conform to Digital Millennium Copyright Act requirements. As a readymade solution for application control within Windows 7 and Windows Server 2008 R2, AppLocker could give Microsoft IT the means to build a new solution using off-the-shelf technology.
Implementation Microsoft IT designed a pilot program to test and validate AppLocker before deploying it across all corporate domains. This section describes the planning and implementation efforts Microsoft IT Uses AppLocker to Help Secure Windows 7 Clients
Page 2
“AppLocker’s automated block list has minimized our P2P support hit. It works as we intended--blocking only the malicious apps that are known problems while allowing everything else.” Patrick Hanrion Principal Security Engineer MSIT Information Security & Risk Management
for the initial pilot program, and then discusses the production rollout of AppLocker that has been underway since the close of the pilot.
Pilot Deployment The AppLocker pilot program began in August 2010 and finished in March 2011. The objectives were as follows:
Engage the Microsoft IT security group as the key pilot participants because it is the most familiar with understanding new security controls.
Minimize the number of AppLocker-related service requests.
Determine whether AppLocker is ready for production-scale deployment, measured by the technology's ability to function as expected, plus the relative amount of interruption that might be caused to users as AppLocker is installed on client systems.
To implement the AppLocker pilot program, Microsoft IT: 1.
Created a list of known peer-to-peer applications that should be blocked.
2.
Built a virtual test environment including an isolated domain with a domain controller, a single reference machine with the set of unapproved P2P applications identified in step 1 installed, and a rule set created by using the AppLocker “automatically generate rules” feature, and deployed it via a GPO. The rule set included both file type and publisher rules that would be used to disable the unapproved applications.
3.
Confirmed that the unapproved applications were blocked in the virtual test environment.
4.
Created a pilot security group within the production domain, applied the GPO to the new group, and defined a support path to assist pilot participants with any AppLocker problems that might arise.
5.
Confirmed that the unapproved applications on the reference machine were blocked in the pilot security group.
6.
Expanded the scope of the testing to additional systems that were used by members of Microsoft IT's Information Security and Risk Management team. In this expanded test, Microsoft IT configured AppLocker to enable applications only in the Windows and Program Files directories. Later, the rules were adjusted to allow applications installed anywhere on the computer as long as they were not on the AppLocker deny list.
Pilot Results The results from the pilot are as follows:
Three participants of the approximately 200 involved in the pilot program requested a change to the AppLocker rule set to allow additional applications to run.
The updated GPO did not affect any non-targeted applications, and no support calls were made after the GPO allowed executables to run from any location on the computer.
The ability to update the AppLocker rules in the GPO without requiring a system reboot helped move the implementation into the production deployment phase.
Microsoft IT Uses AppLocker to Help Secure Windows 7 Clients
Page 3
Production Deployment “We saw zero impact to our helpdesk when we deployed AppLocker. By approaching the production rollout with an IT life cycle framework that followed proven practices of Microsoft and other industry standards, the deployment process went smoothly.” Norresa Calos Senior IT/Ops Program Manager MSIT Information Security & Risk Management
With the successful completion of the pilot program, Microsoft IT began a global production deployment of AppLocker into corporate domains. To minimize risk and impact, Microsoft IT took a phased approach by rolling out AppLocker to one region at a time, starting with the smallest domain first. To implement AppLocker production deployment, Microsoft IT: 1.
Discussed the deployment plans with key stakeholders to review potential impact to the production infrastructure in each domain, and to vet the communications and support plans.
2.
Developed an awareness campaign to notify users about the deployment, including. notifying regional Microsoft IT managers about imminent deployment to their domains, adding information to internal corporate webpages, and creating a new email distribution list for the Support team to help respond to AppLocker-related questions and issues.
3.
Exported the GPO from the reference machine that was built in the pilot stage and imported it to the regional domain controllers, which were used to deploy the GPO to domain-joined Windows 7 client systems. Note: Microsoft IT decided to use a relatively open application control methodology in the production deployment, which allowed any application to run on a computer as long as it was not on the deny list. This decision was based on two key factors: (1) an open methodology was a better fit for the company's corporate culture, and (2) Microsoft IT wanted to minimize the potential for newly developed products to be inappropriately blocked from running on developers' systems, which could affect productivity.
4.
Spent approximately one month monitoring and resolving any issues in each domain before deploying AppLocker to the next domain.
Regional domains and dates of AppLocker production deployment Domain
Date of AppLocker Deployment
Africa
April 2011
Middle East
May 2011
South America
June 2011
South Pacific
July 2011
Far East
July 2011
North America
August 2011
Europe
October 2011
Redmond (USA)
October 2011
Microsoft IT Uses AppLocker to Help Secure Windows 7 Clients
Page 4
Production Rollout Results The following list summarizes the status of Microsoft IT’s production rollout of AppLocker as of November 2011:
To date, Microsoft IT has deployed AppLocker to almost 200,000 systems worldwide. The distribution and numbers of clients are displayed in Figure 1.
Figure 1. Distribution and number of Windows 7 systems running AppLocker as of November 2011
Not a single support call for an AppLocker-related problem has occurred.
Microsoft IT has not received any further requests to update the AppLocker rule set for the production environment.
Microsoft IT has confirmed the ability of AppLocker to prevent the execution of unwanted applications. As illustrated in Figure 2, the incidence of P2P-related cases has dropped to near zero percent since the rollout of AppLocker.
Figure 2. As of October 2011, the incidence of P2P-related cases has dropped to near zero percent since the rollout of AppLocker. Microsoft IT Uses AppLocker to Help Secure Windows 7 Clients
Page 5
Best Practices In the course of working with AppLocker to implement the new application control solution, Microsoft IT followed these best practices:
Build an isolated reference machine when deploying AppLocker. Microsoft installed instances of the peer-to-peer applications that it wanted to block. Because these applications can contain malware, you should always configure a reference environment that is isolated from your main corporate network.
Review operating systems before implementing AppLocker. AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows 7. If AppLocker rules and software restriction policies are applied on the same GPO, only AppLocker rules take effect. Therefore, if you have a mixed environment comprising both Windows 7 and earlier versions of Windows, you should use separate GPOs—one for AppLocker rules and the other for software restriction policies.
Promote internal collaboration among all teams involved. Due to the number of different teams in your organization that may need to be involved—including business owners, Security, Compliance, Legal, and those who provide infrastructure—it is important to ensure that all stakeholders can provide input at an early stage and work together to design a system that fulfills all key criteria.
Determine what type of application control is appropriate for your network. The flexible nature of AppLocker supports the conservative (but more manageable) approach of blocking all applications except those expressly noted on an allow list and the more open (but more difficult to manage) approach of allowing all applications to run except those expressly noted on a deny list.
Consider using Audit-only mode to test enforcement settings. The AppLocker Audit only enforcement setting helps you determine which applications are used in an organization. When set to Audit only, rules for that rule collection are not enforced. Instead, when a user runs an application that would have been affected by an AppLocker rule, details concerning that application are added to the AppLocker event log. For more information on AppLocker auditing capabilities, see http://technet.microsoft.com/en-us/library/dd723693(v=WS.10).aspx.
Select a representative set of users for your pilot program. Because different sets of users may have different requirements, it will take some time before your list of allowed applications stabilizes.
Be conservative when setting AppLocker run privileges. Users with administrative privileges can overwrite AppLocker rules, so you should consider this factor when assigning privileges to your users.
Plan for an initial increase in help-desk calls due to blocked applications. You should expect to receive requests to make some modifications to your allow and deny lists at the onset of your deployment. The potential increase in support calls can be mitigated by a phased approach to rollout, use of auditing before running in enforcement mode, and other strategies. Once you have fine-tuned your lists, AppLocker-related support calls should be minimal (if any).
Consider providing an end-user portal. You can build an internal website to inform users about AppLocker and updates to the corporate deny list. You can also use the portal to help automate the change request process for when employees want modifications to blocked-application settings. You can configure AppLocker to display information about how to get to the portal via the user interface that appears when an unapproved application is prevented from running.
Microsoft IT Uses AppLocker to Help Secure Windows 7 Clients
Page 6
Benefits By implementing an application control solution based on AppLocker, Microsoft IT derived a number of benefits:
Reduced security risk. The ability to prevent installation and running of unauthorized applications helps Microsoft IT prevent malware and unsupported applications from affecting computers that are connected to the corporate network.
Improved legal compliance. Because many peer-to-peer file-sharing applications can promote distribution of copyrighted material, AppLocker helps Microsoft IT conform to Digital Millennium Copyright Act regulations.
Improved system management. With AppLocker, Microsoft IT has an automated means to identify and disable unapproved applications. In addition, the powerful and flexible rules offer more options for effective desktop configuration management.
Reduced support costs. AppLocker prevents users from running applications that destabilize the desktop environment, which translates to a reduction in help-desk costs.
Conclusion Microsoft IT needed to find an automated application control solution for domain-joined Windows 7 systems that could help the company maintain compliance with the Digital Millennium Copyright Act and reduce security risks by blocking unauthorized peer-to-peer applications. Microsoft IT began testing AppLocker, an application control feature that is built into Windows 7 and Windows Server 2008 R2, in a pilot program starting in August 2010. This program involved more than 200 participants and was designed to test the AppLocker feature's ability to block unapproved applications from running on systems while allowing all other applications to function normally. At the end of the pilot program, only three support requests had been made to update the deny list. After modifying the GPO settings, no further support calls were made. Since the close of the program, Microsoft IT has deployed AppLocker to domains worldwide. This production rollout was executed in phases, working from the smallest domain to the largest domain. Microsoft IT estimates that almost 200,000 domain-joined Windows 7 systems are now running AppLocker. Microsoft IT now has an automated means to prevent unauthorized applications from running on the corporate network. Use of AppLocker has yielded a significant reduction in the frequency of unauthorized applications being detected on corporate systems. As of October 2011, the incidence of P2P-related cases has dropped to near zero percent since the rollout of AppLocker. Furthermore, the company is able to reduce its risk of data breaches, improve compliance with Digital Millennium Copyright Act requirements, and lower operational costs by replacing a patchwork of proprietary systems that required a high amount of maintenance with an automated solution built from off-the-shelf technology. Microsoft IT expects to see continued worldwide adoption of AppLocker as new machines are added to the network and as older versions of Windows are upgraded to Windows 7. The flexible rules of AppLocker will enable Microsoft IT to deploy different variations of the GPO— more open rules (where only certain applications are blocked), and more restrictive rules (where only certain applications are allowed)—as they are needed.
Microsoft IT Uses AppLocker to Help Secure Windows 7 Clients
Page 7
For More Information For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to: http://www.microsoft.com/ http://www.microsoft.com/technet/itshowcase/
© 2011 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, AppLocker, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Microsoft IT Uses AppLocker to Help Secure Windows 7 Clients
Page 8
