Locking down your computer against malware in Windows 7 Ultimate & Enterprise

I believe this works only with Windows 7 Ultimate and Enterprise editions.

http://community.spiceworks.com/how...erfect-malware-protection-with-gpo-app-locker

I discovered AppLocker 3 years ago it has been a total game changer for us. Through the use of this Group Policy feature we have not had to clean up a single malware infection across 500 Windows 7 machines in over 3 years. This is in contrast to having to cleanup 3-5 infections per week, some of those involving a complete reimaging of the machine. Prior to AppLocker we had users with limited/non-admin rights and anti-virus/anti-malware software running on all machines with supposed real-time protection. Even with those limitations and software that was supposed to block it the users still managed to infect them via consenting to running executables presented to them by compromised and/or malicious websites..

The prospect of whitelisting every executable a user could legitimately need to access sounds daunting, but actually it's pretty simple, at least in a corporate environment. Rules for digitally signed executables are the easiest because you can trust all executables by a given publisher with a single rule. Want to allow everything that Google, Adobe, Citrix or Cisco offers? Okay, maybe not Adobe. Just create a publisher rule allowing anything signed by those guys, and you're done. Path rules are easy, too; but use them sparingly, and only on locations when users don't have write NTFS permissions. For example, allow c:\Windows and c:\Program Files, et cetera, but not c:\Users\Username) for executables.

 

I've never tried using whitelisting solutions with our customers or with my family. I guess I don't want to be bothered will all support calls when they couldn't install what they want. But I agree that this concept is much more powerful than blacklisting and that it can really help maintaining large number of systems in bigger companies and enterprises.
I'm using whitelisting for some time now and really like it. It's trouble free and at the same time much more effective than blacklisting.

 

Applocker does not work with Windows 8.1 Professional ?

 

Nope. Only Enterprise edition.

 

I couldn't imagine my security setup without application whitelisting. It helps me trim off a few layers of security and ensures no system performance degradation.

 

IMO SRP with default level Basic User and symantec Run MSI as Admin tweak is easier to use, when you want to be flexible (just install with right click run as admin). When I try to whitelist Applocker on publishers, there is useually a problem with installs and removals. I have given up getting DLL's to be whitelisted and being flexible is. Now running a locked applocker setup again (meaning having to change from enforced to monitored when installing/updating).