Locking down your computer against malware in Windows 7 Ultimate & Enterprise

Discussion in 'other anti-virus software' started by Justintime123, Jan 27, 2015.

  1. Justintime123

    Justintime123 Registered Member

    Joined:
    Jun 15, 2013
    Posts:
    95
    I believe this works only with Windows 7 Ultimate and Enterprise editions.

    http://community.spiceworks.com/how...erfect-malware-protection-with-gpo-app-locker

    I discovered AppLocker 3 years ago it has been a total game changer for us. Through the use of this Group Policy feature we have not had to clean up a single malware infection across 500 Windows 7 machines in over 3 years. This is in contrast to having to cleanup 3-5 infections per week, some of those involving a complete reimaging of the machine. Prior to AppLocker we had users with limited/non-admin rights and anti-virus/anti-malware software running on all machines with supposed real-time protection. Even with those limitations and software that was supposed to block it the users still managed to infect them via consenting to running executables presented to them by compromised and/or malicious websites..

    The prospect of whitelisting every executable a user could legitimately need to access sounds daunting, but actually it's pretty simple, at least in a corporate environment. Rules for digitally signed executables are the easiest because you can trust all executables by a given publisher with a single rule. Want to allow everything that Google, Adobe, Citrix or Cisco offers? Okay, maybe not Adobe. Just create a publisher rule allowing anything signed by those guys, and you're done. Path rules are easy, too; but use them sparingly, and only on locations when users don't have write NTFS permissions. For example, allow c:\Windows and c:\Program Files, et cetera, but not c:\Users\Username) for executables.
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,052
    I've never tried using whitelisting solutions with our customers or with my family. I guess I don't want to be bothered will all support calls when they couldn't install what they want. But I agree that this concept is much more powerful than blacklisting and that it can really help maintaining large number of systems in bigger companies and enterprises.
    I'm using whitelisting for some time now and really like it. It's trouble free and at the same time much more effective than blacklisting.
     
  3. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    Applocker does not work with Windows 8.1 Professional ?
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,052
    Nope. Only Enterprise edition.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,625
    Location:
    Toronto, Canada
    I couldn't imagine my security setup without application whitelisting. It helps me trim off a few layers of security and ensures no system performance degradation.
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    IMO SRP with default level Basic User and symantec Run MSI as Admin tweak is easier to use, when you want to be flexible (just install with right click run as admin). When I try to whitelist Applocker on publishers, there is useually a problem with installs and removals. I have given up getting DLL's to be whitelisted and being flexible is. Now running a locked applocker setup again (meaning having to change from enforced to monitored when installing/updating).
     
Loading...