How to configure AppLocker Group Policy in Windows 7 to block third-party browsers



One of the problem that face IT Administrators today is keeping up with all the security updates you need to deploy to your computers to keep them secure. This is even more exacerbated by the very large number of security updates associate with running multiple browsers. Also having multiple browsers on network could mean that you have totally patched one browser using your patch management system only to have user use a different type of browser that is completely un-patches. Another reason IT Administrators might want to block running third-party browsers is the lack of group policy support which makes it very difficult for administrators configured the browser to corporate standards (e.g. home page and/or security settings). Luckily Windows 7 comes with a new feature that prevent the user from running a particular executable called AppLocker which can be used to block all but authorised internet browsers.

Update: Also check out my Troubleshooting AppLocker workflow post at  http://www.grouppolicy.biz/2013/04/how-to-troubleshoot-applocker/

AppLocker is a new feature in Windows 7 that allows system administrators to block a particular executable from running on a computer. This is a enhanced version of Software Restriction Policy which did a similar thing in Windows XP/Vista, but it can only block programs based on either a file name, path or file hash. The AppLocker feature takes it a step further and allows administrators block executables based on its digital signature. The benefit of basing this on a digital signature is that you can block programs based on a combination of the version, program name or even vendor name. This means that even if the vendor updates the program with a new version (which happens often with browsers) the AppLocker rules will still apply greatly saving administrative overhead. You can also set the rule based on the program version which means you can set a minimum supported versions that is allowed to run. Another advantage is that AppLocker applies to any program that runs on a computer meaning that no matter where the program is being run from (e.g. USB Memory stick) it will prevent it from running.

Note: You can also use this tutorial to block the running of any other program weather it be from a third-party or even from Microsoft. In this example I show you how to block running Google Chrome on any of your computers in your network however you can just as easily apply the same process to any other browser (e.g. Firefox, Safari).



Step 1. Edit the Group Policy Object that is targeted to the computer you want to apply this policy. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies and then click on “Configure rule enforcement”

image

Step 2. Under Executable rules tick “Configured” and select the “Enforce rules” option from the pop-down menu then click “OK”.

image

Step 3. Right click on “Executable Rules” and click on “Create New Rule..”

image

Step 4. Click “Next”

image

Step 5. Select “Deny” and then click “Next”

image

Step 6. Select “Publisher” condition and click “Next”

Note: The “Path” and “File hash” option are the same condition as was available in a software restriction policy that was in Windows XP and Vista.

image

Step 7. Click on “Browse”

image

Step 8. Select the “chrome.exe” executable file and click “Open”

Note: Again I have used Chrome as an example you can easily select the executable of any other browsers (including Internet Explorer) here as well if you want to block multiple browsers.

image

Step 9. In this example we are just going to accept the defaults and click “Next”.

Optional: If you wanted to just block a particular version of browser (or program) or just any version below a certain number tick “Use custom values” and then enter the version number in the “File version” field and select “And Below” from the pop-down menu.

image

Step 10: Click “Next”

image

Step 11: Click “Create”

image

Step 12: You will now be prompted to create some default rules that ensure that you don’t accidently stop Windows from working. Click “Yes” to this if you don’t already have these rules created.

image

Step 13 (Optional): If you also want this AppLocker rule to apply computer administrators then right-click on the “BUILTIN\Administrators” rule and click “Delete”

image

Step 14 (Optional): Click “Yes”

image

You AppLocker Rules are now setup and should now look like this…

image

Now there is one more thing you need to do to enable AppLocker on the computer…

Step 15. In the same Group Policy Object you were just editing navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and double click on the “Application Identity” service.

Note: This is the process that scan’s all the file before they are executed to check the name, hash or signature of the executable before it is run. If this is not turned on then AppLocker will simple not work.

image

Step 16: Tick “Define this policy setting” and tick “Automatic” then click “OK”

image

The services section should now look like this…

image

Your all done… Now when the user tries to run an un-approved browser (or program) they will be presented to this dialogue box…

image

Now if you want to make sure you have covered all the bases below is a an image of the AppLocker rules configured with a few more denied browsers…

image



31 Comments

  1. if anybody want to endulge me i would be happy to block all types and all versions of torrent-clients. i guess it would be a long list so if somebody would like to maintain a webpage that i could update from it would be nice.

    • Yes… it would be a long list and Applocker will only work on application that have been signed digitally… and i would guese that most torrent clients are not digitally signed.

  2. Pingback: Group Policy Center » Blog Archive » Updated: How to make Adobe Reader more secure using Group Policy

  3. Pingback: Group Policy Center » Blog Archive » How to use Group Policy to Allow or Block URL’s

    • Fruit bat or grammar nazi. Both are fun to watch squirm when proper stimuli are applied. Glad to see someone is on top of their game.

  4. THANK YOU! The computer I’m going to enforce the rules is in Chinese and I can’t understand a thing. So it’s very helpful for you to include the screenshot for each the step. Thanks for the “extra mile” effort, really!

  5. This feature is great, but can i configure it to prevent another user on my computer (who by necessity has admin rights) from accessing applocker itself, to prevent them removing/editing the rules?

    • I know this response may be late, but I just came across this article while researching applocker. There is a way to lock down other local admins from modifying local or domain based group policy. It involves user rights assignment and file/folder permissions.

      Example for local policies you want to protect:
      Open the local group policy editor on the PC.
      Drill down to Computer Configuration>Windows Settings>Security settings>Local Policies>User Rights Assignment.
      Open the policy, Take ownership of files or other objects.
      Remove the Administrators group from the list, then add only the good local admin user accounts that you want this policy to apply to. Click OK when done.
      Locate gpedit.msc and secpol.msc, and regedit.exe. open their properties and access their security tabs.
      add the offending local admin that you want to prevent from running these apps, to the ACL and Deny full permissions.
      Set the same permissions for the offending local admin again for the following folders: C:\Windows\System32\GroupPolicyUsers and C:\Windows\System32\GroupPolicy, to prevent them from deleting the local policies.

      A policy like this can also be similarly made in domain based GPO as well.

      These steps should block the specific offending local admin(s) from opening these editors. They will also be unable take ownership of files and folders to be able to give themselves full permissions to them again in order to change policies.

      Have fun!

      Ryan

    • I still would not consider that a 100% solution as a local admin could still disable the group policy and undo all the restrictions you apply to the computer. The best thing to do would be to remove all local admins… not try to restrict them.

  6. This policy works when a user trying to install a chrome browser. Incase the users already installed the chrome ,Is this policy stops the browsing on already instilled browser?

  7. Pingback: جلوگیری از اجرا شدن یک application در 7 توسط group policy

  8. Step 13 and 14 claim to be optional if you want to block Administrators also, but since Deny rules override Allow rules, the Administrators will be blocked anyway even you skip 13 and 14, correct?

    • Chrome.exe is a signed file, so Applocker checks the publisher, product name, version in the signature. This signature remains even if the file is renamed.

  9. in the windows help for app locker, it said that app locker rules cannot be enforced on computers running windows 7 professional. if this this true, that’s mean it is useless to me because all of my company computers are using 7 professional

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>