One of the problem that face IT Administrators today is keeping up with all the security updates you need to deploy to your computers to keep them secure. This is even more exacerbated by the very large number of security updates associate with running multiple browsers. Also having multiple browsers on network could mean that you have totally patched one browser using your patch management system only to have user use a different type of browser that is completely un-patches. Another reason IT Administrators might want to block running third-party browsers is the lack of group policy support which makes it very difficult for administrators configured the browser to corporate standards (e.g. home page and/or security settings). Luckily Windows 7 comes with a new feature that prevent the user from running a particular executable called AppLocker which can be used to block all but authorised internet browsers.
Update: Also check out my Troubleshooting AppLocker workflow post at https://www.grouppolicy.biz/2013/04/how-to-troubleshoot-applocker/
AppLocker is a new feature in Windows 7 that allows system administrators to block a particular executable from running on a computer. This is a enhanced version of Software Restriction Policy which did a similar thing in Windows XP/Vista, but it can only block programs based on either a file name, path or file hash. The AppLocker feature takes it a step further and allows administrators block executables based on its digital signature. The benefit of basing this on a digital signature is that you can block programs based on a combination of the version, program name or even vendor name. This means that even if the vendor updates the program with a new version (which happens often with browsers) the AppLocker rules will still apply greatly saving administrative overhead. You can also set the rule based on the program version which means you can set a minimum supported versions that is allowed to run. Another advantage is that AppLocker applies to any program that runs on a computer meaning that no matter where the program is being run from (e.g. USB Memory stick) it will prevent it from running.
Note: You can also use this tutorial to block the running of any other program weather it be from a third-party or even from Microsoft. In this example I show you how to block running Google Chrome on any of your computers in your network however you can just as easily apply the same process to any other browser (e.g. Firefox, Safari).
Step 1. Edit the Group Policy Object that is targeted to the computer you want to apply this policy. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies and then click on â€œConfigure rule enforcementâ€
Step 2. Under Executable rules tick â€œConfiguredâ€ and select the â€œEnforce rulesâ€ option from the pop-down menu then click â€œOKâ€.
Step 3. Right click on â€œExecutable Rulesâ€ and click on â€œCreate New Rule..â€
Step 4. Click â€œNextâ€
Step 5. Select â€œDenyâ€ and then click â€œNextâ€
Step 6. Select â€œPublisherâ€ condition and click â€œNextâ€
Note: The â€œPathâ€ and â€œFile hashâ€ option are the same condition as was available in a software restriction policy that was in Windows XP and Vista.
Step 7. Click on â€œBrowseâ€
Step 8. Select the â€œchrome.exeâ€ executable file and click â€œOpenâ€
Note: Again I have used Chrome as an example you can easily select the executable of any other browsers (including Internet Explorer) here as well if you want to block multiple browsers.
Step 9. In this example we are just going to accept the defaults and click â€œNextâ€.
Optional: If you wanted to just block a particular version of browser (or program) or just any version below a certain number tick â€œUse custom valuesâ€ and then enter the version number in the â€œFile versionâ€ field and select â€œAnd Belowâ€ from the pop-down menu.
Step 10: Click â€œNextâ€
Step 11: Click â€œCreateâ€
Step 12: You will now be prompted to create some default rules that ensure that you donâ€™t accidently stop Windows from working. Click â€œYesâ€ to this if you donâ€™t already have these rules created.
Step 13 (Optional): If you also want this AppLocker rule to apply computer administrators then right-click on the â€œBUILTIN\Administratorsâ€ rule and click â€œDeleteâ€
Step 14 (Optional): Click â€œYesâ€
You AppLocker Rules are now setup and should now look like thisâ€¦
Now there is one more thing you need to do to enable AppLocker on the computerâ€¦
Step 15. In the same Group Policy Object you were just editing navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and double click on the â€œApplication Identityâ€ service.
Note: This is the process that scanâ€™s all the file before they are executed to check the name, hash or signature of the executable before it is run. If this is not turned on then AppLocker will simple not work.
Step 16: Tick â€œDefine this policy settingâ€ and tick â€œAutomaticâ€ then click â€œOKâ€
The services section should now look like thisâ€¦
Your all doneâ€¦ Now when the user tries to run an un-approved browser (or program) they will be presented to this dialogue boxâ€¦
Now if you want to make sure you have covered all the bases below is a an image of the AppLocker rules configured with a few more denied browsersâ€¦