Microsoft has just released a report (see AppLocker Deployment at Microsoft) describing the process they used to implementation of AppLocker via Group Policy. This was done to so that Microsoft would maintaining compliance with the U.S. Digital Millennium Copyright Act (DMCA) by preventing all their computers from running P2P software.
The report shows that after they fully rolled out the AppLocker policy setting the number of P2P cases dropped to nearly 0%. It was also interesting that the report noted that there was not a single support call regarding AppLocker for all 200,000 computers when the settings were rolled out.
Not a single support call for an AppLocker-related problem has occurred.
This document focus’s more on the process for testing and deployment of AppLocker in a large environment rather than the exact technical steps. I assume what made this a lot easier for Microsoft is that the most popular BitTorrent clients uTorrent is a digitally signed program. This makes it a lot easier for AppLocker to identify the application as it only need to look at the digital signature to determine if the program should be blocked. Meaning that they do not have to constantly update the Group Policy setting with a new hash value whenever a new version of the client is released.
Personally I certainly think BitTorrent software has a legitimate and legal place. For example check out The Tunnel Movie which was a full length movie that was released freely using BitTorrent. Rather ironically Windows has its P2P service built-in called Background Intelligent Transfer Service (BITS) which is used for distributing software updates to computers efficiently over WAN and LAN links.
However this is still good case study at the process you need to take to rollout AppLocker to prevent users from running particular programs that say may not be a secure version. e.g. Adobe Reader v9 see http://blog.stealthpuppy.com/virtualisation/dont-virtualize-adobe-reader-x/).
If you are interested for instructions for using AppLocker then check out my other blog post Best Practice: How to configure AppLocker Group Policy in Windows 7 to block third-party browsers
5 thoughts on “How Microsoft uses AppLocker to block Bit Torrent”
Blog Post: How Microsoft uses AppLocker to block Bit Torrent http://t.co/soDRtWOx
How Microsoft uses AppLocker to block Bit Torrent: http://t.co/fNsL9aPh
How Microsoft uses AppLocker to block Bit Torrent http://t.co/kBGms9Gm #microsoft #grouppolicy
I have shared my own peer-2-peer Applocker policy here with all BitTorrent clients I could find. It takes a few minuttes to import into a Group Policy.