Secure Your Windows PC with Application Whitelisting


Most users are familiar with Windows Defender, the built-in antivirus software that constantly scans for malicious activity and blocks known threats. However, even the best antivirus can’t prevent users from inadvertently installing harmful programs. Think of it like the Trojan Horse – a seemingly harmless gift that opens the door to unwelcome guests.

One powerful defense against this is application whitelisting. This allows you, as the administrator, to create a list of approved programs. Any application not on this list is automatically blocked from running, adding an extra layer of security even against unknown malware. This is particularly helpful in shared environments like families, schools, or businesses.

(Source: Microsoft)

Using AppLocker for Application Whitelisting

Windows offers a built-in whitelisting tool called AppLocker, accessible through the Local Security Policy. While included in Pro and Enterprise editions, it can also be enabled in Windows 10 and 11 Home editions (see instructions at the end of this article). AppLocker functions similarly to the Windows Firewall, using rules, or policies, to control application execution. You can create both whitelists and blacklists, but whitelisting is generally more effective against the ever-evolving landscape of malware.

Setting Up Your AppLocker Whitelist

  1. Open Local Security Policy by typing “secpol” in the taskbar search and clicking the matching result.
  2. Navigate to Application Control Policies > AppLocker.
  3. Focus on the “Executable rules” folder, which manages EXE and COM files.
  4. While granular control is possible, leveraging default rules simplifies setup. Right-click on “Executable rules” and select “Create default rules.” Then, right-click again and select “Automatically generate rules.”

  5. The wizard will initially select the C:\Program Files folder. Click “Next.”
  6. In “Rule settings,” choose between “File hash” and “Path” for program identification. “File hash” (the default) is recommended as it’s more secure. Click “Next.”
  7. AppLocker will generate rules for applications in C:\Program Files. Click “Create.”
  8. Repeat steps 5-7 for C:\Program Files (x86) and C:\Windows.

Activating Application Identity

AppLocker requires the “Application Identity” service to be running.

  1. Type “services” in the taskbar search and click the corresponding result.
  2. Locate “Application Identity,” double-click it, and click “Start.”

Now, any program outside the specified folders will be blocked with the message “This app has been blocked by the system administrator.” Only administrators can add programs to the whitelisted folders. This configuration provides robust protection against malware and unauthorized software installations while still allowing access to documents and other files.
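
A quick way to confirm the whitelist behaves as described, as an added example that is not part of the original article: it checks the Application Identity service, reads the effective executable rules, asks AppLocker how it would treat a few files, and lists recent block events. The sample paths are constructed, and the script assumes the AppLocker PowerShell module is available and that it runs in an elevated PowerShell session.

```powershell
# Added example: verify the AppLocker whitelist after setup (run elevated).
# Assumes the AppLocker PowerShell module is available on this edition.

# 1. Rules are only evaluated while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
'Application Identity: status={0}, startup={1}' -f $svc.Status, $svc.StartType

# 2. Inspect the executable rule collection of the effective policy.
[xml]$xml = Get-AppLockerPolicy -Effective -Xml
$exe = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) {
    Write-Warning 'No executable rule collection found: nothing is whitelisted.'
} else {
    'Exe rules: {0}, enforcement mode: {1}' -f $exe.ChildNodes.Count, $exe.EnforcementMode
}

# 3. Ask AppLocker how it would treat specific files for a standard user.
#    Constructed sample paths; the last one stands in for a downloaded installer.
$samples = @(
    "$env:SystemRoot\System32\notepad.exe"
    "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
    "$env:USERPROFILE\Downloads\setup.exe"
) | Where-Object { Test-Path -LiteralPath $_ }

if ($samples) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $samples -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Recent decisions from the AppLocker log:
#    8003 = would have been blocked (audit only), 8004 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Files inside the whitelisted folders should report “Allowed” with the matching rule name, while anything outside them should report “DeniedByDefault.”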

Managing AppLocker

To temporarily disable AppLocker, simply restart Windows. The “Application Identity” service is set to “Manual” startup by default and will be deactivated upon restart. For permanent activation, change the startup type to “Automatic” in the service properties. If access is denied, modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppIDSvc and set “Start” to “2” (Automatic). To revert to manual startup, change the value to “3.” If you’ve locked yourself out, access the registry editor (regedit) via the command prompt in administrator mode.

To completely remove AppLocker, delete the executable rules in Local Group Policy.

Alternatives to AppLocker

Cyberlock

Cyberlock (formerly VoodooShield) is a more comprehensive, albeit paid, alternative. It creates a whitelist based on a system snapshot and notifies you of any new or unsigned applications, allowing you to block, sandbox, or install them.

Other Whitelisting Options

While Software Restriction Policies (SRP) existed in older Windows versions, it’s now deprecated. Other options include restricting installations to the Microsoft Store or using Smart App Control, which automatically whitelists based on your usage patterns. However, these offer less control than AppLocker or Cyberlock. Kiosk mode, designed for single-app usage scenarios, also provides whitelisting functionality.

Enabling Local Security Policy in Windows Home

  1. Open command prompt as administrator.
  2. Run the following command:
    FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")
  3. Then, run:
    FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")
  4. Local Security Policy will then be accessible via the Start menu.