http://community.spiceworks.com/topic/389016-need-help-with-gpo-to-block-exe-s-in-appdata-folder
http://community.spiceworks.com/topic/99767-whitelisting-binaries-application-using-gpo-for-securing-terminal-server-2008
http://technet.microsoft.com/en-us/video/using-applocker-in-win7.aspx
http://www.grouppolicy.biz/2010/04/how-to-configure-applocker-group-policy-in-windows-7-to-block-third-party-browsers/
It works, but it blocks only that directory, not its subdirectories.
So far what I have done in Group Policy Management is open the domain, go to Group Policy Objects and
edit every Windows SBS Client policy under Computer Configuration/Policies/Windows
Settings/Security Settings/Software Restriction Policies/Additional Rules
New Path Rule:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: block exe's in appdata
It's pretty easy to whitelist, actually.
Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies
Set the security level to Disallowed, Allow these in "Additional Rules" (see attached), and you're 90%
done. You'll just add any application paths outside of Program Files that you might need (network
locations, etc.).
I also disallow regedit.exe and runas.exe.
If you just want to blacklist you'll set your default level to Unrestricted, then disallow
%USERPROFILE%\AppData.
It's not going to be very effective, though. Also, make sure to whitelist *.lnk or users will find that Start
menu shortcuts don't work.
The exceptions for file types and admins are found under "Software Restriction Policies" in "Enforcement"
and "Designated File Types" (see attached). Make sure to configure the enforcement policies as shown or you
won't be able to install software as an admin. Also, remove "LNK" from the Designated File Types if it's in
there so that shortcuts will work.
It doesn't block apps launched over the network, but it does block subdirectories.
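An added check, not from the forum replies above: the PowerShell below reads the Software Restriction Policy settings those replies discuss from where Group Policy writes them on the client (the documented SRP store under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), lists the Additional Rules, and warns about the two gotchas the replies mention (LNK still in the Designated File Types, and enforcement applied to administrators). It also flags path rules of the `%AppData%\*.exe` form, which match only files directly in that folder. It assumes the policy has already been applied (gpupdate) on a domain member; the function names are mine.

```powershell
# Added example, not taken from the forum replies. Reads the applied SRP settings
# from the documented registry store and flags the gotchas the replies describe.
# Assumption: run on a domain member after the GPO has applied. Per-user SRP
# settings land under HKCU at the same relative path and are not read here.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpSummary {
    if (-not (Test-Path $Base)) { throw "No Software Restriction Policy is applied on this machine." }
    $root = Get-ItemProperty -Path $Base

    # DefaultLevel: 0 = Disallowed (whitelist), 0x20000 = Basic User, 0x40000 = Unrestricted (blacklist)
    $levels  = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
    $default = if ($null -ne $root.DefaultLevel) { $levels[[int]$root.DefaultLevel] } else { 'Unrestricted (not set)' }

    [pscustomobject]@{
        DefaultLevel    = $default
        # TransparentEnabled: 1 = all software files except libraries (DLLs), 2 = all software files
        EnforceDlls     = ($root.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        AdminsExempt    = ($root.PolicyScope -eq 1)
        # ExecutableTypes is the Designated File Types list (REG_MULTI_SZ of extensions)
        DesignatedTypes = @($root.ExecutableTypes)
        LnkIsDesignated = (@($root.ExecutableTypes) -contains 'LNK')
    }
}

function Get-SrpPathRules {
    # Additional Rules live under <level>\Paths\{GUID}; key 0 = Disallowed, 262144 = Unrestricted
    foreach ($level in 0, 262144) {
        $paths = Join-Path $Base "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($key in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{
                Level       = if ($level -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

$summary = Get-SrpSummary
$rules   = @(Get-SrpPathRules)
$summary | Format-List
$rules | Sort-Object Level, Path | Format-Table -AutoSize

if ($summary.LnkIsDesignated) {
    Write-Warning 'LNK is still a Designated File Type: Start menu shortcuts outside the allowed paths will be blocked.'
}
if ($summary.DefaultLevel -eq 'Disallowed' -and -not $summary.AdminsExempt) {
    Write-Warning 'Default level is Disallowed and enforcement includes administrators: admin installs from outside the allowed paths will fail.'
}

# Each * in an SRP path rule stands for one path component, so %AppData%\*.exe
# matches only files directly in that folder; %AppData%\*\*.exe reaches one level of
# subfolders (add deeper variants as needed).
foreach ($r in $rules | Where-Object Level -eq 'Disallowed') {
    $segs = $r.Path -split '\\'
    if ($segs[-1] -eq '*.exe' -and $segs[-2] -ne '*') {
        Write-Warning ("{0} covers only that folder; consider also {1}" -f $r.Path, ($r.Path -replace '\\\*\.exe$', '\*\*.exe'))
    }
}
```

Run it in an elevated prompt on a client that has received the policy; if the summary shows DefaultLevel Disallowed with AdminsExempt False, the "can't install software as an admin" symptom from the reply above is exactly what to expect.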
gpedit.msc
Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker
Executable Rules > right-click > Automatically Generate Rules (Allow) for the Windows and Program Files folders
> Create New Rule (Deny) > Path, to deny .exe files from a given location:
%REMOVABLE%\*.exe – for CDs/DVDs
%HOT%\*.exe – for USB drives
D:\*.exe – for a specific drive letter
AppLocker path variables:

Windows directory or disk                                  AppLocker variable   Windows environment variable
Windows                                                    %WINDIR%             %SystemRoot%
System32                                                   %SYSTEM32%           %SystemDirectory%
Windows installation directory                             %OSDRIVE%            %SystemDrive%
Program Files                                              %PROGRAMFILES%       %ProgramFiles% and %ProgramFiles(x86)%
Removable media (for example, a CD or DVD)                 %REMOVABLE%          (none)
Removable storage device (for example, a USB flash drive)  %HOT%                (none)
Important
For a best practice, use Allow actions with exceptions. You can use a
combination of Allow and Deny actions, but Deny actions override Allow actions
in all cases, and combined actions can be circumvented.
Important
If you join a computer running Windows Server 2012 or Windows 8 to a domain that
already enforces AppLocker rules for executables, users will not be able to run any
Packaged apps unless you also create rules for the Packaged apps. If you want to allow
any Packaged apps in your environment while continuing to control executables, you
should create default rules for Packaged apps and set the enforcement mode to Audit-
only for the Packaged app rule collection.
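An added example, not part of these notes or of the TechNet text: the PowerShell below builds the AppLocker policy the gpedit procedure above describes (allow rules for the Windows and Program Files folders, deny rules for executables on removable media and on D:, using the path variables from the table), adds the default Packaged app rule in Audit-only mode as the second Important note advises, tests the result against two real binaries, and shows how it is applied. It assumes an elevated session on a Windows machine with the AppLocker module; the rule names and output file name are mine, and the LDAP path at the end is a placeholder to replace with your own GPO's.

```powershell
# Added example, not from the notes or from TechNet. Builds, tests and (optionally)
# applies the AppLocker policy described in the procedure above.
# Assumptions: elevated PowerShell on Windows with the AppLocker module; rule names
# and the temp file name are mine; the LDAP path is a placeholder.
Import-Module AppLocker

function New-PathRuleXml {
    param(
        [string]$Name,
        [string]$Path,
        [ValidateSet('Allow', 'Deny')][string]$Action
    )
    $id = [guid]::NewGuid().ToString()
    # UserOrGroupSid S-1-1-0 is Everyone
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# Allow rules: what "Automatically Generate Rules" produces for the two default folders
$allow = @(
    New-PathRuleXml -Name 'Allow Windows'       -Path '%WINDIR%\*'       -Action Allow
    New-PathRuleXml -Name 'Allow Program Files' -Path '%PROGRAMFILES%\*' -Action Allow
)
# Deny rules from the procedure. Deny overrides Allow in all cases, so these win
# even where an allow rule also matches.
$deny = @(
    New-PathRuleXml -Name 'Deny exe on CD/DVD' -Path '%REMOVABLE%\*.exe' -Action Deny
    New-PathRuleXml -Name 'Deny exe on USB'    -Path '%HOT%\*.exe'       -Action Deny
    New-PathRuleXml -Name 'Deny exe on D:'     -Path 'D:\*.exe'          -Action Deny
)

# Both collections start in AuditOnly; switch Exe to "Enabled" only after reviewing
# the Microsoft-Windows-AppLocker/EXE and DLL event log for "would have been blocked" events.
# The Appx collection is the default Packaged app rule the TechNet note calls for.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($allow -join "`n")
$($deny -join "`n")
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="All signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'applocker-removable.xml'
Set-Content -Path $xmlPath -Value $policy -Encoding UTF8

# Dry run against real binaries before deploying. Expected: both Allowed; any
# *.exe under D:\ or on a USB stick should come back Denied.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "$env:WINDIR\notepad.exe", "$env:WINDIR\System32\cmd.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (merged with any existing rules), or push into a GPO (placeholder DN):
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap 'LDAP://DC01.example.local/CN={GUID},CN=Policies,CN=System,DC=example,DC=local'
```

Because the policy only allows Windows and Program Files, everything on D: or on removable media is already denied by default; the explicit Deny rules only matter if a broader Allow rule (say, %OSDRIVE%\*) is added later, which is why the first Important note prefers Allow rules with exceptions over mixing Allow and Deny.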