and Applications MOAC 70-687: Configuring Windows 8 Controlling Device Installation The Device Installation Restrictions folder in a GPO contains policy settings that enable you to prevent Windows computers from installing and updating device drivers under specific conditions. The policies in the Computer Configuration/Policies/Administrative Templates/System/Device Installation/Device Installation Restrictions folder enable you to specify if or when the computers on your network can install drivers for hardware devices. 2013 John Wiley & Sons, Inc. 2 Controlling Device Installation The Device Installation Restrictions policies 2013 John Wiley & Sons, Inc. 3 Controlling Removable Storage Access For control over access to specific types of removable storage at the computer level, use the policy settings in the Computer Configuration/Policies/Administrative Templates/System/Device Installation/ Removable Storage Access folder. For control at the user level, the same policies appear in the User Configuration/Policies/Administrative Templates/System/Removable Storage Access folder. 2013 John Wiley & Sons, Inc. 4 Controlling Removable Storage Access The Removable Storage Access policies 2013 John Wiley & Sons, Inc. 5 Configuring Application Restrictions Lesson 7: Controlling Access to Local Hardware and Applications 2013 John Wiley & Sons, Inc. 6 Software Restriction Policies Software restriction policies are Group Policy settings that enable administrators to specify the programs that are allowed to run on workstations by creating rules of various types. 2013 John Wiley & Sons, Inc. 7 Software Restriction Policy Rules The software restriction policy rules that you can create include: o Certificate rules o Hash rules o Network zone rules o Path rules
2013 John Wiley & Sons, Inc. 8 Creating Rules To create rules: 1. Open a Group Policy object (GPO) and browse to Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies. 2. Right-click the Software Restriction Polices object. 3. From the context menu, select New Software Restriction Policies. You create new rules of your own in the Additional Rules folder, using the dialog box. 2013 John Wiley & Sons, Inc. 9 Creating Rules Software Restriction Policies 2013 John Wiley & Sons, Inc. 10 Creating Rules The New Path Rule dialog box 2013 John Wiley & Sons, Inc. 11 Rule Settings The three possible settings are Disallowed: Prevents an application matching a rule from running. Basic user: Allows all applications not requiring administrative privileges to run. Allows applications that do require administrative privileges to run only if they match a rule. Unrestricted: Allows an application matching a rule to run. 2013 John Wiley & Sons, Inc. 12 Using AppLocker AppLocker, also known as application control policies, is essentially an updated version of the concept implemented in software restriction policies. AppLocker uses rules, which administrators must manage. Creating the rules is much easier because of a wizard-based interface. 2013 John Wiley & Sons, Inc. 13 Understanding Rule Types The AppLocker settings are located in Group Policy objects in the Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker container. In the AppLocker container, there are four nodes that contain the basic rule types: o Executable Rules o Windows Installer Rules o Script Rules o Packaged app Rules
2013 John Wiley & Sons, Inc. 14 Understanding Rule Types The AppLocker container in a GPO 2013 John Wiley & Sons, Inc. 15 Creating Default Rules To use AppLocker, create rules that enable users to access the files needed for Windows and the systems installed applications to run. The simplest way to do this is to right-click each of the three rules containers and select Create Default Rules from the context menu. 2013 John Wiley & Sons, Inc. 16 Creating Default Rules The default AppLocker executable rules 2013 John Wiley & Sons, Inc. 17 Creating Rules Automatically When you right-click one of the three rules containers and select Create Rules Automatically from the context menu, an Automatically Generate Rules Wizard appears. After specifying the folder to be analyzed and the users or groups to which the rules should apply, a Rule Preferences page appears. The wizard then displays a summary of its results in the Review Rules page and adds the rules to the container.
2013 John Wiley & Sons, Inc. 18 Creating Rules Automatically The Automatically Generate Executable Rules Wizard 2013 John Wiley & Sons, Inc. 19 Creating Rules Automatically The Rule Preferences page of the Automatically Generate Executable Rules Wizard 2013 John Wiley & Sons, Inc. 20 Creating Rules Automatically The Review Rules page of the Automatically Generate Executable Rules Wizard 2013 John Wiley & Sons, Inc. 21 Creating Rules Manually You can create rules manually using a wizard. To start the wizard, select Create New Rule from the context menu for one of the three rule containers. The wizard prompts you for: o Action o User or group o Conditions o Exceptions 2013 John Wiley & Sons, Inc. 22