Anyone for Applocker?

Some time ago, I was attending a Microsoft Licensing Boot-camp run by Directions on Microsoft.  Whilst covering off the variations of Windows 8 (Enterprise) operating system, the course tutor happened to touch on a sub-component that had previously flown by me – namely, Applocker.  In the presentation, the tutor happened to mention that Applocker can prevent applications running without the required permission.

Stop the press!! Is the world of Software Asset Management about to be turned on its head?! If you read the tech-net information that covers implementing Applocker, you might be inclined to think that not only could you do away with your Software Asset Management suite, your anti-virus software might also become redundant.  Applocker controls the key component of an application and validates whether it can be allowed to run or not by comparing it to a list of users through a Group Policy Object within Active Directory.  This can be done on a local device, or via Windows Server 2008 to apply to an entire range of devices.  Indeed, exceptions can even be allowed, so that if a company policy exists to prohibit access to a specific title, then certain users can be given permission to run that software.

A monkey-see, monkey-do guide can be found at the link below:

http://blogs.technet.com/b/canitpro/archive/2013/06/10/step-by-step-controlling-access-in-windows-8-with-applocker.aspx

A more in-depth review of Applocker can be found in the tech-net pages:

http://technet.microsoft.com/en-us/library/dd759113.aspx

I was talking with John Tomeny of Sassafras about this development, as I wondered whether he saw this as a potential threat to this permission setting feature of KeyServer (Sassafras’s Software Asset Management suite) and John raised a very salient point:  Applocker might offer a degree of control around who can and cannot run applications, but it will not perform such a check against a license count, nor will it provide application metering data (although Applocker can be configured to provide rule-usage data via the Event Viewer).

Rather like self-service portals, I suspect Applocker will come into its own when the current crop of Software Asset Management suites can interface with Applocker rules and dynamically validate whether or not a license permits the running of a software title or not.

In the meantime, IT staff will have to continue to categorise company employees by job role to assess their suitability to access software titles if Applocker is their sole means of control.

A point too, on such AD/Applocker controls:  if concurrency is a requirement of management for certain software titles on your estate, ensure the software vendors for those titles endorse Applocker as a suitable method of control – it could be a very expensive lesson learnt if those vendors state they don’t acknowledge Applocker and attempt to widen licence fees due by the rest of your user base.

 

Image Credit

1 thought on “Anyone for Applocker?”

  1. Thanks Rory for the discussion last week and for your post here. I spent some time learning a bit more about AppLocker so that I could expound a bit upon my initial reaction in a more informed light. In summary, while AppLocker may offer certain limited security benefits for some organizations, its current capabilities appear to make it ineffective as a software license compliance tool, or more generally as a software asset management tool.

    Four years after the release of AppLocker, we don’t hear of anyone using it for software licensing. It was never designed for licensing and I doubt it will evolve in this direction. As you noted in the article, while AppLocker can prevent access to certain files (executable files, scripts, Windows Installer files, and DLLs), it does this without any awareness of software product identification or product licensing. For many years, the Mac OS X Server admin console has had similar abilities to prevent software launches on client machines. I would imagine that if there are companies out there attempting to use these features as a ‘poor-man’s license metering tool’, they will quickly discover how inadequate it is for the task, and hopefully find a true SAM tool instead.

    There are plenty of OS features that will only satisfy the requirements of a novice user. As an example, when Windows 7 was released, Microsoft was trying to address a lot of criticism over security of their OS. Just a few weeks ago I saw an interesting article about Security Essentials, stating that this on-board Microsoft OS tool was a “baseline” technology that couldn’t hold a candle to devoted antivirus software. ( http://www.pcpro.co.uk/news/security/384394/microsoft-security-essentials-is-designed-to-be-bottom-of-the-antivirus-rankings ). Microsoft apparently saw a need to add certain features if only in a cursory way, but for many of these features third party software provides a better and more complete solution.

    I have seen this habit repeat itself in many ways over the years – that OS developers will provide “baseline” level functionality in certain areas while third party developers publish professional level functionality. Early versions of some file server technologies even included the ability to meter out concurrent-use licensing. A few customers used this in its day, but those who were serious about managing software licensing for compliance and cost reduction sought out dedicated SAM solutions.

    Other limitations of AppLocker include:
    – fragile identification (paths and checksums)
    – lack of reporting (usage is recorded in the Event Log http://technet.microsoft.com/en-us/library/ee844150(v=ws.10).aspx )
    – OS compatibility limitations (only Win 7 and later – and in addition, specifically incompatible with Win 7 Pro).

    It’s great that Windows has at least a teaser tool that hints at security and compliance “out of the box”. Hopefully more companies will think about how important this is, and how it can be easy to manage compliance and save money on software – IF they use the right tool…

Leave a Comment

Your email address will not be published. Required fields are marked *