I'm currently trying to secure a Windows environment using AppLocker but have hit some snags with path-based rules. I initially thought about using a firewall in learning mode to create rules, but many applications like browsers and emulators use dynamic paths (like AppData and Temp folders), which can change and mess up the policy once enforcement is turned on.
So, I'm looking into publisher-based rules because they seem to be more resilient to updates and changes in paths.
Here's what I need:
- **Restrict certain application categories**:
  - Web browsers
  - Android emulators (like BlueStacks, Nox, LDPlayer, etc.)
  - Virtual machine software (like VirtualBox and VMware)
I want to prevent users from using these types of applications while still allowing them to download and run general software.
I understand AppLocker typically works with allow-listing, but here, I need a setup that's not completely restrictive. Blocking execution from user directories would hinder legitimate use cases too much.
I'm digging for recommendations on how to control these categories without being overly restrictive, and whether publisher-based deny rules can work at scale. I'm also open to alternative strategies (like WDAC or SRP) that balance control, flexibility, and maintainability.
Just to note, users don't have admin rights, and my priority is to prevent the usage of specific software types without a complete lockdown. Any real-world advice would be appreciated!
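The following is an added example, not part of the question or any answer, showing the shape a publisher-based deny setup takes: a broad "allow everything" path rule for Everyone so that user-downloaded software keeps running, plus one Deny rule per signer of the applications in the blocked categories. It assumes the AppLocker PowerShell module (Windows Enterprise, Education or Server), a constructed list of sample binaries (`$denyTargets`) standing in for the browsers, emulators and VM software installed on a reference machine, and that AppLocker's documented precedence (Deny rules are evaluated before Allow rules) is what makes the two rule types coexist.

```powershell
# Added example (not from the original post). Assumes the AppLocker module and a
# constructed list of representative binaries for the categories to be blocked.
Import-Module AppLocker

# Constructed sample: one representative binary per category on a reference machine
$denyTargets = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',          # web browser
    'C:\Program Files\Oracle\VirtualBox\VirtualBox.exe'       # VM software
)

# Read the signer (publisher) of each signed file; unsigned files yield no Publisher
# and would need a hash rule instead.
$publishers = $denyTargets |
    Where-Object { Test-Path $_ } |
    Get-AppLockerFileInformation |
    Where-Object { $_.Publisher } |
    ForEach-Object { $_.Publisher.PublisherName } |
    Sort-Object -Unique

# One Deny rule per publisher, wildcarded to every product, binary and version of
# that signer. Narrow ProductName when a vendor also ships software you must keep.
$denyRules = foreach ($pub in $publishers) {
    $id  = [guid]::NewGuid()
    $esc = [System.Security.SecurityElement]::Escape($pub)   # XML-safe attribute value
@"
    <FilePublisherRule Id="$id" Name="Deny category: $esc" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$esc" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

# Baseline Allow rule for Everyone (SID S-1-1-0) so general software still runs;
# the collection starts in AuditOnly so mistakes show up in the AppLocker event log
# (Applications and Services Logs > Microsoft > Windows > AppLocker) before enforcement.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow everything (baseline)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$out = Join-Path $env:TEMP 'applocker-deny-categories.xml'
$policyXml | Set-Content -Path $out -Encoding UTF8

# Dry run against the sample files: each should report PolicyDecision = Denied
# with the matching Deny rule; anything else should be Allowed by the baseline.
Test-AppLockerPolicy -XmlPolicy $out -Path $denyTargets |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy (run elevated). For a domain, import the XML into the
# AppLocker node of a GPO instead; the Application Identity service must be running.
Set-AppLockerPolicy -XmlPolicy $out -Merge
```

Two practical notes on this design. First, a publisher rule keys on the certificate subject, so vendors that sign several products with one certificate (a browser vendor that also ships a sync client, for instance) need `ProductName` set to the specific product rather than `*`, otherwise the deny is wider than intended. Second, emulators and smaller VM products are sometimes unsigned or change signers between releases; those are the cases where the audit-mode event log earns its keep, since every executable that would have been denied or allowed is recorded there with the rule that matched, and a missing match on an unsigned binary tells you a hash rule (or a path rule for its install directory) is still required.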
1 Answer
If you're aiming to manage apps effectively, getting a solid grip on your users' permissions is key. Since your users are standard users and you need them to download software, I suggest using tools like MDM or GPO if you're on a domain. This way, you can remotely install software and not let users install anything themselves. You could also set up a local admin access solution where the admin password changes periodically, so users can request it temporarily when they need to install something specific. That's a middle ground that allows you to maintain control without too much hassle.

That makes sense, but wouldn’t enforcing that kind of control create bottlenecks for users? For example, can they still install apps they need on the fly without too much back-and-forth?