Locking Down Your PC: A Comprehensive Guide to Whitelisting and Application Control
Windows Defender offers essential protection, diligently scanning for and blocking known malware. However, it cannot prevent users from installing malicious software disguised as legitimate applications – a digital Trojan horse scenario. To enhance your system’s security, consider implementing a whitelisting approach, a proactive method of application control that restricts the execution of unauthorized programs.
Whitelisting involves creating an approved list of applications permitted to run on your system. Anything not on this list is automatically blocked, providing a robust defense against both known and unknown threats. This method is particularly beneficial in environments where strict control over software installations is desired, such as family computers, school labs, or business workstations. By preventing the execution of unapproved software, you safeguard against inadvertently installed malware and unauthorized program usage. Moreover, whitelisting provides a layer of protection against zero-day exploits and previously unknown malware variants that antivirus software might not yet recognize.
Microsoft provides several tools to implement whitelisting on Windows systems. The most versatile is the Local Security Policy, a powerful configuration tool available in Windows Pro and Enterprise editions. Although not readily accessible in Windows Home editions, it can be enabled through the command prompt. The Local Security Policy allows you to manage various security settings, including the Windows AppLocker feature.
AppLocker, integrated into Windows since Windows 10 version 1809, operates using rules or policies, similar to the Windows Firewall. It provides the flexibility to create both whitelists and blacklists. A blacklist approach blocks only specifically identified programs, while allowing everything else to run. This approach can be problematic, as new malware emerges constantly. Therefore, configuring a whitelist of approved programs and blocking all other applications is generally recommended.
To access AppLocker through the Local Security Policy, type "secpol" in the taskbar search bar and open the Local Security Policy tool. Navigate to Application Control Policies > AppLocker. You’ll find several subfolders; "Executable Rules" is the most relevant, governing EXE and COM files. You can create individualized rules for each application, but this can be time-consuming. Microsoft provides the option to create default rules suitable for most scenarios, greatly simplifying the process.
To create default rules, right-click "Executable Rules" and select "Create Default Rules". Then, right-click "Executable Rules" again and select "Automatically Generate Rules." A wizard will guide you through the process. The first window typically has the C:\Program Files folder preselected. After clicking "Next," you'll arrive at the "Rule settings" window.
Here, you must choose between identifying applications by their "File hash" or "Path." Using a file name (e.g., Notepad.exe) isn’t recommended, as malware often disguises itself using common Windows application names. Leave the default setting "File hash" selected, and click "Next." AppLocker will then create rules for the applications within C:\Program Files. Click "Create" to confirm and repeat the process for the C:\Program Files (x86) and C:\Windows folders. These folders contain many standard programs.
After defining the default rules, AppLocker will effectively whitelist the applications within those folders. However, for AppLocker to function correctly, the Windows service "Application Identity" must be running. To start this service, type "services" in the taskbar search bar and open the Services app. Locate the "Application Identity" entry, double-click it, and click the "Start" button.
Once configured, attempting to run a program outside the whitelisted folders will result in an error message: "This app has been blocked by the system administrator." This demonstrates the effectiveness of the whitelisting approach. Regular users lack write permissions to the whitelisted folders (C:\Program Files, C:\Program Files (x86), and C:\Windows), preventing them from installing unauthorized software into these locations. Documents, image files, videos, and music remain accessible, unaffected by the whitelisting restrictions.
Experiment with the newly configured system to ensure that your workflow remains functional. Be aware that any EXE or COM files installed in folders not included in the whitelist (e.g., C:\Users) will be blocked. If issues arise, simply restart Windows: by default, the Application Identity service's startup type is set to "Manual," so the service does not start again after a reboot and AppLocker is consequently disabled.
To permanently enable AppLocker, access the Application Identity service’s properties, change the "Startup type" to "Automatic," and confirm. This ensures that the service loads every time Windows starts, activating AppLocker.
If you encounter an "Access denied" error when modifying the startup type, you can manually edit the registry. Open the Registry Editor (Regedit.exe), navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppIDSvc and change the "Start" value to 2. This change takes effect immediately and cannot be undone through the Services app. To revert to the manual startup type, change the "Start" value back to 3.
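As an added example that is not part of the original article, the following PowerShell script (run from an elevated PowerShell) checks the pieces set up above: it sets the Application Identity service to Automatic through the same registry value, starts it, reports the enforcement mode of the effective AppLocker policy, asks the policy how it would decide for given files without executing them, and lists what AppLocker has blocked during the last week. The default path in -TestPath is an assumption; pass executables from your own system, for instance a download under C:\Users.

```powershell
# Added example, not part of the original article: verify that AppLocker
# is actually in force and test individual files against the effective policy.
# Run in an elevated PowerShell. -TestPath defaults are assumptions.
param(
    [string[]]$TestPath = @("$env:SystemRoot\System32\notepad.exe")
)
$ErrorActionPreference = 'Stop'

# 1. Application Identity service. Start=2 is Automatic, 3 is Manual,
#    the same registry value the article edits with Regedit.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc'
if ((Get-ItemProperty -Path $svcKey -Name Start).Start -ne 2) {
    Write-Warning 'AppIDSvc is not set to Automatic; setting Start=2'
    Set-ItemProperty -Path $svcKey -Name Start -Value 2 -Type DWord
}
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') { Start-Service -Name AppIDSvc }
Get-Service -Name AppIDSvc | Format-Table Name, Status, StartType -AutoSize

# 2. Effective policy: which rule collections exist and are they enforcing?
#    EnforcementMode is NotConfigured, AuditOnly or Enabled.
$policy = Get-AppLockerPolicy -Effective
foreach ($rc in $policy.RuleCollections) {
    "{0,-8} enforcement: {1}" -f $rc.RuleCollectionType, $rc.EnforcementMode
}

# 3. Decide for specific files without running them. PolicyDecision is
#    Allowed, Denied or DeniedByDefault; MatchingRule names the rule that matched.
$existing = $TestPath | Where-Object { Test-Path -Path $_ -PathType Leaf }
if ($existing) {
    $policy | Test-AppLockerPolicy -Path $existing -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Blocks from the last seven days. Event 8004 = blocked in enforce mode,
#    8003 = would have been blocked in audit mode.
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-7)
}
$events | ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUser; File = $d.FilePath }
} | Format-Table -AutoSize
```

Section 3 is the quickest way to find out why a tool in your workflow stopped running: a DeniedByDefault decision means no hash rule covers that file, which is exactly the case for anything installed outside the whitelisted folders.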
If AppLocker has inadvertently locked you out of your system, preventing access to the Registry Editor, right-click the Start button and open "Terminal (Administrator)". From the command line, type "regedit" to open the Registry Editor and modify the startup type as described above, followed by a reboot.
To permanently disable AppLocker, select "Executable Rules" in the Local Security Policy, right-click the list, and click "Delete."
While AppLocker is a robust tool, numerous other whitelisting solutions exist. Cyberlock (formerly Voodooshield) is a more comprehensive application that can be tested on a trial basis. After installation, Cyberlock scans the Windows installation, snapshots found applications, and creates a whitelist. Whenever a new application is downloaded, installed, uninstalled, or an unsigned application is started, the software shows a notification window, requesting a choice between blocking, sandboxing, or allowing the application. Cyberlock cancels the installation if there is no response within 20 seconds.
AppLocker succeeded Software Restriction Policies (SRP), which had been included in Windows since XP. However, Microsoft deactivated SRP with Windows 11 22H2.
Windows Smart App Control offers another approach, particularly suitable for users who primarily use digitally signed applications. This feature, found under Apps > Advanced settings for apps in Windows Settings, allows you to restrict app installations to the Microsoft Store. However, this restriction can be bypassed via the command line tool winget, preinstalled on newer Windows versions.
Smart App Control also exists under Privacy & security > Windows Security > App & browser control in Settings. Initially inactive after a Windows installation, it monitors PC use in evaluation mode. If it detects usage of digitally signed standard applications, Smart App Control activates within a few weeks, permitting only software installations that are either digitally signed or pass a check through cloud-based AI. If you frequently use less common tools, Smart App Control remains inactive.
Windows Kiosk Mode offers configurable whitelisting, found under Accounts > Other Users > Kiosk in Settings. This mode allows only a single application to run and is intended for presentations in store windows. Once Kiosk mode is set up, Windows automatically logs into a new, dedicated user account at startup and runs only the one configured application.
Enabling the Local Security Policy in Windows Home requires running the command prompt as administrator. Enter the following commands, pressing Enter after each:
FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")
FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")
Once processed, you can search for and open the Local Security Policy via the Start menu.