Posts Tagged ‘Windows 8’

AppLocker

History
Allow me to start by telling you a story. A long while ago, I did some work for a travel agency. The project I was involved in was a desktop upgrade, rolling out NT 4.0 Workstation across the company. This included the computers in the agency retail outlets used to help sell flights and holidays. The company needed to limit which applications were allowed to run on those computers, as it hardly looked professional if a customer entered the shop to see an assistant playing Solitaire! Back in those days, we used Poledit.exe (the System Policy Editor) to customise what users could see and do on the desktop. So much has changed since then.

In more recent times, starting with Windows XP, Group Policy gained newer settings for administrators to manage desktops, and these included Software Restriction Policies (SRPs). SRPs allowed administrators to limit which applications users could run, using rules based on path, file hash, certificate publisher or Internet zone.

Today
With the Enterprise editions of Windows 7 and Windows 8, administrators can use a more modern set of tools: the AppLocker feature in Group Policy. AppLocker settings are found under Computer Configuration, Windows Settings, Security Settings, Application Control Policies, as seen in figure 1.

Figure 1. Applocker settings in Group Policy.

You can configure the following types of rules in AppLocker (each type is a separate rule collection with its own enforcement setting; a fifth collection, DLL rules, is available under Advanced but is off by default because of its performance cost and the effort of cataloguing every DLL):

· Executable rules – rules for .exe and .com files. The condition can be a publisher (the file's digital signature), a path (a folder containing executables, or a specific executable) or a file hash.

· Windows Installer Rules – rules which control which .msi and .msp packages can be installed in the first place, rather than limiting programs from running afterwards.

· Script Rules – increasingly, administrators use scripts such as PowerShell scripts to manage desktops. Script rules control which .ps1, .bat, .cmd, .vbs and .js files may run.

· Packaged App Rules – the newest of the collection, for Windows 8 packaged apps (.appx), whether they come from the Windows Store or are side-loaded by the organisation. Because every packaged app must be signed, these rules use the publisher condition only. You can find out more about side-loading in the Windows 8 Jump Start video collection.

Why use Applocker?
One of the benefits for administrators is that AppLocker rules are highly customisable: they allow or deny applications, scripts and installers not just machine-wide, as SRPs did, but per user or per security group. This level of granularity simplifies management and reduces the number of Group Policy Objects that need to be deployed across an organisation.

Administrators should be interested in this feature to ensure that security and licensing compliance needs are met, and to help reduce the TCO of managing applications that users might otherwise download and install.

How Does It Work?
Firstly an administrator creates or edits a Group Policy Object such as the one you've seen above. Based on the business needs, rules are created to permit or deny applications, scripts and installers for different users or groups. In figure 2, I've created an executable rule by first creating the default rules, which allow everyone to run programs from the 'Program Files' and 'Windows' folders and allow administrators to run applications from any folder. I've then added a rule that specifically denies notepad.exe using a hash rule: because the rule matches the file's SHA-256 hash rather than its location or name, it still applies if the file is moved or renamed (the flip side is that it stops matching as soon as an update replaces the binary, so hash rules need regenerating after patches). An explicit deny always wins over an allow, so this rule blocks notepad.exe even for administrators, who otherwise match the default allow-everything rule. Finally, remember to configure enforcement on the rule collection explicitly rather than relying on the default 'Not configured' state, and consider 'Audit only' first: AppLocker then logs what it would have blocked without actually blocking anything.


Figure 2. Executable rules configured in Applocker in Group Policy.

Once the policy applies to a domain-joined Windows 7 or Windows 8 computer, the Application Identity service (AppIDSvc) evaluates the deployed rules whenever a request to launch an application takes place. That service has a startup type of Manual by default and must be running, or no rule is enforced at all, so the same GPO should set it to Automatic.
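The policy described above, built and deployed from PowerShell rather than the Group Policy editor, as an added example that is not code from the original post. It uses the AppLocker module that ships with Windows 7 and Windows 8 Enterprise; the rule names, the %TEMP% file names and the notepad.exe/calc.exe test files are the example's own choices.

```powershell
# Added example, not code from the original post. Reproduces the executable-rule
# policy described above (the three default allow rules plus a hash-based deny
# for notepad.exe), tests it against real files, and deploys it with the
# AppLocker module that ships with Windows 7/8 Enterprise. Run elevated.
Import-Module AppLocker

# 1. The three default executable rules as AppLocker policy XML.
#    S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators.
function New-PathRuleXml($Name, $Sid, $Path) {
    $id = [guid]::NewGuid()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}
$defaultRules = @(
    (New-PathRuleXml '(Default Rule) All files in the Program Files folder' 'S-1-1-0'      '%PROGRAMFILES%\*')
    (New-PathRuleXml '(Default Rule) All files in the Windows folder'       'S-1-1-0'      '%WINDIR%\*')
    (New-PathRuleXml '(Default Rule) All files'                             'S-1-5-32-544' '*')
) -join "`n"

# 2. A hash rule for notepad.exe. New-AppLockerPolicy only emits Allow rules, so
#    let it compute the SHA-256 and file length, then flip the action to Deny.
#    Hash rules follow a file through moves and renames, but a patch that
#    replaces the binary silently breaks them; re-generate after updates.
[xml]$generated = Get-AppLockerFileInformation -Path "$env:SystemRoot\System32\notepad.exe" |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Deny notepad' -Xml
$denyRule = $generated.AppLockerPolicy.RuleCollection.FileHashRule
$denyRule.Action = 'Deny'

# 3. Assemble the Exe rule collection. Start in AuditOnly; switch to Enabled once
#    the audit log shows nothing legitimate being blocked.
[xml]$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$defaultRules
  </RuleCollection>
</AppLockerPolicy>
"@
$null = $policy.AppLockerPolicy.RuleCollection.AppendChild($policy.ImportNode($denyRule, $true))
$policyFile = Join-Path $env:TEMP 'applocker-exe.xml'
$policy.Save($policyFile)

# 4. Check the decisions before deploying anything. An explicit Deny beats every
#    Allow (including the administrators' allow-all rule), so notepad.exe is
#    blocked even though it lives under %WINDIR%, and a renamed copy is blocked
#    too; a copy of calc.exe outside the allowed folders matches no rule and is
#    DeniedByDefault.
Copy-Item "$env:SystemRoot\System32\notepad.exe" "$env:TEMP\renamed.exe"   -Force
Copy-Item "$env:SystemRoot\System32\calc.exe"    "$env:TEMP\calc-copy.exe" -Force
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path @(
    "$env:SystemRoot\System32\notepad.exe",   # Denied          (hash rule)
    "$env:TEMP\renamed.exe",                  # Denied          (same hash)
    "$env:SystemRoot\System32\calc.exe",      # Allowed         (Windows folder rule)
    "$env:TEMP\calc-copy.exe"                 # DeniedByDefault (no matching rule)
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Deploy. Without -Merge the whole local AppLocker policy is replaced; add
#    -Ldap '<LDAP path of the GPO>' to write into a domain GPO instead.
Set-AppLockerPolicy -XmlPolicy $policyFile
# Nothing is evaluated unless the Application Identity service is running; its
# default start type is Manual, so make it Automatic (sc.exe works on every version).
sc.exe config AppIDSvc start= auto
Start-Service AppIDSvc

# 6. While in AuditOnly, event 8003 in the AppLocker log is the "would have been
#    blocked" list; review it, then change EnforcementMode to "Enabled".
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics
```

Test-AppLockerPolicy evaluates the rules regardless of the collection's enforcement mode, which is what makes the dry run in step 4 useful: you see the Allowed, Denied and DeniedByDefault verdicts (and the rule that produced each) before a single user is affected.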

Summary
The desktop administrator today has more options than ever before to control Windows operating systems. When used in an Active Directory environment, Windows 7 and Windows 8 can be robustly managed with AppLocker to help ensure licensing compliance and security on the desktop.

For more information on Applocker and Group Policy, visit the Springboard website.

My Windows 8 ‘Feature of the Week’–Windows To Go

October 24, 2012

In what is likely to be an irregular feature on my blog, I just have to talk about a new and cool feature of Windows 8 I’ve been testing the last few days.

Windows 8 Enterprise edition contains many cool features, some already known (and improved) from Windows 7, such as BitLocker, AppLocker, BranchCache and DirectAccess, to name the main ones.


But the one feature worthy of call out in this post is Windows To Go (herein abbreviated to WTG).

The idea behind Windows To Go is that you carry a copy of your operating system on a USB drive. You prepare that drive on a Windows 8 Enterprise computer, then simply plug it into another PC and boot from it, borrowing that PC's hardware for your own use, rather like a cuckoo.

Forget roaming profiles – I now have a full roaming PC with me, in USB format. The first time I plug it into a different PC (assuming I have set the boot order to USB first), it detects the hardware and loads drivers as needed. From there, after a minute or two, I can use the desktop with all my apps loaded. Simply shut down, unplug and take it to the next PC to use it there.

For those whose shoulders and back suffer from carrying round laptops all the time, it’s well worth a look. I just need to carry a USB drive, and use a ‘donor’ machine to plug into to use it.

Sounds too good to be true? Give it a go.

Remember, though, that you must shut down the PC before ejecting the drive. If you unplug it while the operating system is running, Windows freezes the PC and waits for the drive. If the same drive is plugged back in within 60 seconds, it resumes from where it left off; otherwise the PC shuts down.

USB 3.0 drives have to be from the Windows To Go certified hardware list (see links at the bottom for supported models). As I type there are only three available. 32 GB is the minimum size required. Do not try to shoehorn a standard USB memory stick into this role; it is not certified and it just won't work. I have the Kingston, and it works like a dream, if a little warm when in use. It uses SSD-class flash with a proper controller rather than regular memory-stick flash, which is part of the certification requirements.


Here’s my summary:

Pros:

  • Fully portable operating system
  • boots on any PC with a USB 2.0 or 3.0 port that is certified for Windows 7 or 8
  • apps and settings are included, as it is a full O/S on the drive
  • BitLocker is available to use for added peace of mind (with a startup password, since the host's TPM is not yours)

Cons:

  • WinRE is not available for recovery. It is removed when the workspace is created, and the host's own recovery partition is never touched; we are booting straight into an alternate O/S and not using the local machine's C: drive at all.
  • The Store (for Windows 8 apps) is disabled by default, but you can enable it if you wish. This means app downloads from the Store won't work out of the box. 'Regular' desktop apps can still be installed in the old-fashioned way.

Also know:

  • Hibernation is disabled by default (there is a Group Policy setting to allow it). The workspace only works in a startup and shutdown fashion.
  • Push button reset won't work. See above.
  • Internal disks are offline when booted from WTG. They do not appear in Explorer at all; you only see the USB device's drive (and mapped drives, SkyDrive etc.). They are set offline by the workspace's SAN policy, so an administrator could bring one online from Disk Management, which defeats the data-separation purpose and is best avoided.
  • Mix & match CPU architecture only works in a backward-compatible way, i.e. a 32-bit WTG installation can be used on a 32-bit or a 64-bit PC (as long as it uses a legacy BIOS, not UEFI), but a 64-bit WTG installation can only be used on 64-bit PCs. No drama really; it's what you'd expect.
  • You can prepare your own corporate images with the usual tools (ImageX, DISM)
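Preparing a workspace by hand with those tools, as an added example that is not code from the original post or from Microsoft's Windows To Go Creator wizard. It runs on a Windows 8 Enterprise host and uses the Storage cmdlets, DISM and bcdboot; the disk number, the install.wim location and the drive letters S: and W: are hypothetical and must be checked before running it, since the script wipes the chosen disk.

```powershell
# Added example, not code from the original post or from Microsoft's Windows To Go
# Creator wizard: the manual way to provision a workspace on a Windows 8 Enterprise
# host. Hypothetical inputs: the certified drive shows up as disk 2 (verify with
# Get-Disk first), install.wim is at D:\sources\install.wim, and drive letters S:
# and W: are free on the host. Run elevated.
$DiskNumber = 2
$Wim        = 'D:\sources\install.wim'

# Refuse to wipe anything that is not a USB drive of Windows To Go size.
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB') { throw "Disk $DiskNumber is $($disk.BusType), not USB; refusing to wipe it." }
if ($disk.Size -lt 32GB)     { throw "Disk $DiskNumber is below the 32 GB Windows To Go minimum." }

# 1. Layout: a small FAT32 system partition marked active, so the drive boots on
#    both legacy BIOS and UEFI hosts, plus an NTFS partition that holds Windows.
Clear-Disk -Number $DiskNumber -RemoveData -Confirm:$false
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
$sys = New-Partition -DiskNumber $DiskNumber -Size 350MB -IsActive
$os  = New-Partition -DiskNumber $DiskNumber -UseMaximumSize
Format-Volume -Partition $sys -FileSystem FAT32 -NewFileSystemLabel 'UFD-System'  -Confirm:$false | Out-Null
Format-Volume -Partition $os  -FileSystem NTFS  -NewFileSystemLabel 'UFD-Windows' -Confirm:$false | Out-Null
Set-Partition -InputObject $sys -NewDriveLetter 'S'
Set-Partition -InputObject $os  -NewDriveLetter 'W'
Set-Partition -InputObject $os  -NoDefaultDriveLetter $true   # stop hosts auto-mounting W: later

# 2. Apply the Enterprise image (index 1 assumed; list indexes with dism /Get-WimInfo)
#    and write BIOS and UEFI boot files to the system partition using the image's
#    own bcdboot so the boot files match the Windows version on the stick.
dism.exe /Apply-Image /ImageFile:$Wim /Index:1 /ApplyDir:W:\
W:\Windows\System32\bcdboot.exe W:\Windows /s S: /f ALL

# 3. SAN policy 4 (OfflineInternal) is what keeps the host's internal disks offline
#    when booted from the stick, the behaviour noted in the list above. Both
#    architectures are listed so the same file serves 32-bit and 64-bit images.
@"
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
"@ | Set-Content -Path 'W:\san_policy.xml' -Encoding UTF8
dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
Remove-Item 'W:\san_policy.xml'
```

Removing WinRE from the workspace and the hibernate and Store defaults are handled by separate unattend settings and Group Policy, as described in the TechNet deployment guide linked below; BitLocker is then enabled from inside the booted workspace, with a startup password because the host's TPM cannot be relied on.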

Hardware manufacturers links:
http://www.wd.com/wtg
http://www.supertalent.com/wtg/
http://www.kingston.com/wtg/

Step-by-Step Instructions for enabling Windows To Go:
http://social.technet.microsoft.com/wiki/contents/articles/6991.windows-to-go-step-by-step-en-us.aspx

Find out more about Windows To Go here on TechNet:
http://technet.microsoft.com/library/hh831833.aspx

And download the 90 day trial of Windows 8 Enterprise here:
http://technet.microsoft.com/en-US/evalcenter/hh699156.aspx?ocid=wc-tn-sb


EDIT: new devices now added to the list include IronKey and Spyrus devices. Good to see the list growing. Check the list here:
http://technet.microsoft.com/library/hh831833.aspx

Also, I've been asked this question a lot recently: Microsoft DO NOT support Macs at this time for WTG (even though they would meet the minimum spec for a host computer). Yes, it's an Apple thing 🙂