In this lesson, I will talk about restricting access to software. I'll also discuss the reasons why we want to restrict access to software and show you a little bit about how we can restrict that access to applications and to software.

There are several reasons why we want to restrict access to applications and software. The first reason is corporate culture. Corporate culture may say you're not supposed to do anything on your computer except work. This may include Netflix, this may include Facebook, maybe Twitter. So maybe we want to block the applications that can access those specific websites: browsers, for example. If your job doesn't have anything to do with browsers, then why allow users access to them?

Another reason is the attack surface. Adding applications onto a system increases the attack surface. Think about Java, for example, or Flash. If we don't need either of those components, why have them on our systems? They introduce vulnerabilities later on down the road that attackers could exploit by sending you an email with a compromised JAR file for Java, or a Flash file that is also compromised.

The third reason is system resources. Any applications that we put on our systems increase the load on those systems. Additionally, if we remove that software, we may have leftover registry keys, application data, and other things left behind by that software that we don't need on our systems and that cause our systems to slow down. Space in an environment could also be an issue. If we only have a 512 gigabyte hard drive, then the more applications we put on, the more they eat away at that storage.

Let's look at the technical portion of this lesson. This is my Windows 10 system right here. I am going to look and see if the service is running. I type in services and I can go up to Application Identity. The Application Identity service is necessary to restrict access to software. Right now it's not running.
So I don't want to turn this on on my Windows 10 machine; I want to turn it on for the domain. So I'm going to go to my Windows Server. Let's log in. Okay, and I already have the group policy pulled up. So it's located under Computer Configuration, Security Settings, System Services, and then Application Identity. I'm going to define this policy and set it to automatic. I'll press OK and go back to my Windows 10 system. Notice how it's still not started. What I need to do is force an update to the group policy on this system. So I'll type in command prompt, or CMD for short, and type in gpupdate /force. That's going to pull down the latest policy from the domain controller. And if I go back to my services and refresh, notice it's running now. We'll exit out of here, and exit out of here. I'm going to sign out, because I'm the administrator; my Greg account is the administrator on this computer at the moment.

In our group policy, let's go down to AppLocker. This is located under Security Settings, Application Control Policies, and AppLocker. Let me just explain about AppLocker for just a minute. Prior to Windows 7 and 2008, we had a different technology that would restrict access to applications; this was called software restriction policies. In Windows 7 and 2008, the technology is called AppLocker, and it allows us to block certain things from users, certain applications, that is.

Let me compare and contrast software restriction policies and AppLocker. Software restriction policies, prior to the Windows 7 and 2008 R2 release of Windows, could not be targeted at particular users; they applied to all users. With AppLocker coming on board, now we can actually lock that down to specific users or groups. We are still able to lock down file hashes, application paths, certificates, and Internet zone rules. Within AppLocker, we're not allowed to look at Internet zone rules or registry paths anymore.
However, we can still look at file hashes, paths, and publisher rules as well. Additionally, AppLocker gives us only the ability to deny software from being run, not both allow and deny. We also now can run statistics on the domain and see what kind of applications users are running, and generate reports based off of the applications that we decide to audit.

Let's create a rule. I go into Executable Rules; I don't see any items. The first thing I'm going to do is automatically generate rules. I'm going to set this for Everyone right now because I want to allow them access to software. So I'm going to leave the defaults here. So rule generation is in progress. I'm going to create, and it instantly put in everything that I'm going to allow them to use. So Internet Explorer, for example: it's allowing us to run that.

Let's create a new rule. What I'm going to do is deny access to a particular application for Curly. Press OK and press Next, and I'm going to use the publisher. So let's browse. I'm going to go up one, and let's block Google Chrome. When Chrome was first installed, it had a digital signature with it. That digital signature is a certificate issued by a third party. The digital signature comes in the form of a certificate, which includes information on the publisher, the product name, the file name, and the version number. So I can modify any of these values if I wish, but I'm not going to at the moment. I'm going to just create this value. So I'm going to say Next and Create. So I'm going to deny Curly access to Chrome 57 and above.

Let's go back to my Windows 10 system, and let's log in as Curly. Notice how I can get in right away. Again, we don't have restrictions unless we update our policies. So gpupdate /force again. So now let's try to access this again. It's denying us access to that file.
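The publisher deny rule built in the wizard above can also be written as AppLocker policy XML and evaluated with the AppLocker PowerShell cmdlets without applying it anywhere. This is an added example, not part of the original lesson; the Chrome install path, the `LAB\Curly` account name and the draft file name are assumptions.

```powershell
# Added example, not from the lesson. Run on a domain-joined Windows client.
# Assumed values: the Chrome install path and the LAB\Curly account name.
$chrome = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$user   = 'LAB\Curly'

# AppLocker only enforces rules while the Application Identity service (AppIDSvc) runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status): AppLocker rules are not enforced on this machine."
}

# Read the publisher fields from the file's digital signature, as the rule wizard does.
$pub = (Get-AppLockerFileInformation -Path $chrome).Publisher
if (-not $pub) { throw "$chrome is unsigned; a publisher rule cannot match it." }

# Rules are scoped by SID, so resolve the account name first.
$sid = ([System.Security.Principal.NTAccount]$user).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Escape signature fields before placing them in XML attributes.
function Esc($s) { [System.Security.SecurityElement]::Escape($s) }

# Deny rule: this publisher/product/binary, version 57.0.0.0 and above, for one user.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Chrome 57+" Description=""
                       UserOrGroupSid="$sid" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $pub.PublisherName)"
                                ProductName="$(Esc $pub.ProductName)"
                                BinaryName="$(Esc $pub.BinaryName)">
          <BinaryVersionRange LowSection="57.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$draft = Join-Path $env:TEMP 'deny-chrome-draft.xml'   # hypothetical draft file name
Set-Content -Path $draft -Value $xml -Encoding UTF8

# Evaluate the draft rule, then the policy actually in effect, without changing either.
Test-AppLockerPolicy -XmlPolicy $draft -Path $chrome -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $chrome -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

If the second call does not report the deny rule after `gpupdate /force`, the GPO has not reached the machine or the rule is scoped to a different account.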
Additionally, if we know what software we want to restrict, we can easily lock down based on publisher and then even prevent the installation in the first place. However, because we are in an enterprise organization, maybe we don't want to allow certain people to use certain applications, but we want to allow other people to. So this is a good way to restrict based on user or group inside AppLocker when we change a rule. So this is only going to apply to Curly.

So in conclusion, application restrictions are necessary to ensure that the enterprise runs well and securely.