Restricting access to packaged applications

As everyone knows, with the release of Windows 8 Microsoft decided to completely change the way users see desktop applications. Packaged applications, also known as Metro applications, are characterized by uniformity, an updated and simplified appearance, and a new style of user interaction. In these applications distractions are kept to a minimum, almost all graphic effects have been removed (including Windows Aero, which Microsoft had been working on for the previous few years), and all applications share a single color scheme, set of fonts, and so on. We will not dwell on whether Microsoft did well in returning to applications in the style of Windows 3.1; we will have to live with it and take some measures to manage such applications.
Starting with Windows 7, in addition to Software Restriction Policies (SRP) for restricting user access to specific files or applications, Microsoft introduced a new technology called AppLocker. An AppLocker policy is a collection of AppLocker rules together with their enforcement settings. As is usual with Group Policy, each rule is stored in a specific policy object, and the policy objects themselves are applied according to your GPO hierarchy.
Unlike classic applications, all packaged applications share a common set of attributes: the publisher name, the product (package) name, and the version. Therefore all of them can be managed with a single type of rule. In Windows Server 2012 and Windows 8, AppLocker rules for packaged applications are created separately from those for classic applications: a separate rule collection is dedicated to them. One AppLocker rule for a packaged application controls both installation and execution of the application. Since all packaged applications are signed, AppLocker supports only publisher rules for packaged applications. Let's see how access to packaged applications can be restricted.
Note right away that a mandatory requirement is that such applications are present on the computer where the rules will be created, so we will have to install some of them now.
Go to the Windows Marketplace and pick a few standard applications, say Microsoft Zune Music, Microsoft Zune Video, Microsoft Bing News, Microsoft Bing Maps, Microsoft Bing Travel and Microsoft Bing Sports, and install them on the computer. I am more than sure you already know how they look and what they are for. The installation of several packaged applications is shown in the following illustration:


Fig. 1. Installing four packaged applications from the Windows Marketplace
Again, pay attention to the fact that on the target computers to which the AppLocker rules will apply, the Application Identity service must be running. You can either check this manually in the Services snap-in of each computer, or configure the service centrally through the corresponding Group Policy client-side extension, which in my opinion is far more logical. By default its startup type is "Manual", so you will have to take some measures in any case.
Now you can move on to the AppLocker rules.

Creating an AppLocker Rule


To create a rule restricting access to a packaged application, say, Microsoft Bing Sports, you need to do the following:
  1. First, naturally, create a new Group Policy object in the Group Policy Management snap-in, since it is best to keep the rules that restrict applications in a separate GPO; call it, say, "AppLocker Rules". Then link this object to the organizational unit that contains the computer accounts to which the rules must apply. In my case the link is to the whole domain, but in a real environment the ideal option would be to place the target computers in specific OUs. The last task of the preliminary stage is, of course, to open the Group Policy Management Editor itself;
  2. In the editor, expand Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies and go to the AppLocker node. Then move to the last collection, "Packaged app Rules". Inside this collection we create our rule: select the "Create New Rule" option;


    Fig. 2. Create a new AppLocker rule
  3. The AppLocker Executable Rules Wizard dialog box appears. On its first page you only need to read the information provided and then click "Next";
  4. On the Permissions page you choose whether the rule will ultimately allow users to run the selected packaged application or, conversely, deny it to them once and for all. Since in this case the main task is to deny access to a specific packaged application, we choose the deny option. Here you can also select the specific user or group to which the rule will apply; for now leave this setting as it is and move on;


    Fig. 3. Definition of permissions for the created rule
  5. As you will see in Fig. 5, the next page is called "Publisher", and here you cannot choose a path rule or a file hash rule, which are available in the other AppLocker rule collections even on Windows 7 or Windows Server 2008 R2. You can choose one of the following options:
    • Use an installed packaged app as a reference. In this case you select an application that is already installed on the computer; its publisher, package name, and version are used when creating the rule;
    • Use a packaged app installer as a reference. With this option you specify the installation file of the packaged application (the .appx file). As in the previous case, the publisher, package name and version are used to define the rule. This option is suitable when users will install such applications manually, for example with PowerShell.

    Since our applications are already installed, we choose the first option and click the Select button. The dialog box that appears, shown in the illustration below, lists all installed packaged applications. Although there are checkboxes on the left, do not expect much from them: you cannot select more than one at a time. For now we create a rule for Microsoft Bing Sports, so select it;


    Fig. 4. Selecting the installed packaged application
  6. As you can see in the illustration discussed above, at the bottom of this wizard page you specify the properties of the rule being created. The following properties are available:
    • Any publisher. This property covers all publishers for the selected file category. For example, if you chose "Allow" initially, such a rule will effectively prohibit the execution of unsigned applications. Or, of course, you can prohibit the use of any packaged applications once and for all;
    • Publisher name. With this control you specify that all files signed by a publisher with a specific name fall under the rule;
    • Package name. This property adds the name of the application package itself to the rule, in addition to the publisher information. In this case it is Microsoft.BingSports;
    • Package version. This is the most flexible property of the rule. Here you specify the version of the application being managed. For example, to target a specific version of a packaged application you can, just as for regular .exe files or dynamic libraries, select the custom values option, enter the version number manually, and choose whether the rule applies to versions above the specified value, below it, or only to exactly that version.

    Since applications are updated quite often, we ignore the version and move the slider up to the package name. That is all; proceed to the next page of the wizard.


    Fig. 5. Setting properties that define the rule for a packaged application
  7. We will not add exceptions now, so go straight to the last page. As you see in the following illustration, the generated rule name is quite acceptable, so to create the new rule just click the "Create" button.


    Fig. 6. Last page of the AppLocker rule creation wizard
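The same rule can be produced with the AppLocker PowerShell module instead of the wizard. The script below is an added example and is not part of the original article. It assumes an elevated PowerShell session on a computer where Microsoft Bing Sports is installed, that the AppLocker module is available, and that the -Packages parameters of Get-AppLockerFileInformation and Test-AppLockerPolicy accept the output of Get-AppxPackage; the LDAP path in the last line is a placeholder for your "AppLocker Rules" GPO. It also goes one step beyond the wizard: because an enforced rule collection blocks everything that no rule allows, the script writes the Deny rule next to the default "all signed packaged apps" Allow rule, so that only Bing Sports is affected (a Deny rule takes precedence over an Allow rule).

```powershell
# Added example, not from the original article: create the "deny Microsoft Bing Sports"
# packaged app rule from PowerShell. Run in an elevated session on a computer
# where the app is installed.
Import-Module AppLocker

$packageName = 'Microsoft.BingSports'   # package name, as shown on the wizard's Publisher page

$pkg = Get-AppxPackage -Name $packageName
if (-not $pkg) {
    throw "$packageName is not installed; an installed package is needed as the reference."
}

# Publisher, package name and version are read from the package signature,
# exactly what the wizard does when an installed app is used as the reference.
$pub = (Get-AppLockerFileInformation -Packages $pkg).Publisher

# New-AppLockerPolicy only generates Allow rules, so the policy XML is written directly.
# The version range is "*" to "*": the rule applies to any version, as in the wizard.
$publisherName = [System.Security.SecurityElement]::Escape($pub.PublisherName)
$productName   = [System.Security.SecurityElement]::Escape($pub.ProductName)
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $packageName, any version"
                       Description="Blocks the packaged app regardless of version"
                       UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisherName" ProductName="$productName" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'applocker-deny-bingsports.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# Dry run: which installed packages would this policy allow or deny?
Test-AppLockerPolicy -XmlPolicy $xmlPath -Packages (Get-AppxPackage) | Format-Table -AutoSize

# Apply to the local computer for testing (-Merge keeps the other rule collections)...
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# ...or import it into the "AppLocker Rules" GPO. Replace the placeholder LDAP path
# with the CN={GUID} container of your GPO under CN=Policies,CN=System.
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge -Ldap 'LDAP://dc01.example.local/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=local'
```

The Test-AppLockerPolicy dry run is worth keeping in any change procedure: it shows the decision for every installed package before the policy is applied anywhere, so a rule that accidentally denies more than intended is caught on the reference computer rather than on the users' machines.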

Let's check what we got right away. Refresh the Group Policy settings, go to the Start screen and try to open our sports application.
As you can see in the last illustration in this article, a message appeared saying that the application was blocked by the system administrator, which is exactly the message we expected to see. So the trick worked.


Fig. 7. Verification of completed actions
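The visual check above can be backed by a script run on the target computer. The following is an added example (not from the original article) that covers both the prerequisite stated earlier, the Application Identity service, and the verification of the result: it assumes an elevated PowerShell session with the AppLocker module, and it uses the documented service name AppIDSvc, the "Microsoft-Windows-AppLocker/Packaged app-Execution" event log and event IDs 8020 to 8022 for packaged app execution decisions.

```powershell
# Added example, not from the original article: verify on a target computer that
# the packaged app rule is really in force. Run in an elevated session.
Import-Module AppLocker

# 1. Prerequisite: the Application Identity service (AppIDSvc) must be running,
#    otherwise AppLocker rules are silently ignored. Its default startup type is Manual.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'"
if ($svc.StartMode -ne 'Auto') {
    # Newer Windows builds protect this service and refuse Set-Service; sc.exe still works.
    try   { Set-Service -Name AppIDSvc -StartupType Automatic -ErrorAction Stop }
    catch { sc.exe config appidsvc start= auto | Out-Null }
}
if ($svc.State -ne 'Running') { Start-Service -Name AppIDSvc }

# 2. Refresh Group Policy and inspect the effective AppLocker policy on this computer.
gpupdate.exe /target:computer /force | Out-Null
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$appx = $effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
if (-not $appx) {
    Write-Warning 'No "Packaged app Rules" collection reached this computer; check the GPO link and scope.'
    return
}
"Packaged app collection enforcement mode: $($appx.EnforcementMode)"
foreach ($rule in @($appx.FilePublisherRule | Where-Object { $_ })) {
    '{0,-6} {1}' -f $rule.Action, $rule.Conditions.FilePublisherCondition.ProductName
}

# 3. After the app has been launched from the Start screen, the decision is recorded in the
#    packaged app execution log: 8022 = blocked, 8020 = allowed, 8021 = would have been
#    blocked in audit-only mode.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/Packaged app-Execution' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8020, 8021, 8022 } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Step 3 is the part worth automating fleet-wide: forwarding the 8021 and 8022 events from the packaged app logs to a central collector gives you both a record of blocked launches and, in audit-only mode, a preview of what an enforced policy would block before you switch it on.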

To summarize


In this short article you learned how to restrict access to one of Microsoft's innovations in its latest operating system: packaged applications, which many call Metro applications. It described how exactly such rules are created, what they are based on, and one important prerequisite that must be met before such rules are deployed. Do you use packaged applications in your company, and do you plan to restrict users' access to some APPX files?
