1. Open the Local Security Policy MMC snap-in by entering secpol.msc in the Search programs and files box.

2. Double-click Application Control Policies and then double-click AppLocker in the console tree.

3. Right-click Executable Rules and in the resulting drop-down menu shown in Figure 12.7, click Create Default Rules.

Software Restrictions

FIGURE 12.7 Create default rules in AppLocker.

Cram Quiz

1. You are trying to use a software restriction policy to block a new game called GV.EXE. So, you make a policy based on the path. However, you soon find out that some users just renamed the GV.EXE to a different name to get around the policy. What can you do to overcome this?

❍ A. Use a certificate rule ❍ B. Use a Hash rule ❍ C. Use a Path rule ❍ D. Use a Zone rule

2. When using AppLocker, what are your rules based on?

❍ A. File passwords ❍ B. NTFS permissions of file ❍ C. Size of the file ❍ D. File’s digital signature

Cram Quiz Answers

1. B is correct. If you use a Hash rule, you can block the software regardless of where the file is accessed or what it is named. Answer A is incorrect because a certificate rule is based on a digital certificate assigned to a file. Answer C is incorrect because the path rule has already been circumvented, and a new path rule can be circumvented in the same way. Answer D is incorrect because the zone is based on the Internet Explorer security zone.

2. D is correct. Creating rules based on the digital signature of an application helps make it possible to build rules that don’t need to be updated when a new version of the application is released. Therefore, the other answers are incorrect.
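The difference between a path rule and a hash rule from Cram Quiz question 1 can be checked with AppLocker's PowerShell cmdlets. This is an added example, not code from the book; the scratch folder, the file name solitaire.exe, and the use of a copy of notepad.exe as a stand-in for GV.EXE are assumptions, and the policies exist only in memory.

```powershell
# Added example: evaluate a renamed executable against a Path rule and a Hash rule.
# Assumes the AppLocker PowerShell module is available on this machine.
Import-Module AppLocker

# Constructed sample: a copy of notepad.exe stands in for GV.EXE.
$work = Join-Path $env:TEMP 'applocker-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$original = Join-Path $work 'GV.EXE'
Copy-Item (Join-Path $env:windir 'System32\notepad.exe') $original -Force

# Collect the path, hash, and publisher details AppLocker uses to build rules.
$info = Get-AppLockerFileInformation -Path $original

# Build one policy per rule type. Nothing is written to local or domain policy.
# New-AppLockerPolicy generates Allow rules, so a rule that matches shows up
# as an "Allowed" decision and a rule that no longer matches as "DeniedByDefault".
$policies = @(
    @{ Name = 'Path'; Policy = New-AppLockerPolicy -FileInformation $info -RuleType Path -User Everyone },
    @{ Name = 'Hash'; Policy = New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone }
)

# Do what the users in the quiz did: rename the file.
$renamed = Join-Path $work 'solitaire.exe'
Move-Item -Path $original -Destination $renamed -Force

# Ask AppLocker how each policy would treat the renamed file.
$results = foreach ($p in $policies) {
    $r = Test-AppLockerPolicy -PolicyObject $p.Policy -Path $renamed -User Everyone
    New-Object PSObject -Property @{
        RuleType     = $p.Name
        Decision     = $r.PolicyDecision
        MatchingRule = $r.MatchingRule
    }
}
$results | Format-Table RuleType, Decision, MatchingRule -AutoSize

# Clean up the scratch folder.
Remove-Item $work -Recurse -Force
```

A rule's conditions are evaluated the same way whether its action is Allow or Deny, so the rule type that still matches after the rename is the one that would still block the file as a deny rule.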

CHAPTER 12: Working with Applications

Review Questions

1. Which application can be used to test compatibility issues with UAC?

❍ A. Compatibility Administrator ❍ B. Application Compatibility Manager ❍ C. Setup Analyzer Tool ❍ D. Standard User Analyzer

2. Which application is used to test web applications and web pages for compatibility problems with Internet Explorer 8?

❍ A. Compatibility Administrator ❍ B. Application Compatibility Manager ❍ C. Internet Explorer Compatibility Test Tool ❍ D. Standard User Analyzer

3. How do you enable and configure AppLocker?

❍ A. The Registry ❍ B. Group Policies ❍ C. Control Panel ❍ D. Computer Management console

4. Which of the following will AppLocker not support?

❍ A. .exe file ❍ B. .dll file ❍ C. .msi file ❍ D. Office document files

5. You upgraded your computer running Windows XP with SP2 to Windows 7 Professional. When you run the widget.exe program, you receive the following error message:

This application is only designed to run on Windows XP or later.

What should you do?

❍ A. You should run the application with elevated privileges. ❍ B. You should run the application in VGA mode. ❍ C. You should install Windows XP Mode and run the application under Windows XP mode. ❍ D. You should make sure your machine has all of the Windows updates.

6. You are having problems running a non-Microsoft application. Where can you get help in overcoming this problem? (Choose three answers.)

❍ A. Check to see if the software vendor has an update ❍ B. Look in the Microsoft Application Compatibility Toolkit ❍ C. Load the application in XP Mode ❍ D. Recompile the program

7. For you to run Windows XP Mode, which of the following are not requirements? (Choose two answers.)

❍ A. 2 GB of memory ❍ B. A video card with 512 MB of memory ❍ C. Processor and motherboard that supports hardware virtualization ❍ D. 15 GB of additional free disk space.

8. Which editions of Windows 7 can Windows XP Mode be used on? (Choose all that apply.)

❍ A. Windows 7 Professional ❍ B. Windows 7 Enterprise ❍ C. Windows 7 Home Premium ❍ D. Windows 7 Ultimate

9. Which type of rule would you use when creating a software restriction policy that blocks an application based on an exact location and name of the executable file?

❍ A. Hash ❍ B. Certificate ❍ C. Path ❍ D. Zone

10. Where do you configure an individual application to run as an administrator?

❍ A. Under a local security policy ❍ B. Use System Configuration Tool ❍ C. Computer Management Tool ❍ D. Application Compatibility Options under the application properties

Review Question Answers

1. Answer D is correct. UAC limits what an application can run, even if logged in as administrator. As a result, the Standard User Analyzer analyzes an application to identify compatibility problems with Windows 7 User Account Control. Answer A is incorrect because the Compatibility Administrator is a central database of known compatibility problems for hundreds of Windows 7 applications. Answer B is incorrect because the Application Compatibility Manager (ACM) is a tool provided by Microsoft that enables you to analyze and collect information on running applications before you upgrade to or deploy Windows 7. Answer C is incorrect because the Setup Analyzer Tool is designed to analyze application setup programs for potential issues, including the installation of kernel mode drivers, installation of 16-bit components, installation of graphical identification and authentication (GINA) DLLs, and changes to system files and registry keys that are protected with Windows Resource Protection (WRP).

2. Answer C is correct. The Internet Explorer Compatibility Test Tool collects compatibility information for web pages and web-based applications in real-time. When completed, it can identify compatibility problems with web applications and pages for Internet Explorer 8. Answer A is incorrect because the Compatibility Administrator is a central database of known compatibility problems for hundreds of Windows 7 applications. Answer B is incorrect because the Application Compatibility Manager (ACM) is a tool provided by Microsoft that enables you to analyze and collect information on running applications before you upgrade to or deploy Windows 7. Answer D is incorrect because the Standard User Analyzer analyzes an application to identify compatibility problems with Windows 7 User Account Control.

3. Answer B is correct. Software Restrictions and AppLocker are used to allow or disallow applications from running on a Windows 7 computer. Both software restrictions and AppLocker are configured through Group Policies including the computer’s local policy. Answer A is incorrect because the Registry is a centralized database that contains configuration information for Windows, applications, and hardware devices. Answer C is incorrect because although the Control Panel is the primary configuration tool for Windows 7, the Control Panel is not used to configure software restrictions. Answer D is incorrect because the Computer Management console is used to perform most administrative tasks for Windows.

4. Answer D is correct. AppLocker is used to allow or disallow .exe files, .msi files, scripts, and DLLs. AppLocker does not allow or disallow data files, including office document files. Therefore, the other answers are incorrect.

5. Answer C is correct. When an application that was written for an older version of Windows does not run under Windows 7, you should try compatibility mode or run the application under Windows XP Mode. Because the application needs to run under Windows XP Mode, running under elevated privileges or in VGA mode does not work. Therefore, Answers A and B are incorrect. Answer D is incorrect because Windows updates do not allow the application to run under Windows 7.

6. Answers A, B, and C are correct. You should always look to see if the vendor has an update. You can also look in the Microsoft Application Compatibility Toolkit. If that does not work, you can always try to load the application in XP Mode. Answer D is incorrect as you typically cannot recompile the program because you do not typically have the source code and recompiling the program requires special skills and software.

7. Answers B and C are correct. To run Windows XP mode, you need a minimum of 2 GB of memory (Answer A) and an additional 15 GB of free disk space (Answer D). When Windows 7 was first released, you needed a computer that was capable of hardware virtualization (Intel-VT or AMD-V virtualization) and a BIOS that supports hardware virtualization (Answer C). You do not need additional memory on the video card (Answer B) to run Windows XP Mode.

8. Answers A, B, and D are correct. To run Windows XP Mode, you need to be running Windows 7 Professional, Enterprise, or Ultimate edition. Answer C is incorrect because Windows 7 Home Premium does not support Windows XP Mode.

9. Answer C is correct. The path criteria specify the local or universal naming convention (UNC) path and name of where the file is stored. Answer A is incorrect because the hash criteria is based on a cryptographic fingerprint based on a mathematical calculation of the file that uniquely identifies a file regardless of where it is accessed or what it is named. Answer B is incorrect because the certificate criteria are based on a software publisher certificate used to digitally sign a file. Answer D is incorrect because the zone criteria is based on the Internet Explorer security zone.

10. Answer D is correct. If you right-click the executable and select properties, you can select the Compatibility tab to configure what OS to run under, 256 colors, 640 × 480 resolution, and privilege level. Answer A is incorrect because local policies can only be used to restrict an application, not to elevate an application when it runs. Answer B is incorrect because the System Configuration Tool is used to troubleshoot startup problems. Answer C is incorrect because although it includes many tools within a single console, none of them are used for configuring individual applications.

CHAPTER 13