Russinovich rescues the TechEd 2009 keynote with Windows 7 AppLocker demo
In the absence of many dramatically new product announcements (notices about the Office 2010 technical preview and Windows Mobile 6.5 were already expected), it was Senior Vice President Bill Veghte's job for the first time to rally the troops during this morning's TechEd 2009 keynote address in Los Angeles. But perhaps not everyone has Bill Gates' knack for holding an audience captive with sweeping gerunds and participles, or Ray Ozzie's outstanding ability to conjure a metaphor as though it were a hologram hovering in space, and describe it for countless minutes without relating it to the physical universe.
What may have kept attendees affixed to their seats for the time being was the promise of Mark Russinovich, Microsoft's Technical Fellow who always dives right into a real-world demonstration in the first few minutes, and is always affable enough to be forgiven for the inevitable technical glitch. Though Russinovich's stage time today was shorter than usual, one of his highlights was a demonstration of a feature Windows 7 RC downloaders had already received but may not have known they had: a way using group policy to block specified software from running on client systems even after it's been upgraded or revised.
It's Windows 7's new AppLocker feature, which he calls "SRP [software restriction policy] on steroids." Think of it as a firewall, but at the kernel level: when enabled in a network environment, AppLocker by default prevents any application from running that isn't recognized as part of Windows. That, by itself, isn't something anyone would want; so using group policy, or using Local Security Policy at the client level (yet another reason why the Windows client should not disable group policy management), a user or admin can program exceptions to this default rule. Those exceptions can match on metadata pertaining to running applications, enabling selected software to run even after it's been upgraded.
While application disablement has existed in Windows Vista, the problem it's had up to now is that whenever programs change, the rules for disablement have to change with them. Network administrators use these fairly strict rules as means of prohibiting employees from installing just any old software they find, or from downloading media that triggers the download and installation of something very much unwanted.
During Russinovich's demonstration, he launched one of his own line-of-business apps called Stock Viewer that, under the default rule, failed the execution test after a revision. He used that failure as leverage for launching a new wizard in Win7 that lets the admin quickly create a new allowance rule to mitigate future failures.
While SRP in Vista limited group policy rules to filename and file hash (a hash signature based on the unaltered binary contents of the executable file), Windows 7's new rule class, called "Publisher," lets the admin tailor the rule to account for a wide or narrow scope of metadata. In this particular figure, we used IEXPLORE.EXE (Internet Explorer 8 in Win7) as a template for entering fully qualified publisher metadata into a rule. From there, the wizard cleverly uses the slider control to dial up or down the level of control the admin needs for the rule, with down representing deeper control.
As Russinovich described, "The slider over here on the left lets you dial up or down the specificity of your rule. For example, if I trusted everything from SysInternals [his own company, acquired by Microsoft] -- which you should, obviously -- then you'd want to set this slider to here [Publisher]. But if I slide it all the way down to here [File Version], I'm creating a rule that says that only Stock Viewer is allowed to run, and only versions 1.0 or higher. So I've really controlled exactly which application from this publisher is allowed to run, but I've still made it flexible because if version 2 comes out, I don't have to go revisit this rule. It's just going to magically work."
Group policies in modern Windows can be modeled on one computer and then applied to multiple clients in a network. Alternatively, for a less Draconian approach, you can set up AppLocker to allow everything to run except those applications you specify; and there, you can use Publisher class rules to use metadata to help you craft exceptions. But that's not always helpful. For example, with the template you see in the figure above, we can set up a rule prohibiting anyone from using Internet Explorer older than version 8, by effectively enabling version 8 and higher to run; what gets prohibited are the versions you omit.
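The "File Version" slider position Russinovich described, written out as the AppLocker policy XML it produces and dry-run with the AppLocker PowerShell module. This is an added example, not code from the article or from Microsoft's demo; the publisher string, product name and file paths are hypothetical placeholders, and it assumes a Windows 7 Enterprise/Ultimate or Server 2008 R2 (or later) machine with the AppLocker module available.

```powershell
# Added example (not from the article or Microsoft's demo): one Publisher rule
# pinned to a single product but open-ended on version, tested in audit mode.
Import-Module AppLocker

# Publisher string exactly as AppLocker reads it from the Authenticode signer
# certificate. Hypothetical value; inspect a real signed file with:
#   (Get-AppLockerFileInformation -Path $exe).Publisher
$publisher = 'O=SYSINTERNALS, L=REDMOND, S=WASHINGTON, C=US'

# "File Version" end of the wizard slider: publisher, product and binary name
# are exact, the version range is 1.0.0.0 up to "*" so a version 2 still runs.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Stock Viewer 1.0+"
        Description="Pinned to one product; later releases keep running"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher"
            ProductName="STOCK VIEWER" BinaryName="STOCKVIEWER.EXE">
          <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'stockviewer-policy.xml'
$policy | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run: ask the policy engine what it would decide for each file. The
# collection carries no rules for Windows' own binaries, so anything outside
# the one allowance (the article's "default rule") comes back as Denied.
$candidates = @(
  'C:\Program Files\Sysinternals\StockViewer.exe',   # hypothetical LOB app
  'C:\Program Files\Internet Explorer\iexplore.exe'
)
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $candidates -User Everyone |
  Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only once the audit results look right: merge into the local policy, switch
# EnforcementMode to "Enabled", and confirm the Application Identity service
# (AppIDSvc) is running, since without it no AppLocker rule is enforced.
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

Run the same script with the rule collection left empty of default rules against a few Windows binaries to see for yourself why the article warns that the bare default-deny posture is "not something anyone would want."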
Microsoft has published a quick demonstration video of AppLocker at work, downloadable from this address.
AppLocker wasn't the only demonstration garnering enthusiasm this morning; later during his time, Mark Russinovich demonstrated the first effective use of PowerShell version 2 to generate scripts for applying group policy objects. And later he received some rousing applause for the revelation that Windows 7 can mount and even use virtual hard disk (VHD) files -- the kind usually reserved for Microsoft-brand virtual machines. This way a user can have access to a VHD's contents without invoking the actual virtual host that created it. This also enables new possibilities for VHDs' portability between devices. For example, Windows 7 and Windows Server 2008 R2 can now both be set up to boot from a VHD, regardless of where it's located -- on portable storage, maybe over a network, maybe in the cloud.