An important distinction between AppLocker and so-called competitors is that AppLocker is really a service, a set of APIs and user-defined policies that other programs can interface with. Microsoft coded Windows and its built-in script interpreters to interface with AppLocker so that those programs (Explorer.exe, JScript.dll, VBScript.dll, and so on) can enforce the rules that AppLocker policies have defined. This means that AppLocker is truly a part of the operating system and not easily circumvented when the rules are correctly defined.
However, if you need to make a rule for a file type that is not defined in AppLocker's policy table, it can take some creativity to get the desired effect. For example, to prevent Perl script files with the .PL extension from executing, you would have to create an executable rule that blocked the Perl.exe script interpreter instead. This would block or allow all Perl scripts and require some resourcefulness to gain finer-grained control. This is not a unique issue, as most of the products in this review have the same sort of limitation.
AppLocker's configuration and rules can easily be imported and exported as readable XML files, the rules can be quickly cleared in an emergency, and all can be managed using Windows PowerShell. Reporting and alerting are limited to what can be pulled from the normal event logs. But even with AppLocker's limitations, Microsoft's price tag -- free, if you are running Windows 7 and Windows Server 2008 R2 -- can be a strong lure for up-to-date Microsoft shops.
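As an added illustration (not code from the InfoWorld review), the following PowerShell script walks through the points above on one Windows 7 / Server 2008 R2 host: back up the effective policy as XML, add the executable rule for Perl.exe described earlier, dry-run it, merge it, and read the results from the event log. The folder paths, the rule GUID, and the perl.exe location are assumptions.

```powershell
# Constructed example; run from an elevated prompt where the AppLocker module is available.
Import-Module AppLocker

# 1. Back up the effective (local + domain) policy as readable XML before touching it.
New-Item -ItemType Directory -Path 'C:\AppLocker' -Force | Out-Null
Get-AppLockerPolicy -Effective -Xml | Out-File 'C:\AppLocker\backup.xml' -Encoding UTF8

# 2. The review's Perl case: there is no rule collection for .PL files, so the
#    interpreter itself gets an Exe rule. The GUID and path below are made up;
#    the element layout matches the XML that Get-AppLockerPolicy -Xml emits.
$perlRule = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="e0c7a9e4-3b2f-4c3a-9d1e-0f1a2b3c4d5e" Name="Block Perl interpreter"
                  Description="Denies perl.exe, which blocks every Perl script"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Perl\bin\perl.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$perlRule | Out-File 'C:\AppLocker\deny-perl.xml' -Encoding UTF8

# 3. Dry-run: show what the new rule would do to the binary before enforcing it.
Test-AppLockerPolicy -XmlPolicy 'C:\AppLocker\deny-perl.xml' `
    -Path 'C:\Program Files\Perl\bin\perl.exe' -User Everyone

# 4. Merge rather than replace, so the existing Allow rules (and default rules) survive.
Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\deny-perl.xml' -Merge

# 5. Reporting is the event log: 8004 = blocked, 8003 = audit-only "would have blocked".
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents 50 | Select-Object TimeCreated, Id, Message

# 6. Emergency roll-back: put the backup from step 1 back in force.
# Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\backup.xml'
```

Because the deny rule is path-based, a copy of perl.exe placed outside that path is not covered; a publisher or hash rule generated with Get-AppLockerFileInformation piped to New-AppLockerPolicy is the tighter option.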
This story, "Application whitelisting in Windows 7 and Windows Server 2008 R2," and reviews of five whitelisting solutions for enterprise networks, were originally published at InfoWorld.com.