Background: AppLocker is a security feature of the Microsoft Windows operating system. AppLocker functions like a firewall between the file system and memory (RAM). In a virtual desktop environment, AppLocker is highly effective at preventing an unsuspecting user from executing malicious software code that would otherwise cause data loss, data theft, or damage to the system. AppLocker functions on the premise that malicious code is only a threat to a system once it is loaded into system memory; it is harmless while it sits dormant on the file system.
In a virtual desktop environment, users generally need access to the internet in order to perform daily tasks. Without proper security measures in place, internet access can create unique risks to the data that the virtual desktop platform was originally created to protect. As malware evolves, not all malicious email attachments or websites can be blocked through traditional reputation or heuristic scanning. This leaves users susceptible to inadvertently downloading and executing malicious code, because a malicious email or website may disguise the link to it in how it presents itself to the user. As malware mutates and evolves, a cat-and-mouse game emerges between the anti-malware agent and the bad actors. As a result, zero-day threats are difficult to block in this particular context. The white-list approach of AppLocker ensures nearly 100% protection, regardless of how malware mutates.
AppLocker may be configured in several ways. When deploying Published Desktops with the Desktop Deployment Wizard or reconfiguring existing Published Desktops with the Desktop Host Configuration Utility, AppLocker is enabled by default. In this default configuration, non-administrator users are prevented from running any executable or script that does not reside in the Windows, Program Files, or Program Data directories. Because these directories are write-protected with respect to non-administrator users, malicious code that is downloaded by a user (whether intentionally or not) will be blocked from executing in system memory. In practice, AppLocker can effectively prevent all ransomware attacks.
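The following PowerShell session is an added example, not code from the original article or from the Published Desktops tooling it describes. It builds an AppLocker policy that matches the default configuration described above (Everyone may run from the Windows, Program Files, and Program Data trees; local administrators may run anything), evaluates a constructed sample file against it with Microsoft's AppLocker module, and then lists recent enforcement blocks from the AppLocker event log. The ProgramData path rule is an assumption based on the article's wording (Microsoft's own built-in default rules cover only %WINDIR% and %PROGRAMFILES%), and the sample file in %TEMP% is constructed for the demonstration.

```powershell
# Added example (not from the article or its product). Run elevated on a Windows host
# with the AppLocker module available (Import-Module AppLocker).
Import-Module AppLocker

function New-RuleXml {
    param([string]$Name, [string]$Sid, [string]$Path)
    # Every rule carries its own GUID; S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function Get-RuleSet {
    # One fresh set per rule collection so that rule ids stay unique.
    # The ProgramData rule is an assumption taken from the article's description.
    @(
        New-RuleXml 'Allow Windows'       'S-1-1-0'      '%WINDIR%\*'
        New-RuleXml 'Allow Program Files' 'S-1-1-0'      '%PROGRAMFILES%\*'
        New-RuleXml 'Allow ProgramData'   'S-1-1-0'      '%OSDRIVE%\ProgramData\*'
        New-RuleXml 'Admins run anything' 'S-1-5-32-544' '*'
    ) -join "`n"
}

# The same path rules apply to executables and to scripts; DLL, MSI and Appx collections are left out here
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(Get-RuleSet)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
$(Get-RuleSet)
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-default.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Constructed sample: a copy of notepad.exe placed in a user-writable folder stands in for a download
$downloaded = Join-Path $env:TEMP 'invoice.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $downloaded -Force

$samples = @("$env:WINDIR\System32\notepad.exe", $downloaded)

# Evaluate the policy file as Everyone (a non-admin) and as BUILTIN\Administrators without applying it
foreach ($principal in 'S-1-1-0', 'S-1-5-32-544') {
    "--- decisions for $principal ---"
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User $principal |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Enforcement only takes effect while the Application Identity service is running
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# To apply the policy to the local machine, uncomment the next line:
# Set-AppLockerPolicy -XmlPolicy $policyPath

# Recent blocks (event 8004 in the EXE and DLL log) show what users attempted to run and were denied
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Under these rules the copy of notepad.exe inside %WINDIR% matches the Windows path rule for every principal, while the copy in %TEMP% matches only the administrators' catch-all rule, which is exactly the behaviour the article attributes to the default configuration. Reviewing event 8004 entries is a cheap way to see which downloads the policy is actually stopping in a deployment.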
Additional Notes: AppLocker is subject to the following limitations. First, AppLocker is only effective at blocking malicious code for non-administrator users. If users are granted local administrator rights to the system, they are able to bypass the AppLocker security feature. There are three other scenarios where the default AppLocker configuration may be compromised. One scenario is where an administrator grants non-admin users write permissions to the Windows, Program Files, and/or Program Data directories of the file system. The second scenario would be a fault or bug in the AppLocker framework, which is designed and maintained by Microsoft; therefore it is important to always keep the operating system up to date. Finally, if a system administrator inadvertently downloads malicious code and this code is saved to the Windows, Program Files, or Program Data directories, then any user may load the malicious code. In practice, the occurrence of any of these limitations is very rare.
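Because the first of the three scenarios above (write access for non-admin users inside the allowed trees) is a configuration drift that is easy to introduce and easy to overlook, the following added PowerShell audit (not part of the original article) walks the Windows, Program Files and ProgramData trees and reports every directory where a principal that ordinary users belong to holds write, modify or full-control rights. The set of allowed roots and the list of non-admin principals are assumptions taken from the article's description of the default configuration.

```powershell
# Added example (not from the article). Run elevated so every directory's ACL can be read.
# Assumption: the AppLocker-allowed trees are exactly the three the article names.
$allowedRoots = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ }

# Principals an ordinary, non-administrator user is a member of (assumed list)
$nonAdminPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits lets the holder create or change files in the directory
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-UserWritableDirectories {
    param([string[]]$Roots, [int]$Depth = 3)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dir = $_.FullName
                try { $acl = Get-Acl -LiteralPath $dir } catch { return }   # skip unreadable ACLs
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if ($nonAdminPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                    [pscustomobject]@{
                        Directory = $dir
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
    }
}

Get-UserWritableDirectories -Roots $allowedRoots |
    Sort-Object Directory, Principal |
    Format-Table -AutoSize
```

Every directory the audit lists is a location where a non-admin user can place a file that the default path rules will then allow to run, so each hit should either have its permissions corrected or be carved out of the allow rules (AppLocker path rules accept an Exceptions element for exactly this purpose). Re-running the audit after patching or software installs catches drift introduced by installers that loosen permissions.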
Despite the above "theoretical" limitations, AppLocker in its default configuration is highly effective at keeping a Windows operating system secure. This is especially true when it is used in conjunction with the Windows Defender anti-malware agent, the operating system is kept up to date with the latest security patches, and everyday users are not granted local admin rights. Note that by default, users are not granted admin rights to a system. It is generally not recommended to enable AppLocker on a standalone server operating system.