AppLocker to Restrict ALL Applications
Hello! I'm trying to determine if the following setup would be valid to secure a laptop. I have a lab build laptop that I use for presentations, demos, as well as trying out new software that uses VMware Workstation to manage a number of virtual machines. The only software that will be on the host machine itself is Windows 7, the VMware Workstation, and Symantec Endpoint. Everything is pretty much done in the VMs only. I'm thinking of locking down the host OS by setting up AppLocker so that the only apps that can be installed (by users, admins, or anyone) must be from those three publishers (i.e. Microsoft, VMware, or Symantec). This way regardless if I accidentally download something into a VM (and it somehow tries to escape the VM), unless it's signed by those three publishers it won't execute regardless if the user is a standard or admin. Does anyone see that as being an invalid setup that will cause trouble? The only thing I could see being an issue would be drivers, but I could permit those as they come along as well. Thanks in advance!
July 5th, 2011 9:04am

Users use AppLocker to block certain exe files and msi packages. Make sure you set the publisher correctly and then test it first before you deploy it. Use the document in this link, which answers all your questions.
http://technet.microsoft.com/en-us/library/ee791835(WS.10).aspx
Preparing to Deploy AppLocker Policies: http://technet.microsoft.com/en-us/library/ee791785(WS.10).aspx
Manoj Sehgal
July 5th, 2011 9:16am

Thanks, and I have seen those documents... I'm curious though if anyone has tested an AppLocker policy that only allows files published by Microsoft for anyone on the machine (local admins, std users, etc.)... Would that "break" Windows? My guess is no, and while I can test the scenario if others have tried it I'd be interested in their experience.
July 5th, 2011 11:27am
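
One way to test the scenario discussed in this thread before enforcing anything, as an added example that is not part of any post above: build publisher rules for Everyone from the installed files, dry-run them against System32, and apply them in audit-only mode. The VMware and Symantec directory paths are assumptions for a default install; adjust them to the actual machine.

```powershell
# Added example. Run from an elevated PowerShell prompt on the host.
Import-Module AppLocker

# Directories to harvest publisher information from.
$dirs = @(
    "$env:windir\System32",
    "${env:ProgramFiles(x86)}\VMware",     # assumed install path
    "${env:ProgramFiles(x86)}\Symantec"    # assumed install path
)

# Collect publisher (signature) details for every executable found.
$info = $dirs | Where-Object { Test-Path $_ } | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe
}

# Generate publisher rules that apply to Everyone (admins included).
# Files with no publisher information are skipped, so they end up
# denied by default. Note: -Optimize groups rules by publisher and
# product; it does not emit one publisher-wide rule per vendor.
$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone `
    -Optimize -IgnoreMissingFileInformation

# Audit only: log what would be blocked, block nothing yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# Dry run: which Windows executables would this policy not allow?
Test-AppLockerPolicy -PolicyObject $policy `
    -Path "$env:windir\System32\*.exe" -User Everyone `
    -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision -AutoSize

# Apply to the local policy. Without -Merge this replaces existing
# local AppLocker rules. The Application Identity service (AppIDSvc)
# must be running for rules to be evaluated.
Set-AppLockerPolicy -PolicyObject $policy

# After using the machine for a while, list "would have been blocked"
# audit events (ID 8003) from the AppLocker EXE and DLL log.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Anything listed by the dry run or by the 8003 events needs its own rule before the enforcement mode is switched from audit to enforced.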

This topic is archived. No further replies will be accepted.
