Control Applications

You can combine Application Control's security methods - such as Trusted Ownership Checking - with rules in a configuration to control which users can install and run applications.

Application Control uses a method known as Trusted Ownership checking to prevent the execution of any user-introduced executable. Only applications installed by Trusted Owner - for example, administrators - are allowed to run by default. In the case of Microsoft applications such as Project and Visio that have been installed in a multi user environment, you can use Application Control to allow access only to these applications by specified licensed device.

The Application Control configuration contains two Group rules. These are BuiltIn\Administrators, who are unrestricted and can run any executable, and Everyone, who can only run executables owned by Trusted Owners. Each rule created has an Allowed Items and Denied Items list.

The Allowed Items list allows administrators to give access to executables that would normally be blocked by default rules, for example Trusted Ownership failure or Network Executables.

The Denied Items list allows administrators to deny access to executables that would normally be allowed by default rules.

Because Microsoft applications will often be licensed to run on only a few devices, it is best practice to use Application Control to initially deny access to the application for everyone, then allow access to the few, based on the allowed device.