Yes, I do. I've been searching online for tutorials on how to use AppLocker (as suggested by @neemobeer and @garlin), but the results didn't help.
Not to toot my own horn, but I have what I think is a pretty comprehensive tutorial on setting up AppLocker:
If you already came across it and decided that it was too complicated, I actually think for your desired purposes, simply the default automatically generated executable rules (shown at 9:02) would do exactly what you want as-is:
- Allows only running programs from Program Files or Windows Directory
- Allows admins to run from anywhere
You'd want to enable the default rules for all the categories including DLLs; I show all that in the video. For "Windows Installer Rules" I would delete the "All digitally signed Windows Installer files" Allow rule, and in the "Packaged App Rules" category you might actually want to just make your own instead of the default, to only allow those within Program Files, but that's really the only manually created one you'd have to do.
If you want, you can also right-click and go to the properties of each rule and select which users specifically they apply to, but assuming you're using an admin account for yourself the defaults should be fine, since they have that rule to allow anything for admin accounts anyway.
I'd also recommend at least watching the entire thing even if you don't end up using it beyond enabling the default rules so you at least know how things work or how to fine tune it further. The rest isn't all that relevant in your case because you're using it to protect users who are just running at standard user level permissions anyway.
I also talk about how AppLocker doesn't 100% protect from PowerShell scripts and there are other ways to deal with that.
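
Added example, not part of either post above: a PowerShell check that the effective AppLocker policy behaves the way the default rules are described in the reply (Program Files and Windows allowed, everything else denied for non-admins). The working folder name and the copied test file are constructed for this example; run it from an elevated prompt on the machine where the policy is applied.

```powershell
Import-Module AppLocker

# AppLocker enforces nothing unless the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: $($svc.Status)"
if ($svc.Status -ne 'Running') { Write-Warning 'AppIDSvc is not running; rules are not enforced.' }

# Enforcement mode per rule collection (Exe, Msi, Script, Dll, Appx).
# Anything other than 'Enabled' means that category is not actually blocking.
$policy = Get-AppLockerPolicy -Effective
foreach ($rc in $policy.RuleCollections) {
    "{0,-8} {1}" -f $rc.RuleCollectionType, $rc.EnforcementMode
    if ($rc.EnforcementMode -ne 'Enabled') {
        Write-Warning "$($rc.RuleCollectionType) rules are not enforced."
    }
}

# Constructed test case: the same harmless system binary in two locations.
# 'applocker-check' and 'whoami-copy.exe' are names made up for this example.
$workDir  = Join-Path $env:TEMP 'applocker-check'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inSystem = Join-Path $env:SystemRoot 'System32\whoami.exe'
$inTemp   = Join-Path $workDir 'whoami-copy.exe'
Copy-Item -Path $inSystem -Destination $inTemp -Force

# Evaluate as 'Everyone' so the allow-all rule for Administrators is not applied.
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $inSystem, $inTemp -User Everyone
foreach ($r in $results) {
    $shouldAllow = ($r.FilePath -eq $inSystem)
    $isAllowed   = ($r.PolicyDecision -notlike 'Denied*')
    $verdict     = if ($shouldAllow -eq $isAllowed) { 'OK' } else { 'UNEXPECTED' }
    "{0,-10} {1,-16} {2}" -f $verdict, $r.PolicyDecision, $r.FilePath
}

Remove-Item -Path $workDir -Recurse -Force
```

With the default executable rules enforced, the System32 path should report an allowed decision and the copy under the temp folder a denied one; an `UNEXPECTED` line means the policy differs from that description.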