How-To Geek

Ensure a Windows PC Never Gets Malware By Whitelisting Applications

A whitelist should be a foolproof way to secure a relative’s PC. Select a handful of approved applications and only allow them to run. If someone using the PC downloads another .exe file, Windows will refuse to run it.

AppLocker does this, but it’s only included on Enterprise editions of Windows. We’ll be using the Family Safety feature for this — it’s like AppLocker in disguise for all editions of Windows.

Set Up Family Safety

We’ll be demonstrating how to do this on Windows 8, which comes with Family Safety built in. However, this should also be possible on Windows 7. You can install Family Safety from Microsoft’s Windows Live Essentials package on Windows 7. Open the Windows Live Family Safety application afterwards and select the accounts you want to monitor. They can then be controlled on the same website below.

We’d expect this to work much better on Windows 8, however, where the feature is built in at the operating system level.

On Windows 8 or 8.1, you can only apply application whitelists to “child” accounts. This may feel a bit silly if you’re securing your parent’s PC, but it’s a necessary part of the process. A “child” account is just a managed, restricted account — it’s managed by a corresponding “parent” account.

You could even use this method to whitelist applications on your own PC — set up a “child” user account to use most of the time and sign into your administrator account when you want to allow a new application.

First, open the PC Settings app by pressing Windows Key + I and clicking Change PC settings. Navigate to Accounts > Other accounts. (If you try to use the desktop Control Panel instead, you’ll just be redirected to the full-screen PC Settings app.)

If you’re adding a new account to the system, click Add account, and click Add a child’s account. If the computer has an existing account you want to make into a child account, click an account, click Edit, and make it a child account.

The child account will be managed by the administrator account on your system, which is considered the “parent” account. So, if you’re locking down someone else’s PC, you’d log in with your administrator account and create a new child account for whoever’s using the PC. The administrator account you use has to be a Microsoft account. You’ll have to manage your whitelist through a web-based interface.

Configure Your Application Whitelist

Click the “Manage Family Safety settings online” link on the users configuration screen or head to https://familysafety.microsoft.com/ and log in with the administrator account’s username and password. You’ll see the account you marked as a child account here. If you restricted other accounts — even accounts on different PCs — they’ll all appear here.

Click the “child” user account’s name and select App restrictions. Set the App restrictions slider to On.

Go through the list and allow the specific applications you want that user account to have access to. The list includes both Microsoft’s “Store apps” and Windows desktop applications on the system. All applications — including new .exe files users download — will be blocked until they’re specifically allowed here.

Feel free to click around the control panel and set things up. For example, “Activity reporting” is enabled by default. If you’d rather not keep track of what websites the user account is accessing — after all, this is just about whitelisting applications — feel free to disable Activity reporting. This feature makes more sense for monitoring what your kids are doing online, not for spying on your parents’ or relatives’ web browsing habits.

Using the Restricted Account

You can now sign into the restricted account — you’ll probably want to do this to set things up. For example, you might want to pin the allowed applications to the desktop taskbar so people who use the PC know the applications they have access to.

If the person using the user account tries to access an application that isn’t whitelisted — whether it’s an application already on the system or an .exe file they download from the web — Windows will display a pop-up saying Family Safety blocked the application from running. This will prevent malware, spyware, and all kinds of other software from running on the computer. Only the handful of applications you allowed will run.

Users can click the pop-up to request access to a new application. If you’re using this feature to whitelist applications on a PC belonging to someone who isn’t your child, the “Ask a parent for permission” request may seem a bit weird to them — but there’s not much we can do about that! You may want to explain the dialog ahead of time so they know what to expect when they see it.

You’ll see these requests under the Requests option on Microsoft’s Family Safety website, so you can allow applications to run from anywhere you have a web browser. Click the Allow button to allow a request and the user will be able to run the application. Be careful to allow only safe applications onto your whitelist!

In spite of its name, Family Safety isn’t just for parental controls. It’s the only built-in application whitelisting feature you can use on any edition of Windows — no AppLocker or Enterprise edition of Windows required. It may not be quite as powerful as AppLocker, but it’s easier to set up and can even be configured remotely thanks to Microsoft’s web-based interface. We just wish it were a bit more flexible and didn’t refer to these restricted accounts as “child” accounts.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.

  • Published 08/28/14