Sense with Cents

The Devices You Do Not Always Control

May 18, 2026

A while back I wrote a long post about false positives and what works at the consumer and prosumer level for keeping a Windows computer safe. Near the end of that post, I mentioned that Windows ships with a pile of free built-in security controls that most people do not know about — restrictions on who can install software, where programs can run from, what requires administrator approval. I said it was worth a look, especially on a machine that runs a business.

This post picks up that thread. There is one of those built-in controls that matters more than the others. It is the one that addresses the problem most small business security advice quietly ignores.

The problem nobody names

Most security advice is written as if there is one computer and one careful person sitting at it. The careful person reads the warnings. The careful person does not click strange attachments. The careful person knows not to install software from sketchy websites.

That is not most small businesses. The office PC in the back of a restaurant gets used by the owner, by a night-shift manager who needs to print something, and by a bookkeeper who comes in twice a month. The retail shop computer gets used by whoever is on shift when the printer jams. The receptionist's desk is shared with anyone who needs to look up a number. The owner takes a laptop home and a kid uses it for homework. A spouse stops by the office and checks email on the machine in the corner. A contractor borrows a workstation for an afternoon project.

Every one of those is a moment when the device is operating without your judgment behind it. Your safe-hex habits do not transfer to the night-shift manager. Your skepticism about pop-up warnings does not transfer to your kid. Your decision not to install some free utility you have never heard of is yours alone — it is not embedded in the machine.

That is the actual exposure for most small businesses. Not the owner clicking the wrong thing. Someone else.

And even on a one-person machine, where you are the only person who ever touches it, there is something to be said for embedding your habits into the device itself. Your judgment can have a tired day. Your habits can lapse when you are in a hurry. A setting that quietly enforces the same discipline you would apply yourself is not a substitute for paying attention. It is a safety net for the moments when paying attention slips.

Two security models

There are basically two ways to do security on a computer.

The first way is to let any software run, then try to figure out which software is bad. Scan everything. Look for patterns. Guess at intent. Block the things that look suspicious. This is what most antivirus does, and it is the model the false-positives post was about. It is hard to do well, and the industry does not do it well. The customer ends up turning the security off to install legitimate software, then forgetting to turn it back on.

The second way is the opposite. Decide in advance which software is allowed to run on this computer. Let that software run. Block everything else.

This is called allowlisting, or whitelisting in older terminology. It is not new. It has been the model used in high-security environments for decades — places where the threat of running unknown software is worse than the inconvenience of having a fixed approved list. What is new is that Microsoft has put a workable version of it into Windows itself, free, where any small business owner can turn it on.

AppLocker

The version worth using is called AppLocker. It is built into Windows 10 and Windows 11 on the Pro, Enterprise, and Education editions — the editions most small businesses already have. It lets you write the rules. Allow anything signed by Microsoft. Allow anything signed by Adobe. Allow anything signed by Medlin Software. Block everything else. The strongest rule type is by publisher — the digital signature on the file — because the signature ties the program back to a real company that a certificate authority verified before issuing its code-signing certificate. AppLocker can also write rules by file path or by the file's cryptographic hash, but publisher rules are the ones to lean on. They survive software updates, they cannot be faked by dropping a file into the right folder, and they map cleanly to the question you actually want to answer — is this from someone I trust? Three practical limits are worth knowing. A publisher rule needs a signed program, so the occasional unsigned utility has to be allowed by hash and re-added when it updates. A path rule is only as good as the permissions on the folder, so never allow a folder that ordinary users can write to. And a publisher rule trusts everything that publisher signs, so allow the vendors you actually run rather than "any signed file." The same kinds of rules cover scripts and installer packages, not just .exe files; AppLocker keeps a separate rule collection for each.

AppLocker also lets you apply different rules to different users on the same computer, which is useful for a shared device where the owner needs to install things and other users do not.

It takes setup. You write the rules. You test them in audit-only mode first, where Windows logs what would have been blocked without actually blocking it. You watch the log for a few days (in Event Viewer, under Applications and Services Logs, then Microsoft, Windows, AppLocker) to make sure your real work is on the approved list. Then you flip it from audit to enforce, and the rules go live. When you add new software later, you update the rules.

That is more work than most security tools ask for. It is also why AppLocker is the right answer. The rules are yours. You wrote them. You know what is on the approved list, and so does the computer. Nothing is guessing.

For setup, the basic path is the Local Security Policy editor — Start, search for “secpol.msc,” then under Application Control Policies you will find AppLocker. Right-clicking each rule collection offers “Create Default Rules,” which adds the rules that keep Windows itself working, and Microsoft's documentation walks through the rule types from there. One detail that trips people up: AppLocker enforces nothing, even in enforce mode, unless the Application Identity service is running, so set that service to start automatically. If you would rather have someone else handle the initial setup, this is exactly the kind of project a local IT person can do in an hour or two. After that, maintenance is light — most months, you do nothing.
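The same setup as a script, covering both the rule-type discussion above (publisher rules first, hash rules for unsigned files, path rules only for Windows itself) and the audit-then-enforce sequence. This is an added example, not code from the original post or from Medlin Software. It uses only the AppLocker cmdlets that ship with Windows; the working folder C:\AppLocker, the rule names, and the Downloads path are my own choices and should be treated as assumptions. Run it from an elevated PowerShell prompt on a Pro, Enterprise, or Education edition.

```powershell
# Added example, not from the original post or Medlin Software: audit-first
# AppLocker rollout. Usage, spread over days:
#   Start-AppLockerAudit        (now)
#   Get-AppLockerWouldBlock     (during the audit period; fix any missing rules)
#   Test-OneFile                (dry-run a single file against the policy)
#   Enable-AppLockerEnforcement (when the audit log is clean)
# Assumptions: elevated prompt; folder C:\AppLocker; rule names below are mine.

$Work     = 'C:\AppLocker'
$Everyone = 'S-1-1-0'        # well-known SID: Everyone
$Admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# One AppLocker path rule in the policy's own XML schema, scoped by SID.
function New-PathRule([string]$Name, [string]$Sid, [string]$Path, [string]$Action = 'Allow') {
@"
    <FilePathRule Id="$(New-Guid)" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Baseline in the shape of secpol's "Create Default Rules", minus the broad
# %PROGRAMFILES% allow (publisher rules generated below replace it) and plus two
# Deny rules: %WINDIR%\Tasks and %WINDIR%\Temp are writable by ordinary users, so a
# plain allow on %WINDIR%\* would let anyone run whatever they copy there.
# Deny always beats Allow in AppLocker, and these denies bind administrators too.
function New-BaselineRules {
    @(
        New-PathRule 'Everyone: Windows folder'         $Everyone '%WINDIR%\*'
        New-PathRule 'Administrators: everything'       $Admins   '*'
        New-PathRule 'Deny user-writable Windows\Tasks' $Everyone '%WINDIR%\Tasks\*' 'Deny'
        New-PathRule 'Deny user-writable Windows\Temp'  $Everyone '%WINDIR%\Temp\*'  'Deny'
    ) -join "`n"
}

function Start-AppLockerAudit {
    New-Item -ItemType Directory -Path $Work -Force | Out-Null

    # AppLocker enforces nothing, even in enforce mode, unless the Application
    # Identity service runs. It is a protected service, so use sc.exe, not Set-Service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc

    # Every collection starts in AuditOnly. DLL rules are left out on purpose: they
    # are the quickest way to break a working machine and deserve their own audit.
    [xml]$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">$(New-BaselineRules)</RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">$(New-BaselineRules)</RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">$(New-BaselineRules)</RuleCollection>
</AppLockerPolicy>
"@

    # Inventory what is installed: publisher rules for signed files, hash rules as the
    # fallback for unsigned ones. -Optimize collapses per-file rules into one per publisher.
    $dirs  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
    $files = foreach ($d in $dirs) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
    }
    [xml]$generated = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml

    # Fold the generated rules into the matching baseline collection.
    foreach ($src in $generated.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $type = $src.GetAttribute('Type')
        $dst  = $policy.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='$type']")
        if ($dst) { foreach ($rule in $src.ChildNodes) { [void]$dst.AppendChild($policy.ImportNode($rule, $true)) } }
    }

    $policy.Save("$Work\applocker-audit.xml")
    Set-AppLockerPolicy -XmlPolicy "$Work\applocker-audit.xml"   # replaces the local policy
}

# The list to watch during the audit period: programs that ran but would have been
# blocked. Real work showing up here means a rule is missing.
function Get-AppLockerWouldBlock([int]$Days = 7) {
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = 8003, 8006          # audit "would have blocked"; 8004/8007 are the enforced blocks
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId, Message
}

# Dry-run one file (hypothetical path) against the policy. PolicyDecision comes back
# as Allowed, Denied or DeniedByDefault, with the name of the matching rule.
function Test-OneFile([string]$Path = "$env:USERPROFILE\Downloads\new-tool.exe") {
    Test-AppLockerPolicy -XmlPolicy "$Work\applocker-audit.xml" -Path $Path -User Everyone
}

# Same rules, enforcement on. Later additions go into the enforce file and are re-applied.
function Enable-AppLockerEnforcement {
    (Get-Content "$Work\applocker-audit.xml" -Raw) -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"' |
        Set-Content "$Work\applocker-enforce.xml"
    Set-AppLockerPolicy -XmlPolicy "$Work\applocker-enforce.xml"
}
```

The inventory step walks every file under both Program Files folders and can take several minutes. The two Deny rules are the part a quick secpol setup usually misses: the stock "%WINDIR%\*" allow is what keeps Windows running, but a few subfolders of it are writable by any signed-in user, and a deny on those costs nothing. If a legitimate program turns up in Get-AppLockerWouldBlock because it runs from a user-profile folder (some auto-updaters do), add a publisher rule for that vendor rather than a path rule for the folder.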

How the pros do this

Worth mentioning what the next tier looks like, so you know what AppLocker is and is not. Microsoft itself offers a stricter, more capable allowlisting tool called App Control for Business — formerly known as Windows Defender Application Control. It runs deeper in the operating system than AppLocker does and is harder to bypass, but it also takes more work to set up and manage. For a small business, AppLocker hits the right balance of capability and setup effort. App Control for Business is what you would graduate to if the business grew into a managed IT environment with a dedicated IT person.

Beyond Microsoft's own tools, large companies that take this model seriously pay for commercial products built on the same principle. ThreatLocker is one of the better-known names. CrowdStrike, SentinelOne, and Carbon Black offer similar capabilities as part of their endpoint platforms.

The difference between those and AppLocker is who maintains the list. With a commercial product, the vendor maintains a catalog of known-safe software — thousands of common business applications, kept up to date as new versions ship. The customer's IT team reviews the auto-generated list, approves what fits the business, and then receives ongoing updates as the catalog grows. When a new version of an approved application ships, the vendor adds it to the catalog and the customer's allowlist updates automatically. Most products also offer a human-staffed approval service — if an employee needs an unfamiliar app, IT submits a request and a human at the vendor reviews it, usually in minutes.

That is a real service, and it is real money. ThreatLocker is sold through managed service providers, and the all-in cost for a small business typically amounts to a meaningful monthly spend per device, plus the MSP's setup and management fee on top. For a five-device office, that adds up to meaningful annual spend.

AppLocker gives you the same security model with none of that scaffolding. You write the rules. You decide what is approved. You update the list when you add new software. There is no vendor catalog, no human-on-call approval service, no automatic version updates. For a business that already knows what software it runs and does not add new applications often, that is a manageable trade. For a business that adds new tools regularly and does not have the patience to maintain the rules, the commercial product earns its money.

The point is that the model is the same. Both ends of the market — the free Microsoft feature and the paid commercial product — work because the underlying idea is sound. Approved software runs. Everything else does not. The difference is who keeps the list.

A note on Smart App Control

Windows 11 also includes a consumer-facing allowlisting feature called Smart App Control. It uses Microsoft's reputation data instead of rules you write yourself. In theory, that sounds easier — let Microsoft decide what is approved. It is the same general idea as the commercial products, with Microsoft acting as the vendor maintaining the safe list.

In practice, Smart App Control evaluates your usage pattern for a few weeks after a clean install, and if it sees you installing things that would get blocked, it quietly turns itself off and stays off; once it is off, the only way back on is a clean reinstall of Windows. For most small business owners who occasionally install a new utility or a specialty tool, Smart App Control is going to disable itself before it ever does any work. It is not the wrong idea — it is just the wrong fit for most of the people who would benefit most.

AppLocker does not have that problem. The rules you wrote stay in force. New software gets blocked if you have not approved it, and that is the point.

What it actually prevents

Two things, both of them showing up in customer emails I have answered for years.

The false-positive problem mostly goes away. AppLocker does not guess at intent. It checks whether the software is on the approved list. Approved software runs. Unapproved software does not. No heuristic decides that Medlin Payroll looks suspicious today because of a definition update overnight. The question of whether the software is suspicious is not asked — the question is whether it is approved, which was decided in advance.

The actual attacks mostly go away too. Ransomware encrypts files when it gets to run. Fake-invoice malware steals credentials when it gets to run. The phishing email that tricks the night-shift manager into clicking the attachment — the attachment is software that needs to run to do damage. If unapproved software cannot run on the computer, those attacks do not land. The honest limit is in the word "mostly": a malicious Office macro, or a script handed to an interpreter that is already on the approved list, runs inside approved software. That is why AppLocker's script and installer rule collections matter as much as the executable rules, why the default rule that allows everything under the Windows folder deserves a second look (a few of its subfolders are writable by ordinary users), and why Defender stays on underneath. The single defensive question — is this program approved — still answers most of both threats at once.

The trade-off, honestly

You give up the ability to run any random thing you download. That is the cost. For a small business running known software — a browser, an office suite, payroll, accounting, maybe a few specialty tools — the cost is close to nothing. You already know what you run on this computer. Turning on AppLocker is just writing it down.

For a computer that is also used to try new software, install free utilities you saw mentioned somewhere, run games, or hand off to a tech-curious teenager — AppLocker will get in your way. That is by design. If that describes your situation, the right answer may be to keep allowlisting off on that machine, or to set up AppLocker so the owner account has more freedom and the other accounts do not. Different rules for different users is exactly what AppLocker is built for, and the simplest version is already in the default rules: an allow-everything rule scoped to the Administrators group. Make the owner's account an administrator and everyone else a standard user, and the owner keeps the freedom while the other accounts only get what the rules approve.
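When the owner's account is not (or should not be) an administrator, the same effect comes from a rule scoped to that one account's SID. The following is an added example, not code from the original post or from Medlin Software: it appends an allow-everything rule for one account to the existing local policy, then evaluates the same downloaded file for two accounts to confirm that only one of them may run it. The account names Owner and NightShift and the file path are assumptions; it expects an AppLocker policy to be in place already and an elevated prompt.

```powershell
# Added example, not from the original post or Medlin Software: per-account
# scoping of AppLocker rules, plus a per-account dry run of the result.
# Assumptions: local accounts named Owner and NightShift exist; the file path
# below is hypothetical; an AppLocker policy is already applied; elevated prompt.

function Get-AccountSid([string]$Account) {
    # Rules are scoped by SID, not by name, so resolve the account first.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Add-UnrestrictedUserRule([string]$Account, [string]$OutFile = "$env:TEMP\applocker-with-owner.xml") {
    $sid = Get-AccountSid $Account
    [xml]$pol = Get-AppLockerPolicy -Local -Xml
    $exe = $pol.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Exe']")
    if (-not $exe) {   # no executable rules yet: create the collection in audit mode
        $exe = $pol.DocumentElement.AppendChild($pol.CreateElement('RuleCollection'))
        $exe.SetAttribute('Type', 'Exe'); $exe.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    # UserOrGroupSid is what limits the rule to one account; Path="*" means anything.
    [xml]$rule = @"
<FilePathRule Id="$(New-Guid)" Name="$Account may run anything" Description="" UserOrGroupSid="$sid" Action="Allow">
  <Conditions><FilePathCondition Path="*" /></Conditions>
</FilePathRule>
"@
    [void]$exe.AppendChild($pol.ImportNode($rule.DocumentElement, $true))
    $pol.Save($OutFile)
    Set-AppLockerPolicy -XmlPolicy $OutFile    # re-apply the whole local policy
    $OutFile
}

# Evaluate one file for several accounts. Expected: the unrestricted account comes
# back Allowed via its own rule; the others come back DeniedByDefault unless some
# Everyone rule covers the file. A Deny rule scoped to Everyone still beats the
# owner's allow-all, which is AppLocker's normal precedence.
function Compare-Decisions([string]$PolicyFile, [string]$File, [string[]]$Accounts) {
    foreach ($acct in $Accounts) {
        Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $File -User (Get-AccountSid $acct) |
            Select-Object @{ n = 'User'; e = { $acct } }, FilePath, PolicyDecision, MatchingRule
    }
}

$policyFile = Add-UnrestrictedUserRule -Account 'Owner'
Compare-Decisions $policyFile "$env:USERPROFILE\Downloads\free-utility.exe" @('Owner', 'NightShift')
```

Test-AppLockerPolicy needs the file to exist so it can read its signature and hash, so point it at something actually sitting in Downloads. Scoping by a dedicated local group instead of a single account (resolve the group name the same way) keeps the rule valid if the owner's account is ever renamed or replaced.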

The bigger point

Microsoft Defender, mentioned in the false-positives post, is the first free thing in Windows worth turning on. AppLocker is the second. Defender catches what allowlisting misses, allowlisting prevents what Defender cannot keep up with, and together they cover most of what a small business actually needs.

The reason this matters more for small business owners than the average home user is that the small business computer is rarely a one-person device. Other people use it. The owner is not always in the room. The exposure is not the owner's habits — it is the moments when the owner's habits are not present. AppLocker is the setting that addresses exactly that gap. And for the one-person machine, it is the same discipline you would apply yourself, embedded in the computer so you do not have to remember to apply it every time.

It is free. It is built in. The setup is a one-time project. Worth knowing about.

See also: If I Had a Nickel for Every False Positive and Do You Really Have a Backup?

This post was lightly cleaned up with AI for grammar and flow. The opinions, the operator experience, and the company practices described are mine and Medlin's.