How does one configure Windows not to execute tampered binaries?
Edit: I forgot AppLocker!
Before performing the following procedure, ensure that you created the default rules for the rule collection that is described in Preventing Standard Users from Running Per-user Applications.
To allow only signed applications to run
1. To open the Local Security Policy MMC snap-in, click Start, type secpol.msc, and then press ENTER.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create New Rule.
Caution
This rule prevents unsigned applications from running. Before implementing this rule, ensure that all of the files that you want to run in your organization are digitally signed. If any applications are not signed, consider implementing an internal signing process to sign unsigned applications with an internal signing key.
4. On the Before You Begin page, click Next.
5. On the Permissions page, click Next to accept the default settings.
6. On the Conditions page, click Next.
7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.
8. On the Exceptions page, click Next.
9. On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.
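
The rule that steps 3 to 9 create, written out as AppLocker policy XML and tested in audit mode against the executables you need to run, which is the check the Caution above asks for. This is an added example, not part of the original answer or the quoted procedure. The policy file path, rule name, sample directory and 200-file limit are assumptions, and the XML holds only this one rule so the test isolates it from the default rules.

```powershell
# Added example: "allow any signed file" publisher rule, evaluated offline before enforcement.
# Assumed values: $PolicyXml path, rule name, $SampleDir, and the 200-file sample size.
$RuleId    = [guid]::NewGuid().ToString()
$PolicyXml = Join-Path $env:TEMP 'signed-only-exe.xml'
$SampleDir = $env:ProgramFiles   # placeholder: point at the applications your users run

# PublisherName/ProductName/BinaryName "*" with an open version range matches any signed file.
# EnforcementMode="AuditOnly" means importing this policy would log, not block.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$RuleId" Name="Allow all signed executables" Description=""
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyXml -Encoding UTF8

# Collect a sample of executables to evaluate against the rule.
$files = Get-ChildItem -Path $SampleDir -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First 200 -ExpandProperty FullName

# Evaluate each file against the XML policy and record its Authenticode status next to
# the decision, so a file that is not allowed can be traced to its signature state.
$report = foreach ($file in $files) {
    $decision = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $file -User Everyone
    [pscustomobject]@{
        FilePath        = $file
        PolicyDecision  = $decision.PolicyDecision
        SignatureStatus = (Get-AuthenticodeSignature -FilePath $file).Status
    }
}

# Everything listed here would stop running once the rule is enforced.
$report | Where-Object PolicyDecision -ne 'Allowed' | Format-Table -AutoSize
```

Once the list is empty or understood, `Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge` adds the rule to the local policy. AppLocker only evaluates rules while the Application Identity service (AppIDSvc) is running.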