Application whitelisting is one of the oldest forms of endpoint security, and used as part of a defence-in-depth approach it can protect endpoints which have limited function or still run older operating systems and applications.
The growing number of Internet-connected endpoints makes the job of securing applications inside the network harder every day. Multi-function printers, IP-enabled telephone systems and various IP-enabled data centre management devices (IP-KVM, IP-serial controllers, iPDUs) all fall into the category of single-application devices which may run a full operating system under the covers. How are you addressing the security of those devices?
Windows XP and later have good support for application whitelisting. While this functionality isn’t as rich or flexible as a solution from vendors like Lumension or CoreTrace, “Software Restriction Policies” rolled out through Group Policy can control which types of applications users may run and restrict the locations from which applications may run. Windows 7 takes the functionality into the 21st century with “AppLocker”.
According to Microsoft, “AppLocker provides simple, powerful, rule-based structures for specifying which applications can run that are centrally managed using Group Policy. It introduces "publisher rules" that are based on an application's digital signature, making it possible to build strong rules that account for application updates.”
This policy applies both to versions of software (“allow all versions of Microsoft Word later than 11.0 to run if signed by Microsoft”) and to applications as a whole.
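As an added example (not from the original post or from Microsoft's documentation), the Word rule above expressed as an AppLocker policy and dry-run with the AppLocker PowerShell cmdlets on Windows 7 Enterprise or later. The publisher, product and binary names, and the file paths tested, are assumed values; take the real ones from a signed copy of the binary with Get-AppLockerFileInformation.

```powershell
# Added example: an AppLocker "Exe" rule collection that allows only
# (a) binaries under the Windows folder, so Windows Update keeps working, and
# (b) Microsoft Word version 11.0 or later, identified by its publisher signature.
# Once any rule exists in a collection, everything not matched is implicitly denied.
# PublisherName/ProductName/BinaryName are ASSUMED values; read the real ones with:
#   Get-AppLockerFileInformation -Path 'C:\...\WINWORD.EXE'
# Rule Ids must be GUIDs; fresh ones are generated inline.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder"
                  Description="Keeps Windows Update and OS binaries working"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow Microsoft Word 11.0 and later"
                       Description="Publisher rule: survives Office updates"
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="MICROSOFT OFFICE" BinaryName="WINWORD.EXE">
          <BinaryVersionRange LowSection="11.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'word-whitelist.xml'
$policyXml | Set-Content -Path $policyPath -Encoding Unicode

# Dry run before enforcing: report what the policy would decide for each file.
# Assumed locations; replace with binaries present on the test machine.
$candidates = @(
  'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE',  # expected: Allowed (publisher rule)
  'C:\Windows\System32\notepad.exe',                         # expected: Allowed (Windows folder rule)
  'C:\Users\Public\Downloads\avc2011.exe'                    # expected: Denied (no matching rule)
)
$candidates | Where-Object { Test-Path $_ } |
  Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
  Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only after the dry run looks right, and with the Application Identity service
# (AppIDSvc) running, apply it locally, or import the XML into a GPO instead:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Start with EnforcementMode="AuditOnly" on a pilot group and review the AppLocker event log before switching to "Enabled".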
So why is it that application whitelisting appears to be absent in many corporate environments today? Why don’t single-purpose appliance solutions utilise whitelisting as part of their security posture, and what about server builds and even embedded systems? With the seemingly never-ending appearance of malicious software, perhaps it is time to use application whitelisting more aggressively on desktops?
The concept of application whitelisting is simple.
Only applications which have been identified and defined are allowed to execute. A machine which has the task of being a DNS server can run only applications relevant to this DNS function, and cannot, for example, be used to browse the web.
One complaint about application whitelisting on the desktop is that users need to run too many applications in a modern organisation, and blocking each new application until an Administrator can approve it is next to impossible.
The technology has significantly improved in the last few years, and vendors like McAfee even offer a centralised ‘knowledge base’ SaaS solution to help identify new applications and automatically assign an identity to software trying to install itself on a user’s machine. Through an application trust model some software can be implicitly allowed, and all other software can be blocked from installing or running. This allows Windows Update to work, but blocks a fake anti-virus application like avc2011.exe from ever running.
Dynamic whitelisting based on trust, solutions that operate standalone, and whitelisting products with memory-protection capabilities can all benefit devices which are not permanently connected to the corporate LAN, and application whitelisting can be implemented across servers, laptops and desktops.
- Ask your appliance vendor if application whitelisting is part of the underlying operating system. If the response is “but we have never been hacked” or “it’s a toughened operating system” you need to press further to understand exactly what security features protect the appliance from hackers.
- Your existing security vendor may have an application whitelisting solution already. They can provide you with options suitable for your environment and help identify the highest risk platforms to tackle first.
- Application whitelisting is often called Application Control. Consider identifying a small group of machines in your environment which have a limited function and rolling out application control to those machines first.
Remember that application whitelisting is not a silver bullet and does not replace other endpoint protection, but used together with good anti-virus and anti-malware implementations, gateway security and a strong security policy, you are making it much harder for the bad guys to compromise your network.
JT Keating of CoreTrace explains “The bottom line is, combining application whitelisting as the primary mechanism for preventing the execution of unknown and malicious applications, with Cloud-based blacklists for reporting and compliance purposes, covers both known and unknown malware code from exploiting a system — and does so in a way that does not impact performance.”
“While we agree that whitelisting enforcement alone is not a complete replacement for antivirus, an anti-malware strategy that includes both whitelisting and blacklisting for application control gives organisations the best of both worlds”.