Following the release of Windows Server 2003, the capability to implement Software Restriction Policies (SRP) has been widely accepted as one of the safest ways to secure corporate networks. Integrated via Microsoft Active Directory and Group Policy features, SRP identifies and controls the programs running on a domain to increase reliability, integrity and manageability of the devices within an environment.
A common SRP technique is blacklisting, where known threats are blocked from running by your antivirus or anti-malware programs. Blacklisting is an essential part of any security strategy because it is a cost-effective approach to threat detection; however, it is a reactive defense that cannot scale to today’s growing volume and variety of threats. In the case of a zero-day attack such as Heartbleed or Shellshock, which leveraged previously unknown system vulnerabilities, blacklisting alone leaves your organization completely exposed, because it can only protect you against the known. In today’s highly ambiguous grey area of security certainty, organizations must prepare for evolving threats to remain secure and successful.
Enter: Application whitelisting.
Whitelisting is a proactive approach to SRP configuration where, instead of blocking known attacks, a network administrator defines a limited set of permitted programs, called a whitelist, which are allowed to run on a domain. By default, this prevents all other programs – including most malware – from running within the environment. Essentially, it functions as an “if-then” filter that stops unauthorized applications from breaching a system. When employed in conjunction with traditional security measures, it creates an additional layer in an organization’s defense-in-depth strategy.
Take, for example, an employee who opens an email or inserts a USB drive containing malicious code: with whitelisting in effect, that code cannot run within the domain, and the integrity of your organization’s network is maintained. Downtime from such an incident traditionally ranges from a couple of hours to several days, depending on how far the malware has spread. Even if you feel that your network data is secure, can your business withstand an extended outage?
For an effective application whitelisting solution, network administrators should note that all executable code must be blocked by default so that only approved, whitelisted programs can run. Additionally, network users must not be able to modify the files allowed to run, and every installation or download of a new application must go through administrator authorization. While application whitelisting has definite advantages, such as defense against current malware and no need for daily oversight, there are disadvantages to consider before implementing it in your organization. Effective application whitelisting requires regular maintenance of the whitelist as applications are added and removed through the approval process defined within your organization, which in turn carries some performance overhead for enforcement and for keeping the rule definitions current. It is also important to consider that end users will be limited in the downloads, applications, and files they are permitted to use, which can create frustration. Proper communication on the importance and necessity of rigid policies should be a priority within your security strategy, as staff are more receptive to restrictions when they understand the reasoning. Engage your employees as advocates on your journey to network integrity, and never underestimate the importance of a communication plan for any organizational change.
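As an added illustration (not code from the original article or from Eide Bailly), the following Python models the default-deny evaluation described above: everything is Disallowed unless a rule allows it, hash rules take precedence over path rules, the most specific path rule wins, and a check flags any allow rule that covers a folder ordinary users can write to, which would let them place their own executables inside the whitelist. All folder names, the list of user-writable folders and the "approved tool" bytes are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"   # SRP security levels

# Constructed stand-in for the bytes of an approved, signed-off executable.
APPROVED_TOOL = b"constructed bytes standing in for an approved executable"


def _norm(path: str) -> str:
    """Case-insensitive, forward-slash form so Windows paths compare reliably."""
    return path.replace("\\", "/").lower().rstrip("/")


def _within(path: str, folder: str) -> bool:
    """True when path is the folder itself or lies beneath it (directory boundary respected)."""
    return path == folder or path.startswith(folder + "/")


@dataclass
class Whitelist:
    default_level: str = DISALLOWED                     # block anything no rule matches
    path_rules: dict = field(default_factory=dict)      # folder -> level
    hash_rules: dict = field(default_factory=dict)      # sha256 hex digest -> level

    def evaluate(self, path: str, contents: bytes) -> str:
        """Hash rules beat path rules; among path rules the longest (most specific) match wins."""
        digest = hashlib.sha256(contents).hexdigest()
        if digest in self.hash_rules:
            return self.hash_rules[digest]
        target = _norm(path)
        matches = [f for f in self.path_rules if _within(target, _norm(f))]
        if matches:
            return self.path_rules[max(matches, key=lambda f: len(_norm(f)))]
        return self.default_level

    def user_writable_allow_rules(self, user_writable_dirs) -> list:
        """Allow rules that overlap a folder ordinary users can write to; these weaken the whitelist."""
        writable = [_norm(d) for d in user_writable_dirs]
        return sorted(f for f, level in self.path_rules.items()
                      if level == UNRESTRICTED
                      and any(_within(_norm(f), w) or _within(w, _norm(f)) for w in writable))


def build_sample_policy() -> Whitelist:
    """Constructed sample policy for the demonstration, not a real deployment."""
    wl = Whitelist()
    wl.path_rules[r"C:\Program Files"] = UNRESTRICTED
    wl.path_rules[r"C:\Windows"] = UNRESTRICTED
    wl.path_rules[r"C:\Windows\Temp"] = DISALLOWED      # more specific rule overrides its parent
    wl.path_rules[r"C:\Users\Public"] = UNRESTRICTED    # deliberately weak rule, caught by the check
    wl.hash_rules[hashlib.sha256(APPROVED_TOOL).hexdigest()] = UNRESTRICTED
    return wl
```

Run `build_sample_policy().user_writable_allow_rules([...])` against the folders your users can write to before rolling a policy out; a non-empty result means the whitelist can be bypassed by whoever can write there.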
Mike Arvidson is the Director of Eide Bailly Technology Consulting’s Infrastructure Services. With more than 20 years of experience in the IT industry, Mike’s wealth of knowledge includes network systems implementation, integrated new technologies, and information security.