Malware really stinks, but in many ways anti-malware stinks as well.
In fact, anti-malware vendors are in a continuous race with attackers since they can’t protect us against threats until those threats surface in the wild. That means we’re always at risk of being the first ones to encounter some new threat that we cannot yet detect.
In Windows XP, Microsoft introduced a technology called Software Restriction Policies, or SRPs, which contain a list of allowed software applications. By simply defining all of your allowed applications, all others are blocked, including undiscovered malware and those inappropriate applications you wish never existed.
Unfortunately, SRPs aren’t as simple as they seem since modern organizations run hundreds -- and often thousands -- of applications. Tracking them down and defining them is impractical, and so is the governance in maintaining that list as the applications age and evolve. Therefore, few organizations fully deploy SRPs in a production environment because they’re so difficult to set up. Still, SRPs are a good theory -- one which Microsoft didn’t give up on.
The high-level name for this concept is whitelisting, which enables you to list the applications you want to allow and prevents anything else from running. Anti-malware software is technically a form of blacklisting, meaning you list the applications you don’t want to allow. In reality, an SRP could be used for blacklisting and whitelisting, although manually creating any kind of comprehensive blacklist isn’t practical. Even anti-malware vendors don’t rely solely on a strict, SRP-style blacklist. They also use pattern recognition, behavior recognition and other techniques since a purely blacklist approach will not catch every single piece of malware.
Windows 7 and AppLocker
Microsoft unveiled a new application management tool in Windows 7, called AppLocker, which doesn’t use the old SRPs -- although it functions in much the same way. The key difference is that Microsoft has simplified the process of creating an inventory of allowed applications with AppLocker.
AppLocker includes tools that take inventory of the applications your users have installed so that you can build a list of what is actually running in your environment. By editing down that list you can quickly and more easily create the needed list of allowed applications.
This is a big job, however, as most organizations don’t have a single, standard desktop. As a result, you’ll have to perform the AppLocker inventory process on every different kind of computer to make sure you’ve captured all the different applications in your enterprise. The AppLocker toolset makes this process much easier than the old SRP approach and makes whitelisting a practical method for many more organizations.
AppLocker has three ways of identifying an application. A path rule allows any application residing within a particular folder to run, or can enable a single executable via its path and file name. However, enabling a whole folder can be dangerous, as malware would simply have to get itself into that path in order to bypass AppLocker security. A hash rule is safer because it uniquely identifies a specific executable. Updating that executable to a new version, however, invalidates the hash, requiring you to recreate the rule. The best method is the publisher rule, which enables any application that has been digitally signed with a given publisher's certificate. Even if a new version of the application is deployed, AppLocker's publisher rule can recognize and authorize it based on the signature.
Publisher rules are also flexible. For instance, you can allow an entire publisher -- say, Microsoft -- a product (Microsoft Word), a file name or even a specific version. This flexibility brings an opportunity for change control: “Yes, we allow Word, but we only allow known versions. If you attempt to run any other version before we’ve approved it, you won’t be able to do so.”
AppLocker rules can be either allow or deny rules. For example, some organizations allow all software to run -- relying on their anti-malware software to protect them from attacks -- but deny known problematic applications using AppLocker rules. While this is a valid approach, it gives up the main benefit of the whitelisting technique.
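To make the trade-offs between path, hash and publisher rules concrete, here is an added teaching example (not code from the article and not AppLocker's own engine) that evaluates a constructed policy in AppLocker's XML layout against a handful of constructed files. It assumes signature verification has already happened, so each file simply carries the publisher, product, binary name and version fields that Windows would read from a valid Authenticode signature; the hash is a plain SHA-256 of the file bytes (a simplification of AppLocker's PE hashing); per-user SIDs are ignored; and the "Contoso" publisher and all paths and file contents are invented for the demonstration. It shows an unsigned file slipping through a folder path rule, a hash rule breaking when the binary changes, a publisher rule with a pinned version range accepting an approved version and rejecting an unapproved one, and an explicit deny rule overriding an allow rule.

```python
"""Miniature evaluator for AppLocker-style path, hash and publisher rules.

Constructed example for illustration: signature verification is assumed done,
the hash is a flat SHA-256 of the bytes, and user SIDs are ignored.
"""
import fnmatch
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FileInfo:
    path: str
    content: bytes
    # What a verified signature would yield; None means the file is unsigned.
    publisher: Optional[str] = None
    product: Optional[str] = None
    binary_name: Optional[str] = None
    version: Optional[str] = None


# Constructed sample "binaries" (the bytes stand in for real PE files).
CALC_V1 = b"MZ constructed calc.exe 1.0"
CALC_V2 = b"MZ constructed calc.exe 1.1 (any byte change breaks the hash)"
CONTOSO = "O=CONTOSO, L=SEATTLE, S=WASHINGTON, C=US"  # hypothetical publisher

SAMPLES = {
    "dropped_into_tools": FileInfo(r"C:\Tools\unknown.exe", b"MZ unsigned dropper"),
    "calc_v1": FileInfo(r"C:\Program Files\Calc\calc.exe", CALC_V1),
    "calc_v2": FileInfo(r"C:\Program Files\Calc\calc.exe", CALC_V2),
    "word_14": FileInfo(r"C:\Program Files\Contoso\WORD.EXE", b"MZ word 14",
                        CONTOSO, "CONTOSO WORD", "WORD.EXE", "14.0.7.0"),
    "word_15": FileInfo(r"C:\Program Files\Contoso\WORD.EXE", b"MZ word 15",
                        CONTOSO, "CONTOSO WORD", "WORD.EXE", "15.0.0.0"),
    "banned_in_tools": FileInfo(r"C:\Tools\oldgame.exe", b"MZ old game"),
}

# Constructed policy using the AppLocker XML element names.
POLICY_XML = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="p1" Name="Allow anything under C:\Tools" Action="Allow" UserOrGroupSid="S-1-1-0">
      <Conditions><FilePathCondition Path="C:\Tools\*"/></Conditions>
    </FilePathRule>
    <FileHashRule Id="h1" Name="Allow calc.exe 1.0 by hash" Action="Allow" UserOrGroupSid="S-1-1-0">
      <Conditions><FileHashCondition>
        <FileHash Type="SHA256" Data="0x{calc_hash}" SourceFileName="calc.exe" SourceFileLength="{calc_len}"/>
      </FileHashCondition></Conditions>
    </FileHashRule>
    <FilePublisherRule Id="s1" Name="Allow approved Contoso Word 14.x" Action="Allow" UserOrGroupSid="S-1-1-0">
      <Conditions>
        <FilePublisherCondition PublisherName="{publisher}" ProductName="CONTOSO WORD" BinaryName="WORD.EXE">
          <BinaryVersionRange LowSection="14.0.0.0" HighSection="14.0.65535.65535"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="d1" Name="Deny a known problem application" Action="Deny" UserOrGroupSid="S-1-1-0">
      <Conditions><FilePathCondition Path="C:\Tools\oldgame.exe"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>""".format(calc_hash=hashlib.sha256(CALC_V1).hexdigest(),
                             calc_len=len(CALC_V1), publisher=CONTOSO)


def _version(text: str, wildcard: Tuple[int, ...]) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a comparable tuple; '*' means the bound is open."""
    return wildcard if text == "*" else tuple(int(p) for p in text.split("."))


def rule_matches(rule: ET.Element, f: FileInfo) -> bool:
    cond = rule.find("Conditions")[0]
    if rule.tag == "FilePathRule":
        # '*' also crosses folder boundaries, so C:\Tools\* covers subfolders.
        return fnmatch.fnmatchcase(f.path.upper(), cond.get("Path").upper())
    if rule.tag == "FileHashRule":
        digest = "0x" + hashlib.sha256(f.content).hexdigest()
        return any(h.get("Data").lower() == digest for h in cond.findall("FileHash"))
    if rule.tag == "FilePublisherRule":
        if f.publisher is None:
            return False  # unsigned files never satisfy a publisher rule

        def same(wanted: str, actual: Optional[str]) -> bool:
            return wanted == "*" or (actual is not None and wanted.upper() == actual.upper())

        if not (same(cond.get("PublisherName"), f.publisher)
                and same(cond.get("ProductName"), f.product)
                and same(cond.get("BinaryName"), f.binary_name)):
            return False
        rng = cond.find("BinaryVersionRange")
        low = _version(rng.get("LowSection"), (0, 0, 0, 0))
        high = _version(rng.get("HighSection"), (65535,) * 4)
        return low <= _version(f.version or "0.0.0.0", low) <= high
    raise ValueError(f"unknown rule type {rule.tag}")


def evaluate(policy_xml: str, f: FileInfo) -> Tuple[str, str]:
    """Return (decision, reason): explicit Deny beats Allow; no match means blocked."""
    allowed_by = None
    for rule in ET.fromstring(policy_xml).find("RuleCollection"):
        if not rule_matches(rule, f):
            continue
        if rule.get("Action") == "Deny":
            return "Deny", rule.get("Name")
        allowed_by = allowed_by or rule.get("Name")
    if allowed_by:
        return "Allow", allowed_by
    return "Deny", "no rule matched (default deny while enforcement is on)"


def evaluate_samples() -> dict:
    return {name: evaluate(POLICY_XML, f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, reason) in evaluate_samples().items():
        print(f"{name:20s} {decision:5s} {reason}")
```

Running it lists one decision per sample: the unsigned file in C:\Tools is allowed purely because of where it sits, calc.exe 1.1 is blocked because the hash rule only knows 1.0, Word 14.0.7.0 passes the publisher rule while 15.0.0.0 waits for approval, and oldgame.exe is blocked by the deny rule even though the folder allow rule also matched it.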
If you haven’t yet considered whitelisting, now is indeed the time. The growing number of third-party vendors who have built their own tools is evidence that it represents a worthwhile tactic. Products from vendors such as Viewfinity, BeyondTrust, Avecto and Bit9 add superior inventory capabilities and a broader range of controllable actions on top of AppLocker’s EXE restrictions.
Is AppLocker entirely effortless? Of course not -- no security system is. And it doesn’t replace anti-malware software. What it does do is create defense in depth, an additional layer of protection that can help meet business goals, as well as security goals.
ABOUT THE AUTHOR:
Don Jones and Greg Shields are co-founders of Concentrated Technology, an IT education and strategic consulting firm. Contact them through http://ConcentratedTech.com.
This was first published in April 2011