For a general-purpose computer used for all manner of things (surfing the Web, reading email, running enterprise applications, evaluating new software, etc.), such restrictions are highly unwieldy and difficult to keep up to date. But, for a computer that doesn't have to do very many different things (like one used for just reading email and surfing the Internet with a small number of helper applications), such restrictions can greatly improve security. Unfortunately, most enterprise systems fall somewhere in the middle of these two extremes.
I recommend surveying system administrators to determine where your organization has pockets of relatively simpler computers, and then start using them to experiment with software restriction policy whitelists. Gradually move up to more complex classes of systems over time, until you reach the point of diminishing returns in maintaining such lists from an operational perspective. That point will likely be reached quickly, keeping whitelists on only the simplest of computers. Still, for those boxes, security will have improved significantly.
For more information:
- In this Q&A, learn if using whitelists and blacklists is an effective method for preventing spam.
- Michael Cobb unveils whether allowing only whitelist email messages will stop image spam.
This was first published in April 2008