The value of application whitelists

Complaints about UAC are mainly about the number of annoying notifications and consent dialog boxes the user is confronted with, particularly during the installation of software. Security is always a trade-off with performance and usability, and the workflow interruptions it causes are inevitable. Unfortunately, it's also inevitable that many users won't understand or appreciate the implications of clicking "Yes" or "No" in response to UAC's pop-up warnings.

Application whitelists: Better application control?
But better desktop security initiatives have to start somewhere, and the only way to win against malware is to prevent it from running on a system. An application whitelist -- what UAC is in many ways -- states which applications can run on a client machine. Whitelists are a powerful method for controlling what can and can't run on a system.

Yet managing enterprise-wide whitelists can pose a problem even in a managed environment where system administrators control what programs can and can't be installed and run by its users. Compiling the initial whitelist requires detailed reviews of users' tasks and the applications they need to complete them. The growing complexity of business processes and applications makes maintaining the list a lot of work. Plus there is the issue of enforcing segregation of duties -- ensuring employees are not assigned inappropriate combinations of application access rights. It can also be difficult to

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Asking the user to manage his or her whitelist is an imperfect solution. Frustration, lack of knowledge and sophisticated malware attacks using social engineering will lead many to still allow the installation of inappropriate software. To make application whitelists a success in your organization, you need not only senior management buy-in, but also a way of letting users quickly and easily request permission to run a new application. This could mean delegating approval rights to the department level, possibly with the right to grant a one-time run without full whitelisting.

One option could be to let a trusted source maintain an approved application whitelist. This already happens to an extent with AV software. For example, antimalware vendor Symantec Corp. uses a "Trusted Application List" of non-harmful applications. This type of list is also used by registry cleaners and spyware removers to determine if a given application is safe to keep, or needs to be removed. A more draconian step would be to allow systems to only install software that is digitally signed and downloaded from a trusted repository.

The real value of whitelisting
Whitelists, however, cannot fix an allowed program that has a vulnerability. Even in a whitelist environment, a typical buffer-overflow attack, for example, can still run malicious executables, because the system thinks it's the whitelisted, but vulnerable program running the code. Another shortcoming of many whitelist products is they lack any granularity of control. A simple "Yes" or "No" decision either allows the program to run or not, whereas it may be appropriate for some users to use a certain program, but only access certain features.

The real value of whitelisting is to control the applications running on a system, but as you can see, whitelists need to be bolstered by other technologies. Cisco Systems Inc.'s desktop host intrusion prevention, Security Agent, for example, provides application whitelisting and can also control what specific system resources they access, such as files and networks.

Various vendors are working on software restriction policies in the OS. Microsoft, for one, is pushing Address Space Layout Randomization (ASLR), which randomly positions key data areas, and Data Execution Prevention (DEP), which prevents the execution of code from a non-executable memory region. Both mechanisms can limit the damage that application vulnerabilities may cause. Microsoft certainly feels that application whitelists are an important part of a security strategy. Its virus and spyware protection technology for businesses, Forefront Client Security, is rumored to have whitelisting features added soon.

As always with security, layering protection is good practice, and it's good to see application whitelist technologies being used more widely as a layer of defense. Despite the management burdens, more enterprises should consider whether application whitelists should play a role in their security strategies.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG IAM Insights,   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   Application and Platform Security,   Windows Security: Alerts, Updates and Best Practices,   Operating System Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT IAM Insights Best practices for a privileged access policy to secure user accounts Best practices: How to implement and maintain enterprise user roles Kerberos configuration as an authentication system for single sign-on How to use single sign-on for Web access control to prevent malware Identity and access management 2009: Staff cuts, insider threats Deleting user accounts: How to manage users during a layoff User provisioning: Emerging product features reveal market's future The steps of privileged account management implementation Trends in enterprise identity and access management Malware, Viruses, Trojans and Spyware New Trojan stealing FTP credentials, attacking FTP websites Cybercriminals exploit Michael Jackson, Farrah Fawcett deaths When BIOS updates become malware attacks Antispyware buying guide for Indian enterprises PCI compliance requirement 5: Antivirus Hacker attack techniques and tactics: Understanding hacking strategies Rootkit Hunter demo: Detect and remove Linux rootkits Botnet threats and countermeasures Conficker worm much smaller than feared New Conficker variant has ties to Storm botnet Windows Security: Alerts, Updates and Best Practices When BIOS updates become malware attacks Microsoft patches WebDAV security vulnerability in bevy of updates Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Hackers targeting unpatched Microsoft DirectShow flaw Microsoft warns of IIS zero-day vulnerability Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw How to perform Microsoft Baseline Security Analyzer (MBSA) scans Microsoft patches serious Excel zero-day, Windows flaws Microsoft Stirling Beta 2 release includes Exchange SaaS offering RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Zotob  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.