application whitelisting

Contributor(s): Peter Loshin

Application whitelisting is the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications.  

In general, a whitelist is an index of approved entities. In infosec, whitelisting works best in centrally managed environments, where systems are subject to a consistent workload. The National Institute of Standards and Technology suggests using application whitelisting in high-risk environments, where it is vitally important that individual systems be secure and less important that software be useable without restrictions. To provide more flexibility, a whitelist may also index approved application components, such as software libraries, plug-ins, extensions and configuration files.

Application whitelisting vs. blacklisting

Unlike application blacklisting, which prevents known undesirable programs from executing, whitelisting is more restrictive and allows only programs that have been explicitly permitted to run. There is no consensus among security experts over which technique -- blacklisting or whitelisting -- is better. Proponents of blacklisting argue application whitelisting is too complex and difficult to manage. Compiling the initial whitelist, for example, requires detailed information about all users' tasks and all the applications they need to perform those tasks. Maintaining the list is also demanding because of the increasing complexity and interconnections of business processes and applications.

Proponents of whitelisting argue it is worth the time and effort needed to proactively protect systems and prevent malicious or inappropriate programs from entering the network. A whitelist that allows only applications that have been explicitly approved offers more protection against malicious software than the looser standard used by application blacklists, which permit any software to run unless it has been discovered to be malicious and has been added to the blacklist.

How application whitelisting works

Implementation of application whitelisting begins with building a list of approved applications. The whitelist can be built into the host operating system, or it can be provided by a third-party vendor. The simplest form of whitelisting allows the system administrator to specify file attributes associated with whitelisted applications, such as file name, file path and file size.

Windows AppLocker, which Microsoft added to Windows 7 and Windows Server 2008 R2, allows system administrators to specify which users or groups of users are permitted to -- or not permitted to -- run particular applications. In addition to restricting access to specific applications, AppLocker can be used to restrict users from installing new software, define which versions of a piece of software are permitted to be run and provide control for running licensed software.

Risks of using application whitelisting

When a whitelist relies only on simple file attributes, attackers can replace whitelisted applications with malicious apps with relative ease by creating a version of their malware that is the same size and has the same file name as a permitted application, and then replacing the whitelisted application with the malicious one. Therefore, it is much more effective for application whitelisting software to use cryptographic hashing techniques coupled with digital signatures that are linked to the software developers.
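The difference between the attribute-based list described under "How application whitelisting works" and a hash-based list can be shown in a few lines. This is an added example, not code from any whitelisting product; the file name and contents are constructed, and it covers only the hashing half of the recommendation, not signature verification.

```python
import hashlib
import os
import tempfile

def attribute_entry(path):
    """Whitelist entry built from file attributes only: (name, size)."""
    return (os.path.basename(path), os.path.getsize(path))

def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def allowed_by_attributes(path, whitelist):
    """Weak policy: approve if name and size match an enrolled entry."""
    return attribute_entry(path) in whitelist

def allowed_by_hash(path, whitelist):
    """Stronger policy: approve only if the content digest was enrolled."""
    return sha256_of(path) in whitelist

def demo():
    """Enroll a constructed 'approved' file, change its bytes, re-check both policies."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report_tool.exe")  # constructed file name
        approved = b"APPROVED-BUILD-1.0".ljust(64, b"\x00")  # constructed content
        with open(path, "wb") as fh:
            fh.write(approved)
        attr_list = {attribute_entry(path)}
        hash_list = {sha256_of(path)}
        before = (allowed_by_attributes(path, attr_list),
                  allowed_by_hash(path, hash_list))
        # Same name, same size, different bytes: the replacement described above.
        replaced = b"DIFFERENT-CONTENT!".ljust(64, b"\x00")
        with open(path, "wb") as fh:
            fh.write(replaced)
        after = (allowed_by_attributes(path, attr_list),
                 allowed_by_hash(path, hash_list))
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("original file (attributes, hash):", before)
    print("replaced file (attributes, hash):", after)
```

The attribute policy still approves the file after its contents change, while the hash policy rejects it; the cost is that every legitimate update needs a new digest enrolled, which is the maintenance burden the blacklisting proponents point to.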

See also: application security, Trojan horse, spyware, adware, drive-by download, pop-up download, barnacle, rootkit, malvertisement, clickjacking, scareware

This was last updated in January 2017


What kind of application whitelisting technologies have you worked with, and how well have they performed?
How do you unwhitelist files?
We've always used an ever-changing list of USE THIS, NOT THAT (or whitelist, blacklist if you prefer).

When we launch a new project, we expect our hires to follow the list. Since many arrive with installed programs, we test those while closely tracking their use. By the time the project wraps, the new programs will be on one list or the other....
@Snogherjsk: The answer to your question depends on the kind of file, and the way you are doing application whitelisting -- and I don't have specific expertise in doing this (maybe someone else has such an answer?).

However, that said, application whitelisting systems may offer some control over which types of files are opened with particular applications, such as Word or Excel files.

Other types of files, such as configuration files or plugins or any other type that might be considered "executable", would also likely be covered by controls provided by the application whitelisting system in use.
An environment in which employees have the latitude to download and install applications for expedient purposes is well ripe for application whitelisting, so as to prevent rogue applications and limit infection and application vulnerabilities that can create a security risk for the organization.
Whitelisting is a great strategy for preventing information security incidents related to malicious (or otherwise unwanted) applications -- but whitelisting is just one such strategy.

By itself, whitelisting is not going to be a complete security solution.

And all organizations, even those that don't allow users to install any software at all, can still benefit from implementing whitelisting as a part of a fully in-depth security strategy.
Is whitelisting the domain the solution on Windows 10 to gain access to a secure domain?
Maybe -- though I'm far from an expert on Windows 10. 

Presumably, you already have access to that domain (if you don't, you probably shouldn't be trying to access it without permission), in which case (I guess?) it would work.

But, again, I'm not an expert...

