Modern operating systems have a bewildering number of settings and are thirsty for programs to run. Enterprise policy management products allow administrators to establish a single, solid, enterprise-wide configuration, with fine-grained control of managed machines. Some policy management tools let an administrator list specific applications that should be given permission to run. Such a whitelist can block all other non-authorized applications.
Policy management products, however, can also be used to establish a blacklist that prevents certain applications from running, such as specific games, peer-to-peer file sharing programs and malware. Of course, to create an effective blacklist, you'll either have to work hard to create your own, or subscribe to a service that provides signatures for programs whose execution you may want to block. Defining applications that a system should or should not run is sometimes referred to as "application execution control" or "software restriction policy."
Management through Group Policy
Microsoft has provided enterprise policy management capabilities via software like Group Policy and Active Directory. Through Group Policy, thousands of settings for users and/or Windows machines in a given domain can be tweaked. To get a feel for what can be configured on your own, take a gander at the Group Policy Microsoft Management Console (MMC). Here's how it works:
- On Windows XP Pro, 2003, or Vista Business/Ultimate, go to "Start -- Run:"
- Type "mmc" and hit Enter.
- Go to "File -- Add/Remove Snap-in"; then click the Add button.
- Choose the Group Policy Object Editor from the list and select Add.
- Select the default ("Local Computer") and hit Finish.
- Click Close in the "Add Standalone Snap-in" window and OK in the "Add/Remove Snap-in" window.
For example, to display a warning banner for users when they log on to a system, you can go to "Local Computer Policy -- Computer Configuration -- Windows Settings -- Security Settings -- Local Policies -- Security Options." Then, select Interactive logon: Message Test for Users Attempting to Log On. You can enter text in that window. Sure, there is a registry key setting for this option, and you can also set it via the secpol.msc Microsoft control. This overall Group Policy MMC, however, gives you access to nearly every setting on the Windows machine all in one handy place.
As another completely unrelated example, you can go to "Local Computer Policy -- Computer Configuration -- Administrative Templates -- Windows Components -- Internet Explorer." Then, select "Security Zones: Do not allow users to add/delete sites." With this setting, you can stop users from adding Web sites to the trusted zone of Internet Explorer. Most users have no idea of what should or should not be trusted, and you can control this setting across your empire via Group Policy.
Beyond those examples, within the Group Policy Editor that was just invoked, you can define a whitelist or blacklist of programs that should or should not be allowed:
Go to "Console Root -- Local Computer Policy -- Windows Settings -- Security Settings -- Software Restriction Policies."
Windows identifies whitelisted or blacklisted programs based on a variety of factors, including the MD5 or SHA-1 hash of the program, its location in the file system (its path), and where the program came from (e.g., the Internet, intranet or from the local computer). Microsoft describes how to write these Software Restriction Policy rules in detail.
Management through the endpoint security suite
Other vendor products offer alternative policy management mechanisms. Most major endpoint security suites -- tools that roll together antivirus, antispyware, personal firewalls and host-based intrusion prevention systems -- contain fine-grained policy management, including application execution control.
During the past three months, my colleague Matt Carpenter and I analyzed the execution control capabilities of various endpoint security product suites. We found that McAfee Inc., eEye Inc. and Symantec Corp. offered the most flexibility for software execution control, with custom-designed whitelists and blacklists based on executable path, hash or regular expression matching. CA Inc.'s blacklist and whitelist capabilities were also impressive, augmented by a graylist function that allows admins to define specific program execution rules based on user role and time of day. Sophos had the most limited control in this arena, supporting only application blacklists, for which the vendor generates a specific signature.
Beyond the Group Policy and endpoint suites, other vendors offer useful security policy management capabilities, including Altiris SecurityExpressions (now owned by Symantec), BigFix Inc.'s Security Configuration Management and numerous others.
While built-in Group Policy options are powerful and fine-grained, they are often cumbersome to configure and difficult to understand. Endpoint suites are another alternative, but each provides varying capabilities. Your choice should be based on your organization's comfort with policy configuration.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.