What About Lockdown?

By Jason Brooks  |  Posted 2008-09-25


Ideally, perhaps, business computers would operate like stateless appliances, with administrators maintaining tight control over all system functions and permissions. However, the total lockdown model doesn't mesh well with the realities of today's Windows client environment.

For better or worse, the Windows software ecosystem is organized around the assumption that regular users also will be administering their machines, installing updates from various sources and pulling down plug-ins and extensions to run on their browsers.

Users must have access to the applications they require to do their work. Considering the claims that Microsoft and others have made that as many as 80 percent of businesses allow their users to run with administrative privileges, locking down the client environment tightly enough to shut out malware can wreak collateral damage on the ecosystem of beneficial applications and on the productivity of PC users.

Enter Whitelisting

Application whitelisting offers organizations an anti-malware option that can be more flexible than total lockdown yet more comprehensive than the blacklisting approach embodied by anti-virus.

Rather than block known bad applications or react to suspicious behaviors, whitelisting products operate by allowing only those applications and processes that have been specifically admitted by IT to run on a system. Whitelisting controls extend not only to installed applications, but also to executables that run from a user's home directory or from removable media. In its simplest form, this can boil down to complete lockdown, but the sort of whitelisting implemented by most vendors allows for enough flexibility to keep systems usable as well as secure.

For most application whitelisting products, the configuration process begins with a scan of an organization's golden image to create a database of identifying hashes for the executables contained in the image. From here, administrators can disallow particular applications that, while not harmful themselves, may be deemed unwanted by company policy. For instance, although Microsoft's Windows Messenger does not qualify as malware, an organization may not want to allow instant messaging applications on its managed systems.

At this point, administrators also can add other applications to their whitelist policies and, in most cases, determine separate allowed application policies for different sets of users based on group information in Active Directory. Certain application whitelisting products, such as those from Bit9 and CA, also offer administrators guidance in deciding which applications to include in their whitelists. Both vendors maintain databases of scanned applications, along with trust ratings based on the vendors' analysis.

Of course, once released into the wild, desktop PCs very quickly diverge from the golden image. Even the most conservatively managed machines pick up large numbers of operating system and application updates, and more liberally managed clients can rack up new applications at a rapid pace.

In order to maintain control in the face of these changes, application whitelisting products enable administrators to confer trusted status on specific change agents, including application updaters, specific software repositories and applications that carry approved digital signatures. In this way, organizations can enforce their application-vetting policies while allowing users to self-serve.

For cases in which users may find the need to access applications that fall outside of the whitelist policies defined by their IT organizations, most whitelisting products allow for a middle ground, typically called graylisting, in which unknown executables may be provisionally cleared for certain users, in certain circumstances or after vetting processes have occurred.

Application whitelisting vendor CoreTrace allows administrators to identify trusted users who, upon attempting to install or run an unknown application, can be notified that they're running an unvetted application before the executable in question runs. If the trusted user proceeds, then their local policy will be updated to allow the application. CoreTrace's product, Bouncer 4.0, will then notify the IT staff, providing an opportunity to add the application to their master whitelist or to deny its use.
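As an added illustration (not code from the article or from any vendor's product), here is a small Python model of the whitelist logic described in the preceding paragraphs: a hash database built by scanning a golden image, a policy deny for an application that is present in the image but unwanted, and a graylist path that lets a trusted user provisionally clear an unknown executable. The executables, file names and user names are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the executables found in a golden image (name -> bytes).
GOLDEN_IMAGE = {
    "notepad.exe": b"MZ constructed notepad image",
    "messenger.exe": b"MZ constructed windows messenger image",
    "excel.exe": b"MZ constructed excel image",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_golden_image(image: dict) -> dict:
    """Initial scan: build the whitelist database of identifying hashes (hash -> name)."""
    return {sha256_hex(data): name for name, data in image.items()}

@dataclass
class Policy:
    whitelist: dict                                   # hash -> executable name
    denied_names: set = field(default_factory=set)    # in the image, but unwanted by policy
    trusted_users: set = field(default_factory=set)   # may provisionally clear unknowns
    graylist: dict = field(default_factory=dict)      # user -> hashes cleared for that user

def build_sample_policy() -> Policy:
    """Constructed policy: Messenger is denied by policy, 'alice' is a trusted user."""
    return Policy(whitelist=scan_golden_image(GOLDEN_IMAGE),
                  denied_names={"messenger.exe"},
                  trusted_users={"alice"})

def decide(policy: Policy, user: str, exe: bytes, accepts_unvetted: bool = False) -> str:
    """Return the enforcement decision for one execution attempt.

    Decisions key on the hash, so a renamed or modified binary never inherits
    the whitelist entry of the original.
    """
    h = sha256_hex(exe)
    name = policy.whitelist.get(h)
    if name is not None:
        return "deny" if name in policy.denied_names else "allow"
    if h in policy.graylist.get(user, set()):
        return "allow"                      # previously graylisted for this user
    if user in policy.trusted_users:
        if accepts_unvetted:
            policy.graylist.setdefault(user, set()).add(h)
            return "allow-graylisted"       # local policy updated; IT is notified to vet
        return "prompt"                     # warn the trusted user before it runs
    return "deny"
```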

Bouncer 4.0, as well as other application whitelisting products, can provision access to unknown executables to machines outside of the corporate network. For instance, an application may be allowed while a user is on the road or at home, but be blocked once that user returns to campus.

As Editor in Chief of eWEEK Labs, Jason Brooks manages the Labs team and is responsible for eWEEK's print edition. Brooks joined eWEEK in 1999, and has covered wireless networking, office productivity suites, mobile devices, Windows, virtualization, and desktops and notebooks. Jason's coverage is currently focused on Linux and Unix operating systems, open-source software and licensing, cloud computing and Software as a Service. Follow Jason on Twitter at jasonbrooks, or reach him by email at jbrooks@eweek.com.
