The flip side of the coin can be just as compelling: If you lock your users out of everything, then how can they solve their own problems? What if John in HR wants to install some freeware that he feels he needs to get his job done? Can you afford to send support staff out on every single call you get? No, of course. But your consumers don't want to hear, No, that doesnt meet corporate standards so I wont support it, or Youll have to figure out some other way to get that done.
The tension between liberty and security is certainly not new. I say this not only as a security practitioner but also as a former history major. Read documents like the Magna Carta and the Constitution and youll see the conflict between liberty and freedom. Read The Federalist Papers and Common Sense and youll see the same clash.
Trying to maintain the delicate balance between freedom and security is an onerous task given the dire threat presented by todays malware. Enterprises are grappling with the need to keep users safe yet also to give them the tools they need to do their jobs. Endpoint management software has improved over the years and taken strides forward to try to balance these needs. IT groups now have the ability to install a variety of tools such as application whitelisting, configuration management, anti-malware, a software firewall, and H IPS, just to name a few.
Application white listing basically allows an IT department to establish and enforce security policies that allow users to run only known good applications. What youre basically saying is, I know that our custom business application is safe so that is allowed to execute, but I dont know whether that new .exe Fred is trying to run is malware or not. If I dont know for sure that the new .exe is good, then I wont allow it to run.
It goes without saying that any solution youre considering must have centralized management console with role based privileges so, for example, the help desk can see whats going on but cant change configurations. Typically, policy is maintained on the management console and enforced by agents running on user workstations.
The major area of concern for administrators is the ability to enroll acceptable applications and their updates on the whitelist quickly and easily. Make sure that the software simplifies this process, for example by automatically accepting all patches that are digitally signed. You should also have the ability to define different policies for different classes of user. In this way, a developer can have the freedom to install a new development tool, but the software on the kiosk in the waiting room cant be modified at all.
The major area of concern for users is the intrusiveness of whitelisting solutions. Early attempts to lock down workstations prevented users from doing just about anything. Look for a solution that can automatically request authorization for a new application from the central server without user intervention. Some products have a manual override that allows users to run software once without approval. The point is that keeping users safe shouldnt prevent them from doing their jobs and burdening your help desk.
Three whitelisting products for consideration:
AppLocker from Microsoft - Although not technically a product, Microsoft AppLocker can serve as a baseline for evaluating other application whitelisting solutions. You can also run a small pilot program to assess the applicability of whitelisting in your environment. Windows 7 Enterprise and Windows 7 Ultimate include AppLocker which can be managed locally or through Active Directory to provide application control. Administrators can build white- or black-lists to allow or deny execution of specific applications. Management is a bit more manual than the other solutions mentioned in this article. Policies are based on executable files, installers, scripts, and DLLs and can be assigned by user and/or group.
Bouncer 6.0 from Coretrace - Bouncer is considered one of the best application whitelisting solutions around and a new version is due to ship any day now. Bouncer relies on the concept of trusted change in order to make intelligent decisions regarding the execution of new applications based on factors such as whether or not the install package is digitally signed or resides on a trusted network volume.
New in version 6.0 is perhaps the coolest feature of any product in this class -- application intelligence determines which applications are commonly used by your users and by the Coretrace community in general and then decides whether or not the application should be trusted and executed. The new app gets added to an approval queue so IT staff can rollback the installation if it truly doesnt belong on the user workstation. Previously, only available as a hardware appliance, Bouncer 6.0 is available as a virtual appliance which simplifies installation.
Anti-executable Enterprise 3.5 from Faronics - Faronics makes a number of centrally managed software tools to lock down workstations by preventing modifications to the hardware and software. Workstations can be grouped together with different policies assigned by configuration or user job tasks. The product integrates with Active Directory or LDAP for directory based management. The solution allows you to create a white list from a properly configured workstation and push that configuration to other workstations on the network. During my testing, Anti-Executable Enterprise 3.5 performed extremely well and prevented all malware from running.
Matt Sarrel is executive director of Sarrel Group, a technology product test lab, editorial services and consulting practice specializing in gathering and leveraging competitive intelligence. He has over 20 years of experience in IT and focuses on high-speed large scale networking, information security, and enterprise storage. E-mail firstname.lastname@example.org, Twitter: @msarrel.