Application restriction products or whitelist products let administrators configure client computers to run only specifically authorized applications. Rather than worrying about users running malware or dangerous scripts, administrators develop a list of authorized applications that users are allowed to run. If an application isn’t on the authorized list, the user is simply blocked from running that application. Depending on the complexity of the technology used for whitelisting, these approved applications can be identified by publisher certificate, a hash value “digital fingerprint,” or a simple path and filename.
Identification based on publisher certificate is typically the easiest way to manage application whitelisting. When you identify an application based on a publisher certificate, you often have the option of including all future versions of that application in any rule. One drawback of identification on the basis of publisher certificate is that there are still a large number of applications that aren’t digitally signed and can’t be identified in this manner. Some implementations of this technique only allow whitelisting based on the publisher’s name, whereas others allow whitelisting based on the name assigned to the application and the version of that application.
Identification based on hash value lets you generate a digital hash, something like a digital fingerprint, that identifies the target application’s executable file. A drawback of digital hashes is that every time the file is modified, through patching or the installation of a new version of the application, the hash value needs to be recalculated because the digital fingerprint has changed. If you’re whitelisting based on hash value, you need to come up with a way of keeping your hash values up-to-date as part of your regular patch management cycle.
Identification based on path is the simplest way of identifying files, but it’s also the least secure. An advantage of publisher certificates and hash values is that if an executable file is modified by malware, the file will no longer be whitelisted because it will no longer match the identifying properties of the publisher or hash rule. An infected executable file identified by pathname will still be whitelisted because even though the file itself might have become malicious, it will still be identified as safe by the whitelist.
Software Restriction Policies and AppLocker
Windows has had application restriction policies since the release of Windows XP. Software Restriction Policies (SRPs) let you create hash rules and path rules. SRPs have the following benefits and drawbacks:
- Include hash-based and location-based file identification.
- Include publisher certificate rules, but they work on an all-or-nothing basis. You either allow all applications signed by a publisher or no applications signed by a publisher. For example, you can’t use a publisher certificate rule to allow Adobe Acrobat but block Adobe Photoshop. You need a copy of the publisher’s certificate in .cer or .crt format to create an SRP certificate rule.
- Allow you to specify which file extensions indicate that a file is executable.
- Don’t include publisher rules.
- Rules must be created manually.
- No central reporting solution, other than combing event logs.
- Use native Group Policy functionality; don’t require installation of an extra client.
Windows 7’s AppLocker extends the functionality of SRPs. AppLocker offers the following improvements and differences over SRPs:
- You can create a publisher rule based on a sample file rather than needing a separate certificate file in .cer or .crt format.
- You can automatically scan a computer to have a set of publisher and certificate rules created.
- Doesn’t support clients other than Windows 7 Professional, Enterprise, or Ultimate editions.
- Must be applied through Group Policy. Lack of client software means administrators must perform substantially more work to get AppLocker working.
- Still doesn’t provide a central reporting solution.
If you want to use application whitelisting as part of your organizational security strategy, and you’re looking for a product that offers more than SRPs and AppLocker, consider using an application restriction product such as Lumension Application Control, Sophos’s Endpoint Security and Data Protection, or Bit9 Parity. All of these products provide substantially more functionality than application whitelisting. Although I mention this functionality, the focus of the following product reviews is to compare their application whitelisting functionality.
Lumension Application Control
Lumension Application Control is a whitelist-specific product that offers automatic application discovery, software update authorization, script and macro protection, application review options, local application authorization, and heuristics to detect the spread of malicious code that has been locally authorized on a specific number of computers. Lumension uses hash-based and path-based rules for file identification and lets administrators remotely scan clients to generate file identification lists.
Client deployment. The Lumension software ships with both an x64 and an x86 Windows installer in MSI format. Administrators can deploy the software to clients through either Group Policy or more sophisticated solutions such as Microsoft System Center Configuration Manager (SCCM).
Creating and updating policies. Lumension Application Control lets you perform discovery to identify which applications are present in your environment. You use the results of these scans to create application whitelisting policies.
After you identify the files that are present in your environment, you can use the Lumension Application Control console to add files to file groups. You use file groups as the basis for blocking or allowing applications. You can apply different application whitelists to different users by assigning the users to different file groups. File groups determine which applications are whitelisted for that user, as Figure 1 shows.
Benefits over AppLocker. The biggest benefit of Lumension Application Control over AppLocker is the extensive remote discovery functionality. With AppLocker, you must run the wizard locally on a reference system to create the application list. With Lumension, you simply point the wizard at a target system to generate the list after scanning that system.
Lumension also provides better monitoring functionality with centralized reporting. The product leverages the power of SQL Server databases in generating reports.
Finally, Lumension offers spread check functionality. The software automatically blocks the spread of suspicious executable files.
Additional notes. Lumension has a very involved installation process. Whereas the installation for both Endpoint Security and Data Protection and Bit9 Parity is primarily a short wizard that you can easily click through, Lumension Application Control installation involves closely following several pages of detailed instructions. A competent administrator won’t find this task to be problematic, but the more complex an installation process is, the more likely an administrator is to make mistakes when implementing it.
Although Lumension Application Control provides a quick and easy way of generating file identification data for use in whitelists, the product documentation suggests using path rules for applications that are regularly updated. As I mentioned earlier, path rules can be problematic from a security perspective because a path rule will still allow an executable file infected by malware to run whereas a certificate rule or hash rule will not.
Summary - Lumension Application Control
PROS: Straightforward detection of applications; whitelists are easy to create
CONS: Complicated installation routine; difficult to configure
PRICE: $45 license; $9 per year maintenance
RECOMMENDATION: Admins who are looking for more functionality than AppLocker provides might like this product; however, it has an unnecessarily complicated installation routine.
CONTACT: Lumension Security • 888-970-1025 • www.lumension.com
Endpoint Security and Data Protection 9.5
Sophos’s Endpoint Security and Data Protection 9.5 is an advanced endpoint security solution that includes antivirus, firewall, application control, device control, data loss prevention, encryption, and network access control functionality for Windows, Linux, Mac, and UNIX clients. As is the case with Bit9 Parity and Lumension Application Control, Endpoint Security uses a SQL Server 2008 Express back end to store application information.
Client deployment. Whereas Bit9 and Lumension both include standalone client installers, Sophos uses a push-based installer to push the client from the console to the computer that will be protected. It’s possible to download a client file directly from Sophos, but this file isn’t included by default.
Administrators have to prepare client computers before attempting to deploy the client from the Sophos console. This process involves modifying the default network and sharing settings, changing the Remote Registry service’s startup status, modifying User Account Control (UAC) settings, and modifying the firewall settings.
Creating and updating policies. Sophos application restriction policies are created by selecting the Application Control node under Policies in the Sophos Enterprise Console. You can create a new policy or edit the default policy. You apply policies to computer groups; a computer can belong to only one custom group at a time.
Sophos provides you with an extensive list of applications, sorted by functionality. The administrator creates a policy by going through the list and determining which applications to allow and which applications to deny. Sophos updates the list on a regular basis, which means that after you allow a specific application, all future iterations of that application will theoretically be identified by Sophos and that identification will pass back down to your endpoint installation. Sophos also continuously adds new applications to its list. It’s not directly clear how Sophos deals with custom applications.
The default policy authorizes all applications, although it’s relatively simple to block all applications and then add the applications used in your environment to the whitelist. Figure 2 shows an archive tool added to the whitelist. There appears to be no tool included in the product to automatically test which applications are installed on a computer—so unless you have an up-to-date software inventory, you should proceed with caution when building your application whitelist.
Sophos’s application control policies are applied on the basis of computer group. You can import existing computer groups from Active Directory (AD) or create your own group hierarchy. Computer accounts can be imported from AD or by scanning the network. As I mentioned earlier, a computer can belong to only one group. In addition, only one application control policy can apply to a group, although the same application control policy can apply to multiple groups.
I was unable to determine from the Sophos documentation or interface how to create whitelist rules for products that aren’t included in Sophos’s list of identified products. It’s unclear if Sophos uses a certificate-based, hash-based, or path-based file identification mechanism. To a certain extent, this is a moot point because the main benefit of using a certificate-based identification mechanism over a hash-based mechanism is ensuring that rules remain up-to-date after applications are patched. Because rule definitions are downloaded through regular updates from Sophos, this isn’t a problem.
Monitoring. Sophos has a specific console that lets you monitor all application control–related events. This tool lets you view application control events that occurred within a specific time period, occurred to a specific user, involved a specific computer, or involved a specific application type.
Benefits over AppLocker. Endpoint Security has several benefits over AppLocker. First, Endpoint Security creates identification heuristics for specific applications, so administrators don’t have to create them manually. In addition, Endpoint Security updates the application identification database. A drawback of the product is that it doesn’t appear to be possible to block a specific version of an application (e.g., Adobe Acrobat 9) but allow a later version of the same application.
Additional notes. Before deploying Endpoint Security and Data Protection, an administrator will need to apply policies to ensure that the appropriate settings are in place and services are started. Without an MSI installer, deployment occurs through the Sophos console. Some administrators might find that using the console for client deployment doesn’t scale well for their organizations. But if you’re in a heterogeneous environment, Sophos includes support for Mac, UNIX, and Linux clients as well as support for all Windows client OSs.
Handing off rule creation to the vendor has both benefits and drawbacks. The drawback is that it might be difficult to integrate custom executable applications into your rules. The benefit is that by letting Sophos handle rule updates, after you whitelist an application you don’t need to worry about maintaining rules for that application.
Summary - Endpoint Security and Data Protection 9.5
PROS: Automatic rule maintenance reduces the amount of time administrators have to spend updating whitelist rules; supports Mac, Windows, and Linux platforms
CONS: Unclear how to add either custom software or software not in Sophos’s existing list
PRICE: $11 per user per year for up to 99 users
RECOMMENDATION: This product is part of a broader security suite and might suit organizations with a heterogeneous client deployment of off-the-shelf rather than custom software.
CONTACT: Sophos • 888-767-4679 • www.sophos.com
In addition to offering application whitelisting functionality, Bit9 Parity also offers registry protection functionality, configuration monitoring and drift management, and file inventory functionality.
Client deployment. Bit9 Parity’s client deployment is through MSI files that can be deployed either traditionally via Group Policy or with an application deployment tool such as SCCM 2007 R3. Users can also install the Bit9 client software directly from file shares on the management server.
Creating and updating policies. Bit9 Parity uses policies to organize computers into groups with similar security requirements. The client software blocks and allows executable files based on settings within the policy. When you create a policy, you configure options for how to deal with approved and unapproved executables, including blocking unanalyzed or unapproved scripts and executables and blocking specific filenames and hashes. Figure 3 shows a Bit9 Parity policy.
The file approval settings that you can configure include (but aren’t limited to) the following:
- Approval by Trusted Directory—Approved files are listed in this directory, which Bit9 Parity queries.
- Approval by Publisher—Lets you approve files based on digital certificate, similar to AppLocker publisher rules.
- File Approval Rules—Lets you approve files based on a hash value.
You can subscribe to a database hosted by Bit9 that automatically updates your whitelist so that users can run applications that are proven to be safe. Applications that are shown to be unsafe or problematic are automatically blocked.
Monitoring. Bit9 Parity offers monitoring and automatic detection of new applications, as well as administrator notification. This feature lets administrators quickly determine whether any new applications have entered the environment and decide whether to authorize those applications. Unknown applications are blocked by default. After an administrator reviews an application, he or she can approve it.
Benefits over AppLocker. Bit9 Parity has several benefits over AppLocker. First, the product works on Windows Vista and XP clients. In addition, Bit9 Parity includes an online file identification functionality that ensures that when an application is blocked, you can find more detail about the application, such as whether Bit9 considers the file to be a threat or benign. You can also submit blocked applications to Bit9 for the company to provide a threat assessment. Bit9 Parity has substantially better reporting functionality than AppLocker provides. Finally, Bit9 Parity’s web-based monitoring console lets administrators connect to multiple clients without having to install a separate management console.
Additional notes. Bit9 Parity currently requires IPv6 to be disabled on the management server. Although the vast majority of organizations aren’t using IPv6 on their internal network, this might be a problem for the small number of organizations that have transitioned to an IPv6 infrastructure.
Bit9 Parity has extensive application control functionality. The only drawback of the product is that the extensive functionality can be challenging to leverage for administrators who are unfamiliar with the interface.
Summary - Bit9 Parity
PROS: Extensive feature set
CONS: Interface needs reworking to make it easier to leverage the product’s extensive functionality
PRICE: $39 for a perpetual license
RECOMMENDATION: Administrators who are looking for better functionality than AppLocker provides and who take the time to master Bit9 Parity’s way of doing things will find the product to be a highly effective whitelisting solution.
CONTACT: Bit9 • 617-393-7400 • www.bit9.com
Your Best Bet
Whether you choose to use an application whitelisting product or the native Group Policy functionality depends a lot on your organization’s environment and needs. Whitelisting products can substantially reduce the cost of malware infections and unauthorized applications, because an application won’t run unless it’s on the whitelist. Whitelisting products that go beyond the default functionality that’s built into the Windows Server OSs are necessary for most organizations because unless you’re running a pure Windows 7 client environment, administrators will spend more time than it’s worth to keep SRPs up-to-date.
Maintenance is of critical importance. The biggest cost involved in deploying application whitelisting isn’t the products themselves but the amount of time systems administrators will need to spend setting up and maintaining their application whitelists. Bit9 Parity and Lumension Application Control allow for the automatic detection of changed files, giving administrators the ability to quickly adapt to the changing application ecosystem they’re responsible for managing. The Sophos approach provides a central list of applications from which whitelists can be generated, but administrators might have questions regarding whether Sophos’s list includes all the applications in use at their organization.
It’s important to note that the products I reviewed are part of broader endpoint security suites. This review looks at only one specific aspect of these suites rather than attempting to make a comparison across all the features present in each suite. Depending on their taste, administrators might find it easier to accomplish important whitelist maintenance and management tasks using the Bit9 Parity interface than the interface that ships with Lumension Application Control or Sophos’s Endpoint Security and Data Protection.