Approved Execution: The Security Mentality that Really Works
It may seem draconian at first (and a lot of work), but security policies based on 'approved execution' can be worth it.
- By Greg Shields
I attended my very first TechMentor conference back in 2004. Sponsored by the same company that publishes this magazine, that conference taught me a lot about managing IT systems. (TechMentor will take place again this month in Orlando, Fla., and again in October in Las Vegas.)
I still remember one particular session from that 2004 conference. In it, the speaker talked about a technology called Software Restriction Policies (SRPs). Natively available in Windows Group Policy -- and therefore automatically present on every Windows computer -- SRPs were used to control the execution of applications.
Using an SRP, an admin could identify a list of executables not allowed to run on Windows computers. Via a process referred to as blacklisting, known bad apps could be added to this list and prevented from execution.
The opposite was also possible, although it required a bit more effort to implement. Called whitelisting, this approach instead began with a blanket "no" for every executable. Applications and their executables were then specifically granted permission to run if approved by IT and company policy.
As the speaker explained whitelisting, I remember one admin standing up to tell his success story. His organization had invested in the painful process of inventorying every application and executable. Having that list of everything that might run in the company's environment, the IT team made the conscious decision about which apps were approved for execution. Any new or updated application needed approval by his team before it could run.
At the time, I remember thinking, "What a draconian policy! How much effort is required to maintain that list, especially as product versions and executables change as they're patched and updated?" With SRPs, that level of effort could be substantial.
Yet what I didn't realize at the time was how powerful a policy of "approved execution" could be for security. Think about its end state: An environment of approved execution automatically sidesteps many forms of malware attack.
You can still find SRPs in Group Policy, although their approach in Windows 7 and Windows Server 2008 R2 has been deprecated by the new Microsoft AppLocker technology. I wrote a detailed explanation about AppLocker in an October 2009 TechNet Magazine article ("AppLocker: IT's First Security Panacea?"), which you can read here.
Far easier than SRPs to implement, AppLocker can automatically generate your environment's list of executables to allow or deny. But AppLocker isn't the only solution available. Third-party vendors have also jumped on the bandwagon of approved execution. Vendors such as Viewfinity, Beyond Trust, Avecto, Bit9 and others augment the basic functionality of AppLocker with greater control over administrator privileges in combination with execution control. Many add the ability to lock down individual actions -- such as ActiveX installation, changing the system time and updating drivers and network settings, among others -- to the list of approved actions.
While approved execution might seem to be a draconian approach to locking down desktops, the mere presence of these products suggests it's a security mentality that really works. Quite different than the antivirus, anti-malware and other anti-anything software that constantly monitors for activities, heuristics and malware-like behaviors in an almost reactive way, approved execution proactively prevents the world's bad software from ever getting initiated on your corporate assets. If you're still struggling with security, such a policy and its associated technology might be the missing link of your Windows environment.
Greg Shields is a senior partner and principal technologist with Concentrated Technology. He also serves as a contributing editor and columnist for TechNet Magazine and Redmond magazine, and is a highly sought-after and top-ranked speaker for live and recorded events. Greg can be found at numerous IT conferences such as TechEd, MMS and VMworld, among others, and has served as conference chair for 1105 Media’s TechMentor Conference since 2005. Greg has been a multiple recipient of both the Microsoft Most Valuable Professional and VMware vExpert award.