Windows Insider

Approved Execution: The Security Mentality that Really Works

It may seem draconian at first (and a lot of work), but security policies based on 'approved execution' can be worth it.

I attended my very first TechMentor conference back in 2004. Sponsored by the same company that publishes this magazine, that conference taught me a lot about managing IT systems. (TechMentor will take place again this month in Orlando, Fla., and again in October in Las Vegas.)

I still remember one particular session from that 2004 conference. In it, the speaker talked about a technology called Software Restriction Policies (SRPs). Natively available in Windows Group Policy since Windows XP and Windows Server 2003 -- and therefore already present on every domain-joined Windows computer of that era, with nothing to license or install -- SRPs were used to control which applications were allowed to execute.

Using an SRP, an admin could identify a list of executables not allowed to run on Windows computers. Via a process referred to as blacklisting, known bad apps could be added to this list and prevented from execution. The weakness of that model is obvious in hindsight: a blacklist only stops what you have already identified as bad, so any executable you have never seen runs by default.

The opposite was also possible, although it required a bit more effort to implement. Called whitelisting, this approach instead began with a blanket "no" for every executable (a default-deny posture). Applications and their executables were then specifically granted permission to run only if approved by IT and company policy; anything not on the list, including software nobody had ever heard of, simply would not start.

As the speaker explained whitelisting, I remember one admin standing up to tell his success story. His organization had invested in the painful process of inventorying every application and executable. Having that list of everything that might run in the company's environment, the IT team made the conscious decision about which apps were approved for execution. Any new or updated application needed approval by his team before it could run.

At the time, I remember thinking, "What a draconian policy! How much effort is required to maintain that list, especially as product versions and executables change as they're patched and updated?" With SRPs, that level of effort could be substantial.

Yet what I didn't realize at the time was how powerful a policy of "approved execution" could be for security. Think about its end state: In an environment of approved execution, a dropped, e-mailed or drive-by-downloaded executable that isn't on the approved list never runs, whether or not any antivirus vendor has a signature for it yet. That sidesteps many forms of malware attack outright. It is not a complete answer on its own, though: code that runs inside an already-approved host -- a macro in Office, a script fed to an approved interpreter, a DLL loaded by an approved process -- is only covered if your policy also restricts those file types, and a user with local administrator rights can usually change or disable the policy.

You can still find SRPs in Group Policy, although in Windows 7 and Windows Server 2008 R2 they have been superseded by the newer Microsoft AppLocker technology (when both are configured on the same machine, AppLocker rules take precedence). I wrote a detailed explanation about AppLocker in an October 2009 TechNet Magazine article ("AppLocker: IT's First Security Panacea?").

Far easier than SRPs to implement, AppLocker can automatically generate your environment's rule set from an inventory of a reference machine, and it can run in an audit-only mode that logs what would have been blocked before you turn enforcement on. Note that AppLocker ships only in the Enterprise and Ultimate editions of Windows 7 and in Windows Server 2008 R2, and that rules are enforced only while the Application Identity service is running. But AppLocker isn't the only solution available. Third-party vendors have also jumped on the bandwagon of approved execution. Vendors such as Viewfinity, BeyondTrust, Avecto, Bit9 and others augment the basic functionality of AppLocker with greater control over administrator privileges in combination with execution control. Many add the ability to lock down individual actions -- such as ActiveX installation, changing the system time and updating drivers and network settings, among others -- to the list of approved actions.
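The whitelisting workflow described above -- inventory what runs, turn the inventory into an approved list, default-deny everything else -- looks like this when done with AppLocker's own PowerShell module. This is an added example written for this page, not code from the column or from Microsoft's documentation. It assumes an elevated PowerShell session on Windows 7 Enterprise/Ultimate or Windows Server 2008 R2 (or later), a reference machine whose installed software is exactly what you intend to approve, and the directory names and output path shown, which you should adjust to match your own image.

```powershell
# Added example: build an AppLocker allow-list from a reference machine and
# deploy it in audit mode first. Assumes an elevated session and that the
# reference image contains only software you intend to approve.
Import-Module AppLocker

# Directories to inventory. C:\Windows must be included, or the operating
# system's own binaries will be denied by default once enforcement is on.
# Paths are assumptions; extend the list to match your image.
$dirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'

# Step 1: inventory. Collect publisher (Authenticode) and hash information
# for every executable, script and installer under those directories.
# DLL rules are deliberately left out here: they multiply rule count and
# evaluation cost, and should be enabled only after the Exe policy is stable.
$inventory = foreach ($d in $dirs) {
    if (Test-Path $d) {
        Get-AppLockerFileInformation -Directory $d -Recurse `
            -FileType Exe, Script, WindowsInstaller
    }
}

# Step 2: inventory -> rules. Publisher rules are preferred because a signed
# binary keeps matching after it is patched; unsigned files fall back to
# hash rules, which must be regenerated whenever the file changes.
# -Optimize collapses many files from one publisher into one rule.
$policy = New-AppLockerPolicy -FileInformation $inventory `
    -RuleType Publisher, Hash -User Everyone -Optimize

# Step 3: dry-run the policy against files before touching the machine.
# Anything with no matching rule reports PolicyDecision 'DeniedByDefault'.
$probe = 'C:\Windows\System32\notepad.exe',
         'C:\Users\Public\Downloads\unknown.exe'   # constructed sample paths
Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Step 4: switch every rule collection to AuditOnly before deploying.
# Audit mode logs what *would* be blocked without blocking it.
$xml = [xml]$policy.ToXml()
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$out = 'C:\AppLocker\approved-audit.xml'        # assumed output path
New-Item -ItemType Directory -Force -Path (Split-Path $out) | Out-Null
$xml.Save($out)

# Step 5: apply locally (use -Ldap with a GPO path to deploy domain-wide)
# and make sure the Application Identity service is running, because
# AppLocker evaluates nothing while AppIDSvc is stopped.
Set-AppLockerPolicy -XmlPolicy $out
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Step 6: after a representative period, review what audit mode caught.
# Event ID 8003 = "was allowed to run but would have been prevented";
# each hit is either a missing approval or the evidence you wanted.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-List
```

Only after the 8003 events have dried up (or each one has been deliberately approved or rejected) should the EnforcementMode attributes be changed to Enabled and the policy re-applied; at that point the same file that produced an 8003 in audit produces an 8004 (blocked) and the user gets the AppLocker denial dialog. Keep the reference inventory under change control, since every patch to an unsigned, hash-ruled binary is a rule that has to be regenerated.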

While approved execution might seem to be a draconian approach to locking down desktops, the mere presence of these products suggests it's a security mentality that really works. Quite different from the antivirus, anti-malware and other anti-anything software that constantly monitors for activities, heuristics and malware-like behaviors in an almost reactive way, approved execution proactively prevents the world's bad software from ever getting initiated on your corporate assets. It complements rather than replaces those tools: you still want to detect what gets through an approved host, and you still need a review process so the approved list doesn't quietly grow to "everything anyone ever asked for." If you're still struggling with security, such a policy and its associated technology might be the missing link of your Windows environment.

About the Author

Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.


  • Cloud Services Use on the Rise But Security Concerns Remain

    A recently published industry report suggested that use of public cloud services by organizations may nearly double in the next two years.

  • OneDrive Users To Get Storage Options, Plus New Personal Vault

    Microsoft announced a few OneDrive enhancements, including storage-option additions, plus a new "Personal Vault" feature for added security assurance.

  • Cloud Services Starting To Overtake On-Prem Database Management Systems

    Database management system (DBMS) growth is happening more on the cloud services side than on the traditional "on-premises" side, according to a report by Gartner Inc.

  • How To Replace an Aging Domain Controller

    If the hardware behind your domain controllers has become outdated, here's a step-by-step guide to performing a hardware refresh.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.