
Leverage Your Existing Microsoft Investments for Application Whitelisting
Specify which applications can execute, leaving everything else implicitly or explicitly denied

What Is It?

I consider a firewall to be a Yes / No device when you strip away all the “Next Generation” and Unified Threat Management (UTM) pieces. To some degree, Application Whitelisting works the same way by specifying which applications can execute (The Whitelist) leaving everything else implicitly or explicitly denied (The Blacklist).

There are applications in the middle (Greylist), but those are for administrators to decide, not the end-users. By the way, make sure the firewall mentioned above also has a default “deny all” rule in place! I have seen many installations where the final rule was an “Allow All” with millions of hits against it.

Application Whitelisting is a hot topic of discussion, and it continues to appear in many conversations focused on the Australian Cyber Security Centre (ACSC) Essential Eight or application and data security in general. It’s quite intimidating to think one needs yet another system to manage this, but the reality is that you can leverage your existing investment in Microsoft technologies.

With Microsoft, you say? How do I do that?

Whether you realise it or not, even the most basic Microsoft deployment can do some degree of Application Whitelisting. How? Start with Active Directory (AD) Group Policy Objects (GPOs). As an aside, even policies that control Microsoft Office Macros and Windows Defender Firewall serve as a basic form of Application Whitelisting. From there, if you have Microsoft licenses up to and including E5, you may have access to AppLocker, Windows Defender Application Control, and Azure Adaptive Application Controls.
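The post lists Windows Defender Firewall policy as a basic form of application whitelisting and asks for a default "deny all" rule. The script below is an added example, not code from the original post: it turns the host firewall into a per-program allow-list by setting both directions to Block and then permitting only named executables outbound. It assumes an elevated PowerShell session on Windows 10/11 or Server 2016+ with the built-in NetSecurity module; every program path, rule name and GPO name is a placeholder to be replaced from your own inventory.

```powershell
#Requires -RunAsAdministrator
# Added example: Windows Defender Firewall as a coarse application allow-list.
# Program paths, rule names and the GPO name below are hypothetical placeholders.

# 1. Default deny on every profile. Blocking outbound by default is what makes
#    this an allow-list: a program with no Allow rule cannot reach the network.
#    Blocked connections are logged so missing rules can be found during a pilot.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. The allow-list: one outbound Allow rule per sanctioned program.
$allowedPrograms = @(
    @{ Name = 'Allow-Outlook'; Program = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE' },
    @{ Name = 'Allow-Edge';    Program = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' },
    @{ Name = 'Allow-Payroll'; Program = 'C:\Apps\Payroll\payroll.exe' }   # hypothetical line-of-business app
)

foreach ($app in $allowedPrograms) {
    # Drop any stale copy first so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $app.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $app.Name `
        -Direction Outbound -Action Allow -Enabled True `
        -Profile Domain, Private, Public `
        -Program $app.Program | Out-Null
}

# 3. Verify: every enabled outbound Allow rule and the program it is bound to.
#    Rules bound to "Any" program are the ones that quietly undo the allow-list.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $filter.Program }
    } |
    Sort-Object Program, Rule | Format-Table -AutoSize

# 4. To ship the same rules through Group Policy instead of the local store
#    (placeholder GPO name), open a GPO session and repeat New-NetFirewallRule
#    with -GPOSession, then save it:
# $gpo = Open-NetGPO -PolicyStore 'contoso.com\Workstation Firewall'
# New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow-Outlook' -Direction Outbound -Action Allow -Program '...'
# Save-NetGPO -GPOSession $gpo
```

Run this on a pilot group first: with outbound default-deny in place, any OS component that the built-in rule set does not already cover (update, time synchronisation, name resolution) needs its own Allow rule, and the `pfirewall.log` entries tell you which ones you missed.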

Indeed, like the Lego box we all grew up with as kids, you likely have a lot of the pieces you need to get started, but let’s not get ahead of ourselves; first things first.

Where Do I Start?

The first step is to understand your information systems and which applications are needed to perform your business functions. If you don’t have this list already, please create it and engage a security specialist to help if needed. This list will become your “Whitelist”. It’s worth noting that not every team in your organisation will use the same list: there may be a core list (such as office applications) for everyone but different whitelists for other roles (such as Payroll and HR). Getting a handle on which applications you need and which you don’t want is crucial; otherwise you can find yourself preventing good and allowing bad like a lousy B-grade superhero movie.

With many of us in a pure or hybrid cloud environment, using a Cloud Access Security Broker (CASB) like Microsoft Cloud App Security can help get a handle on things. There are many other great tools like Microsoft System Centre Configuration Manager (SCCM) that will help sniff out applications and programs throughout the network. The key here is to discover and take inventory of as many (if not all) of the applications possible. This inventory includes dependencies resident within your environment.

It may be a great idea to understand where your data resides so that in addition to the applications, you can follow the data they use, store, and transmit. An excellent service to use here could be Azure Information Protection, supported by a DLP solution (which Microsoft has) and use of the Office 365 eDiscovery in the Azure Security and Compliance Centre. No matter the solution you choose, ensure you find as many of the moving pieces as you can.

Review the people and processes in place to ensure that, in addition to applications and data, you can control who has access to the data and how they access it. Adoption of a Zero Trust model and leveraging the Just-In-Time / Just-Enough-Administration approaches can help manage your regular and privileged users alike.

Inventory and understanding complete (or at least underway), it’s time to do something with all that knowledge!

How Do I Make It Work?

Earlier I mentioned you probably already have the required hardware and software to make this a reality. Most modern endpoint protection applications, such as those from leading traditional security vendors, can perform application whitelisting. Advanced UTM firewalls that offer application control are not really “Whitelisting” but can add another layer of defence if you choose.

Better still, if you have some of the core Microsoft Services and even some of the advanced subscription services like Defender ATP and Azure Adaptive Application Controls, you probably don’t need to look much further.

You can start with Group Policy Objects (GPOs) in Active Directory, and you’ll find a wealth of controls available with the granularity needed to manage objects. If you’re using an Endpoint Detection and Response suite like Windows Defender ATP, you can leverage the Application Control component. AppLocker also plays in this space. The fact remains that you probably have most of what you need to start and keep going, along with the tools to monitor and manage from a single point. Slick!
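The steps above (inventory the sanctioned applications, build a core whitelist plus role-specific ones, then enforce through GPO and AppLocker) can be carried out end to end with the AppLocker PowerShell module. The script below is an added example, not code from the original post: it scans a clean reference build, generates publisher rules with hash fallback, puts the policy in audit mode, tests it against sample files and applies it. It assumes an elevated session on a Windows edition that includes AppLocker (Enterprise/Education or Windows Server), and that the Application Identity service (AppIDSvc) runs on target hosts. The Payroll directory, the `CONTOSO\Payroll-Users` group and the LDAP path are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: build, audit, test and deploy an AppLocker whitelist per role.
# Directories, group names and the LDAP GPO path are hypothetical placeholders.
Import-Module AppLocker

# 1. Inventory the "core" whitelist from a clean reference machine. DLL rules
#    are deliberately left out here: they multiply the rule count and the scan time.
$coreDirs  = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$coreFiles = foreach ($d in $coreDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Rules for everyone: Publisher rules survive patching, Hash rules catch
#    unsigned files; -Optimize merges duplicates; -Xml returns the policy document.
[xml]$corePolicy = New-AppLockerPolicy -FileInformation $coreFiles `
    -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml

# A role-specific whitelist (hypothetical Payroll application, hypothetical AD group).
$payrollFiles = Get-AppLockerFileInformation -Directory 'C:\Apps\Payroll' -Recurse -FileType Exe, Script
$payrollPolicy = New-AppLockerPolicy -FileInformation $payrollFiles `
    -RuleType Publisher, Hash -User 'CONTOSO\Payroll-Users' -Optimize

# 3. Audit first: AuditOnly logs what *would* be blocked without blocking it.
#    Switch to 'Enabled' only once the audit log shows no surprises.
foreach ($rc in $corePolicy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$auditPath = Join-Path $env:TEMP 'AppLocker-Core-Audit.xml'
$corePolicy.Save($auditPath)

# 4. Dry-run the policy against a sample folder before touching any machine.
$samples = Get-ChildItem 'C:\Users\Public\Downloads' -Filter *.exe -ErrorAction SilentlyContinue
if ($samples) {
    Test-AppLockerPolicy -XmlPolicy $auditPath -Path $samples.FullName -User 'Everyone' |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Deploy. On a pilot workstation, merge into the local policy:
Set-AppLockerPolicy -XmlPolicy $auditPath -Merge

# For the fleet, merge into the GPO linked to each role's OU (placeholder DN):
# Set-AppLockerPolicy -XmlPolicy $auditPath -Ldap 'LDAP://DC01.contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com' -Merge
# Set-AppLockerPolicy -PolicyObject $payrollPolicy -Ldap 'LDAP://DC01.contoso.com/CN={PAYROLL-GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com' -Merge
```

Two caveats a practitioner will want: the generated policy contains only rules for what was scanned, so combine it with the AppLocker default rules (allow `%WINDIR%` and `%PROGRAMFILES%` for Everyone, allow everything for Administrators) before enforcing, or the operating system itself can be denied; and `-Merge` adds rules to an existing policy rather than replacing it, which is what you want for layering the Payroll list on top of the core one.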

Pitfalls?

Many, which is why I recommend getting the right people involved, and this means more than just the IT team. Management also needs to support and sign off on this initiative. Having it as part of your information security / general IT policies is also recommended. You need to know what applications are on your network and which ones are required. It’s not a smooth voyage, but one worth taking. At the heart of it, executing code is the cause of a lot of breaches. Also, consider that it’s not always malware; sometimes, what works against you are your tools and utilities!

Ghosts in the Machine?

It’s us, plain and simple. We just want to do our jobs, get paid, and go home to our families. Be ready to uncover “Shadow IT” and related shadow data that often arise because of shortcuts (well-intended or otherwise) that we use to get the job done. Application Whitelisting can help secure the environment but prepare for some resistance from the masses.
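The "Shadow IT" the post warns about, and the "which applications are required" question from the Pitfalls section, both show up in the AppLocker audit log as programs that ran but would have been denied under enforcement. The script below is an added example, not code from the original post: it pulls those audited events, rolls them up by program so the busiest unsanctioned tools surface first, and flags unsigned binaries in user-writable folders for review. It assumes an elevated session on a host (or an event collector) where AppLocker is running in AuditOnly mode; the output CSV path is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: triage AppLocker audit events to find unsanctioned software.
# Assumes AppLocker is in AuditOnly mode on this host; the CSV path is a placeholder.
Import-Module AppLocker

$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

# 1. "Audited" events are the ones that would have been denied had the policy
#    been enforced; that is exactly the list of things not yet on the whitelist.
$audited = foreach ($log in $logs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited -ErrorAction SilentlyContinue
}
if (-not $audited) {
    Write-Host 'No audited events found. Is AppLocker in AuditOnly mode and AppIDSvc running?'
    return
}

# 2. Roll up by path so the most frequently run unsanctioned programs come first;
#    well-intended shortcuts tend to be the busiest entries.
$triage = $audited |
    Group-Object -Property { [string]$_.Path } |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Runs      = $_.Count
            Path      = $_.Name
            Publisher = if ($first.Publisher) { $first.Publisher.PublisherName } else { '(unsigned)' }
            Hash      = [string]$first.Hash
        }
    } |
    Sort-Object Runs -Descending
$triage | Select-Object -First 25 | Format-Table -AutoSize

# 3. Unsigned binaries living in user-writable locations deserve a closer look
#    before anyone asks for them to be whitelisted; export them for the review.
$flagged = $triage | Where-Object {
    $_.Publisher -eq '(unsigned)' -and $_.Path -match '\\(Downloads|Temp|AppData)\\'
}
$flagged | Export-Csv -Path (Join-Path $env:TEMP 'applocker-audit-review.csv') -NoTypeInformation
```

Programs that turn out to be legitimate go back through `Get-AppLockerFileInformation` on the file and `New-AppLockerPolicy` to extend the relevant role's whitelist; the rest is the resistance the post predicts, now with a count of how often each item runs to support the conversation with management.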

Anything Missing?

Make sure you have the endpoint protection applied to every host that you can and think beyond just workstations; locking down the ability of applications to execute on your servers – especially database servers and web servers – can be an invaluable tactic.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; do not rely on it as such. Obtain appropriate legal advice in actual situations. All images, unless otherwise credited, are licensed through Shutterstock.