One of the best ways to protect against malicious software is to prevent users from running unwanted applications with a technology called application control. Application control restricts the software that runs on a system to programs that meet the organization’s security policy. Learn about implementing application control via whitelists and blacklists, patching applications, and host software baselining.
- [Instructor] One of the best ways to protect against malicious software is to prevent users from running unwanted applications with a technology called application control. Application control restricts the software that runs on a system to programs that meet the organization's security policy. There are two main approaches to application control: whitelisting and blacklisting. In the whitelisting approach, administrators create a list of all of the applications that users may run on their systems. This works well in a very tightly controlled environment but can be difficult to administer if you have many different applications and roles.
The blacklisting approach offers users much more flexibility. Instead of listing the applications that users are allowed to run, administrators list prohibited applications. This is much easier for users but reduces the effectiveness of application control. Windows provides the AppLocker functionality to implement application control. Let's go ahead and build an AppLocker application control policy by creating a group policy object. I'm going to go ahead and open up the Group Policy Management Tool.
And then I'm going to expand the Group Policy Objects. Right click on this and say I want to create a new GPO. And I'm going to name this Application Restrictions. And click Okay. So I've just created the shell GPO and I now need to put the rules into it. So I'm going to right click on this Application Restrictions GPO that I created. And choose Edit to open up the Group Policy Management Editor. Now what I need to do is go into the computer configuration. I'm going to go right here, I'm also going to expand the Policies folder.
Let me make this a little bit bigger so that you can see what I'm doing. Then I'm going to choose Windows Settings. Security Settings. And if I look down here, you can see it says Application Control Policies, and that sure sounds like what I'm looking for. I expand that and see AppLocker as a choice. When I open up AppLocker you'll see that there are several different types of rules that I can create about applications that I wish to control. I'm going to go ahead and create an AppLocker policy that prevents users from running Wireshark on my system.
That's a network monitoring tool and it can be used for eavesdropping on the network. So it's reasonable to want to prevent users from accessing that tool. We're going to do that with an executable rule so I click on that and I right click and click Create New Rule. And then a wizard pops up that's going to help me create this rule to deny everyone access to Wireshark. I'm going to skip past this introductory screen. The rule that I'm creating should apply to everyone as it says here, so that's okay. But I want to create a rule that denies access to a particular piece of software.
So I'm going to change this action from Allow to Deny. And click Next. Now I need to select the type of condition that I'm trying to create for this rule. I know the specific file that I don't want users to run, and where it's located. So I'm going to choose Path and click Next. And now the wizard is asking me to identify that file. So I'm just going to click Browse Files here. Go up to Search. And type Wireshark. And then Windows finds it, so I'm just going to click on that and choose Open.
And you can see it's filled in the path to Wireshark.exe. Now I'm going to just click Create. And a warning message pops up from AppLocker telling me that there aren't any default rules created. So it's warning me that I'm trying to turn on application control, but I don't have enough rules in place for it to work efficiently. So I'm just going to tell it to go ahead and create those default rules. And if I make this window a little bigger you can see that there are four rules now here in this Group Policy Object that relate to application control.
This one on the bottom, the Deny rule, is blocking Wireshark, just like we asked. Then there are three other default rules up here. These are allowing some application use. The first rule is allowing all users to run any application that's located in the Program Files folder. The next rule is allowing everyone to run everything in the Windows folder. And there's also a rule allowing administrators to run any file, assuming that they should have extra rights. So now what I have done is create an application control policy that prevents users from running the Wireshark tool.
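The same four-rule policy the instructor builds in the GUI (three default Allow rules plus the Deny rule for Wireshark), expressed with the AppLocker PowerShell module as an added example that is not from the course. The Wireshark install path, the GPO's LDAP path and the helper function New-PathRule are assumptions; the SIDs for Everyone and BUILTIN\Administrators are the well-known values.

```powershell
# Added example, not from the course: build the AppLocker policy as XML, test it
# against the binary before deploying, then write it into the GPO.
# Assumed values: the Wireshark path and the GPO's LDAP distinguished name.
Import-Module AppLocker

$WiresharkPath = '%PROGRAMFILES%\Wireshark\Wireshark.exe'              # assumed install path
$ExePath       = Join-Path $env:ProgramFiles 'Wireshark\Wireshark.exe'  # same path, expanded for testing
$GpoLdap       = 'LDAP://dc01.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'
$PolicyFile    = Join-Path $env:TEMP 'AppRestrictions.xml'

# Well-known SIDs: Everyone and BUILTIN\Administrators.
$Everyone = 'S-1-1-0'
$Admins   = 'S-1-5-32-544'

function New-PathRule {   # hypothetical helper: emits one AppLocker FilePathRule element
    param([string]$Name, [string]$Path, [string]$Sid, [string]$Action)
    # Every rule needs its own Id; generate one rather than reuse a built-in GUID.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$Rules = @(
    New-PathRule 'Deny Wireshark'            $WiresharkPath     $Everyone 'Deny'
    New-PathRule 'Default: Program Files'    '%PROGRAMFILES%\*' $Everyone 'Allow'
    New-PathRule 'Default: Windows folder'   '%WINDIR%\*'       $Everyone 'Allow'
    New-PathRule 'Default: Admins all files' '*'                $Admins   'Allow'
) -join "`n"

# EnforcementMode=Enabled blocks; AuditOnly would only log AppLocker events (useful for a pilot).
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$Rules
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyFile -Encoding UTF8

# Evaluate the policy offline before deploying it: PolicyDecision should read Denied for Wireshark.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $ExePath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Write the policy into the GPO (replaces the GPO's current AppLocker policy; add -Merge to combine).
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap $GpoLdap
```

AppLocker rules are enforced only on hosts where the Application Identity service (AppIDSvc) is running, and a path rule matches only that one location, so for software that ships signed a publisher rule is the more robust identifier.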
Earlier in this course, you learned about the importance of applying security patches to your operating system to protect against new vulnerabilities. It's also important to apply patches to applications as they can also have security flaws. Different software vendors provide different patching mechanisms. Let's take a look at one of those. We're going to try to update our Adobe Acrobat Reader software. So I'm going to go ahead and try to open up Acrobat Reader. And when I do, I'm going to go to the Help menu.
And you can see there's a Check for updates option here. And that's included in a lot of applications. I'm going to click that and a special Acrobat Reader updater opens, quickly reaches out to Adobe's servers and checks to make sure that there are no updates available for Acrobat. So this is good to go. I'm nice and secure with my installation of Adobe Acrobat Reader. That's just one example of application patching. Security administrators must maintain familiarity with the software installed in their environments and the update mechanisms for each.
Finally, it's good practice to conduct host software baselining using the system configuration manager of your choice. Host software baselining uses a standard list of the software that you expect to see on systems in your environment and then reports deviations from that baseline. You'll be able to identify unwanted software running on computers on your network. Applications are a major source of security issues and, as a Security+ professional, you'll be responsible for monitoring application security in your computing environment.
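Host software baselining as the transcript describes it (a standard list of expected software, then a report of deviations), as an added example that is not from the course. The baseline list is constructed for illustration, the helper functions are hypothetical, and the inventory comes from the Uninstall registry keys that Programs and Features reads.

```powershell
# Added example, not from the course: compare a host's installed software against a baseline.
# The baseline below is constructed; in practice it comes from your configuration manager.
$Baseline = @(
    'Google Chrome'
    'Adobe Acrobat Reader DC'
    'Microsoft Edge'
    '7-Zip 23.01 (x64)'
)

function Get-InstalledSoftware {
    # Enumerate the Uninstall keys (64-bit, 32-bit and per-user) that Programs and Features reads.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate -Unique
}

function Compare-SoftwareBaseline {
    param([string[]]$Expected, [object[]]$Installed)
    $installedNames = $Installed.DisplayName
    # Present on the host but not in the baseline: candidate unwanted software.
    foreach ($item in $Installed | Where-Object { $Expected -notcontains $_.DisplayName }) {
        [pscustomobject]@{ Status = 'Unexpected'; Name = $item.DisplayName; Version = $item.DisplayVersion; Publisher = $item.Publisher }
    }
    # In the baseline but absent: a removed security agent or a broken image, which also matters.
    foreach ($name in $Expected | Where-Object { $installedNames -notcontains $_ }) {
        [pscustomobject]@{ Status = 'Missing'; Name = $name; Version = $null; Publisher = $null }
    }
}

$Deviations = Compare-SoftwareBaseline -Expected $Baseline -Installed (Get-InstalledSoftware)
$Deviations | Sort-Object Status, Name | Format-Table -AutoSize

# Keep one record per host so deviations can be trended or shipped to the SIEM.
$Deviations | Export-Csv -Path "$env:TEMP\$env:COMPUTERNAME-baseline-deviations.csv" -NoTypeInformation
```

Matching on DisplayName alone is a first pass; pairing it with DisplayVersion lets the same report flag applications that are present but missing the patch level the baseline expects.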
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.