Application Security Redux: It’s All about the Apps (Part 3)

If you would like to read the other parts in this article series please go to:

Introduction

In this article series, we got started in Part 1 with a broad overview of application security, and specifically the different components of an effective and comprehensive application security strategy and began to address some of the different types of application security issues, then focused on coding defects, how they occur, types of app vulnerabilities, and how to prevent or fix them. In Part 2, we started with a look at how to protect applications from tampering or access and also took a closer look at the special case of mobile applications.

This time, in Part 3, we’ll discuss how you can block undesirable applications and restrict what users are able to do with the apps that you do allow them to use. We’ll look at this from two different perspectives: blocking and controlling applications in Windows desktop operating systems, and blocking/controlling mobile apps on smart phones and tablets.

Blocking applications in Windows

There are a number of different ways to control the use of specific programs in Windows, and which one is appropriate in a given case depends on exactly what you need to accomplish as well as, in some cases, your computer and network configuration. It also depends on whether you want to block applications network-wide or only on specific computers.

Note that some of the methods we’re going to describe in the following sections work only with particular versions of Windows. Microsoft currently supports Vista, Windows 7, Windows 8.1 and Windows 10 client operating systems. You may have any or all of these running on computers in your organization. Some companies still have systems that are running Windows XP.

Here we’ll go into some detail about each of the following ways to control or block applications on Windows computers:

  • Preventing users from installing applications via Group Policy
  • Using a registry hack to block applications
  • Using third party software to prevent users from installing programs
  • Using a firewall to block applications from accessing the Internet or block web-based (cloud) applications
  • Using AppLocker (the administrative tool formerly known as Software Restriction Policies) to control running of installed applications
  • Using terminal services, remote app or VDI to control the applications to which users have access

Preventing users from installing applications via Group Policy

Users can’t run applications that aren’t installed (well, okay, they can run web apps, but for the moment we’re talking about local applications. We’ll get to blocking web sites later). Thus one of the simplest ways to keep them from using undesirable applications – whether because the apps present security concerns or because they become time-wasting activities that negatively impact the users’ productivity – is to keep those programs from being installed in the first place.

You can start by giving users who don’t need more privileges a standard user account. This type of account allows them to use most of the programs that are installed but doesn’t allow them to install or uninstall software or hardware. A potential problem with this is that some applications they might need to use require administrative privileges. We’re talking here about local accounts as opposed to Microsoft accounts. Although local accounts are still alive and well in Windows 8/8.1 and 10, those operating systems are more cloud-centric and users may log on with their Microsoft accounts.

In Windows 8 and Server 2012 and later, you can use group policy settings to prevent users from adding Microsoft accounts on a computer. It can be set in the domain policy or local policy settings. This is found in the following location in the Group Policy Editor console (GPEdit.msc):

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

If you enable the Users can’t add or log on with Microsoft accounts policy setting, users will not be able to log on with their existing Microsoft accounts and they will not be able to create new Microsoft accounts on the computer or switch a local account to a Microsoft, nor will they be able to connect a domain account to a Microsoft account.

Note that enabling this as a domain policy will not affect computers that are running versions of Windows prior to Windows 8 and Server 2012.

Another way to block users from installing programs in Windows that works with with any account, you can use group policy to disable Windows Installer. This method will work on Windows XP, Vista, 7, 8/8.1 and 10 as well as the Windows Server operating systems. This setting can be found at the following location in the Group Policy Editor:

Computer Configurations > Administrative templates > Windows Components > Windows Installer.

Set the policy to Disable Windows Installer. There are several options:

  • Always will disable Windows Installer completely. Note that this doesn’t prevent users from installing programs via methods other than Windows Installer.
  • Never will fully enable Windows Installer so that users can use it to install or upgrade programs.
  • For non-managed apps only is a middle ground setting by which you can restrict users to installing only the programs that you assign to them or publish.

Block applications by editing the Registry

Another way to prevent users from installing software is to block it through a registry hack. Of course, all the usual precautions pertaining to editing the registry apply: back it up first in case of a mistake. To use this method, you’ll need to navigate to the following key in the Registry Editor:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer\DisallowRun

Now you need to create a string value in that key, give it a name and set its value to the name of the executable file for the program that you want to block. If you want to block more than one, you’ll need to create additional string values, one for each applications. Obviously this is a tedious task if you want to block many programs, but can be useful if you only want to block a few.

Using third party software to prevent the installation of software

Yet another way to block the installation of applications by users, as well as automatic installation of malware, spyware, and adware from “drive-by” attacks, is to use products designed to monitor and control software installation. There are a number of third party programs, including some designed for enterprise use, that will prevent installers such as Microsoft’s Windows Installer, InstallShield and other commonly used commercial installer programs from running without authorization.

Many of these make it easy to whitelist authorized users to allow them to install software without restrictions. Those who attempt to install software without authorization can receive alerts to let them know that it’s not allowed. You can also prevent users from uninstalling software with these utilities, and disable the web browser(s).

Using a firewall to block applications

Despite the many proclamations regarding the demise of the perimeter and how firewalls are obsolete in today’s “networks without borders,” this guardian of the gateway’s death has been greatly exaggerated. Both network and host-based firewalls continue to be an essential part of a comprehensive corporate or personal security strategy, and firewalls can be used both to block users from downloading applications from the Internet and to block installed apps from accessing the Internet.

Whether you’re using the Windows firewall built into the client operating system or a sophisticated server-based or appliance-based firewall at the network level, blocking applications is done by creating firewall rules that deny the ports or protocols used by the application to communicate. Windows firewall makes it relatively easy to block programs by creating outbound rules in the Advanced Settings. You just create a new rule and select to block a program and then browse to find the path to the specific executable files for the program you want to block. You can also apply the rule to a specific network or networks (Public, Private or Domain). This tutorial contains detailed instructions for blocking programs using the Windows 10 firewall.

With a network firewall, it’s a bit more complicated but you also have more control and flexibility. Firewalls that support layer 7 firewall rules can block clients from accessing specific online applications. You can filter Internet apps such as Facebook or Spotify using web filtering. Network-based application layer firewalls operate for the specific purpose of blocking input and/or output or access to applications and services.

Of course, today’s networks are very cloud-centric and as you might expect, there are now cloud-based web application firewalls that can be used without installing software or hardware on the host computers. In general, they work by routing traffic through the cloud-based firewall and that means you’ll usually have to configure DNS to do so.

Summary

This third installment in our series on application security began a discussion of ways to block applications in Windows, and we covered how to prevent users from installing applications via Group Policy, using a registry hack to block applications, using third party software to prevent users from installing programs and the use of a firewall to block applications from accessing the Internet or to block web-based (cloud) applications.

Next time, in Part 4, we’re going to delve into Microsoft’s AppLocker, which was introduced in Windows 7 and Server 2008 R2 and grew out of the previous Software Restrictions Policies feature. Be sure to join us then.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top