Applocker: Scenarios for Use and Deployment
As many enterprises evaluate their plans for the 'next generation' endpoint device in their organization, large challenges loom and large opportunities abound. Is now the time to consider switching your desktop management platform? How about anti-virus software for the desktops? With Windows 7 on the horizon, there is a clean slate to start with and lots of decisions to make.
Many organizations are migrating from Windows XP to Windows 7, having skipped Windows Vista. From Windows XP's release in 2001 to Windows 7's release in late 2009, a lot has changed in the operating system ecosystem. Windows XP was missing a lot of core components that are required for a desktop to survive, especially on a hostile network like the Internet (or a typical corporate network, for that matter). Windows 7 Enterprise now includes a number of capabilities 'out of the box' that are comparable to what you may have purchased and deployed from a third-party for previous operating systems. Simplifying the desktop image and adding additional capability make a lot of sense, especially during the image build process.
Over the next few articles, we'll cover each of the integrated Windows 7 security features in-depth: Applocker, User Account Control (UAC), BitLocker and the new and improved Windows Firewall. These reviews are intended to help the IT Professional decide which capabilities satisfy the requirements necessary and where a third party may still make sense.
System Integrity: A brief synopsis
An overwhelming concern when defining a system security policy for endpoints is how administrative rights and privileges are controlled and distributed. An overwhelming percentage of automated attacks rely on inappropriate permissions on files or permissions to execute these files. While taking 'Administrator' privileges away has become less of an all-or-nothing proposition with User Account Control, it's still a fairly complex process to deal with during operating system planning and deployment, especially when large and complicated application compatibility issues are involved. In Windows 2000, Windows Server 2003 and Windows XP, a capability was available known as 'Software Restriction Policy' (SRP). SRP was controlled via Group Policy and allowed an administrator to define rules to block or allow programs to run. Being able to define programs and controlling their ability to execute was a unique way to increase system integrity and reduce instances of malware infection.
So, what was the issue with SRP? By and large, adoption of SRP never really took off in the enterprise or even in smaller environments. A number of factors contributed to this, mostly involving the complexity of the rule-sets and the lack of a logical exception structure. Microsoft took these deficiencies into account when it designed AppLocker, a Windows 7 Enterprise feature. It's important to understand that SRP doesn't 'go away' in Windows 7, it's simply augmented by the more advanced AppLocker capability.
AppLocker is designed to be a more flexible enterprise solution that complements a defense-in-depth security approach on both the endpoint and the server. In addition to being a re-write of SRP, it's got much tighter integration into the operating system (See Figure 1) to provide granular versioning and application control (e.g.: only permitting certain versions of Internet Explorer to run). To give the reader a few creative ideas on where AppLocker could be useful, several scenario-based examples have been detailed below.
Figure 1: Group Policy Executable Rules - Internet Explorer Version 8 and above permit rule.
Scenario 1: White Listing for The Automated Teller Machine, SCADA device, Factory Process Controller, etc..
IT professionals rarely manage a set of uniform desktops; inevitably there are a number of devices that run Windows and (like any operating system) need to be maintained, patched, monitored and so on. The configuration of these devices is often very straightforward; an application or two that need to run on top of the operating system with varying levels of security (financial services and energy being some of the most security sensitive sectors). A properly configured and secured operating system can be augmented with AppLocker policy in what's referred to as a 'white list' approach; deny all executable content by default and only permit certain applications to run. Operating system functionality can be permitted, anti-virus software can continue to operate but any additional executable files will need to be manually permitted through the AppLocker configuration policy. This configuration is best suited for a fairly homogenous environment. If the environment contains a lot of identical devices with identical configurations, a simple and uniform AppLocker policy also adds a very high bar for an attacker to overcome in addition to more stringent change management and configuration control.
Scenario 2: Application inventorying capability and licensing
A common issue in IT organizations large and small is getting a comprehensive list of what's installed on different devices and enforcing licensing agreements. The fines for being out of compliance with licensing can be staggering; cracking down on users installing illicit software is also valuable. While more 'rich' functionality for inventorying and licensing compliance is enabled in broader enterprise management tools like System Center Configuration Manager, AppLocker allows the IT Pro to capture this data in 'audit only' mode or search for applications via a publisher name natively (See Figure 2).
Figure 2: Publisher-based conditions in an AppLocker rule creation wizard. By filtering or creating rules based on publisher, an organization can easily perform application inventorying or license compliance reporting.
Running a report looking for outdated versions of software (e.g.: anything prior to Office 2010) in audit-only mode allows for quick reporting and data gathering to understand where targeted software installation may have failed and where remediation should be targeted when looking for out of date files. The 'active' enforcement mode can be used gradually (enabled per Organizational Unit in Group Policy, for example) to phase out older versions of software as well.
Scenario 3: Controlling access to kiosks and shared desktops
Perhaps an IT organization has a kiosk environment where shared access is required or a healthcare environment requires that several users interact with a device throughout the day. By leveraging the permissions capability in AppLocker, different policies can be applied to different users based on identity, group membership, etc. This allows for more relaxed or restricted access and for a very different experience. In a kiosk environment, Microsoft used to offer a product called Windows Steady State; unfortunately, it's since been discontinued and IT shops are back to building their own kiosk environment from a clean Windows 7 image. AppLocker allows for restrictive access (white listing) for a kiosk user when logged in (see Scenario 1: very restricted and limited executable content permitted). When an administrator or other corporate user logs on, they are provided a different set of AppLocker policies. This combination of object-based permissions and user capabilities integrated with AD creates a powerful tool for presenting different experiences to different users while protecting the device from malicious attack, misuse or other integrity-based attacks
So, does AppLocker really stack up in an enterprise environment? While it's very powerful, it's missing a very critical feature in many administrators' minds: a database of content ranked by reputation, perhaps in a hash or other digitally signed format. There are third party offerings from companies such as Bit9 (www.bit9.com) that offers similar functionality (just not integrated into Windows) with access to a cloud-based database of software reputation. Third party tools like these leverage the 'white list' application tool as more of a malicious software detector and less of a pure policy enforcement engine, but may be more attractive to administrators that have the budget for a tool like this and want a more holistic solution.
For policy enforcement and for certain scenarios like the ones detailed in this article, AppLocker is very handy. The integration into Windows and the Group Policy framework provides for very seamless and flexible policy application, reporting and control. Of course, a healthy Active Directory and logical hierarchy is required to make the most use of this. A very deep understanding of the environment protected with AppLocker is recommended as well; while AppLocker has auto-discover capability, defining the rules as tightly and explicitly as possible provides for the most secure experience.
For organizations with a solid patch management strategy, a solid anti-virus strategy and a good monitoring strategy that are looking to provide additional capability, especially starting in more 'special purpose' scenarios, AppLocker is a winner. Once you've got the 'basics' in place, consider this as a part of your Windows 7 and Windows Server 2008 strategy.