Block Untrusted Executables

PowerBroker for Windows supports rules that elevate applications as well as rules that verify an application meets specific criteria before it may run. Below is a screenshot of a basic ruleset that elevates specific applications, trusts authorized vendors and custom applications, and denies any other executable that does not meet these criteria. With this ruleset in place, an executable that is not on the allow list and is not properly digitally signed by a trusted vendor will not run, regardless of where it came from.
Stopping Droppers

Unfortunately, trusted applications can launch other applications as part of their normal function. This includes browsers, mail programs, and even PDF readers. The consistent part of this problem is that the dropped executables almost always launch from temporary file directories. Using PowerBroker for Windows File Integrity Rules, administrators can track, alert on, and block rogue dropper executables that appear in these directories. Below is a screenshot of what this rule looks like for Microsoft Outlook. Please note that the temporary directory path can vary per operating system and Outlook version, so multiple rules may be needed to cover each of your deployed platforms.
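The two ideas above (only signed, trusted publishers may run; anything executable that lands in a temp directory is suspect) can be checked from plain PowerShell as well. The script below is an added example written for this page, not PowerBroker code or a BeyondTrust-supplied rule. It reads Outlook's secure temp folder from the registry (the `OutlookSecureTempFolder` value under the per-version `Outlook\Security` key, which is why the path differs between Outlook releases), sweeps it and `%TEMP%` for executables, reports any that are not validly signed by a publisher on an allow list, and then registers a file-system watcher that warns when a new executable is dropped. The publisher allow list, the set of Office version keys checked, and the extension list are assumptions to adjust for your environment.

```powershell
# Added example, not PowerBroker code: flag executables dropped into Outlook's
# secure temp folder or the user's %TEMP% that are not signed by a trusted publisher.
# Run dot-sourced (. .\Find-TempDroppers.ps1) so the functions and allow list stay
# defined while the watcher is registered.

# Assumed publisher allow list; replace with the certificate subjects you trust.
$global:TrustedPublishers = @(
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

function global:Get-OutlookSecureTempFolders {
    # Outlook records its attachment temp path in OutlookSecureTempFolder under the
    # per-version Security key. Version keys checked here are an assumption
    # (16.0 = Outlook 2016/2019/365, 15.0 = 2013, 14.0 = 2010).
    $paths = @()
    foreach ($ver in '16.0', '15.0', '14.0') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
        $val = (Get-ItemProperty -Path $key -Name OutlookSecureTempFolder -ErrorAction SilentlyContinue).OutlookSecureTempFolder
        if ($val -and (Test-Path -LiteralPath $val)) { $paths += $val }
    }
    return $paths
}

function global:Test-DropperCandidate {
    param([Parameter(Mandatory)][string]$Path)
    # Authenticode check: a file is only "trusted" if the signature validates AND
    # the signer is on the allow list. Unsigned or tampered binaries fail both ways.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Publisher = $publisher
        Trusted   = ($sig.Status -eq 'Valid' -and $global:TrustedPublishers -contains $publisher)
    }
}

$watchDirs = @($env:TEMP) + (Get-OutlookSecureTempFolders)
$exeExt    = '*.exe', '*.dll', '*.scr', '*.com'   # assumed set of executable extensions

# One-shot sweep: report everything already sitting in the watched directories.
$findings = foreach ($dir in $watchDirs) {
    Get-ChildItem -Path $dir -Include $exeExt -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-DropperCandidate -Path $_.FullName }
}
$findings | Where-Object { -not $_.Trusted } | Format-Table -AutoSize

# Continuous alerting: warn as soon as a new executable lands in a watched directory.
foreach ($dir in $watchDirs) {
    $watcher = New-Object System.IO.FileSystemWatcher $dir
    $watcher.IncludeSubdirectories = $true
    $watcher.EnableRaisingEvents   = $true
    Register-ObjectEvent -InputObject $watcher -EventName Created -Action {
        $p = $Event.SourceEventArgs.FullPath
        if ($p -match '\.(exe|dll|scr|com)$') {
            Start-Sleep -Milliseconds 500   # let the dropping process finish writing the file
            $r = Test-DropperCandidate -Path $p
            if (-not $r.Trusted) {
                Write-Warning "Untrusted executable dropped: $($r.Path) [$($r.Status); $($r.Publisher)]"
            }
        }
    } | Out-Null
}
```

This script only reports; it does not block execution the way the PowerBroker rule does, and a watcher running in the user's own session can be stopped by the same user. Its value is in validating which temp paths actually exist on each of your Outlook versions before you write the corresponding File Integrity Rules, and in giving you an alert stream to compare against PowerBroker's own logging.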
Blocking Vulnerable Applications

PowerBroker for Windows contains patented technology called Vulnerability Based Application Management (VBAM). This Risk and Compliance feature provides a real-time assessment of vulnerable applications, based on the Retina Vulnerability Database and on the user's interaction with the system. Policies can then be established to deny (or notify on) the launch of a vulnerable application that could be leveraged in a ransomware attack. This helps ensure that service level agreements for patch management are being met and that no system with an unacceptable level of risk is left unaddressed. Below is a screenshot of a basic Risk and Compliance rule that will deny an application from launching if its documented vulnerability is rated critical and is more than 30 days old.
While no solution is 100% effective in stopping ransomware, there are plenty of good products that can drastically reduce the risk. Creating rules like these in PowerBroker for Windows can accomplish this goal and reduce the overall risk to your assets by adopting the concept of least privilege across all your endpoints (including Macs, with PowerBroker for Mac). If you would like to learn more about how PowerBroker can help mitigate the risks of ransomware, contact us today. For more tips on optimizing PowerBroker for Windows to defend against ransomware, please see Ransomware – Fine Tuning PowerBroker for Windows Rules, Part 2.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.