AppLocker Integration with Privilege Endpoint Management

This white paper examines the pros and cons of AppLocker and shows why AppLocker alone is not enough to achieve least privilege across the enterprise. Integrating AppLocker with BeyondTrust Privilege Endpoint Management lets users run with standard user rights while still giving them the access they need to do their jobs, so the two solutions complement each other in achieving least privilege.

Executive Summary

The introduction of AppLocker in Windows 7 allows organizations to use built-in technology to implement application control policies across the enterprise. By controlling which applications can and cannot run on an endpoint, organizations can significantly improve security by preventing unknown code, including malware, from running on client computers.

Not only can this improve security, but it can also improve license compliance and prevent malicious insiders from doing harm. AppLocker is not a panacea, however, and it is vital to continue to implement fundamental security best practices. Desktop hardening, Group Policies, virtualization, anti-virus and User Account Control alone are not enough to secure Windows 7 desktops. To have real control over the endpoints, users must be provisioned as Standard Users, not Administrators.

When a user runs as an Administrator, that user has full control over the computer, regardless of the security technologies installed on the endpoint. Users with full administrator privileges can easily circumvent all security controls that are intended to protect the business from security breaches. This white paper discusses why removing administrator privileges from end users is a critical first step in a successful AppLocker implementation.

Introduction

AppLocker's complete functionality is only available in the Enterprise and Ultimate SKUs of Windows 7. AppLocker is a set of Group Policy settings that evolved from Software Restriction Policies (SRP) and was designed as a replacement that overcomes the shortcomings of SRP, restricting which applications can run on a corporate network. Application execution is controlled with AppLocker by creating either a "blacklist" or a "whitelist" of applications.

Small and medium enterprises rarely deploy SRP, especially on Windows XP, mainly because of problems with launching applications from shortcuts and because path rules are too easy to circumvent. In many cases, SRP certificate rules offer limited configuration options, and hash rules are problematic when applications are upgraded. With AppLocker, applications on a blacklist are blocked from executing, whereas applications on a whitelist are allowed to run. Typically, organizations choose to implement either a whitelist approach or a blacklist approach, with the goal of attaining least privilege.
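The whitelist approach described above, worked through with the AppLocker PowerShell module as an added example (not from the paper or from BeyondTrust): rules are generated from a reference workstation, favouring publisher rules, which survive application upgrades, over hash rules, and omitting path rules, which are easy to circumvent. The reference directories, the output path and the "Everyone" scope are assumptions for illustration.

```powershell
# Build an AppLocker allow-list (whitelist) from a reference workstation and
# test it before enforcing it. Run in an elevated session with the AppLocker module.
# Assumptions (not from the paper): reference directories below, output path, 'Everyone' scope.
Import-Module AppLocker

$policyPath    = 'C:\Policies\applocker-allow.xml'
$referenceDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:windir")

# Collect publisher, hash and path information for executables and DLLs on the reference image.
$fileInfo = foreach ($dir in $referenceDirs) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll
    }
}

# Generate rules: publisher where the file is signed, hash as the fallback for unsigned
# files. Path rules are deliberately excluded. -Optimize collapses rules that share a
# publisher; -IgnoreMissingFileInformation skips files with no usable attributes.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation -Xml

New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $policyXml

# Dry run: evaluate candidate files against the generated policy without applying it.
# A signed OS binary should be allowed; a binary dropped in a user-writable folder that is
# neither signed by an approved publisher nor hashed in the baseline should be denied.
$candidates = @("$env:windir\notepad.exe", "$env:LOCALAPPDATA\Temp\unknown-tool.exe") |
    Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy only after the results are reviewed; -Merge keeps existing rules.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Because publisher and hash rules are tied to the binary rather than its location, the same policy also allows an approved signed binary copied elsewhere, which is why unsigned line-of-business tools still need their own hash rules and must be regenerated on each upgrade.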

While AppLocker is a huge improvement over SRP, it still falls short in a number of areas when organizations try to achieve least privilege. As an employee's access requirements become more complex, AppLocker leaves IT departments with the difficult task of continually updating policies.