Implementing application whitelisting involves the following high-level steps:
- identifying applications that are authorised to execute
- developing application whitelisting rules to ensure only those authorised applications can execute
- maintaining the application whitelisting rules using a change management program.
When determining how to enforce application whitelisting, the following methods are considered suitable if implemented correctly:
- cryptographic hash rules
- publisher certificate rules (combining both publisher names and product names)
- path rules (ensuring file system permissions are configured to prevent unauthorised modification of folder and file permissions, folder contents and individual files).
Conversely, the use of file names, package names or any other easily changed application attribute is not considered suitable as a method of application whitelisting.
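The following Python is an added illustration of the three rule types above and of why a file-name rule is not one of them; it is not code from the original page or from any particular whitelisting product. It assumes a constructed in-memory file system (the `FILES` dictionary), so that the hashes can be computed offline, and it models hash rules and path rules only (a publisher certificate rule would additionally need signature verification, which is not shown). The path rule canonicalises the path before matching and matches on a directory boundary, because both are common bypass points in real deployments.

```python
import hashlib
import posixpath
from dataclasses import dataclass
from typing import List, Union

# Constructed sample "file system" (path -> contents) so the example runs offline.
# The trojan deliberately reuses the file name of the genuine tool.
FILES = {
    "/opt/corp/bin/payroll": b"\x7fELF genuine payroll build (constructed bytes)",
    "/opt/corp/bin/updater": b"\x7fELF genuine updater build (constructed bytes)",
    "/home/alice/Downloads/payroll": b"\x7fELF trojan named payroll (constructed bytes)",
}


def canonical(path: str) -> str:
    # Collapse "..", "." and repeated slashes before any matching. Comparing a path rule
    # against the raw string would let "/opt/corp/bin/../../../home/..." slip through.
    return posixpath.normpath(path)


def sha256_of(path: str) -> str:
    data = FILES.get(canonical(path))
    return hashlib.sha256(data).hexdigest() if data is not None else ""


@dataclass(frozen=True)
class HashRule:
    sha256: str            # allow exactly this content, wherever it sits


@dataclass(frozen=True)
class PathRule:
    directory: str         # allow everything beneath this directory


@dataclass(frozen=True)
class NameRule:
    name: str              # included only to show why a file-name rule is unsuitable


Rule = Union[HashRule, PathRule, NameRule]


def rule_matches(rule: Rule, path: str) -> bool:
    path = canonical(path)
    if isinstance(rule, HashRule):
        return sha256_of(path) == rule.sha256
    if isinstance(rule, PathRule):
        # Append a separator so "/opt/corp/bin" does not also cover "/opt/corp/bin-old/x".
        root = canonical(rule.directory).rstrip("/") + "/"
        return path.startswith(root)
    if isinstance(rule, NameRule):
        return posixpath.basename(path) == rule.name
    raise TypeError(f"unknown rule type: {rule!r}")


def is_authorised(path: str, policy: List[Rule]) -> bool:
    # Default deny: execution is permitted only if some rule explicitly allows it.
    return any(rule_matches(rule, path) for rule in policy)


HASH_POLICY = [HashRule(sha256_of("/opt/corp/bin/payroll")),
               HashRule(sha256_of("/opt/corp/bin/updater"))]
PATH_POLICY = [PathRule("/opt/corp/bin")]
NAME_POLICY = [NameRule("payroll"), NameRule("updater")]


def evaluate() -> dict:
    genuine = "/opt/corp/bin/payroll"
    trojan = "/home/alice/Downloads/payroll"
    traversal = "/opt/corp/bin/../../../home/alice/Downloads/payroll"
    sibling = "/opt/corp/bin-old/payroll"
    return {
        "hash_allows_genuine": is_authorised(genuine, HASH_POLICY),
        "hash_blocks_trojan": not is_authorised(trojan, HASH_POLICY),
        "path_allows_genuine": is_authorised(genuine, PATH_POLICY),
        "path_blocks_trojan": not is_authorised(trojan, PATH_POLICY),
        "path_blocks_traversal": not is_authorised(traversal, PATH_POLICY),
        "path_blocks_sibling_dir": not is_authorised(sibling, PATH_POLICY),
        # The unsuitable rule type: same name, any content, any location.
        "name_rule_runs_trojan": is_authorised(trojan, NAME_POLICY),
    }


if __name__ == "__main__":
    for check, ok in evaluate().items():
        print(f"{check:28s} {ok}")
```

Every entry returned by `evaluate()` is `True`: the hash and path rules stop the renamed trojan, the traversal attempt and the look-alike sibling directory, while the name rule runs the trojan because the only attribute it checks is the one the adversary chose. Note that the path rule is only as strong as the permissions on `/opt/corp/bin`, which is the point of the permissions requirement in the list above.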
To confirm that application whitelisting has been implemented correctly, it should be tested on a regular basis: check that file system permissions on whitelisted paths have not been misconfigured, and look for other ways of bypassing the rules or executing unauthorised applications.
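One concrete form of the permissions check described above, written for this page as an added example rather than taken from it: walk the directory a path rule authorises and report anything a non-privileged user could write to, plus any symbolic link, since either lets content the rule never intended be executed under it. It is POSIX-only (it reads mode bits with `lstat`), and the directory tree it inspects is a constructed fixture built in a temporary directory with one deliberate group-writable file, one world-writable subdirectory and one escaping symlink. On Windows the equivalent check inspects ACLs (for example with `icacls` or Sysinternals AccessChk) rather than mode bits.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Tuple


def audit_path_rule(root: str) -> List[Tuple[str, str]]:
    """Walk the directory a path rule authorises and report every entry that a
    non-privileged user could write to, or that is a symbolic link.

    A writable directory lets a user drop a new executable the rule then allows;
    a writable file lets them replace an allowed executable in place; a symlink
    can point the rule at content outside the intended tree."""
    findings = []
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow symlinks
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for entry in entries:
        mode = os.lstat(entry).st_mode
        if stat.S_ISLNK(mode):
            findings.append((entry, "symlink"))
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group/other writable"))
    return sorted(findings)


def build_fixture() -> str:
    """Constructed sample tree: one correctly locked-down binary, one group-writable
    plugin, one world-writable subdirectory and one symlink escaping the tree."""
    root = tempfile.mkdtemp(prefix="aw_path_rule_")
    os.chmod(root, 0o755)
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o755)
    for name, mode in (("tool", 0o755), ("plugin.so", 0o664)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\necho constructed sample\n")
        os.chmod(path, mode)
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    os.chmod(logs, 0o1777)   # the sticky bit does not stop new files being created here
    os.symlink(tempfile.gettempdir(), os.path.join(root, "scratch"))
    return root


def relative_findings(root: str) -> List[Tuple[str, str]]:
    """Same findings as audit_path_rule, with paths relative to the audited root."""
    return [(os.path.relpath(p, root), why) for p, why in audit_path_rule(root)]


def remove_fixture(root: str) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    fixture = build_fixture()
    try:
        for path, why in relative_findings(fixture):
            print(f"{why:22s} {path}")
    finally:
        remove_fixture(fixture)
```

Run against the fixture it reports `bin/plugin.so` and `logs` as writable and `scratch` as a symlink, and nothing for `bin/tool`. In a real audit, run it as the same unprivileged account the rule is meant to constrain, extend it to the parent directories of the root (a writable parent allows the whole tree to be renamed and replaced), and schedule it, since the text's point is that this check is repeated, not done once.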
In addition to preventing the execution of unauthorised applications, application whitelisting can contribute to the identification of attempts by an adversary to execute malicious code. This can be achieved by configuring application whitelisting to generate event logs for failed execution attempts. Such event logs should ideally include information such as the name of the blocked file, the date/time stamp and the username of the user attempting to execute the file.
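To show what the detection side of that logging looks like, here is an added example (not from the original page, and not tied to any particular product's event format) that runs over a constructed CSV export of the records the text describes: blocked file, timestamp and user. Besides the per-user count a triage analyst would start from, it flags a user who is blocked from running several different files within a short window, because a single blocked download usually indicates a policy gap while a burst of distinct blocked binaries looks like an adversary trying payloads in turn. The ten-minute window and the threshold of three files are assumed values to tune for the environment.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log in the shape the text recommends: each record carries the
# blocked (or allowed) file, a timestamp and the user who attempted execution.
SAMPLE_LOG = """\
timestamp,user,file,result
2024-03-04T09:00:12,bob,/opt/corp/bin/payroll,allowed
2024-03-04T09:01:45,alice,/home/alice/Downloads/payroll,blocked
2024-03-04T09:02:10,alice,/tmp/.x/stage1,blocked
2024-03-04T09:02:31,alice,/tmp/.x/stage2,blocked
2024-03-04T09:03:05,alice,/home/alice/.cache/loader,blocked
2024-03-04T13:20:00,carol,/home/carol/Downloads/installer,blocked
2024-03-04T15:45:22,bob,/opt/corp/bin/updater,allowed
"""


def parse_log(text: str) -> List[dict]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def blocked_per_user(events: List[dict]) -> Dict[str, int]:
    """Every blocked attempt deserves a look; this is the triage overview."""
    return dict(Counter(e["user"] for e in events if e["result"] == "blocked"))


def blocked_bursts(events: List[dict],
                   window: timedelta = timedelta(minutes=10),   # assumed tuning values
                   threshold: int = 3) -> Dict[str, List[str]]:
    """Flag users blocked from running `threshold` or more distinct files within
    `window`; returns the largest such set of files seen per user."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "blocked":
            per_user[e["user"]].append(e)
    flagged: Dict[str, List[str]] = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["timestamp"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            files = sorted({e["file"] for e in evs[start:end + 1]})
            if len(files) >= threshold and len(files) > len(flagged.get(user, [])):
                flagged[user] = files
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("blocked attempts per user:", blocked_per_user(events))
    for user, files in blocked_bursts(events).items():
        print(f"burst from {user}: {len(files)} distinct blocked files")
        for f in files:
            print("   ", f)
```

On the sample, bob is never blocked, carol's single blocked installer is counted but not flagged, and alice is flagged with four distinct blocked files in under two minutes, three of them in hidden or temporary locations. The same records also feed the change-management side: a blocked file that turns out to be legitimate is the trigger for updating the rules.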
Finally, it is important that application whitelisting does not replace antivirus and other security software already in place on systems. Using multiple security solutions together can contribute to an effective defence-in-depth approach to preventing the compromise of systems.