I find that many companies think that whitelisting can be an amazing security technology for their enterprise. I agree with them… to a point. Where I disagree is in the overall approach to deploying the whitelisting solution, as I find that many organizations want whitelisting to be more than it is. I don’t know of anyone that has been talking about least privilege more than I have over the past 10 years, but I put most of my eggs in the least privilege basket, rather than the whitelisting basket. The reasons are very compelling and I believe that by the end of this article, you will be converted to thinking the way that I do on the subject! The overall goal, of course, is to reduce your security risks while reducing cost and effort to achieve this goal.
What is Whitelisting?
Whitelisting is a technology that is used to control which applications are run on a computer. Typically the computer is a desktop or laptop rather than a server or domain controller. Whitelisting is often referred to as application control. This makes sense, as the technology is really controlling the applications that are allowed to run on each endpoint.
Whitelisting is usually paired with blacklisting. Both terms really describe lists of applications: the whitelist defines the applications that are allowed to run, and the blacklist defines the applications that are denied the ability to run.
In order to build our scenario for the article, let's work with the following lists:
As you can clearly see, the whitelisted applications are typical applications that someone might run at a company. The blacklist contains applications that you would typically not want corporate users to run, as they can be used to attack the network and gather information about the environment that a typical user has no need to know.
I am sure that most of you know what least privilege is, but just in case: least privilege is the concept that all users (especially non-IT employees) should run as a standard user on their computer, not as a local administrator. This means that the user should not have any local administrative credentials. The reason for least privilege is rather simple. If users have administrative privileges they will (not "might"; we know most users) cause disruption in their normal computing day. They might alter a setting that causes errors, download a virus from the Internet without knowing it, install an application that conflicts with a production application, etc.
Least privilege is easy to configure. The user is simply removed from the local Administrators group! That is all that is required to implement least privilege.
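Removing the user from Administrators is the whole configuration, but in an enterprise you also want to verify that it stays that way. As an added example (not from the article), here is a PowerShell script that audits the local Administrators group against an approved list and, only when run with -Remediate, removes everyone else; the approved account names are placeholders.

```powershell
# Added example (not from the original article): audit the local Administrators
# group against an approved list and, only when asked, remove everyone else.
# Assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts
# module (Get-LocalGroupMember / Remove-LocalGroupMember) and an elevated shell.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts allowed to stay in Administrators. Placeholder values: replace
    # with your own break-glass account and IT admin group.
    [string[]] $Approved = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins'),
    # Without -Remediate the script only reports; with it, members not on the
    # approved list are removed (honours -WhatIf / -Confirm).
    [switch] $Remediate
)

$members = Get-LocalGroupMember -Group 'Administrators'
$extra   = $members | Where-Object { $Approved -notcontains $_.Name }

Write-Host "Administrators on $env:COMPUTERNAME: $($members.Count) member(s)"
foreach ($m in $members) {
    $status = if ($Approved -contains $m.Name) { 'approved' } else { 'NOT approved' }
    Write-Host ("  {0,-40} {1,-12} {2}" -f $m.Name, $m.ObjectClass, $status)
}

if (-not $extra) {
    Write-Host 'Least privilege holds: no unapproved local administrators.'
    return
}

if ($Remediate) {
    foreach ($m in $extra) {
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
            Write-Host "Removed $($m.Name)"
        }
    }
} else {
    Write-Warning ("{0} unapproved member(s); rerun with -Remediate to enforce least privilege." -f $extra.Count)
}
```

Run it first without -Remediate to see who would be removed, then with -Remediate -WhatIf before enforcing for real.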
Benefits of Least Privilege
As I have written about least privilege so often, I will not go into detail about all of the benefits, but rather will list them here:
- Users can’t install applications that require local admin privileges (this is well over 50% of applications)
- Users can’t install malicious applications that require local admin privileges (this is well over 90% of applications)
- Users can’t run locally installed or network applications that require local admin privileges (this number varies for each corporation)
- Users can’t run malicious applications that require local admin privileges (this is well above 75% of all applications)
- Over 90% of all viruses, worms, malware, etc. cannot function
- Users are standard users when browsing the Internet, so malicious applications don’t have local admin privileges to the computer
- Users are standard users when reading email, so any errant clicks on “bad links” will not install a malicious application (approximately 90% are negated)
- Users’ desktops remain secure and stable
- Users do not lose productivity due to errant or malicious configuration changes to their computer causing down time
Whitelisting, without Least Privilege
If we now look at different combinations of whitelisting and least privilege, it will expose some rather intriguing results. Take a desktop which has a user running as a local administrator. This user will be able to run the applications that are listed on the whitelist AND most likely run the applications listed on the blacklist! Why is this the case?
Well, if I am a local administrator on a computer, it means that I have FULL CONTROL over the computer. I can add/remove any application that I wish. I can stop and start any service I wish. I can take the computer out of the domain, hack the Registry, make a change to any file/setting, etc.
Therefore, when a user is granted local admin privileges, there is little to nothing a network/domain admin can do to control this user.
Whitelisting, with Least Privilege
If we now take the local admin privileges away from the user, we run into a totally different situation with our user on their desktop. Now the whitelist and blacklist no longer tell the whole story: we must also determine whether each listed application requires local admin privileges.
For our blacklist, Cain requires local admin privileges, so it will not run regardless of whether it is on the list. LDP can run as a standard user, so this application should remain on the blacklist if the user is only a standard user on the computer.
Now, for the whitelist. Word and PowerPoint do not require local administrator privileges, so these applications will function. However, QuickBooks requires the user to be a local administrator in order for it to function. The fact that this application is on the approved list (the whitelist) has no bearing on whether the application will run if the user is a standard user! The whitelist is not an “elevation list” but an approved list. Approval does not elevate!
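One quick way to make the "does it require admin?" determination for every entry on both lists is to read the UAC manifest each executable embeds. The following PowerShell is an added example, not from the article; the file paths are constructed to match the scenario and must be adjusted, and the byte-scan is a heuristic (it misses UTF-16 manifests, and an asInvoker program can still fail later if it writes to Program Files or HKLM).

```powershell
# Added example (not from the original article): triage whitelist/blacklist
# entries by the requestedExecutionLevel in each executable's embedded manifest.
# requireAdministrator => will not run for a standard user no matter which list
# it is on; asInvoker / highestAvailable / no manifest => launches as a standard
# user, so a blacklist entry for it still matters. Heuristic only: a program may
# still need admin rights at runtime even when its manifest does not say so.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string] $Path)
    # RT_MANIFEST is stored as plain UTF-8 XML inside the PE file, so a text
    # search over the raw bytes (decoded as Latin-1) is enough to recover it.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)
    $m = [regex]::Match($text, 'requestedExecutionLevel\s+level\s*=\s*"([^"]+)"')
    if ($m.Success) { return $m.Groups[1].Value } else { return 'none (no manifest)' }
}

# Constructed sample lists matching the article's scenario; paths are placeholders.
$lists = @{
    Whitelist = @('C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
                  'C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE',
                  'C:\Program Files (x86)\Intuit\QuickBooks\QBW32.EXE')
    Blacklist = @('C:\Tools\Cain\Cain.exe',
                  "$env:SystemRoot\System32\ldp.exe")
}
foreach ($list in $lists.Keys) {
    foreach ($exe in $lists[$list]) {
        if (-not (Test-Path $exe)) {
            Write-Host ("{0,-9} {1,-22} missing: {2}" -f $list, '-', $exe)
            continue
        }
        $level = Get-RequestedExecutionLevel -Path $exe
        $verdict = switch -Regex ($level) {
            'requireAdministrator' { 'already blocked for standard users; list entry is redundant' }
            default                { 'launches as a standard user; list entry still matters' }
        }
        Write-Host ("{0,-9} {1,-22} {2,-22} {3}" -f $list, (Split-Path $exe -Leaf), $level, $verdict)
    }
}
```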
Least Privilege without Whitelist
If we go with just least privilege and don’t even consider the whitelist, what results do we get? Well, the applications that will be denied from running include Cain, as it will not run while the user is a standard user. LDP will still function if installed, but it can’t be installed by a user that does not have local admin privileges.
The applications that will run include Word and PowerPoint, as these run fine for a user without local admin privileges. QuickBooks will not run, as it does require local admin privileges.
As you can see, I don’t need to have a blacklist in this scenario, as the applications that I don’t want the user to run can’t run anyway.
I do have one small issue: QuickBooks will not function. However, please note that adding a whitelisting solution will not allow QuickBooks to run either! I need another solution!
So, you can see that in this scenario our whitelisting solution adds nothing and is a complete waste of time. I can achieve my desired security goals with least privilege. If I have a whitelisting solution in place without least privilege, I have not achieved any security, as the user must be a local admin in order for the applications to run.
In order to get the best bang for your buck, I suggest that you get a solution that provides least privilege and, if you so desire/need, also whitelisting. The key is that least privilege provides the best overall security, as you don’t even need to add many applications to the whitelist/blacklist, since least privilege already controls which applications can be installed and run.
The blacklist would only be necessary for undesired applications that can still run without local admin privileges.
My suggestion for such a product is PowerBroker for Windows by BeyondTrust (www.beyondtrust.com). This solution is leaps and bounds ahead of the competition and comes with some amazing new features which can take your security solution to levels you never expected before.
Whitelisting is a great idea… in theory. When it really comes down to securing your endpoints, you need to consider least privilege first! Whitelisting without least privilege is sort of like putting your valuables in a bulletproof locker but not locking the locker. You can achieve the security you desire with least privilege and only a small list of blacklisted applications. You can either get a product that both elevates applications and blacklists them, or you can use a product that elevates applications alongside a built-in blacklist such as AppLocker. Regardless, spend your time on least privilege, not on whitelisting solutions!