On Tue, Feb 14, 2012 at 3:08 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> Not huge news, but perhaps a useful technique.
> http://www.nextgov.com/nextgov/ng_20120210_8712.php
It's absolutely a useful technique. It's something I've been doing (and even occasionally advocating) for years.

The theory is simple: Don't let software run from unauthorized locations. Don't let users modify the authorized locations.

Implementation concept: Set permissions such that users can't write to locations where programs can run from. For example, don't let them write to <C:\Program Files> or <C:\WINDOWS>. Then use Software Restriction Policy (SRP) to only allow execute from those locations. Now executables in users' profile folders, temp directories, etc., can't run. So even if a user downloads malicious or unauthorized software to their home directory, the system will refuse to run it.

It is akin to the Unix-world's practice of mounting /tmp and /home with the "noexec" option, although Microsoft's approach with SRP gives you much more fine-grained control.

One potential pitfall: SRP uses file extensions to determine executable status. Windows sometimes uses file content to determine executable status. For example, a Portable Executable renamed to have a .LNK extension will be executed anyway, depending on how you invoke it. So for SRP to close all holes, you have to apply it to *.LNK files, which means users' desktop shortcuts and "Recent Items" lists break. Pick your poison.

I suspect the major reason that large organizations pay such big money for "application whitelisting" solutions is that they have poor control over software. One admin does one thing, another does something else, and there's no central control. Plus lots of crap software that wants to write to system locations. (I'd call it "legacy software" but let's face it, crap like that is pushed out brand new every day.) So they try and buy products to fix the mess.

While this approach is not without value, I can't help but think of Ed Crowley's maxim on technological solutions and behavioral problems.

-- Ben
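A simplified model of the default-deny SRP setup Ben describes (allow rules for Program Files and Windows, extension-keyed evaluation, the .LNK gap) together with a check for allowed folders that users can still write to. This is an added example, not code from the post or from Microsoft; the rule semantics are reduced to path rules only, and the extension list and ACL snapshot are constructed.

```python
# Simplified model of Windows Software Restriction Policy (SRP) path rules.
# Not Microsoft's implementation; extension list and ACL data are constructed.
import ntpath
from dataclasses import dataclass

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
# Subset of the extensions SRP treats as executable (constructed; the real list is longer).
EXECUTABLE_TYPES = {"exe", "com", "bat", "cmd", "msi", "scr", "vbs", "js", "pif"}


@dataclass(frozen=True)
class PathRule:
    path: str   # folder prefix the rule covers, e.g. r"C:\Program Files"
    level: str  # DISALLOWED or UNRESTRICTED


def _folder_prefix(path):
    """Case-folded, normalised folder prefix ending in a backslash."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\") + "\\"


class SrpPolicy:
    def __init__(self, default_level, rules, executable_types=EXECUTABLE_TYPES):
        self.default_level, self.rules = default_level, list(rules)
        self.executable_types = {e.lower() for e in executable_types}

    def decide(self, file_path):
        """Return (level, reason) for launching file_path under this policy."""
        ext = ntpath.splitext(file_path)[1].lstrip(".").lower()
        if ext not in self.executable_types:
            # The .LNK pitfall from the post: SRP keys on the extension, so a file
            # whose extension is not on the list is never evaluated at all.
            return UNRESTRICTED, f"'.{ext}' not in executable types; SRP not consulted"
        norm = ntpath.normcase(ntpath.normpath(file_path))
        # Among matching path rules the most specific one (longest prefix) wins.
        matches = [r for r in self.rules if norm.startswith(_folder_prefix(r.path))]
        if matches:
            best = max(matches, key=lambda r: len(_folder_prefix(r.path)))
            return best.level, f"path rule {best.path}"
        return self.default_level, "default level"


def writable_allowed_dirs(policy, acl, principal="BUILTIN\\Users"):
    """Folders where code may run yet `principal` can write: each one defeats the allow-list.
    `acl` maps directory -> set of principals with write access (constructed snapshot)."""
    def runs_here(folder):
        return policy.decide(ntpath.join(folder, "probe.exe"))[0] == UNRESTRICTED
    return sorted(d for d, writers in acl.items() if principal in writers and runs_here(d))


# Default-deny policy with the two allow locations from the post.
POLICY = SrpPolicy(DISALLOWED, [PathRule(r"C:\Program Files", UNRESTRICTED),
                                PathRule(r"C:\Windows", UNRESTRICTED)])
# Constructed ACL snapshot: one badly behaved application made its folder user-writable.
SAMPLE_ACL = {r"C:\Program Files\GoodApp": {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"},
              r"C:\Program Files\CrapApp\plugins": {"BUILTIN\\Administrators", "BUILTIN\\Users"},
              r"C:\Users\alice\AppData\Local\Temp": {"BUILTIN\\Users"}}
```

`writable_allowed_dirs(POLICY, SAMPLE_ACL)` flags only the plugins folder; adding a more specific Disallowed rule for that folder, or fixing its ACL, closes the gap.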