Sunday, September 12, 2010

Tough-love security

AppLocker blocks everything except code that is expressly permitted by policy.

When I started using Windows 7 full time on my primary system, I wanted to take better advantage of the new operating system’s baked-in security features. I had been running as a limited rights user that needed a separate administrator password to effect system changes throughout my time with Windows Vista, and I had gotten used to the routine of right-click/Run as Administrator/password to install anything. Since I was going to use Windows 7 Ultimate, I decided to give the new AppLocker a try to see if such a lockdown was a feasible option on a heavily used workstation. AppLocker is Microsoft’s take on application whitelisting. It blocks everything from running except code that is expressly permitted by policy.

Initially, I set up AppLocker with the default rules. My everyday, limited-rights user account could only run executables and scripts installed to either the Program Files or Windows directories and could only install signed Windows installers (or unsigned ones saved to a specific folder in the Windows directory). After a period of acclimation, I deleted those exceptions for Windows installer packages as well. In sum, to run any application from a different directory or to install anything, I had to expressly run it as an administrator. So AppLocker dictates that my user account can only run apps installed in two approved locations, and Least Privilege/User Account Control says my user account cannot save things to those two locations.
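A setup like the one described above can be checked from PowerShell. The following is an added example, not part of the original article: it confirms the policy is actually being enforced and asks AppLocker how it would rule on a few files for the limited account. The account name `WORKSTATION\limiteduser` and the `Downloads\setup.exe` path are assumptions; substitute your own.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt
# on an edition that includes AppLocker.
Import-Module AppLocker

# AppLocker rules are only enforced while the Application Identity service runs.
Get-Service -Name AppIDSvc | Format-Table Name, Status -AutoSize

# Show each rule collection (Exe, Msi, Script, ...) and whether it is enforced
# or only audited. A collection left in audit mode logs but does not block.
$policy = Get-AppLockerPolicy -Effective
$policy.RuleCollections |
    Format-Table RuleCollectionType, EnforcementMode, Count -AutoSize

# Assumed values: the limited-rights account and sample files to evaluate.
$user = 'WORKSTATION\limiteduser'
$candidates = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",  # under Program Files
    "$env:windir\System32\notepad.exe",                  # under Windows
    "$env:USERPROFILE\Downloads\setup.exe"               # outside both locations
) | Where-Object { Test-Path $_ }                        # only test files that exist

if (-not $candidates) {
    Write-Warning 'None of the sample paths exist on this machine.'
    return
}

# Ask AppLocker for its decision on each file for that user.
# With the default rules, files under Program Files and Windows report Allowed
# and anything elsewhere reports DeniedByDefault.
$policy |
    Test-AppLockerPolicy -Path $candidates -User $user |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Adding `-Filter Denied,DeniedByDefault` to the `Test-AppLockerPolicy` call narrows the output to the files the account would be blocked from running.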

It’s pretty good security, provided I don’t do anything stupid with my administrator password. After six months of use, I generally forget that AppLocker is running in the background, since I’ve trained myself to install new programs or updates in the new manner. Indeed, I’ve found it works well most of the time. There is still code that can’t deal with this type of security, and the most glaring examples are Web browser add-ons.

WebEx has been the most troublesome application. Neither in Internet Explorer nor Firefox has my limited-rights user account been able to join a conference. The only solution I’ve found is to run IE as administrator (it doesn’t work in Firefox), but that defeats the purpose of locking down my security, as I am exempting one of the most commonly attacked platforms from my security policy. So I’ve started joining WebEx conferences from my iPhone instead. I know software developers have little impetus to design their code to work under such circumstances because hardly anyone is going to use their computer in that way.

AppLocker likely has an unheralded future ahead of it, if only because the majority of Windows 7 users don’t have access to the feature. In January, Microsoft announced that it had moved more than 60 million copies of Windows 7 in the last two months of 2009. But what percentage of those are the Ultimate SKU, the only consumer edition to include the AppLocker feature? The volume licensed Enterprise edition also comes with AppLocker functionality, and I see some companies leveraging the feature for kiosks or other limited-use workstations. But I can’t see many companies deploying it to their user base. Many IT professionals I’ve talked to confide that they still haven’t taken away local admin rights from their users, so AppLocker isn’t even on their radar. Are there any corporations out there trying to implement AppLocker across their user base? If so, I’d love to hear your story.

Source of Information : eWeek February 15 2010
