On Sun, Apr 15, 2012 at 23:24, Ken Schaefer <[email protected]> wrote:

>> To drive the point home - If I had to choose between whitelisting
>> applications and blacklisting data, I'd choose whitelisting applications,
>> every time.
>
> Why would you have to make a choice? They are not mutually exclusive options.

You are correct, they are not, and I'd prefer to be able to do both, but it sharpens the point. I think blacklisting is basically a dead technology, even though it's all I have at the moment. When the bad guys can morph executables in minutes and blast them out via email or compromised web sites (and other modes, too) many times a day, it's gone beyond whack-a-mole.

<snip>

>> Whitelisting helps those who help themselves (corporately or individually).
>> Think of it as evolution in action.
>
> Those people generally don't run into problems in the first place. Digital
> signatures, signed kernel mode code etc. can be used to verify that software
> you are running is mostly legitimate.

Digital signatures, signed kernel mode code, etc., are whitelisting.

> The tools already exist for whitelisting applications running on your home
> computer - even Windows includes Software Restriction Policies, Applocker
> etc., but I doubt you've implemented it - it's simply too much hassle to
> create a digital signature of each and every single executable you want to
> allow, and then restrict each and every .dll or resource file that the .exe
> is allowed to load into its process space, and then also ensure that every
> application doesn't provide some shared memory space or other way for code to
> end up inside the permitted process.

You are correct - I haven't implemented them yet for our users. But I am doing so for myself. I've put my user account and my machine into a test OU, and am applying policies that are more restrictive than what apply to standard users now.

I do understand how difficult it is. I recently ran md5sum against one of our older standard image machines, prior to deployment (booted from a USB stick to have complete access), and redirected the hashes into a text file. I ran the machine through a round of patches, did an md5sum again, then ran a diff. It was amazing how many files changed.

NSA has put up a good approach, however, that might be workable - but for it to be really useful, users should not have admin rights, among other things. It also specifies SRP, as opposed to BitLocker - I'm sure that can be factored in.

http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf
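The hash-baseline step described in the reply above (hash every file from an offline boot, patch, hash again, diff the two lists) is the raw material for a hash-based whitelist, and the hard part is getting a readable list of what changed rather than a wall of md5sum output. The following is an added shell example, not code from the thread or from NSA's SRP guide. It uses sha256sum instead of md5sum, assumes POSIX/GNU coreutils (find, sort, join, awk) are available, and does not handle paths containing whitespace; the function names and file layout are my own.

```shell
#!/bin/sh
# Added example: build a sorted "hash  path" baseline of a directory tree,
# then diff two baselines into changed / added / removed paths.
# Assumes coreutils; sha256sum replaces the md5sum used in the thread.
# Limitation: paths containing blanks are not handled by the field splitting.

# Keep sort and join in the same collation so join never sees "unsorted" input.
LC_ALL=C
export LC_ALL

# baseline_hashes DIR OUTFILE
# Writes one "hash  ./relative/path" line per regular file under DIR,
# sorted by path so two baselines can be joined line by line.
baseline_hashes() {
    dir=$1
    out=$2
    (cd "$dir" && find . -type f -exec sha256sum {} +) | sort -b -k2 > "$out"
}

# hash_diff OLD NEW
# Prints "changed <path>", "added <path>" or "removed <path>" per difference.
# Both inputs must be sorted by path (baseline_hashes does this).
hash_diff() {
    old=$1
    new=$2
    # Same path in both baselines but a different hash.
    join -j 2 "$old" "$new" | awk '$2 != $3 { print "changed " $1 }'
    # Paths present only in the new baseline.
    join -v 2 -j 2 "$old" "$new" | awk '{ print "added " $1 }'
    # Paths present only in the old baseline.
    join -v 1 -j 2 "$old" "$new" | awk '{ print "removed " $1 }'
}

# count_changes OLD NEW
# Number of differing paths, handy as a one-line summary after a patch round.
count_changes() {
    hash_diff "$1" "$2" | wc -l | tr -d ' '
}

# Command-line usage when run directly (does nothing when sourced):
#   ./hashdiff.sh baseline /mnt/image before.txt
#   ./hashdiff.sh diff before.txt after.txt
case "${1:-}" in
    baseline) baseline_hashes "$2" "$3" ;;
    diff)     hash_diff "$2" "$3" ;;
esac
```

Running `baseline` from an offline boot (as the reply describes) gives a list that also doubles as an input for hash-rule whitelisting: the lines that survive a patch round unchanged are exactly the binaries whose hashes a hash-based SRP rule set would have to carry, and the `changed` lines are the ones such rules would have to be regenerated for after every patch cycle.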
