-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Tuesday, 17 April 2012 2:57 AM
To: NT System Admin Issues
Subject: Re: Whitelisting
>>> Whitelisting helps those who help themselves (corporately or individually).
>>> Think of it as evolution in action.
>>
>> Those people generally don't run into problems in the first place.
>> Digital signatures, signed kernel mode code etc. can be used to verify that
>> software you are running is mostly legitimate.
>
> Digital signatures, signed kernel mode code, etc., are whitelisting.
And the point I'm making is that these whitelisting technologies are *not*
helping make the problem I'm describing go away.
1. For a SOHO environment, the end user simply overrides the warnings.
   a. Only when the end user cannot override the settings (e.g. Windows x64
      kernel code signing requirements) has any major improvement occurred.
      i. I doubt that this type of central control by Microsoft would be
         tolerated for user mode applications.
      ii. It could still be bypassed by packaging a CA cert with the malware –
          I’m surprised that this isn’t more prevalent.
2. For a corporate environment of small size, the “administrator” is
   responsible for managing this on behalf of their users. Many smaller orgs are
   probably overstaffed, so there is bandwidth to manage this.
3. In the enterprise, this can’t be centrally controlled without impacting
   business agility. So the response from software vendors will be to create
   more applications like Access which allow *end users* to develop
   applications. How are you going to stop malicious applications like this?
   It’s just like spam – a never-ending, escalating war.
You are correct - I haven't implemented them yet for our users. But I am doing
so for myself. I've put my user account and my machine into a test OU, and am
applying policies that are more restrictive than what applies to standard users
now. I do understand how difficult it is. I recently ran md5sum against one of
our older standard image machines, prior to deployment (booted from a USB stick
to have complete access), and redirected the hashes into a text file. I ran the
machine through a round of patches, did an md5sum again, then ran a diff.
It was amazing how many files changed.
And this is just files on a disk. Are you also going to monitor which files are
loaded by which processes (e.g. which .dll files are loaded by which .exe
files)? Not just the on-disk signatures, but an actual mapping of which .dlls
are used by which .exe? Otherwise, a new, malicious dll file can be loaded into
an existing, trusted application.
Cheers
Ken
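A worked example of the baseline-and-diff procedure described above (hash the image before patching, hash it again afterwards, compare), added here as illustration and not code from the thread. It generalises the md5sum/diff step by reporting added, removed and changed files separately; the image tree, file names and baseline location are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest.
    SHA-256 stands in for the thread's md5sum because MD5 collisions are practical."""
    manifest, base = {}, Path(root)
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            full, h = Path(dirpath) / name, hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[full.relative_to(base).as_posix()] = h.hexdigest()
    return manifest


def compare_manifests(before: dict, after: dict) -> dict[str, list[str]]:
    """Report added, removed and changed paths; unlike a plain diff of two
    md5sum listings, a renamed file is not mistaken for a modified one."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a pretend image tree, then a 'patch
    round' rewrites app.exe, drops in new.dll and deletes old.dll."""
    with tempfile.TemporaryDirectory() as image, tempfile.TemporaryDirectory() as store:
        sys32 = Path(image) / "System32"
        sys32.mkdir()
        (sys32 / "app.exe").write_bytes(b"MZ original build")
        (sys32 / "old.dll").write_bytes(b"MZ legacy helper")
        (Path(image) / "readme.txt").write_text("unchanged\n")
        # Keep the baseline off the image, as the USB-boot hash file was.
        baseline_file = Path(store) / "baseline.json"
        baseline_file.write_text(json.dumps(build_manifest(image)))
        # Simulate the patch round.
        (sys32 / "app.exe").write_bytes(b"MZ patched build")
        (sys32 / "new.dll").write_bytes(b"MZ new helper")
        (sys32 / "old.dll").unlink()
        baseline = json.loads(baseline_file.read_text())
        return compare_manifests(baseline, build_manifest(image))
```

Running `demo()` reports one added, one removed and one changed file, while readme.txt, whose digest did not move, is not listed at all.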