Implementing Application Whitelisting
Download ACSC Protect Notice, Implementing Application Whitelisting (PDF), April 2016
- Application whitelisting is the most effective strategy in the Australian Signals Directorate's (ASD) Strategies to Mitigate Targeted Cyber Intrusions.
- This document has been developed by ASD to provide high-level guidance on what application whitelisting is, what application whitelisting is not and how to implement an application whitelisting solution.
What application whitelisting is
- Application whitelisting is a security approach designed to protect against unauthorised or malicious code executing on a system. It aims to ensure that only authorised applications (eg, programs, software libraries, scripts and installers) can be executed.
- While application whitelisting is primarily designed to prevent the execution and spread of malicious code, it can also prevent the installation or use of unauthorised applications.
- Implementing application whitelisting across an entire organisation can be a daunting undertaking; however, implementation on systems used by high-value or often-targeted staff members, such as executive officers and their assistants, human resources staff, FOI staff or public relations staff, can be a valuable first step.
What application whitelisting is not
- The following approaches, while still valuable for defence-in-depth, are not considered to be application whitelisting:
- providing a portal or other means of installation for authorised applications
- using web or email content filters to prevent users from downloading applications from the internet
- checking the reputation of an application in a cloud-based database before it is executed
- using a next-generation firewall in an attempt to identify whether network traffic is generated by an approved application.
How to implement an application whitelisting solution
- Implementing an application whitelisting solution comprises the following high-level steps:
- identify applications which should be permitted to execute on a given system
- develop whitelisting rules to ensure only those authorised applications can execute on that system
- restrict users to a subset of authorised applications required to undertake their specific duties
- prevent users from being able to bypass the application whitelisting solution or change associated whitelisting rules
- maintain the application whitelisting solution and associated whitelisting rules using a change management program.
- When determining the method used by an application whitelisting solution to specify whitelisting rules, the use of cryptographic hashes, publisher certificates (combining both publisher names and product names), absolute paths and parent folders are considered suitable if implemented correctly. However, if whitelisting rules based on absolute paths or parent folders are used, particular care should be taken with the implementation of file system permissions to ensure users do not have the ability to write and execute content in any path that has been whitelisted, as doing so would enable them to bypass the application whitelisting solution.
- To ensure an application whitelisting solution has been appropriately implemented, testing should be undertaken on a regular basis to check for misconfigurations of file system permissions and other ways of bypassing application whitelisting rules or gaining execution of unauthorised content on a system.
- In addition to preventing the execution of unauthorised applications, an application whitelisting solution can contribute to the identification of attempts by an adversary to execute malicious code on a system. This can be achieved by configuring an application whitelisting solution to generate event logs for failed execution attempts. Such event logs should ideally include information such as the name of the blocked file, the date-time stamp and the user name of the user attempting to execute the file.
- Finally, it is important that an application whitelisting solution does not replace antivirus and other internet security software already in place on systems. Using multiple security solutions together can contribute to an effective defence-in-depth approach to preventing the compromise of systems.
- The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian Government systems
- ASD’s Strategies to Mitigate Targeted Cyber Intrusions complements the advice in the ISM.
Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.