Every system administrator worries about what end users might install on their computers. Many people simply don’t understand that a seemingly innocent pop-up inviting them to download something may be dangerous. One solution is whitelisting, which allows only preapproved programs to run.
Windows Server has this ability built in. Those running Pro versions of Windows on their desktops can use Software Restriction Policies to implement whitelisting. SRP offers several ways to add programs to the whitelist.
1. Add Programs to a Whitelist By Path
This is the broadest method, allowing administrators to add entire folders. It is how the default items, such as the Windows folder, are added. Use it only for trustworthy paths that users cannot write to; if a user can write to the path, the rule isn’t safe.
2. The Filename Method of Adding Programs to a Whitelist
This allows administrators to specify a particular location (for example, c:\MyProgram) and only allow a certain filename to run from it. This is a little more restrictive than allowing an entire folder, but if users can write to this location, there is the chance that they might delete the real program and replace it with something of their own. This isn’t very likely to happen, though, except with tech-savvy users determined to undermine the policy.
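A check for the write-access condition that sections 1 and 2 both depend on, as an added PowerShell example that is not part of the original article: it walks each whitelisted folder and reports Allow entries that grant write-type rights to anyone other than SYSTEM, Administrators or TrustedInstaller. The `$RulePaths` list, the function name `Get-UserWritableAce` and the choice of trusted SIDs are assumptions for illustration.

```powershell
# Added example: list non-admin principals that can write inside SRP-whitelisted folders.
# $RulePaths is an assumed sample list; c:\MyProgram is the article's example location.
$RulePaths = @($env:SystemRoot, $env:ProgramFiles, 'c:\MyProgram')

# Rights that allow creating, replacing or re-permissioning files in a folder,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

# Well-known SIDs treated as administrative and excluded from the findings.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-UserWritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # unreadable ACL: skip rather than guess
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, which are checked during recursion.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path   = $Path
            Sid    = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights
        }
    }
}

# Check each rule folder and every subfolder beneath it.
$findings = foreach ($root in $RulePaths) {
    if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
    Get-UserWritableAce -Path $root
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-UserWritableAce -Path $_.FullName }
}
$findings | Sort-Object Path, Sid | Format-Table -AutoSize
```

Deny entries and group membership are not evaluated, so treat each row as a lead to review. Any row for a folder covered by a path or filename rule means a non-administrative principal may be able to place or replace executables there.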
3. Hash Rules Are a More Secure Method of Creating a Whitelist
With this option, SRP creates a hash of the desired file, and the file is then allowed to run no matter what folder it happens to be in. This is considerably more secure than a path rule because only this exact file will be allowed. If the administrator ever needs to update the file, its hash changes, so he or she will need to create a new rule with the new hash.
4. Certificate Rules Are the Most Secure Whitelisting Method
This is probably the most secure type, because it is based on a certificate from the manufacturer. The trade-off is that more work is required from the PC, which can slow down processing: each time a user runs a program with a certificate rule applied, it has to check in with the server to see whether the certificate is valid and whether it has expired. When the certificate does expire, a new rule is needed.