Today I’m starting a post series that will describe a great security addition, a whitelisting technology: Software Restriction Policies (SRP). I have already posted a ton of exclusive Secret Knowledge (aka Тайное Знание) on my Russian weblog: SRP. If you are familiar with Russian or have a good translator, try the Russian version. In this series I’ll post summarized information.

What are Software Restriction Policies?

One smart guy (I think it was Richelieu, not Rothschild) said: who owns the information owns the world. The computer era started a new wave of the information battle: the computer information battle. Some want to get information, some want to protect it. This is why there are computer viruses, worms and other malware; some malware was written just for lulz, some not. Malware and antimalware were born at the same time, but the result is not very good: thousands of infected computers every day. Many of them are protected by the most modern antiviruses and the result is still the same: fail. Format, reinstall and a new life from scratch until the next infection. There is no end to this with antivirus protection alone.

While some people may consider this acceptable (to spend their time on a system reinstall), companies cannot afford it, because they lose money while a computer idles: an employee cannot do his or her work. In the worst cases sensitive information is stolen and they lose even more money, up to bankruptcy. Therefore companies pay additional attention to computer security.

Malware is not magic or something mystical; it is just another application that runs on the computer. Malware cannot launch itself, someone has to run it. In 99% of infection cases only the user is to blame for the infection. He or she launches an unknown file (for example, “Tera Patrick Hard Core.avi.exe”) and the action begins. Almost all antimalware applications work on a blacklist basis: if the file contains suspicious code, the antimalware application may decide to block it.

To address this issue, another methodology was designed: whitelisting. Whitelisting means that you can run only what was previously approved. If something is not approved, you cannot run it. Plain and simple. This is how Software Restriction Policies work. In SRP you create a set of rules that define which applications can be launched. Anything that is not listed is blocked, regardless of whether the file is infected or not.
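As an added example (not from this post), here is a PowerShell check that reads the SRP policy a machine has received and reports whether it is really configured as a whitelist, i.e. default level Disallowed with explicit Unrestricted rules. It assumes the standard registry layout Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer.

```powershell
# Added example (not from the original post): report the local SRP policy
# state from the registry keys that Group Policy writes for SRP.
# Assumption: the standard layout under ...\Windows\Safer\CodeIdentifiers.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and used as subkey names
$levels = @{ 0 = 'Disallowed'; 0x1000 = 'Basic User'; 0x40000 = 'Unrestricted' }

if (-not (Test-Path $base)) {
    Write-Warning 'No SRP policy is configured on this machine.'
    return
}

$cfg     = Get-ItemProperty -Path $base
$default = [int]$cfg.DefaultLevel

Write-Host ('Default security level   : {0} (0x{1:X})' -f $levels[$default], $default)
# PolicyScope 0 = all users, 1 = all users except local administrators
Write-Host ('Applies to local admins  : {0}' -f ($cfg.PolicyScope -eq 0))
# TransparentEnabled 1 = all software except libraries, 2 = all software files
Write-Host ('TransparentEnabled value : {0}' -f $cfg.TransparentEnabled)

# A whitelist is DefaultLevel = Disallowed plus explicit Unrestricted rules.
if ($default -ne 0) {
    Write-Warning 'Default level is not Disallowed: this is a blacklist, not a whitelist.'
}

# Enumerate path rules under each level subkey (0 = Disallowed, 262144 = Unrestricted)
$rules = foreach ($lvl in $levels.Keys) {
    $pathKey = Join-Path $base "$lvl\Paths"
    if (-not (Test-Path $pathKey)) { continue }
    Get-ChildItem -Path $pathKey | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Level       = $levels[$lvl]
            Path        = $rule.ItemData
            Description = $rule.Description
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize
```

Run it in an elevated PowerShell on a domain-joined workstation after `gpupdate`; an empty rule table together with a Disallowed default means the policy blocks everything outside the built-in rules.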

While SRP is very powerful, it is not a complete answer; it is just one part of the entire protection. For example, if you use an administrative account for everyday tasks (internet surfing, gaming, video watching, etc.), SRP alone will not help much. There are a lot of security rules you should follow. I will not talk about them here, but I recommend a post by my colleague Peter Gubarevich: Preventing computer malware by using Software Restriction Policies. That post is a nice high-level description of the problem and of the ways it should be solved.

Target audience

This series is intended for IT Pros, security administrators and engineers. It will focus on the enterprise environment. I will assume that employees in your company have standard user rights on their computers. I also recommend reading the TechNet article to get the basic concepts of SRP: http://technet.microsoft.com/en-us/library/cc766330(v=WS.10).aspx. In the next post we will start the real stuff.
