Windows users today are more application oriented than ever, but that hunger often leads them to unsafe choices. In this presentation you’ll learn about the attributes of both free and commercial application security tools. You’ll also learn the key steps you need to follow to effectively accommodate user application needs without giving malefactors a foot in the door to your enterprise.

1. Application Explosion
How to manage
productivity vs. security
Mel Beckman Chris Merritt David Murray
Senior Director of Senior Product
Technical Director Solution Marketing Manager
Penton Lumension Lumension

2. Agenda
• Application vulnerabilities
• Key application control points
• Application identification trickiness
• Application control flow
• Microsoft’s default tools: SRP & AppLocker
• AppLocker limitations & gotchas
• Free application security controls
• Attributes of commercial application control
• The value of integration

3. Application Vulnerabilities
What Weʼre Up Against
1. Undesired Applications 5. Bloatware
Social networking, VoIP, Installed along with legitimate
chat, shopping, games software, such as Adobe Reader
Twitter, Skype, eBay, WoW Adobe DL Mgr, Google Chrome
2. Unauthorized Packages 6. Ad/Spy/Scare/Zombieware
Personal utilities, hacking Apps users want that have
tools, unlicensed software ulterior motives
iTunes, WireShark, PhotoShop WeatherBug, SystemFix, Gator
3. Liability Software 7. Malware, Bots, and Trojans
Peer-to-peer, copy cracking, Malicious code out to steal
network scanners contacts, data and identities
Limelight, freeme2, nmap Qhost, ZeuS, Trojan-BNK
4. Resource Hogs 8. Rootkits and Back Doors
Distributed computing, file Programs that modify the OS
sharing, streaming media to permit future hacker re-entry
seti@home, bittorrent, NetFlix TDSS, StormWorm, Stuxnet

4. Key Application Control Points
• Software installation
- .msi, .msp, .zip
• Binary program execution
- .exe, .com
• Scripts
- .bat, .cmd, .jar, .js, .jse, .mdb, .pif, .ps1,
.scr, .vb, .vbe, .vbs
• DLL & ActiveX
- .dll, .ocx

5. Key Application Control Points
• Control approach: default permit or deny?
- There are an infinite number of applications
that you don’t want to authorized
- Only a finite number of applications you do
• Default deny is the only viable approach
- Explicitly permit specific positively identified
applications
- Vulnerabilties are resilient** so it’s critical that you
don’t let them in in the first place!
- Anti-virus blacklists known threats, but AC rules
primarily specify which applications are permitted,
they are collectively termed a whitelist
• But there are exceptions
- Privileged users (e.g., local admin)
- Subdirectories
- Trusted publishers
**Secunia Yearly Report, February 14, 2012
http://secunia.com/company/2011_yearly_report

6. Application Identification Trickiness
• How to reliably identify an application?
- Name? File Size? Path? Contents? Source?
- What about changes: patches (good),
hacking (bad)
• Known application identification methods
- Path (including name)
- Hash (numeric signature of contents)
- Publisher (via digital signing)
- Source (during installation)
- Registry paths
- A combination of the above
• A single application can exist within a user
population in dozens of variations

7. Application Control Flow
Whitelist
Application
Inventory Audit
Control Assess
Automation
Tools
Enforce

8. Microsoft’s default tools:
SRP & AppLocker
• Software Restriction Policies (SRP)
- Windows XP, Windows 2003, Windows 2008, Vista,
and Windows 7 below Ultimate
- Implemented via Group Policy Objects (GPO)
and registry path restrictions
- Simple rule structure
• AppLocker
- Window 7 Ultimate & Enterprise only
- Also uses GPO
- Built into Windows 7 kernel
- Extended rule structure (e.g., exceptions)
(but no registry path restrictions)
- Whitelist wizards (default and analysis)
• SRP & AppLocker are mutually exclusive
(when AppLocker rules exist, they supercede SRP)

9. AppLocker Control Flow

10. AppLocker Limitations
• Capability limitations
- Supports only Win7 Ultimate & Enterprise
- Computer-based, rather than user-based
• Security limitations
- Local admin can circumvent (e.g., stopping appld srv)
- Scripts vulnerable to exploitation
• Reliability limitations
- Application updates break rules
• Usability limitations
- Generated whitelists are large and complex
- Default rules too permissive
- DLL filtering impacts performance
- Event logs exist only on local machine
(LogsMicrosoftWindowsAppLocker)
- Limited reporting

11. AppLocker Gotchas
• Can inadvertently lock user out of Windows
• DLL filtering can break applications in mysterious
ways (ergo, it’s off by default)
• WindowsInstaller objects can execute even when
unsigned
• WindowsTemp is world write-able, world-
executable
• Inadvertently grant permissions by crea5ng an
excep5on to a Deny rule
• LOAD_IGNORE_CODE_AUTHZ_LEVEL exploit
- http://tinyurl.com/LOAD-IGNORE
• SANDBOX_INERT exploit
- http://tinyurl.com/SANDBOX-INERT

12. Free Application Security Controls
• Open source and free tools
- Ad Hoc blocking of installed apps
- Application inventory
• OCS Inventory NG (ocsinventory.sourceforge.net)
• CFEngine Nova (cfengine.com)
• Open PC Server Integration (opsi.org)
• Uranos (uranos.sourceforge.net)
• Example: Windows Application Blocker
( http://tinyurl.com/winappblocker )
- Per-application password lock
- Must be manually configured
- No central administration

13. Free Application Security Controls
• Uranos open source: software inventory only
• No application control capability

14. Attributes of Commercial App Control
• Full Windows spectrum:
- XP, Vista, 2003, 2008, all Win7 editions
• Cohesive whitelist generation
- Driven by site-wide application discovery
- Automatically optimize rules
• Flexible whilelist policy structure
- Multiple filter types
- User-based policies for consistent desktop and laptop
enforcement
- Extend coverage to local admin user
• Ability to approve trusted patches and identify
patched applications
• Situational awareness
- Centralized event monitoring
- Comprehensive reporting

15. The Value of Integration
• Application control is an
endpoint problem
• Other endpoint problems
- Network Access Control (NAC)
- Antivirus remediation
- Patch management
• Integrated endpoint tools have frameworks that:
- Deliver a consistent, cohesive user interface
- Consolidate client enumeration and agent tracking
- Provide a centralized database for objects and events
- Streamline auditing and reporting
• Integrated tools deliver better overall protection
- Event correlation provides early warning of trouble
- Situational awareness provides defense in depth

16. The story so far...
• Bad application are a prime source of endpoint
vulnerabilities in the enterprise
• Applications must be controlled at installation, and
then by positive identification
• Applications come in many forms and change
frequently, making them hard to identify reliably
• Application control has a procedural flow
• Microsoft’s SRP & AppLocker don’t do the job
• Free security tools are not enterprise-grade
• Select commercial tools based on key features
• Integrated endpoint security tool sets ultimately
deliver more capability and are easier to administer

17. More Information
•Overview of Lumension® Intelligent Whitelisting™
» http://www.lumension.com/Resources/Demo-Center/Overview-Endpoint-
Protection.aspx
•Application Scanner Tool
» http://www.lumension.com/Resources/Security-Tools/Application-Scanner-Tool-2-
0.aspx
•Whitepapers
» Think Your Anti-Virus Software is Working? Think Again.
• http://www.lumension.com/Resources/WhitePapers/Think-Your-AntiVirus-
Software-Is-Working-Think-Again.aspx
» Intelligent Whitelisting: An Introduction to More Effective and Efficient Security
• http://www.lumension.com/Resources/Whitepapers/Intelligent-Whitelisting-An-
Introduction-to-More-Effective-and-Efficient-Endpoint-Security.aspx
17