

Guide to defense in depth: The hidden flaws in Windows


Adding the rest of the needed security measures to your environment

Once you have removed administrative rights for your end users and deployed hard drive encryption, you can start to add the next needed technologies to secure your environment.

To achieve a secure environment, the next most important proactive measure is whitelisting your trusted applications. Before Windows 10, the number one in-box technology for this is AppLocker, but it requires an Enterprise edition of Windows.

My number one tip for a successful whitelisting implementation is to stop whenever you find yourself adding a single application to your whitelist.

You should always create rules on a container basis, using either folders or publishers. Never use hashes or individual files unless you really know you need to.

The drawbacks of AppLocker

In a Windows environment, whitelisting has improved with every Windows version. Windows NT4 could list the names of allowed applications. Windows XP added Software Restriction Policies, which could allow applications by path, hash or internet zone. Windows 7 Enterprise includes the most widely used whitelisting feature today, AppLocker (internally called Software Restriction Policy V2), which made it easy to use certificates to allow applications signed by a trusted party.

The biggest problem with AppLocker is really one that Microsoft cannot solve: the lack of will among third-party application developers to get their code signed. Windows 10 addresses this with a more secure successor to AppLocker called Device Guard, together with a signing service provided by Microsoft that will sign applications from third-party providers as well.

Sadly, Windows AppLocker has a few weaknesses. One is actually in the OS itself: the default rules Windows requires allow everything in the Windows and Program Files folders to run.

As long as users don't have administrative access, those folders should be write-protected, but sadly that is not quite the case. You need to audit your installation with tools like AccessChk.exe from Sysinternals to find the few subfolders that need to be excluded from your AppLocker default rules.
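The audit step above, as an added PowerShell example that is not code from this page or from Defendpoint: it shortlists subfolders under the default-rule roots that ordinary users can write to and prints them in the path-variable form AppLocker exception rules use. It assumes it runs elevated on a representative image and that the well-known SIDs listed stand for "ordinary user"; deny ACEs and effective rights are not evaluated, so each hit is a candidate to confirm with AccessChk before excluding it.

```powershell
# Added example, not from the Avecto page. Shortlist non-admin-writable
# folders under the AppLocker default-rule roots and print them as
# AppLocker path exceptions. Deny ACEs are ignored: confirm with AccessChk.
$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# Well-known SIDs every interactive non-admin user is a member of (assumption).
$NonAdminSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Bits that let a user create or replace files. Modify and FullControl
# contain both, so ACEs granting those match as well.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
$GenericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Test-NonAdminWritable {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($NonAdminSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteBits) -or ($rights -band $GenericWrite)) { return $true }
    }
    return $false
}

# Rewrite a concrete path into the variable form AppLocker path rules use;
# %PROGRAMFILES% covers both Program Files folders.
function ConvertTo-AppLockerPath {
    param([string]$Path)
    foreach ($pair in @(@($env:SystemRoot, '%WINDIR%'),
                        @($env:ProgramFiles, '%PROGRAMFILES%'),
                        @(${env:ProgramFiles(x86)}, '%PROGRAMFILES%'))) {
        $root, $var = $pair
        if ($root -and $Path.StartsWith($root, 'OrdinalIgnoreCase')) {
            return $var + $Path.Substring($root.Length) + '\*'
        }
    }
    return $Path + '\*'
}

foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-NonAdminWritable $_.FullName } |
        ForEach-Object { ConvertTo-AppLockerPath $_.FullName }
}
```

Each printed path can be added as an exception to the default "Allow everyone in %WINDIR%" or "%PROGRAMFILES%" path rule once AccessChk confirms the folder is genuinely writable by standard users.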

The other weakness is the monitoring of DLL files. DLLs are libraries of functions that, by default, can do whatever an attacker wants them to. These functions can be called by rundll32.exe, which Windows needs and which can't really be blocked.

You can turn on DLL monitoring in AppLocker, but the performance impact is often too high. Test it yourself, as it depends on the environment it is used in.

Defendpoint's Application Control module can be used to make whitelisting much easier to manage and more secure without affecting performance. I use it a lot, and I like it because I can use it with customers that don't have the Enterprise edition of Windows 7 or 8.1 as well.