Restricting Applications

(OBJ .)

Least Functionality

• Involves configuring systems with only essential applications and services
• Least functionality aims to provide only the necessary applications and services
• Unneeded applications should be restricted or uninstalled to reduce vulnerabilities
• Over time, personal computers accumulate unnecessary programs

Managing Software

• Keeping software up-to-date is crucial for security
• New programs may be installed without removing old versions
• Large networks require preventive measures to control excessive installations

Creating Secure Baseline Images

• Secure baseline images are used to install new computers
• Images include the OS, minimum required applications, and strict configurations
• These images should be updated based on evolving business needs

Preventing Unauthorized Software

• Unauthorized software installation poses security risks
• Application allowlisting and blocklisting are used to control which applications can run on a workstation

Application Allowlisting

• Only applications on the approved list are allowed to run
• All other applications are blocked from running
• Similar to an "Explicit Allow" statement in access control

Application Blocklisting

• Applications placed on the blocklist are prevented from running
• All other applications are permitted to run
• Any application on the blocklist is denied

Choosing Between Allowlisting and Blocklisting

• Allowlisting is more secure, as everything is denied by default
• Managing allowlists can be challenging as updates require list adjustments
• Blocklisting is less secure, as everything is allowed except what's explicitly denied
• Managing blocklists can be difficult, as every new program variation would be allowed until a rule is created

Centralized Management

• Microsoft Active Directory domain controllers allow centralized management of lists
• Group policies can be used to deploy and manage allowlists and blocklists across workstations in a network