Bit9 Parity Suite or AppLocker?

By: Brien M. Posey, MVP Published: June 2010

Abstract: Preventing the execution of unauthorized software on network endpoints must be a priority for any security-conscious organization. Doing so is the only way to effectively prevent software piracy and malware infections while maintaining a tightly controlled baseline configuration. Microsoft has recently introduced a feature called AppLocker that is designed to prevent the execution of unauthorized code. This whitepaper compares Microsoft's AppLocker and Bit9 Parity Suite.

About the Author: Brien M. Posey is a six-time Microsoft Most Valuable Professional for his work with Windows, IIS, Microsoft Exchange Server, and File Systems Storage. Brien is a freelance technical author with over 4,000 technical articles to his credit. He has also written or contributed content to over three dozen books. As a freelance technical writer, Brien has written for Microsoft, TechTarget, Windows IT Professional, CNET, ZDNet, Relevant Technologies, and other leading technology companies. Prior to becoming a freelance author, Brien served as CIO for a nationwide chain of hospitals and healthcare facilities. He was also once a network administrator for the Department of Defense at Fort Knox. You can contact Brien by e-mail at [email protected]


Contents

What is AppLocker (p. 3)
The Potential for Catastrophic Side Effects (p. 4)
Accidental Lockdown (p. 4)
Approval Mechanisms (p. 4)
Application Updates (p. 5)
File Identification (p. 6)
Overall Effectiveness (p. 7)
The Verdict (p. 7)


A few years ago, I wrote a whitepaper on running a fully controlled Windows desktop environment with application whitelisting (https://www.softwaresecuritysolutions.com/PDF/whitePapers/Bit9_AppWhitelisting_wp.pdf). In that paper, I talk about the criteria for achieving total control over the applications running on network endpoints without creating an excessive administrative burden. The paper examines the shortcomings of the Windows operating system in this area, and why third-party applications are really the only option for achieving true endpoint security.

Since the release of , I have received a number of inquiries as to how well Microsoft’s AppLocker feature stacks up to Bit9’s Parity Suite, which is currently the highest rated Application Whitelisting solution on the market.

What is AppLocker?

In case you aren’t familiar with AppLocker, it is Microsoft’s next generation implementation of Software Restriction Policies, which were originally introduced nearly ten years ago in Windows XP. Although AppLocker is technically a new version of the Software Restriction Policies, it is not backward compatible with the Software Restriction Policies. Because of the way that Software Restriction Policies are designed, it can take a tremendous amount of work to create a set of policies that accomplish the organization’s desktop lockdown goals without being easy for the end users to circumvent. Unfortunately, Windows does not provide a mechanism for converting existing Software Restriction Policies into AppLocker rules.

AppLocker’s lack of backward compatibility is an issue that needs to be seriously considered prior to deploying AppLocker. If, for example, you presently use Software Restriction Policies to lock down your Windows desktops, you can continue to use those policies even after you deploy Windows 7. Once you begin creating AppLocker policies, however, Windows 7 desktops will ignore any existing Software Restriction Policies. Likewise, any desktops that continue to run Windows XP or Vista will ignore your AppLocker rules. As such, those running AppLocker in mixed environments may find themselves having to maintain two separate sets of rules.


Organizations that are currently using Software Restriction Policies for desktop lockdown will face a tough decision once they begin bringing Windows 7 into the organization. Such an organization’s options include:

• Continue to rely solely on the Software Restriction Policies.
• Implement AppLocker for Windows 7 desktops, and continue using Software Restriction Policies for legacy Windows desktops (which requires maintaining two different sets of rules).
• Implement AppLocker and then deploy Windows 7 to every desktop in the organization.
• Deploy Bit9’s Parity Suite (which supports Windows 7, Vista, XP, and 2000).

The Potential for Catastrophic Side Effects

Although AppLocker offers numerous improvements over Software Restriction Policies, it must be configured with caution. Otherwise, it may be possible to accidentally lock yourself out of Windows.

The reason why this is possible has to do with the philosophy behind the way that AppLocker rules work. In any organization, there are a finite number of applications that have been authorized for use. Conversely, there are a nearly infinite number of applications that are not authorized for use. As such, it is easier for AppLocker to allow the applications that are authorized (and block everything else) than to block applications on an individual basis. While I believe this philosophy to be solid, Microsoft has taken it to the extreme in that Microsoft actually requires you to create a set of default rules in order to ensure that critical system files will be allowed to run. An inexperienced administrator who forgets to create the default rules (they aren’t created automatically) could potentially prevent operating system files from being able to run.

In my opinion, AppLocker is a part of Windows, so Microsoft should have designed AppLocker to automatically trust the Windows system files once they have been validated. Simply put, if the default rules are necessary, then they should be created by default.

Accidental Lockdown

It is surprisingly easy for an inexperienced administrator to accidentally lock down Windows in an unintended manner. Once the first AppLocker rules are created, then any applications that are not specifically allowed by that rule are prevented from executing. Furthermore, this can happen even if rules are not currently being enforced. Microsoft’s documentation for AppLocker states that “If enforcement is not configured but rules are present in the corresponding rule collection, those rules are enforced.” As such, it is a good idea to configure rule enforcement and to set the enforcement level to Audit Only. That way, you can avoid an accidental lockout and you can get a feel for the effect that your AppLocker rules will have before they are put into effect.

AppLocker issues an ominous warning if you forget to create the default rules.

Approval Mechanisms

I have to give Microsoft credit for taking steps to make the initial rule creation process for AppLocker easy. AppLocker is able to analyze a system that is in a known good state, and automatically approve everything on that system for use across the entire organization.
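The procedure described above, worked through with the AppLocker cmdlets as an added example of my own (not code from the paper): snapshot a known-good reference machine, write the three default rules in explicitly, pin the collection to Audit Only so that nothing is enforced by accident, and then read back what enforcement would have blocked. The scan directory and the policy file location are assumptions; the script must run elevated on Windows 7 or Server 2008 R2.

```powershell
# Added example, not from the paper. Assumptions: AppLocker module available,
# elevated shell, 'C:\Program Files' as the reference scan root.
Import-Module AppLocker
$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'

# AppLocker evaluates nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Snapshot the reference machine: publisher rules for signed files, hash rules
# for the rest, collapsed by -Optimize so one rule covers a whole product.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { throw 'No executable rules were generated; check the scan root.' }

# A collection that has rules but no configured mode is enforced, so set the mode explicitly.
$exe.SetAttribute('EnforcementMode', 'AuditOnly')

# The default rules are not generated for you; without them the OS itself is denied.
# SIDs: S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators. Rule Ids are fresh GUIDs.
[xml]$defaults = @"
<Rules>
  <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions></FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions></FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow"><Conditions><FilePathCondition Path="*" /></Conditions></FilePathRule>
</Rules>
"@
foreach ($rule in $defaults.Rules.FilePathRule) { [void]$exe.AppendChild($policy.ImportNode($rule, $true)) }
$policy.Save($policyPath)

# Dry-run before applying: an OS binary must come back Allowed or the defaults are wrong.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:windir\System32\notepad.exe" -User Everyone

# Apply locally (or import the XML into a GPO). Still Audit Only, so nothing is blocked yet.
Set-AppLockerPolicy -XmlPolicy $policyPath

# After a representative period, list what enforcement would have stopped (event 8003,
# "<file> was allowed to run but would have been prevented ..."), most frequent first.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
  ForEach-Object { ($_.Message -split ' was allowed to run')[0] } |
  Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
```

Only once the 8003 list contains nothing that users legitimately need should the collection be switched from AuditOnly to Enabled.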


As time goes on, however, new applications are often adopted and organizations using AppLocker must create rules that will allow those applications to run. AppLocker rules can be based on the publisher’s digital signatures, the application’s paths, or on the file hash. These approval mechanisms may be too rigid for use in highly dynamic organizations.

The Bit9 Parity Suite offers a much more flexible approach to application approval. Applications can be approved based on digital signatures, UNC paths, network discovery, trusted users, and approved processes. The Bit9 Parity Suite also provides a mechanism for approving common applications that may not necessarily be digitally signed.

Application Updates

Today, practically every software publisher releases routine updates to their wares. These updates must be approved before they will be allowed to run on an AppLocker protected system.

AppLocker’s options for approving software updates are somewhat limited. Updates can be approved manually, or you can create a publisher rule. Publisher rules can be much more application specific than was possible with Software Restriction Policies. Previously, publisher rules were based solely on a software publisher’s digital signature. This meant that if you approved a publisher, you automatically approved any of that publisher’s software unless you had other rules in place to prohibit certain applications from being used.

AppLocker still uses publisher rules, but the rules can be created with varying amounts of detail. For instance, it is possible to approve a publisher, a specific application from a publisher, or even a specific version of an application. For example, you could authorize the use of Adobe Acrobat Reader version 9.0 or above.

An excerpt from Microsoft’s AppLocker documentation.
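The version-scoped publisher rule just described, built as an added example of my own (not from the paper or from Microsoft’s documentation): the publisher, product and version are read from a signed file’s Authenticode signature, and the rule allows that product at version 9.0 or above. The executable path is an assumption; any signed file you intend to approve will do.

```powershell
# Added example, not from the paper. Assumptions: AppLocker module present and
# $signedExe pointing at a signed executable of the product to approve.
Import-Module AppLocker
$signedExe = 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe'   # assumed path
$rulePath  = Join-Path $env:TEMP 'publisher-rule.xml'

# Publisher, product, binary name and version come from the file's signature.
$info = Get-AppLockerFileInformation -Path $signedExe
if (-not $info.Publisher) { throw "$signedExe is unsigned; a publisher rule cannot be built from it" }
$pub = $info.Publisher

# Keep the XML well-formed even if a subject name contains & or quotes.
function Esc([string]$s) { [System.Security.SecurityElement]::Escape($s) }

# LowSection is the version floor; HighSection="*" leaves the ceiling open so
# routine updates stay approved. BinaryName="*" covers every binary in the product,
# not just the one file the rule was derived from.
[xml]$rule = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="$(Esc $pub.ProductName) 9.0 or above" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $pub.PublisherName)" ProductName="$(Esc $pub.ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$rule.Save($rulePath)

# The file the rule came from should be Allowed; a build of the same product
# below 9.0.0.0 would not match the rule and would fall through to the default deny.
"Signed as: $($pub.PublisherName) / $($pub.ProductName) / $($pub.BinaryVersion)"
Test-AppLockerPolicy -XmlPolicy $rulePath -Path $signedExe -User Everyone
```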


Even though AppLocker is far more flexible than the Software Restriction Policies were, the process of approving updates can still be very tedious because you must create rules for each application. In contrast, Bit9’s Parity Suite goes to great lengths to make it easy to approve software updates. A few of Bit9’s update approval options include:

• Trusting everything residing on a designated network drive (a volume can be used as a software distribution point).
• Automatically hashing and approving updates issued by patch management products such as WSUS, SMS, Altiris, or BigFix.
• Approving updates by digital signature (you can also approve code that you have signed yourself).

File Identification

I routinely receive e-mail messages asking me if AppLocker can help them to stop users from installing video games, peer networking software, or other unauthorized applications. The truth is that you can accomplish this without using desktop lockdown software. Simply setting Windows permissions correctly will prevent users from installing applications.

The purpose of desktop lockdown is not just to prevent the installation of unauthorized software, but also to prevent unauthorized code that may already exist on a system from executing. Simply blocking the execution of such code may not be enough, though. Having dormant code residing on workstation hard drives can have the following consequences:

• Malicious code residing on the system could potentially execute if an administrator with unlimited permissions logs onto the system.
• If unauthorized applications are discovered during a software audit, it could subject an organization to fines related to licensing violations.
• Unauthorized software detected during a security audit could impact an organization’s regulatory compliance status.
• Dormant code consumes workstation hard disk space.

As you can see, it is important for desktop lockdown software not only to prevent unauthorized code from running, but also to detect, identify, and report any unauthorized code residing on workstation hard drives.

This is one area in which AppLocker is extremely lacking. The only mechanisms that AppLocker has for file identification are the AppLocker rules that have been created. Beyond that, AppLocker does not have any mechanisms for identifying or reporting unauthorized code.

In contrast, Bit9 Parity Suite can produce a variety of reports regarding the software that has been detected on desktop systems. These reports go beyond simply listing the file’s name and location, and actually identify files in granular detail. This is important because some filenames are meaningless. For instance, countless applications include an installer named Setup.exe. If a report simply listed that Setup.exe was present on a system, you would be hard pressed to determine if the file was supposed to be there or not. The Bit9 Parity Suite remedies this problem by taking a mathematical hash of the file, and then looking the file up in Bit9’s Global Software Registry.

The Global Software Registry is a database containing information about every known executable file. Because files in the database are identified by hash, it is possible to tell the difference between files of the same name.

Bit9 takes this same approach to preventing malware infections. Every file in the Global Software Registry has been analyzed by a malware scanner and is rated on a scale from one to ten based on its level of risk. As such, the Bit9 Parity Suite is able to create risk analysis reports.

The Bit9 Parity Suite also takes some other steps toward preventing malware infestations. The software monitors file propagation in real-time. If a file is found to be propagating rapidly, an alert can be issued. If an administrator determines that the file is malicious, they can use a panic button feature to instantly stop the propagation.
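The identify-by-hash idea above, as an added example of my own rather than anything from Bit9 or the paper: inventory executables by their AppLocker SHA-256 (the value AppLocker hash rules key on), look each one up in an allow-list, and report where several different binaries share one file name. The allow-list is constructed with placeholder hashes, and the scan root is an assumption.

```powershell
# Added example, not from the paper. Assumptions: AppLocker module present,
# $env:SystemDrive\Users as the scan root, placeholder hashes in $knownGood.
Import-Module AppLocker

$knownGood = @{   # constructed allow-list: hash -> what it is (placeholder values)
  '0xPLACEHOLDER_HASH_OF_APPROVED_SETUP_EXE' = 'Approved installer (example entry)'
}

function Get-ExecutableIdentity {
  param([string]$Root = "$env:SystemDrive\Users")
  Get-AppLockerFileInformation -Directory $Root -Recurse -FileType Exe -ErrorAction SilentlyContinue |
    ForEach-Object {
      $path = $_.Path.Path              # AppLocker's normalised form, e.g. %OSDRIVE%\USERS\...\SETUP.EXE
      $hash = $_.Hash.HashDataString    # SHA-256 as used by AppLocker hash rules
      $publisher = if ($_.Publisher) { $_.Publisher.PublisherName } else { '(unsigned)' }
      $verdict   = if ($knownGood.ContainsKey($hash)) { $knownGood[$hash] } else { 'Unknown' }
      New-Object PSObject -Property @{
        Name = [System.IO.Path]::GetFileName($path); Path = $path; Hash = $hash
        Publisher = $publisher; Verdict = $verdict
      }
    }
}

$inventory = @(Get-ExecutableIdentity)

# Same name, different content: the distinction a name-only listing cannot make.
$inventory | Group-Object Name | ForEach-Object {
  $distinct = @($_.Group | Select-Object -ExpandProperty Hash -Unique).Count
  if ($distinct -gt 1) { '{0}: {1} different binaries share this file name' -f $_.Name, $distinct }
}

# Unknown and unsigned binaries are the ones a reviewer should look at first.
$inventory | Where-Object { $_.Verdict -eq 'Unknown' -and $_.Publisher -eq '(unsigned)' } |
  Sort-Object Name | Format-Table Name, Hash, Path -AutoSize
```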

Overall Effectiveness

As I mentioned earlier, when you enable AppLocker, you must create a set of default rules so that Windows can continue to run. The default executable rules have the following effect:

• Everyone is allowed to execute any file located in the Program Files folder.
• Everyone is allowed to execute any file located in the Windows folder or its subfolders.
• The Builtin\Administrator account is allowed to execute any code on the system.

Although the default rules are necessary, they have the potential to undermine AppLocker’s effectiveness. For instance, it is very common for malware to pose as a part of the Windows operating system. The default rules actually enable malicious code to execute so long as it is located in the Windows folder or in one of its subfolders (which is where malicious code often resides).

Likewise, if a user wants to execute unauthorized code, all they have to do is to copy it to the Program Files folder or to the Windows folder. By default, Windows 7’s NTFS permissions restrict users from writing files to the Windows or to the Program Files folders. However, some older applications are known to loosen permissions in these areas when installed.
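The loosened-permissions caveat above is something an administrator can check for rather than assume. The following is an added example of my own (not from the paper): it walks the two default-rule locations and reports every directory where an ordinary-user principal holds a file-creation right, so that each hit can be tightened or carved out of the default path rules with an exception. The set of "ordinary user" SIDs is an assumption you may want to extend.

```powershell
# Added example, not from the paper. Assumptions: Windows 7 / 2008 R2 file layout,
# the four well-known SIDs below as the definition of "ordinary users".
$roots = @($env:windir, $env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }

# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$userSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Rights that let a principal drop a file or folder, plus the generic bits that imply them:
# CreateFiles (0x2), CreateDirectories (0x4), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000)
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Find-UserWritableDirectory {
  param([string[]]$Root)
  foreach ($r in $Root) {
    $dirs = @(Get-Item $r) + @(Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
                                Where-Object { $_.PSIsContainer })
    foreach ($d in $dirs) {
      $acl = Get-Acl -Path $d.FullName -ErrorAction SilentlyContinue
      if (-not $acl) { continue }                      # no read access to the ACL; skip
      foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                             # unresolvable principal
        if ($userSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        New-Object PSObject -Property @{
          Directory = $d.FullName; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
        }
        break                                          # one finding per directory is enough
      }
    }
  }
}

# Every row is a location where a user-dropped file would be covered by a default path rule.
Find-UserWritableDirectory -Root $roots | Sort-Object Directory | Format-Table Directory, Principal, Rights -AutoSize
```

Run it again after installing legacy applications, since that is when the text says permissions tend to be loosened.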

The Verdict

In my opinion, AppLocker and the Bit9 Parity Suite both have their place. AppLocker is best suited to small organizations that use a relatively static configuration and that have a well-defined application set. The Bit9 Parity Suite is better suited to medium and large organizations that require a high degree of flexibility. The Bit9 Parity Suite’s auditing, reporting, and alerting capabilities also make it ideal for use within organizations that are required to comply with government regulations.
