Application Whitelisting? What Is It?

应用白名单？ 它是什么？

I consider a firewall to be a Yes / No device when you strip away all the “Next Generation” and Unified Threat Management (UTM) pieces. To some degree, Application Whitelisting works the same way by specifying which applications can execute (The Whitelist) leaving everything else implicitly or explicitly denied (The Blacklist).

当您剥离所有“下一代”和统一威胁管理(UTM)组件时，我认为防火墙是“是/否”设备。 在某种程度上，应用程序白名单通过指定可以执行的应用程序(白名单)以相同的方式工作，而其他所有内容都被隐式或显式拒绝(黑名单)。

There are applications in the middle (Greylist), but those are for administrators to decide, not the end-users. By the way, make sure the firewall mentioned above also has a default “deny all” rule in place! I have seen many installations where the final rule was an “Allow All” with millions of hits against it.

中间有一些应用程序(“灰名单”)，但这些应用程序是供管理员(而不是最终用户)决定的。 顺便说一句，请确保上述防火墙也具有默认的“全部拒绝”规则！ 我见过许多装置的最终规则是“全部允许”，并受到数百万次点击。

Application Whitelisting is a hot topic of discussion, and it continues to appear in many conversations focused on the Australian Cyber Security Centre (ACSC) Essential Eight or application and data security in general. It’s quite intimidating to think one needs yet another system to manage this, but the reality is that you can leverage your existing investment in Microsoft technologies.

应用程序白名单是一个讨论的热门话题，并且它继续出现在许多针对澳大利亚网络安全中心(ACSC)必备八级或总体而言应用程序和数据安全的对话中。 认为一个人需要另一个系统来管理它是非常令人生畏的，但是现实是您可以利用现有的Microsoft技术投资。

With Microsoft, you say? How do I do that?

您说与Microsoft合作吗？ 我怎么做？

Whether you realise it or not, even the most basic Microsoft deployment can do some degree of Application Whitelisting. How? Start with Active Directory (AD) Group Policy Objects (GPOs). As an aside, even policies that control Microsoft Office Macros and Windows Defender Firewall serve as a basic form of Application Whitelisting. From there, if you have Microsoft licenses up to and including E5, you may have access to AppLocker, Windows Defender Application Control, and Azure Adaptive Application Controls.

不管您是否意识到，即使最基本的Microsoft部署也可以进行一定程度的应用程序白名单。 怎么样？ 从Active Directory(AD)组策略对象(GPO)开始。 顺便说一句，即使是控制Microsoft Office宏和Windows Defender防火墙的策略，也是应用程序白名单的基本形式。 从那里开始，如果您拥有Microsoft许可证(最高包括E5)，则可以访问AppLocker，Windows Defender应用程序控件和Azure自适应应用程序控件。

Indeed, like the Lego box we all grew up with as kids, you likely have a lot of the pieces you need to get started, but let’s not get ahead of ourselves; first things first.

的确，就像我们都从小一起长大的乐高玩具盒一样，您可能有很多需要入门的知识，但不要让自己超越自我。 首先是第一件事。

Where Do I Start?

我从哪说起呢？

The first place to start should understand your information systems and which applications are needed to perform your business functions. If you don’t have this list already, please create it and engage a security specialist to help if needed. This list will become your “Whitelist”. It’s worth noting not every team in your organisation will use the same list…. there may be a core list (such as office applications) for everyone but different whitelists for other roles (such as Payroll and HR). Getting a handle on what applications you need and which you don’t want is crucial otherwise you can find yourself preventing good and allowing bad like a lousy B-grade superhero movie.

首先开始应该了解您的信息系统以及执行业务功能需要哪些应用程序。 如果您还没有此列表，请创建它，并在需要时聘请安全专家提供帮助。 此列表将成为您的“白名单”。 值得注意的是，并非您组织中的每个团队都会使用相同的列表…。 可能会有每个人的核心清单(例如办公应用程序)，但其他角色(例如薪资和人力资源)的白名单却不同。 掌握所需的应用程序以及不想要的应用程序至关重要，否则，您会发现自己像坏的B级超级英雄电影一样，可以防止出现不良情况并允许不良情况发生。

With many of us in a pure or hybrid cloud environment, using a Cloud Access Security Broker (CASB) like Microsoft Cloud App Security can help get a handle on things. There are many other great tools like Microsoft System Centre Configuration Manager (SCCM) that will help sniff out applications and programs throughout the network. The key here is to discover and take inventory of as many (if not all) of the applications possible. This inventory includes dependencies resident within your environment.

对于我们许多人来说，在纯云或混合云环境中，使用像Microsoft Cloud App Security这样的Cloud Access Security Broker(CASB)可以帮助您解决问题。 还有许多其他出色的工具，例如Microsoft系统中心配置管理器(SCCM)，可帮助嗅探整个网络中的应用程序和程序。 这里的关键是发现并盘点尽可能多(如果不是全部)的应用程序。 此清单包括您环境中的依赖项。

It may be a great idea to understand where your data resides so that in addition to the applications, you can follow the data they use, store, and transmit. An excellent service to use here could be Azure Information Protection, supported by a DLP solution (which Microsoft has) and use of the Office 365 eDiscovery in the Azure Security and Compliance Centre. No matter the solution you choose, ensure you find as many of the moving pieces as you can.

了解数据所在的位置可能是一个好主意，这样除了应用程序之外，您还可以跟踪它们使用，存储和传输的数据。 在此处使用的一项出色服务可以是Azure信息保护，它由DLP解决方案(Microsoft已提供)支持，并且可以在Azure安全和合规中心使用Office 365电子数据展示。 无论您选择哪种解决方案，都要确保找到尽可能多的活动部件。

Review the people and processes in place to ensure that, in addition to applications and data, you can control who has access to the data and how they access it. Adoption of a Zero Trust model and leveraging the Just-In-Time / Just-Enough-Administration approaches can help manage your regular and privileged users alike.

检查适当的人员和流程，以确保除了应用程序和数据之外，您还可以控制谁有权访问数据以及他们如何访问数据。 采用“零信任”模型并利用“及时” /“足够管理”方法可以帮助您管理普通用户和特权用户。

Inventory and understanding complete (or at least underway, it’s time to do something with all that knowledge!

完整的清单和理解(或者至少正在进行中，是时候使用所有这些知识来做一些事情了！

How I do I Make It Work?

我该如何运作？

Earlier I mentioned you probably already have the required hardware and software to make this a reality. Most modern endpoint protection applications, such as those from leading traditional security vendors, can perform application whitelisting. Advanced UTM firewalls that offer application control are not really “Whitelisting” but can add another layer of defence if you choose.

之前我提到过，您可能已经拥有实现这一目标所需的硬件和软件。 大多数现代的端点保护应用程序(例如来自领先的传统安全厂商的应用程序)都可以执行应用程序白名单。 提供应用程序控制的高级UTM防火墙并不是真正的“白名单”，但如果您选择的话，可以添加另一层防御。

Better still, if you have some of the core Microsoft Services and even some of the advanced subscription services like Defender ATP and Azure Adaptive Application Controls, you probably don’t need to look much further.

更妙的是，如果您拥有一些核心的Microsoft服务以及某些高级订阅服务(例如Defender ATP和Azure自适应应用程序控件)，则可能无需进一步了解。

You can start with Group Policy Objects (GPOs) in Active Directory, and you’ll find a wealth of controls available with the granularity needed to manage objects. If you’re using an Endpoint Detection and Response suite like Windows Defender ATP, you can leverage the Application Control component. AppLocker also plays in this space. The fact remains, you probably have most of what you need to start and keep going along with the tools to monitor and manage from a single point. Slick!

您可以从Active Directory中的组策略对象(GPO)开始，然后会发现大量管理对象所需的可用控件。 如果您使用的是Windows Defender ATP之类的端点检测和响应套件，则可以利用应用程序控制组件。 AppLocker也在此空间中播放。 事实仍然存在，您可能拥有启动所需的大部分内容，并与从单个点进行监视和管理的工具保持同步。 光滑！

Pitfalls?

陷阱？

Many, which is why I recommend getting the right people involved, and this means more than just the IT team. Management also needs to support and sign off on this initiative. Having it as part of your information security / general IT policies is also recommended. You need to know what applications are on your network and which ones are required. It’s not a smooth voyage, but one worth taking. At the heart of it, executing code is the cause of a lot of breaches. Also, consider that it’s not always malware; sometimes, what works against you are your tools and utilities!

很多，这就是为什么我建议让合适的人员参与其中，而这意味着不仅仅是IT团队。 管理层还需要支持并批准该计划。 还建议将其作为信息安全性/常规IT策略的一部分。 您需要知道网络上有哪些应用程序，以及哪些是必需的。 这不是一次顺利的航行，但值得一游。 从本质上讲，执行代码是导致大量违规的原因。 另外，请注意并非总是恶意软件； 有时，对您不利的是您的工具和实用程序！

Ghosts in the Machine?

机器里有鬼吗？

It’s us, plain and simple. We just want to do our jobs, get paid, and go home to our families. Be ready to uncover “Shadow IT” and related shadow data that often arise because of shortcuts (well-intended or otherwise) that we use to get the job done. Application Whitelisting can help secure the environment but prepare for some resistance from the masses.

是我们，简单明了。 我们只想做我们的工作，得到报酬，然后回家给我们的家人。 准备发现“阴影IT”和相关的阴影数据，这些阴影数据通常是由于我们用来完成工作的捷径(意图良好或其他原因)而产生的。 应用程序列入白名单可以帮助保护环境，但可以为大众带来一些阻力。

Anything Missing?

缺少什么？

Make sure you have the endpoint protection applied to every host that you can and think beyond just workstations; locking down the ability of applications to execute on your servers — especially database servers and web servers — can be an invaluable tactic.

确保将端点保护应用到您可以使用的每台主机上，并不仅仅是工作站。 限制应用程序在服务器(尤其是数据库服务器和Web服务器)上执行的能力是一种非常宝贵的策略。

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; do not rely on it as such. Obtain appropriate legal advice in actual situations. All images, unless otherwise credited, are licensed through Shutterstock

免责声明：本博客中提出的想法和观点是我自己的，而不是任何相关第三方的想法。 提供的内容仅用于一般信息，教育和娱乐目的，并不构成法律建议或建议； 不要这样依赖它。 在实际情况下获得适当的法律建议。 除非另有说明，否则所有图片均通过Shutterstock许可