1
00:00:00,970 --> 00:00:03,180
Restricting Applications.

2
00:00:03,180 --> 00:00:04,640
We've discussed how we can create

3
00:00:04,640 --> 00:00:06,630
a secure baseline image to use

4
00:00:06,630 --> 00:00:08,520
when we're installing a new computer.

5
00:00:08,520 --> 00:00:10,970
But how do we stop Gary down in accounting

6
00:00:10,970 --> 00:00:12,340
from downloading and installing

7
00:00:12,340 --> 00:00:14,850
unauthorized software on our network?

8
00:00:14,850 --> 00:00:16,370
To do this, we have to restrict

9
00:00:16,370 --> 00:00:19,880
which applications can be run on a given workstation.

10
00:00:19,880 --> 00:00:23,120
To illustrate how this works, let's consider an example.

11
00:00:23,120 --> 00:00:24,540
You and I decide we want to go

12
00:00:24,540 --> 00:00:26,870
to a trendy nightclub this Friday night.

13
00:00:26,870 --> 00:00:29,860
We show up at the door, and we're greeted by the bouncer.

14
00:00:29,860 --> 00:00:32,500
The bouncer looks at us, he asks if we're on the list,

15
00:00:32,500 --> 00:00:34,610
I give him my name, he looks at the list

16
00:00:34,610 --> 00:00:37,090
and realizes I'm not on the list.

17
00:00:37,090 --> 00:00:39,820
This means he's not going to let me get into the club.

18
00:00:39,820 --> 00:00:41,300
You're maybe cooler than I am,

19
00:00:41,300 --> 00:00:42,590
and your name might have been on the list

20
00:00:42,590 --> 00:00:45,010
and so you're able to get into the club.

21
00:00:45,010 --> 00:00:46,700
If you and I were each an application

22
00:00:46,700 --> 00:00:49,050
on the computer, this nightclub example

23
00:00:49,050 --> 00:00:51,160
shows that you would be able to get in

24
00:00:51,160 --> 00:00:53,663
based on whitelisting, while I would be denied.

25
00:00:54,720 --> 00:00:57,320
With application whitelisting, only applications

26
00:00:57,320 --> 00:00:58,850
that are on the approved list

27
00:00:58,850 --> 00:01:01,300
are allowed to be run by the operating system.

28
00:01:01,300 --> 00:01:04,110
All the other applications are blocked from running.

29
00:01:04,110 --> 00:01:06,070
If you remember your access control list

30
00:01:06,070 --> 00:01:08,260
back from Network+, this acts

31
00:01:08,260 --> 00:01:10,850
like an Explicit Allow statement.

32
00:01:10,850 --> 00:01:12,700
For my next example, my friend and I

33
00:01:12,700 --> 00:01:14,520
are going to head to the airport.

34
00:01:14,520 --> 00:01:16,660
We arrive and we walk up to the ticket counter,

35
00:01:16,660 --> 00:01:18,700
we try to check in with the agent at the counter,

36
00:01:18,700 --> 00:01:21,760
we hand her our passports, and she looks at our names.

37
00:01:21,760 --> 00:01:23,300
After consulting her computer,

38
00:01:23,300 --> 00:01:26,650
she sees that my friend's name is on the No Fly List.

39
00:01:26,650 --> 00:01:28,040
Since his name's on the list,

40
00:01:28,040 --> 00:01:29,890
he's denied the ability to check in,

41
00:01:29,890 --> 00:01:31,970
and he's not able to take the flight.

42
00:01:31,970 --> 00:01:34,450
My name, on the other hand, is not on the list,

43
00:01:34,450 --> 00:01:37,840
and therefore, I'm able to go and board the airplane.

44
00:01:37,840 --> 00:01:40,350
This is an example of how blacklisting works.

45
00:01:40,350 --> 00:01:42,630
With application blacklisting, any application

46
00:01:42,630 --> 00:01:44,210
that's placed on a list will be prevented

47
00:01:44,210 --> 00:01:46,420
from running, while all of the other applications

48
00:01:46,420 --> 00:01:47,670
will be permitted to run.

49
00:01:48,800 --> 00:01:50,330
If you're an application whose name

50
00:01:50,330 --> 00:01:53,060
shows up on the blacklist, you are going to be denied.

51
00:01:53,060 --> 00:01:56,100
But all of the others will be allowed to proceed.

52
00:01:56,100 --> 00:01:57,940
Why, you might be wondering, do we have

53
00:01:57,940 --> 00:01:59,830
two different types of lists?

54
00:01:59,830 --> 00:02:01,640
Well, using application whitelisting

55
00:02:01,640 --> 00:02:03,810
is much more secure, because everything

56
00:02:03,810 --> 00:02:06,360
is denied by default, and only the applications

57
00:02:06,360 --> 00:02:08,330
listed can actually run.

58
00:02:08,330 --> 00:02:10,710
Unfortunately, though, this is much more difficult

59
00:02:10,710 --> 00:02:12,530
to set up and manage.

60
00:02:12,530 --> 00:02:14,330
Every time an application is updated,

61
00:02:14,330 --> 00:02:16,410
you have to adjust your whitelist.

62
00:02:16,410 --> 00:02:20,080
After all, Microsoft Word 2016 version one

63
00:02:20,080 --> 00:02:23,760
is not the exact same code as version two, or version three.

64
00:02:23,760 --> 00:02:26,270
For this reason, many companies have chosen

65
00:02:26,270 --> 00:02:28,680
to use a blacklist approach instead.

66
00:02:28,680 --> 00:02:31,140
But there are problems with this approach too.

67
00:02:31,140 --> 00:02:32,470
Since everything is allowed

68
00:02:32,470 --> 00:02:34,620
except what's explicitly denied,

69
00:02:34,620 --> 00:02:37,850
every new variation of malware or a new program

70
00:02:37,850 --> 00:02:39,480
would be allowed until you create

71
00:02:39,480 --> 00:02:41,610
a blacklist rule for it.

72
00:02:41,610 --> 00:02:44,110
Another challenge with whitelisting and blacklisting

73
00:02:44,110 --> 00:02:46,160
is managing that list across all

74
00:02:46,160 --> 00:02:48,320
of the workstations in your network.

75
00:02:48,320 --> 00:02:49,770
Thankfully, though, if you're using

76
00:02:49,770 --> 00:02:52,360
a Microsoft Active Directory domain controller,

77
00:02:52,360 --> 00:02:54,070
you can centrally manage your lists

78
00:02:54,070 --> 00:02:57,737
and deploy them through your group policies.