Application allowlisting, formerly known as application whitelisting, is a cybersecurity practice that involves specifying a list of approved software applications or executable files that are allowed to operate on a computer system. The main goal of allowlisting is to enhance security by protecting computers and networks from potential cybersecurity threats such as ransomware and malware.
In the realm of information security, allowlisting is most effective in environments that are centrally managed, where systems adhere to a consistent workload. The National Institute of Standards and Technology (NIST) recommends the use of application allowlisting in high-risk environments where system security is paramount, even if it means sacrificing some level of usability without restrictions. To provide more flexibility, an allowlist may also include approved and trusted components like software libraries, plugins, extensions, and configuration files.
The implementation of application allowlisting typically begins with creating a comprehensive list of approved applications and IT components. This list can be built into the host operating system or provided by a third-party vendor. Application allowlisting allows system administrators to define file attributes associated with approved applications, such as file name, file path, and file size. By taking a proactive approach to security, allowlisting either allows or blocks any application that is not on the approved list.
An example of an allowlisting tool integrated into every Windows 10 and 11 system is Microsoft Windows Defender Application Control, now known as App Control for Windows. This tool empowers system administrators to specify which users or groups are authorized to run specific applications. It also regulates application execution rights by referencing parameters like file paths, file hashes, and publisher identities. App Control restricts access to certain applications, prevents users from installing new software, specifies permissible versions of software, and ensures the use of licensed software.
While there are numerous advantages to using application allowlisting, there are also certain risks associated with this approach. For instance, attackers can potentially mimic approved applications with malicious ones, making it crucial for allowlisting software to incorporate cryptographic hashing techniques and digital signatures. Moreover, maintaining an up-to-date allowlist can be challenging as organizations continually add new applications to their portfolios, necessitating modifications to the allowlist to include new applications and associated system components.
Despite its drawbacks, application allowlisting offers robust security benefits, including enhanced protection against ransomware and malware attacks, the ability to identify users accessing sensitive data, streamlined software license compliance, and reduced help desk costs. By adhering to best practices for implementing application allowlisting, organizations can effectively manage their allowlists, ensure good endpoint security, and seamlessly integrate allowlisting and patch management processes to boost overall system security and resilience against cyber threats.