Educause Security Discussion mailing list archives
Re: Endpoint Protection - App Whitelisting?
From: Rich Graves <rcgraves () BRANDEIS EDU>
Date: Mon, 13 Nov 2017 14:09:44 -0600
I could not recommend campus-wide AppLocker deployment without a comprehensive central logging setup. You can't let your alerting mechanism be help desk calls. It needn't be expensive, just pick one: winlogbeat to logz.io or loggly, built-in Windows event forwarding to a central server (see Jessica Payne's walk-through), or Splunk/ELK if you have it. You should start gathering audit-only data from *all* users immediately. Central collection of eventid 8003 events helps build the policy and can alert you to malware.

Then start enforcing in phases, starting with IT, HR, and other higher-risk departments.

At my last job, to reduce the inconvenience especially for power users, we openly supported self-service AppLocker bypass via a path rule. Move your program to a special directory, and it will run. The whitelisted directory is not posted on the open web, but it's fairly openly shared, since clients can enumerate the applicable AppLocker policy anyway. Abuse is fairly easy to identify because eventid 8002 includes the rule name.
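The triage described above (8003 audit hits to build the policy and spot suspicious executions, 8002 rule names to watch the self-service bypass directory), as an added example that is not part of the original post: it runs over constructed winlogbeat-style JSON records from the "Microsoft-Windows-AppLocker/EXE and DLL" channel, and the field layout, the rule name "Self-service bypass directory" and the sample hosts, users and paths are all assumptions.

```python
import json
from collections import Counter

# Constructed sample records in the shape winlogbeat ships for the
# "Microsoft-Windows-AppLocker/EXE and DLL" channel (field layout assumed).
SAMPLE_LOG = r"""
{"event_id": 8003, "computer_name": "LAB-PC1", "event_data": {"RuleName": "-", "FilePath": "%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\SETUP.EXE", "TargetUser": "CAMPUS\\alice"}}
{"event_id": 8003, "computer_name": "LAB-PC1", "event_data": {"RuleName": "-", "FilePath": "%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\SETUP.EXE", "TargetUser": "CAMPUS\\alice"}}
{"event_id": 8003, "computer_name": "LAB-PC2", "event_data": {"RuleName": "-", "FilePath": "%OSDRIVE%\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\UPDATE.EXE", "TargetUser": "CAMPUS\\bob"}}
{"event_id": 8003, "computer_name": "LAB-PC3", "event_data": {"RuleName": "-", "FilePath": "%OSDRIVE%\\APPS\\LEGACY\\TOOL.EXE", "TargetUser": "CAMPUS\\dave"}}
{"event_id": 8002, "computer_name": "LAB-PC2", "event_data": {"RuleName": "(Default Rule) All files located in the Program Files folder", "FilePath": "%PROGRAMFILES%\\VENDOR\\EDITOR.EXE", "TargetUser": "CAMPUS\\bob"}}
{"event_id": 8002, "computer_name": "LAB-PC4", "event_data": {"RuleName": "Self-service bypass directory", "FilePath": "%OSDRIVE%\\TOOLS\\BYPASS\\SCRIPTRUNNER.EXE", "TargetUser": "CAMPUS\\carol"}}
{"event_id": 8002, "computer_name": "LAB-PC2", "event_data": {"RuleName": "Self-service bypass directory", "FilePath": "%OSDRIVE%\\TOOLS\\BYPASS\\UNKNOWN-TOOL.EXE", "TargetUser": "CAMPUS\\bob"}}
"""

BYPASS_RULE = "Self-service bypass directory"   # hypothetical name of the path rule
USER_WRITABLE = ("\\DOWNLOADS\\", "\\APPDATA\\", "\\TEMP\\")  # heuristic, not exhaustive

def parse_events(text):
    """One JSON object per line, as winlogbeat emits them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def audit_top_paths(events):
    """8003 hits by path: what enforcement would block, ranked for rule-building."""
    counts = Counter(e["event_data"]["FilePath"] for e in events if e["event_id"] == 8003)
    return counts.most_common()

def risky_audit_hits(events):
    """8003 hits launched from user-writable locations deserve a look before any rule is written."""
    return [(e["event_data"]["TargetUser"], e["event_data"]["FilePath"]) for e in events
            if e["event_id"] == 8003
            and any(m in e["event_data"]["FilePath"].upper() for m in USER_WRITABLE)]

def bypass_runs(events, rule_name=BYPASS_RULE):
    """8002 carries the matching rule name, so runs allowed via the bypass rule stand out."""
    return [(e["computer_name"], e["event_data"]["TargetUser"], e["event_data"]["FilePath"])
            for e in events
            if e["event_id"] == 8002 and e["event_data"]["RuleName"] == rule_name]

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for path, n in audit_top_paths(evts):
        print(f"8003 x{n}: {path}")
    for who, path in risky_audit_hits(evts):
        print(f"review: {who} ran {path} from a user-writable location")
    for host, who, path in bypass_runs(evts):
        print(f"bypass rule used: {who} on {host} -> {path}")
```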