Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Executable Whitelisting via GPO
Executable Whitelisting via GPO [message #156419] Tue, 16 June 2009 15:36 Go to next message
Kord  is currently offline Kord  United States
Messages: 2
Registered: June 2009
Junior Member
I am wondering if anyone has had any experience with whitelisting
executables via a GPO. I have not yet tried this and am thinking about
moving towards this as an added measure of prevention and security. Any
thoughts/comments/real world experience would be great. Also, any links
to papers discussing this would help too.


--
Kord
------------------------------------------------------------ ------------
Kord's Profile: http://forums.techarena.in/members/106380.htm
View this thread: http://forums.techarena.in/active-directory/1198676.htm

http://forums.techarena.in
Re: Executable Whitelisting via GPO [message #156427 is a reply to message #156419] Tue, 16 June 2009 17:52 Go to previous messageGo to next message
Marcin  is currently offline Marcin  United States
Messages: 273
Registered: July 2009
Senior Member
Kord,
that's certainly more challenging than blacklisting - since it requires
considerably more preparation and - depending on how dynamic your
environment is - maintenance. In additoin, with some rule types (e.g. hash
or certificates), you will also need to carefully approach each deployment
of patches/service packs/software upgrades..
You cand find some basic info at
http://technet.microsoft.com/en-us/library/bb457006.aspx - but ultimately,
it is a matter of thorough testing and tight control of your environment
(including full change management)

hth
Marcin

"Kord" <Kord.3tw47a@DoNotSpam.com> wrote in message
news:Kord.3tw47a@DoNotSpam.com...
>
> I am wondering if anyone has had any experience with whitelisting
> executables via a GPO. I have not yet tried this and am thinking about
> moving towards this as an added measure of prevention and security. Any
> thoughts/comments/real world experience would be great. Also, any links
> to papers discussing this would help too.
>
>
> --
> Kord
> ------------------------------------------------------------ ------------
> Kord's Profile: http://forums.techarena.in/members/106380.htm
> View this thread: http://forums.techarena.in/active-directory/1198676.htm
>
> http://forums.techarena.in
>
Re: Executable Whitelisting via GPO [message #156442 is a reply to message #156419] Wed, 17 June 2009 03:55 Go to previous messageGo to next message
florian  is currently offline florian  Switzerland
Messages: 484
Registered: July 2009
Senior Member
Kord,

Kord schrieb:
> I am wondering if anyone has had any experience with whitelisting
> executables via a GPO. I have not yet tried this and am thinking about
> moving towards this as an added measure of prevention and security. Any
> thoughts/comments/real world experience would be great. Also, any links
> to papers discussing this would help too.

Marcin is right. Given the possibilities you have with Software
Restriction Policies in Group Policy or 3rd party software, you can do
that pretty reliably.

The hard parts of what you're trying to do is the planning and testing
software restrictions (possibly across all forms of business units and
their LOBs and side-applcations) and test them accordingly. You'll
probably need a plan how to handle mobile computers and how they should
be treated and tested.

Maintenance is the next part as new software comes along, new software
releases, service packs and hotfixes change signatures of executables.
Depending on what restriction method you use (hash for example), updates
and service packs can break things. You surely need to
develope/re-create your software maintenance plan and include the
restriction testing into it.

Software restriction policies are a good thing to look at if you're on
Windows XP and above machines. Windows7 brings a new bunch of policies,
called "AppLocker". Basically Software Restriction Policies next generation.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: Executable Whitelisting via GPO [message #156447 is a reply to message #156419] Wed, 17 June 2009 07:01 Go to previous message
Jorge Silva  is currently offline Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Hi
That could be a nightmare depending of your needs and network size :)


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Kord" <Kord.3tw47a@DoNotSpam.com> wrote in message
news:Kord.3tw47a@DoNotSpam.com...
>
> I am wondering if anyone has had any experience with whitelisting
> executables via a GPO. I have not yet tried this and am thinking about
> moving towards this as an added measure of prevention and security. Any
> thoughts/comments/real world experience would be great. Also, any links
> to papers discussing this would help too.
>
>
> --
> Kord
> ------------------------------------------------------------ ------------
> Kord's Profile: http://forums.techarena.in/members/106380.htm
> View this thread: http://forums.techarena.in/active-directory/1198676.htm
>
> http://forums.techarena.in
>
Previous Topic:DNS Best Practise
Next Topic:Format of userParameters for Terminal Services
Goto Forum:
  


Current Time: Fri Oct 20 03:03:55 EDT 2017

Total time taken to generate the page: 0.03914 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software