  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1146

Application Whitelisting

Hi Experts.
I have been asked to implement application whitelisting using Microsoft Software Restriction Policies, or similar. All up there are around 300 individual applications across the site, and many go through upgrades, version changes, etc. Keeping track of that many applications via SRP would be painful. Not only that, but testing each application and all its DLLs and EXEs against any policies would take weeks of work, not days as the onsite I.T. consultant seems to think. What are your thoughts? Is it recommended we do this using Microsoft SRP, or is there a better solution available?
Advice and thoughts/suggestions would be most appreciated.
0
craigleenz
2 Solutions
 
jax79sg Commented:
Policy-wise, I think it would be a good idea to perform an initial baseline. A baseline refers to the state of a client machine when it is deployed (its patch level, security settings, applications installed, etc.). In most cases, there would be a single baseline, and a few variations to cater for specific groups. The initial baselining would be time-consuming, but it would prove to be easier on the administrator for subsequent configuration changes.

Technical-wise, you might like to read a bit on Microsoft System Center Configuration Manager. There is much other such configuration management software on the market; a quick Google can give you a clearer idea.
0
 
craigleenz (Author) Commented:
Thanks jax79sg, will have a read. I'm sort of wanting more info on the likes of advantages vs. disadvantages of using Microsoft SRP.
0
 
Justin Owens (ITIL Problem Manager) Commented:
Are you wanting to use SRP in AD 2003 or 2008 (what is the functional level)? Also, what is your desired end result? It may be that SRP is a good choice, or it may be that another option would be better. Without knowing exactly what you are wanting to accomplish, it will be very difficult to give advice one way or the other.

Have you read any documentation in SRP itself, such as this, to see if it even does what you are trying to accomplish?

DrUltima
0

 
craigleenz (Author) Commented:
Thank you for the response, DrUltima. At present we are wanting to use this in AD 2003; the desired result is to allow only applications that are a part of this "whitelist" to be able to run on workstations/laptops on the domain.
0
 
Justin Owens (ITIL Problem Manager) Commented:
Depending on how it is deployed, you can get SRP to work for you if this is your only requirement. You will have difficulties the more exceptions to policy you make, of course, and you will have to make updates if version changes happen (depending on setup for hash check, folder location, etc.).

Honestly, it will be a lot of effort on the administration side. This would be great for kiosk-type machines which you don't want folks to mess with at all and you don't foresee often changing. If you are using it for standard, production machines, there are more efficient ways of handling this, such as SCCM, etc.

DrUltima
0
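The maintenance cost mentioned in the answer above (hash rules need updating on every version change, folder rules do not) can be measured before committing to SRP. This is an added example, not code from the thread or from Microsoft; the function names, the SHA-256 choice and the sample files are assumptions constructed for illustration.

```python
import hashlib, os, tempfile

BINARY_EXTS = {".exe", ".dll"}

def inventory(root):
    """Map relative path -> SHA-256 for every EXE/DLL under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in BINARY_EXTS:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return found

def rule_drift(baseline, current, path_rules=()):
    """Classify binaries against baseline hash rules and optional folder prefixes."""
    allowed_hashes = set(baseline.values())
    report = {"ok": [], "stale_hash": [], "unlisted": [], "path_only": []}
    for path, digest in sorted(current.items()):
        if digest in allowed_hashes:
            report["ok"].append(path)          # hash rule still matches
        elif any(path.startswith(p) for p in path_rules):
            report["path_only"].append(path)   # allowed only by folder rule
        elif path in baseline:
            report["stale_hash"].append(path)  # known app, hash rule needs update
        else:
            report["unlisted"].append(path)    # never approved
    return report

def demo():
    """Constructed sample: one app upgraded, one new binary dropped in."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        for rel, data in [("AppA/app.exe", b"AppA v1.0"),
                          ("AppA/lib.dll", b"lib v1.0"), ("AppB/tool.exe", b"AppB v1.0")]:
            write(rel, data)
        baseline = inventory(root)
        write("AppA/app.exe", b"AppA v1.1")     # upgrade changes the hash
        write("Temp/dropped.exe", b"unknown")   # not in the whitelist
        current = inventory(root)
        return rule_drift(baseline, current), rule_drift(baseline, current, ("AppA/", "AppB/"))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running the same comparison across the roughly 300 applications after each patch cycle gives a count of `stale_hash` entries, which is the rule-update workload. A folder rule removes that workload only where standard users cannot write to the allowed folder.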
 
craigleenz (Author) Commented:
Thanks DrUltima, I think I will try and pitch the amount of effort involved from an administration point of view; this has been pointed out by a few staff in our organization who are more familiar with Microsoft SRP.
I will look into the SCCM option; I guess it also comes down to cost....
0
 
Justin Owens (ITIL Problem Manager) Commented:
If cost is your primary motivation, you will have to measure the amount of dollars spent in man hours for the free product against the upfront cost of something like SCCM, which should have a lower number of man hours.  Viewed holistically, there is a high probability that when accounting for man hours cost, SCCM is still less expensive than the "free" utility.

DrUltima
0
 
craigleenz (Author) Commented:
Has given me enough ideas on how to approach this task at hand.
0
