Your Windows 10 enterprise is only as secure as the shadiest app allowed to run. No matter how carefully you configure the OS itself, it can still run recklessly insecure applications. The obvious solution is: don’t let users run garbage apps!
The Garbage App Law: Windows 10 apps are guilty of being garbage until proven to be totally secure.
This does not mean that the apps are insecure. It just means that your IT department must classify them as insecure until and unless there is evidence to the contrary.
So, how do you prevent users from running them? Traditionally the answer is whitelisting. However, the answer is increasingly becoming cloudlisting. In this blog, I’ll explain both. I’ll also tell you why I believe that the future of app security is in the cloud.
A Brief History of Windows Whitelisting
You’re all familiar with whitelisting, right? This is where you take time to make a list of all known-good applications that are specifically allowed to run in your organization. Then you enforce the list, so people can only run applications on it. If somebody tries to run an application that is not on the list, the operation is denied.
Microsoft introduced AppLocker in Windows 7 Enterprise and Ultimate to address this need. It’s available in Windows 10 Enterprise and Education. AppLocker is more than just a simple allow list. It lets administrators create a set of rules to allow (or deny) applications based on the name of the file, who the publisher is, or where the application is installed.
It’s not automatically foolproof. There are several common methods for bypassing it, such as installing a forbidden executable into a whitelisted location. With careful implementation and maintenance, though, AppLocker is extremely secure.
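Here is what a careful implementation looks like in practice. This is an added example (my illustration, not code from Microsoft’s AppLocker documentation): it builds a baseline policy from the programs installed on a clean reference workstation, prefers publisher rules over path rules so that dropping a rogue binary into an allowed folder doesn’t satisfy the policy, and deploys in audit mode first. The directory list, the temp file name, and the sample path tested are placeholders you would replace with your own.

```powershell
# Added example: build an AppLocker baseline from a reference machine.
# Assumes an elevated PowerShell session on Windows 10 Enterprise/Education
# with the AppLocker module available and the Application Identity service
# (AppIDSvc) running, which AppLocker needs in order to enforce anything.
Import-Module AppLocker

# Directories treated as known-good on the reference machine (placeholder list).
$knownGoodDirs = 'C:\Program Files', 'C:\Program Files (x86)'

# Gather publisher/hash information for every executable, DLL, script and
# installer under those directories.
$files = Get-AppLockerFileInformation -Directory $knownGoodDirs -Recurse `
    -FileType Exe, Dll, Script, WindowsInstaller

# Publisher rules first (they follow the signer, not the folder, so they survive
# updates and cannot be satisfied by copying an arbitrary file into an allowed
# location); hash rules only for unsigned files. No path rules are generated.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# New-AppLockerPolicy emits EnforcementMode="NotConfigured"; start in AuditOnly
# so blocks show up in the AppLocker event log (Microsoft-Windows-AppLocker)
# without breaking anyone, then flip to "Enabled" once the log is quiet.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyFile = Join-Path $env:TEMP 'applocker-baseline.xml'   # placeholder path
$policyXml | Out-File -FilePath $policyFile -Encoding utf8

# Dry-run: would this downloaded tool be allowed for Everyone under the policy?
# (Sample path is constructed for the example.)
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone `
    -Path 'C:\Users\Public\Downloads\unknown-tool.exe'

# Apply locally, merging with any existing rules. For domain-wide deployment,
# add -Ldap with the GPO's LDAP path instead of applying on the local machine.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

The important design choice is the rule type order: a path rule for `C:\Program Files` is exactly the whitelisted-location bypass mentioned above, while a publisher rule keeps working when the vendor ships an update and does nothing for an unsigned file somebody copies in.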
Whitelisting is effective, and a great security tool for enterprises. However, it can take a fair amount of time and effort to create whitelists and keep them current. Enter cloudlisting.
A Brief-ish History of Cloudlisting
Cloudlisting uses the cloud reputation of desktop apps (downloaded installers and executables) and web apps (websites/URLs) to build allow/deny lists. Cloudlisting lets you enforce application security using an automatically maintained whitelist in the cloud.
Disclaimer: cloudlisting is not technically a word. I made it up because the technology needed a clearer identifier. So, if you mention it by the water cooler, you can expect blank stares.
What Is Cloud Reputation?
In the Windows world, cloud reputation refers to the trustworthiness of an app as ranked in a “service that Microsoft maintains.” This service may look at things like telemetry data on how many people are using it without problems, services that report on phishing and malware websites, the credibility of an app publisher, whether an app is registered in the Microsoft Store, or other factors.
Microsoft’s exact algorithm is not published, so cloudlisting is predicated on trust in Microsoft. Seems safe to me! Microsoft has never steered me wrong (with the possible exception of Windows ME).
Cloudlisting Started in the Browser
Microsoft introduced cloudlisting for websites/URLs in Internet Explorer (IE) 7 with the Phishing Filter. IE 8’s SmartScreen Filter enhanced the checking of websites/URLs for trustworthiness. IE 9 introduced SmartScreen Application Reputation, which looked at downloads of executable files to warn if they didn’t have a safe reputation.
Then it Moved to the Desktop
The Windows 8 SmartScreen Filter brought cloudlisting to desktop apps downloaded from the Internet. In Windows 10 the technology is called Windows Defender SmartScreen and is very mature. Group Policy or MDM settings can prevent users from running apps that lack a good reputation or are known as malicious.
Windows 10 still protects web browsing with cloudlisting, via Edge browser’s SmartScreen Filter for websites/URLs.
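Those Group Policy and MDM settings land in the registry, which makes the configuration easy to script and, just as importantly, easy to audit. The following is an added example (mine, not Microsoft’s documentation): it sets the policy values that the “Configure Windows Defender SmartScreen” setting writes for desktop apps, sets the equivalent values for the Edge SmartScreen Filter, and then reads them back so you can confirm the machine is actually in block mode rather than warn mode.

```powershell
# Added example: enforce SmartScreen in block mode for downloaded desktop apps
# and for Edge, then verify. Assumes Windows 10 version 1703 or later and an
# elevated session. The registry locations are the ones the corresponding
# Group Policy settings write; a GPO or MDM profile would set the same values.

function Set-SmartScreenBlockMode {
    # Desktop apps (Explorer / shell): "Configure Windows Defender SmartScreen".
    $shellKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    New-Item -Path $shellKey -Force | Out-Null
    Set-ItemProperty -Path $shellKey -Name 'EnableSmartScreen' -Value 1 -Type DWord
    # 'Block' refuses apps with no good reputation; 'Warn' lets the user click through.
    Set-ItemProperty -Path $shellKey -Name 'ShellSmartScreenLevel' -Value 'Block' -Type String

    # Edge browser (the original, EdgeHTML-based Edge) SmartScreen Filter for URLs.
    $edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
    New-Item -Path $edgeKey -Force | Out-Null
    Set-ItemProperty -Path $edgeKey -Name 'EnabledV9' -Value 1 -Type DWord
    Set-ItemProperty -Path $edgeKey -Name 'PreventOverride' -Value 1 -Type DWord
}

function Test-SmartScreenBlockMode {
    # Returns $true only if every value is in the enforced state; use this in a
    # compliance check so a machine left in 'Warn' mode stands out.
    $shell = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $edge  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -ErrorAction SilentlyContinue
    return ($shell.EnableSmartScreen -eq 1) -and
           ($shell.ShellSmartScreenLevel -eq 'Block') -and
           ($edge.EnabledV9 -eq 1) -and
           ($edge.PreventOverride -eq 1)
}

Set-SmartScreenBlockMode
if (Test-SmartScreenBlockMode) { 'SmartScreen: block mode enforced' } else { 'SmartScreen: NOT fully enforced' }
```

The distinction worth watching is `Warn` versus `Block`. With `Warn`, a user who is determined to run the installer can still click through the SmartScreen dialog, so the setting is only a speed bump; `Block` (together with `PreventOverride` in Edge) is what turns cloud reputation into an actual allow list.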
Cloudlisting Will Go Virtual
Microsoft recently introduced the Windows Defender Application Guard. The word application here refers to web apps, ostensibly because of all the cloud services that appear to users as websites. Application Guard lets administrators whitelist websites, cloud resources, and internal networks. Anything not whitelisted is considered untrusted and is automatically run in a virtualized browsing session.
Forcing untrusted apps into a virtual Edge browser session is brilliant. Any damage an attacker inflicts will be limited to the virtual machine it’s running in, not the host OS. Access to resources will be limited as well.
For now, Application Guard does not use cloudlisting. It’s pure whitelisting. Mark my words, it’s just a matter of time before this concept is extended to use cloud reputation. It makes perfect sense to virtualize apps that are neither known to be safe nor proven dangerous.
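For anyone who wants to try Application Guard’s whitelist today, here is an added example of mine (not a Microsoft sample) that turns on the feature and defines the trusted-site boundary. The network-isolation policy values it writes are my assumption about where the “Enterprise resource domains hosted in the cloud” and “Domains categorized as both work and personal” Group Policy settings are stored; the domain names and subnet are placeholders.

```powershell
# Added example: enable Windows Defender Application Guard and define the
# trusted boundary. Everything outside it opens in the isolated Edge session.
# Assumes Windows 10 Enterprise with virtualization support, an elevated session,
# and a reboot after enabling the optional feature.

# 1. Enable the optional feature (a restart is required before it takes effect).
Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart

# 2. Define what counts as trusted. ASSUMED registry location of the
#    "Network Isolation" policy settings that Application Guard reads.
$isoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
New-Item -Path $isoKey -Force | Out-Null

# Cloud resources treated as enterprise (placeholder domains, pipe-separated).
Set-ItemProperty -Path $isoKey -Name 'EnterpriseCloudResources' `
    -Value 'intranet.example.com|mail.example.com' -Type String

# Domains that are both work and personal, so they are allowed on the host
# as well as in the container (placeholder).
Set-ItemProperty -Path $isoKey -Name 'NeutralResources' `
    -Value 'login.example.com' -Type String

# Internal network ranges considered part of the enterprise (placeholder).
Set-ItemProperty -Path $isoKey -Name 'EnterpriseIPRange' `
    -Value '10.0.0.0-10.255.255.255' -Type String

# 3. Read the boundary back so the whitelist can be reviewed like any other policy.
Get-ItemProperty -Path $isoKey |
    Select-Object EnterpriseCloudResources, NeutralResources, EnterpriseIPRange
```

Note how small the list is: the point of the design is that the whitelist only has to name what you trust, and the virtual session handles everything else by default. That is also why extending it with cloud reputation would be such a natural next step.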
The Cloud(list) Will Save Us
Some companies will always maintain comprehensive allow/deny lists, straight up whitelists. Enterprises and certain industries such as financial institutions usually require total control. These companies may never use cloudlisting.
Many smaller companies are already using cloudlisting and calling it a day. Cloudlisting will get smarter and more secure every day. Microsoft will continue to improve it. (This is my prediction, not an official Microsoft statement, but I’d be surprised if it weren’t true.)
Over time, though, most companies will trust cloudlisting. The world is moving too fast to keep up with all the new applications, threats, and countermeasures in every application. Businesses will let cloud reputation be their guide.
Which Should You Use Today?
Whether you choose whitelisting, cloudlisting, or both, one thing is clear. You can’t let people run all the applications they want to. The modern security landscape demands that you lock down the list of apps people are allowed to use. Do that, and you’ll be one step closer to a secure Windows 10 enterprise.