Channel: Ivanti User Community : Discussion List - All Communities

White-listing network paths


I'm looking at defining a process to allow for white-listing network paths. I'm looking for positive or negative feedback on the approach below:

 

  • Application Control will deny execution for network paths unless the path is added (whether using Allow untrusted owner or not). Other than blocking all network executables completely (which would be the better idea), applications will need to be white-listed.
  • To allow execution, the AC administrator can add the path to the Allowed list of a rule (e.g. Everyone).
  • For larger organisations with applications all over the place, there could be applications on multiple file servers, paths etc. This can potentially require a complex set of white-listed paths.
  • Instead of white-listing specific executable paths (i.e. full path) and using metadata such as Vendor or file hashes, define a high-level folder path instead (and enable sub-folders).
  • Create a process external to the Application Control configuration that requires application owners and administrators to set the correct Trusted Ownership on the target locations and remove Full Control for everyone except the application owner/administrator.

 

The intended process should simplify the Application Control configuration, rely on Trusted Ownership and push the responsibility back to the application owners to get an application to execute. This of course relies on trusting application owners, but no different to trusting any other administrator who could get code to execute on an end-point. The process would require a rigorous validation of applications on the network, but again, I see this as no different to a ConfigMgr administrator (for example).

 

Any feedback is appreciated.
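
A path-level allow rule is only as strong as the ownership and permissions beneath it, so the external process described in the post needs a repeatable check. The following PowerShell audit is an added example, not part of the original post and not Ivanti code; the function name `Test-WhitelistedPath`, the trusted-owner list and the temp-folder demo are assumptions made for illustration.

```powershell
# Added example: audit a folder tree that is allowed by path in Application Control.
# Reports items whose owner is not trusted and ACEs that let a non-trusted
# principal change content. Function name and parameters are hypothetical.
function Test-WhitelistedPath {
    param(
        [Parameter(Mandatory)] [string]   $Path,          # high-level allowed folder
        [Parameter(Mandatory)] [string[]] $TrustedOwners  # accounts allowed to own/modify
    )
    # Rights that allow planting or replacing an executable under the path,
    # plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000), which
    # Get-Acl can return as raw bits on inherit-only ACEs.
    $named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$named -bor 0x10000000 -bor 0x40000000

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        if ($acl.Owner -notin $TrustedOwners) {
            [pscustomobject]@{ Path = $item.FullName; Issue = 'UntrustedOwner'
                               Principal = $acl.Owner; Rights = '' }
        }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                ([int]$ace.FileSystemRights -band $writeMask) -and
                $id -notin $TrustedOwners) {
                [pscustomobject]@{ Path = $item.FullName; Issue = 'WritableByUntrusted'
                                   Principal = $id; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Constructed demo: a temp folder stands in for the allowed network share.
# The trusted list here is an assumption; use the owners your configuration trusts.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'ac-whitelist-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'app.exe') -Value 'placeholder'
Test-WhitelistedPath -Path $demo -TrustedOwners 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators' |
    Format-Table -AutoSize
```

Run on a schedule against each allowed folder, an empty result means the tree still meets the ownership and permission conditions the allow rule depends on; any row is a location where someone outside the trusted list could introduce an executable.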

