Maintaining Application Control
Administrators must perform frequent maintenance tasks for operating system patches and service packs, software updates, new software installations, and frequently changing software application uses in any network environment. These tasks also require frequent updates to the Application Control central file authorization list.
Application Control provides different tools that address:
- Operating System Updates and Patches
- Frequently Changing Software Use
- Software Updates
- New Software Installations
- Macros and Other Changing Files
Operating System Updates and Patches
Operating systems are subject to continual updates and upgrades.
Microsoft® provides Windows® Server Update Services (WSUS) for downloading, approving, and managing the distribution of Windows Operating System (OS) updates for all computers in your network. You can use the Ivanti Device and Application Control Authorization Service tool to monitor and authorize OS changes and create updates for the central authorization list using Microsoft SUS or WSUS, thereby minimizing the network administration burden.
Frequently Changing Software Use
Some software applications must be updated daily, such as antivirus, antispam, or antispyware applications; other applications only receive periodic upgrades or updates. Using the Path Rules feature in the Management Console, combined with trusted ownership, you can allow software updates and modifications of frequently updated applications.
When software application updates are automatically allowed by your network administration policies, you can create specific path rules for each application that is frequently updated. Instead of individually authorizing application files using file groups, you can administer file authorization updates using path rules, if all of the following policies are true:
- You trust the source of the file updates.
- You are confident the update mechanisms can be trusted.
Finally, you can combine the path rules with trusted ownership verification to complete the Application Control authorization schema.
Software Updates
Periodic or single instance software application updates can modify a few application files or constitute a completely new installation. The methods for authorizing these types of software application updates vary, depending upon the source of the update and the computers and users targeted for the update.
Depending on the type of update and the targeted computers you can:
- Create an application-specific template to assign authorized users and user groups, using the Scan Explorer.
- Use the Log Explorer to identify the software application and assign users and user groups to corresponding authorized file groups.
- Use the Authorization Wizard.
New Software Installations
All enterprise network systems routinely deploy new software installations. For planned, known, and trusted source installations of new application software, the Authorization Wizard is the most administratively efficient method for authorizing new software application installations.
New software application installations are generally deployed from the following locations:
- Deployment from a central file server repository.
- Using Microsoft Systems Management Server (SMS) packages.
- Directly on a client computer using a CD/DVD source.
Regardless of the new software application deployment method, you can use the Authorization Wizard to scan, identify, and authorize the new application software executable files.
Macros and Other Changing Files
As an administrator you may be constantly challenged with authorizing files containing embedded macros. The content of such files may change frequently because any user can edit the macro content stored in the file.
Macros embedded in files with a previously calculated hash, for example Microsoft Word or Microsoft Excel files, are unique. These are legal files that are authorized to run. However, after a file is modified and re-saved in the system, the file no longer corresponds with the hash calculated when the file was initially authorized.
The next time a user attempts to run the modified file, access will be denied because the hash does not match the hash originally calculated. A good practice is to discourage modifying the macro content embedded in files and assign these types of files Windows® Read-Only file permission.
Deleting Local Authorization Files
Local authorization should only be granted to trusted users. Depending upon your security policies, you may need to periodically delete local user authorization lists.
You can delete locally authorized software applications when:
- An application is locally authorized by numerous users and merits control by central authorization, instead of local authorization.
- Policy changes require that all file authorizations must be centrally controlled.
- A user can no longer be considered trusted.
- A user mistakenly authorizes an application file.
Local authorizations are stored in a local file on the client. To remove local authorization files, delete the .locauth files stored in the %WINDOWS%\system32\sxdata folder. You can perform local authorization file maintenance on a per-user basis or delete file batches at startup by defining a task in the Windows Scheduler.
Globally Disable Local Authorization
You can disable locally authorized executable files, scripts, or macros using file group assignments.
When you do not want to delete local authorization files, you can still disable access to locally authorized files through user file group assignments.
- Create a file group named Not Allowed.
- Add all applications that are not allowed to run to the Not Allowed file group. Do not assign this file group to any user or user group.
- Send updates to all computers.