If you’re planning on taking the Security+ exam, you should have a basic understanding of methods used to protect hosts, such as preventing software installation on workstations, servers, and mobile devices.
For example, can you answer this question?
Q. Your organization wants to ensure that employees do not install or play operating system games, such as solitaire and FreeCell, on their computers. Which of the following is the BEST choice to prevent this?
A. Security policy
B. Application whitelisting
C. Anti-malware software
D. Antivirus software
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Whitelisting Versus Blacklisting Applications
Whitelisting and blacklisting are two additional methods used to protect hosts, including workstations, servers, and mobile devices. A whitelist is a list of applications authorized to run on a system. A blacklist is a list of applications the system blocks.
You can use Software Restriction Policies in Microsoft Group Policy for both whitelisting and blacklisting for computers within a domain. For a whitelist, you identify the applications that can run on the system, and Group Policy blocks all other applications. For a blacklist, you identify the applications that cannot run on the system, and Group Policy allows any other applications. For example, if users have been running a specific type of unauthorized P2P software, or operating system games such as FreeCell, you can add these applications to the blacklist. Group Policy will then prevent them from running.
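As an added illustration (not part of the original post), the following Python model captures the key difference between the two approaches: a whitelist blocks anything not on the list, while a blacklist allows anything not on the list. The executables and their contents are constructed, and identifying applications by content hash (as SRP hash rules do, rather than by file name) is an assumption of the model; it also shows why a renamed copy of a blacklisted program is still caught.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executables. A real policy hashes the binaries on
# disk; here short byte strings play that role so the example runs offline.
SAMPLE_FILES = {
    r"C:\Program Files\Office\winword.exe": b"WINWORD-bytes",
    r"C:\Windows\System32\freecell.exe": b"FREECELL-bytes",
    r"C:\Users\alice\Downloads\p2pclient.exe": b"P2P-bytes",
    r"C:\Users\alice\Desktop\notagame.exe": b"FREECELL-bytes",  # renamed copy of FreeCell
    r"C:\Users\alice\Downloads\newtool.exe": b"NEWTOOL-bytes",  # on neither list
}


def file_hash(data: bytes) -> str:
    """Identify an application by its content, not by its file name or path."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class AppPolicy:
    mode: str                                  # "whitelist" or "blacklist"
    hashes: set = field(default_factory=set)   # hashes of the listed applications

    def allows(self, data: bytes) -> bool:
        listed = file_hash(data) in self.hashes
        if self.mode == "whitelist":
            return listed          # default deny: only listed applications run
        if self.mode == "blacklist":
            return not listed      # default allow: everything runs except listed ones
        raise ValueError(f"unknown policy mode: {self.mode}")


def build_policies():
    """Whitelist authorising only Word; blacklist banning FreeCell and the P2P client."""
    whitelist = AppPolicy("whitelist", {file_hash(b"WINWORD-bytes")})
    blacklist = AppPolicy("blacklist", {file_hash(b"FREECELL-bytes"), file_hash(b"P2P-bytes")})
    return whitelist, blacklist


def evaluate(policy: AppPolicy, files=SAMPLE_FILES) -> dict:
    """Map each path to True (may run) or False (blocked) under the policy."""
    return {path: policy.allows(data) for path, data in files.items()}


if __name__ == "__main__":
    whitelist, blacklist = build_policies()
    for path in SAMPLE_FILES:
        print(f"{path:45} whitelist={evaluate(whitelist)[path]!s:5} blacklist={evaluate(blacklist)[path]}")
```

Note that the unknown newtool.exe runs under the blacklist but not under the whitelist, which is why whitelisting is the stronger control when the goal is to stop anything unauthorized.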
Some antivirus software supports the use of whitelists. For example, Kaspersky Lab maintains a whitelist database. This list helps prevent false positives where antivirus software incorrectly identifies valid applications as malicious software. Note that in this example, the whitelist doesn’t include all the safe software in the world. Instead, it includes a list of applications that are known to be safe. Antivirus software doesn’t need to check these applications as closely as unknown applications.
Remember this
Application whitelisting identifies authorized software for workstations, servers, and mobile devices. It prevents users from installing or running software that isn’t on the list.
Trusted OS
A trusted operating system (trusted OS) meets a set of predetermined requirements with a heavy emphasis on authentication and authorization. The overall goal of a trusted operating system is to ensure that only authorized personnel can access data based on their permissions. Additionally, a trusted operating system prevents any modifications or movement of data by unauthorized entities. With this in mind, a trusted OS helps prevent malicious software (malware) infections because it prevents malicious or suspicious code from executing.
A trusted OS meets a high level of security requirements imposed by a third party. For example, the Common Criteria for Information Technology Security Evaluation (or simply Common Criteria) includes requirements for a trusted OS. Operating systems that meet these requirements can be certified as trusted operating systems.
Q. Your organization wants to ensure that employees do not install or play operating system games, such as solitaire and FreeCell, on their computers. Which of the following is the BEST choice to prevent this?
A. Security policy
B. Application whitelisting
C. Anti-malware software
D. Antivirus software
Answer is B. Application whitelisting identifies authorized applications and prevents users from installing or running any other applications. Alternatively, you can use a blacklist to identify specific applications that cannot be installed or run on a system.
A security policy (such as an acceptable use policy) can state a rule to discourage this behavior, but it doesn’t enforce the rule by preventing users from installing or running the software.
Anti-malware software and antivirus software can detect and block malware, but not applications.