Are You Ready for Enterprise Application Whitelisting? Part 4
Posted by Brian Gladstein on Thu, Mar 27, 2008
Welcome to Part 4 of my series on "Are You Ready for Enterprise Application Whitelisting?" Lots of people have been reading about application whitelisting - or at least wondering if there are easier ways of protecting endpoints than removing administrative rights - and are trying to figure out if now is the time to take a look at whitelisting.
So I'm presenting a number of questions that you can ask yourself to evaluate if you are in fact ready for whitelisting. And today we're going to talk about your users. Because if you have ever tried to remove administrative rights from users you know that it's an all-or-nothing proposition.
This leads us to the next question you can use to determine if you are in fact ready for enterprise application whitelisting:
Question 4: Do your users need flexibility (you can't lock them down too tightly)?
Let's talk a little more about removing admin rights from Windows computers. The motivation is that users who can control the administrative aspects of their PCs are presumably more likely to mess them up and get into trouble. Furthermore, any malware that starts running on the PC runs with the privileges of the user, and if that is not an administrative level the malware is much less likely to inflict serious damage on the machine.
But because of the way that admin rights are implemented and managed in Windows, in practice you are left with a very limiting and very inflexible choice. Either:
1. You can remove administrative rights from your users but every time they need to make a change you have to send an IT admin to their desks to help them, or
2. You can't remove administrative rights because of legacy applications or cultural issues, and they can do anything they want to their PCs.
Most companies will assess each department individually to decide if the costs of supporting installations (#1 above) are higher or lower than the costs of managing, cleaning, and protecting against malware and unauthorized software (#2 above). On average, companies put about 75% of their users in bucket #1 and remove admin rights, leaving the other 25% of users in bucket #2, with admin rights.
But these results really aren't practical and don't meet the goals of the organization. Because IT needs more flexibility. And users need more flexibility. Why should a user who is locked down not be allowed to install the Adobe Acrobat Reader themselves if that is a well-known, trouble-free, and perfectly reasonable application to install? Why does IT need to get involved every time that happens?
The truth is: they don't. They shouldn't. Your protection strategy should be more flexible than that, and that is exactly where whitelisting comes in. Authorize users to install specific apps. Nothing else gets through.
If your users' behaviors and needs are complex... if you don't want to be babysitting them every time they need a simple non-standard installation done... then you are probably ready to look at enterprise application whitelisting.