From the course: CompTIA Security+ (SY0-701) Cert Prep

Application management

- [Narrator] One of the best ways to protect against malicious software is to prevent users from running unwanted applications with a technology called application control. Application control restricts the software that runs on a system to programs that meet the organization's security policy. There are two main approaches to application control: allow lists and deny lists. In the allow lists approach, administrators create a list of all the applications that users may run on their systems. This works well in a very tightly controlled environment, but it can be difficult to administer if you have many different applications and roles. The deny lists approach offers users much more flexibility. Instead of listing the applications that users are allowed to run, administrators list prohibited applications. This is much easier for users, but it does reduce the effectiveness of application control.

Application control technology provides important information for cybersecurity analysts. Therefore, you should connect application control logs to your security information and event management system or other central log repository. Once you have those logs in a safe, centralized location, you can watch them for signs of malicious activity. You might detect indications that an insider is attempting to misuse privileges, or that an attacker has compromised a machine and is trying to run exploit tools on it. That information won't be accessible to you unless you routinely store and analyze logs.

Windows provides the AppLocker functionality to implement application control. Let's go ahead and build an AppLocker application control policy by creating a group policy object. I've opened the Group Policy Management tool, and I'm going to create a new GPO in my domain. I'm going to give this GPO the name Application Restrictions. And once it's created, I'm going to right-click on it and choose Edit to open the Group Policy Management Editor. Then I'll find the AppLocker settings. They're under Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies, and then AppLocker. You can see here that I have choices for the different types of rules that I can create in AppLocker.

Earlier in the course, you learned about the importance of applying security patches to your operating systems to protect against new vulnerabilities. It's also important to apply patches to applications, as applications can also have serious security flaws. Different software vendors provide different patching mechanisms. Many of the update mechanisms are automatic and can be enabled within the application settings. For example, here's Adobe Reader running on a Windows system. If I want to verify the update status of the software, I can choose the Help menu and then select Check for Updates. Here I see that there are no updates available because I have the most recent version of Acrobat Reader installed. Updates to applications may also be deployed by administrators through their normal software deployment mechanisms. It's not necessarily important how you apply updates, as long as you do apply updates. Now, that's just one example of application patching. Security administrators must maintain familiarity with the software installed in their environments and the update mechanisms for each.

Finally, it's a good practice to conduct host software baselining using the system configuration manager of your choice. Host software baselining uses a standard list of the software that you expect to see on systems in your environment and then reports deviations from that baseline. You'll be able to identify unwanted software running in your environment.
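As an added example (not part of the course transcript or its demo), the same allow-list AppLocker policy built in PowerShell instead of through the Group Policy editor: rules are generated from a reference machine, deployed in audit mode first, and the resulting AppLocker events are pulled for forwarding to the SIEM. The reference directories, the test file paths and the GPO's LDAP path are placeholders.

```powershell
# Added example, not from the course: build an AppLocker allow-list policy
# from a reference machine, deploy it to a GPO in audit mode, and review
# the events it records. Assumes an administrative session on a
# domain-joined host; the LDAP path is a placeholder for the
# "Application Restrictions" GPO's distinguished name.
$gpoLdapPath = 'LDAP://<dc-fqdn>/CN={<gpo-guid>},CN=Policies,CN=System,DC=example,DC=com'
$policyPath  = 'C:\Temp\AppLocker-AuditOnly.xml'

# AppLocker only evaluates rules while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory the executables installed on the reference machine.
$files = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Turn the inventory into rules: publisher rules for signed binaries,
#    hash rules as the fallback for unsigned ones. -Optimize merges rules
#    that share a publisher so the allow list stays manageable.
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                  -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Start in audit mode: nothing is blocked yet, but every executable the
#    allow list would have denied is logged, which exposes gaps before enforcing.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 4. Dry-run the policy against sample binaries (placeholder paths) to see
#    which rule, if any, would allow each one.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Windows\System32\notepad.exe', "$env:USERPROFILE\Downloads\tool.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Push the policy into the GPO. -Merge keeps rules already in the GPO.
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $gpoLdapPath -Merge

# 6. Review what AppLocker recorded. Event 8003 = would have been blocked
#    (audit mode), 8004 = blocked (enforce mode). This is the log to ship to
#    the SIEM; -ErrorAction avoids a terminating error when the log is empty.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message |
    Format-Table -AutoSize
```

Once the audit events show only expected software, switching each collection's EnforcementMode to Enabled turns the same policy into an enforced allow list.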