What is application allowlisting?
Application allowlisting, previously known as application whitelisting, is the practice of specifying an index of approved software applications or executable files that are permitted to be present and active on a computer system. Allowlisting aims to protect computers and networks from potentially harmful applications or cybersecurity risks such as ransomware or other malware.
In general, an allowlist is an index of approved entities. In information security, allowlisting works best in centrally managed environments, where systems are subject to a consistent workload.
The National Institute of Standards and Technology suggests using application allowlisting in high-risk environments, where individual systems must be secure, and it's less critical that software be usable without restrictions. To provide more flexibility, an allowlist might also index approved and trusted application components, such as software libraries, plugins, extensions and configuration files.
How does application allowlisting work?
Implementation of application allowlisting begins with building a list of approved applications and IT components. The allowlist can be built into the host operating system (OS) or provided by a third-party vendor. The simplest form of allowlisting lets the system administrator specify file attributes associated with allowlisted applications, such as file name, file path and file size. Allowlisting takes a proactive approach to security by either allowing or blocking any application that isn't on the allowlist.
One example of an allowlisting tool that's built into every Windows 10 and 11 system is Microsoft Windows Defender Application Control, now called App Control for Windows. It allows system administrators to specify which users or groups are permitted to run particular applications. It also controls application execution rights by referencing parameters such as file paths, file hashes and publisher identities. App Control restricts access to specific applications and limits users from installing new software. It can also define which versions of a piece of software are permitted to be run and provide control for running licensed software.
Advantages of application allowlisting
There are several benefits associated with using application allowlisting. It's worth noting, however, that some application allowlisting tools are more feature-rich than others and that not every tool delivers all of the benefits discussed in this section.
Enhances security against ransomware and malware attacks
Allowlisting performs deep inspections of all of the files and system components within these packages, thereby preventing embedded malware that could be hidden at deeper levels from triggering and exposing security vulnerabilities. Traditional antivirus software tends to be signature-based. In other words, when a user attempts to launch an executable file, the antivirus software compares the file's hash against a database of code known to be malicious. If no match is found, then the file is allowed to execute.
In some ways, antivirus software is similar to application blocklisting. It explicitly forbids the execution of software that's known to be malicious. However, new malware is created daily, so it's impossible for any antivirus software application to maintain a comprehensive database of malicious code.
In contrast, application allowlisting is far more restrictive. It doesn't allow any executable code to run unless an administrator has explicitly granted approval. This greatly diminishes the chances of a ransomware attack or other malware infection.
Helps identify who has access to sensitive data
Depending on an application allowlisting tool's reporting capabilities, it could help an organization determine which users are engaging in risky behavior or who have access to sensitive data. Some application allowlisting tools can create reports detailing which users have attempted to install or run unauthorized applications and any malware that has been detected.
Simplifies software license compliance
Most application allowlisting tools aren't designed to perform license metering. At the same time, however, restricting the use of unauthorized applications prevents situations in which an auditor might flag the organization for a license violation because of someone using an unlicensed application that the IT department didn't even know about.
Reduces help desk costs
Application allowlisting lets an organization's IT staff restrict which applications users can use and control which versions of an approved application can be run. These restrictions can reduce help desk costs, as they eliminate the possibility of users installing software that interferes with another application on the system. It also enables the IT staff to ensure that users are running application versions that are known to be stable and reliable.
Risks of using application allowlisting
Although allowlisting has many benefits, it also has the following drawbacks.
Potential for attackers to mimic apps
Attackers can replace allowlisted applications with malicious apps with relative ease by creating a version of their malware that's the same size and file name as a permitted application and then replacing the allowlisted application with the malicious one. Therefore, it's more effective for application allowlisting software to use cryptographic hashing techniques coupled with digital signatures linked to the software developers.
Difficult to maintain
Organizations constantly add applications to their portfolios. At the same time, the allowlist must be modified to include the new applications and all of the underlying system components they use. This adds another step to the application installation and activation process. Application allowlisting can also become more complicated than just allowlisting access for one application. For example, the application might be interrelated with other applications or system components that must also be on the allowlist for the application to run.
Might interfere with the installation of software updates and security patches
In some cases, vendors automatically install these updates and patches based on IT policy. In other cases, it's up to IT to install them. In all cases, IT must keep the allowlist updated to ensure that it's synchronized with each new software update and security patch. If allowlist updating is skipped, users won't be able to access the new software that has been installed. The failure to timely allowlist new software or updates can adversely affect users who need the new software immediately.
Application allowlisting vs. blocklisting
Unlike technologies that use application blocklisting, which prevents undesirable programs from executing, allowlisting is more restrictive and allows only programming that has been explicitly permitted to run. There's no consensus among security experts as to which technique -- blocklisting or allowlisting -- is better. However, proponents of blocklisting argue application allowlisting is complex and difficult to manage. Compiling the initial allowlist, for example, requires detailed information about all users' tasks and the applications they need to perform those tasks. Maintaining the list is also demanding because of the increasing complexity and interconnections of business processes and applications.
Proponents of allowlisting argue it's worth the time and effort needed to proactively protect systems and prevent malicious or inappropriate programs from entering the network. Using an allowlist that permits only applications that have been explicitly approved offers more protection against malicious software, rather than the looser standard used by application blocklists, which permit any software to run unless it has been discovered to be malicious and has been added to the blocklist. Allowlists are also an additional layer of security that can supplement other measures, such as zero-trust networks, firewalls and endpoint protection.
Application control vs. application allowlisting
Although the terms are often used interchangeably, application control and application allowlisting are different. Both technologies are designed to prevent the execution of unauthorized applications. However, application control isn't as stringent as true application allowlisting.
Application allowlisting is designed to monitor an OS in real time and prevent the execution of unauthorized files. This goes beyond simply preventing unwanted applications from running. Application allowlisting can also restrict the use of PowerShell scripts and other types of scripts to prevent ransomware attacks.
Although application control can be considered a form of application allowlisting, it's primarily designed to prevent unauthorized applications from being installed. When someone attempts to install a new application, the installation package is compared against a list of authorized applications. If the application is found to be authorized, then the installation process can continue.
While it's true that application control can be an effective tool for preventing the installation of unauthorized applications, the technology has more limited functionality than allowlisting and two significant shortcomings. First, application control works at the installation package level, not the file level. This means that it doesn't prevent someone from running a standalone executable file or an application that's already installed on the system. This means that while application control can be a useful tool for application management, it isn't particularly effective at preventing ransomware attacks or other cybersecurity breaches.
The other major shortcoming associated with application control is that its tools don't perform a granular inspection of application installation packages. When someone attempts to install an application, the application control mechanism only checks to see if the application is allowed. If the application is authorized, the application control tool assumes the application installation package is trustworthy. It doesn't verify the integrity or authenticity of the files within the application installation package. This can help prevent cyberthreats, but an attacker could install unauthorized code by slipping it into an otherwise legitimate application package.
5 best practices for implementing application allowlisting
The application allowlisting implementation process varies considerably depending on which allowlisting tool is being used. Regardless, the following best practices can be helpful during the implementation process.
1. Compile an inventory of applications
Before an organization begins deploying application allowlisting software, it must compile a comprehensive inventory of its applications and ensure they're included in the company's allowlisting policy. The application allowlisting software is designed to enforce endpoint security, so any software that isn't explicitly listed within the company's policy won't be allowed to run and won't be available to users.
2. Carefully identify allowlisted applications
Some organizations allowlist specific folders or file names. However, this approach can make the organization vulnerable to ransomware attacks and other threats. The problem with identifying applications by the files or folders they use is that malware authors can easily create malicious code that uses the same file names or folders as legitimate applications, thereby fooling the application allowlisting software.
3. Ensure good endpoint security
The best way to ensure good endpoint security is to identify applications using the publisher's signature or a cryptographic file hash. Most application allowlisting tools allow organizations to base their allowlisting policies around both identifiers.
A slightly less effective but still viable technique is to identify applications based on the registry keys they create. However, when building an allowlisting policy around a series of registry keys, not all executable code uses the registry. Most PowerShell scripts, for example, don't create registry entries.
Similarly, building an allowlisting policy that's based primarily on registry keys can expose an organization to various threats simply because it's easy for a malware author to spoof a legitimate application's registry keys.
4. Determine long-term management
Organizations must consider how they will handle the long-term management of the allowlists. Any time an organization adopts a new application, it must be added to the allowlist policy before it can be used. Similarly, an organization typically can't upgrade an existing application to a new version unless it first adds the new version to the allowlist.
5. Manage allowlisting and patch management processes
The bigger challenge associated with application allowlisting is intertwining the application allowlist management and patch management processes. Unless an organization has a plan for dealing with the patch management process, application patches will cause the allowlisting software to not recognize the patched application as legitimate.
Most organizations use Windows Server Update Services or a similar tool for patch management. These tools enable administrators to approve patches rather than allow endpoints to download patches automatically. As administrators approve a patch for deployment, they can also add it to the allowlist policy.
Another possible fix is to base the application allowlisting policy around vendor digital signatures. That way, if a vendor releases a patch, it will automatically be approved for use because it contains the same digital signature as the application it's updating.
Look for a vendor that keeps up with patch releases on the organization's behalf and automatically updates allowlists to reflect newly released patches. Of course, this approach might be slightly less desirable since the vendor could allowlist a patch that the organization doesn't wish to deploy.
Ensuring software is promptly patched helps minimize security risks and service disruptions. Learn what features patch management products offer and how to select the patch management software that best fits your organization's needs.
