20.17 Ensure 'Deny-all, permit-by-exception policy to allow the execution of authorized software programs'

Information

This policy setting ensures that a deny-all, permit-by-exception policy is deployed to the system. This policy will only allow the execution of authorized software programs.

Note: The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allow-listing.

Using an allow-list provides a configuration management method that permits execution of only authorized software, which decreases the likelihood of malicious software executing on the system.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure an application allow-listing program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

If AppLocker is used, it is configured through group policy:

Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker

Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker".
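The following is an added example, not part of the benchmark or Nessus text: it stages a deny-all, permit-by-exception AppLocker policy on the local machine with the AppLocker PowerShell module, dry-runs it, and applies it. The paths are hypothetical: approved software is assumed to live under C:\ApprovedApps, the policy is staged at C:\AppLockerPolicy\allowlist.xml, and C:\Tools\unapproved.exe stands in for a binary that is not on the allow-list. Once any rule exists in an AppLocker rule collection, everything not explicitly allowed in that collection is denied, so the example first adds rules that keep Windows itself runnable and then merges in allow rules for the approved set.

```powershell
# Added example (not from the benchmark): build, test and apply a deny-all,
# permit-by-exception AppLocker policy with the AppLocker PowerShell module.
# Hypothetical paths: approved software under C:\ApprovedApps, policy staged
# at C:\AppLockerPolicy\allowlist.xml, C:\Tools\unapproved.exe is a stand-in
# for a binary that is not on the allow-list.
#Requires -RunAsAdministrator
Import-Module AppLocker

$approvedDir = 'C:\ApprovedApps'
$policyPath  = 'C:\AppLockerPolicy\allowlist.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# Rules that keep the OS usable once enforcement starts. A collection with
# at least one rule implicitly denies everything else, so without these the
# Windows directory itself would be blocked. Everyone = S-1-1-0,
# BUILTIN\Administrators = S-1-5-32-544. Collections start in AuditOnly.
function New-PathRule([string]$Name, [string]$Path, [string]$Sid) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}
$baseXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule 'Allow Windows folder'       '%WINDIR%\*'           'S-1-1-0')
$(New-PathRule 'Allow Program Files folder' '%PROGRAMFILES%\*'     'S-1-1-0')
$(New-PathRule 'Allow administrators'       '*'                    'S-1-5-32-544')
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathRule 'Allow Windows scripts'      '%WINDIR%\*'           'S-1-1-0')
$(New-PathRule 'Allow administrators'       '*'                    'S-1-5-32-544')
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
$(New-PathRule 'Allow Windows installers'   '%WINDIR%\Installer\*' 'S-1-1-0')
$(New-PathRule 'Allow administrators'       '*'                    'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@

# Allow rules for the approved set: publisher rules where a file is signed,
# hash rules otherwise. -Optimize collapses rules that share a publisher.
$fileInfo  = Get-AppLockerFileInformation -Directory $approvedDir -Recurse `
    -FileType Exe, Script, WindowsInstaller
$generated = [xml](New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml)

# Merge the generated rules into the base policy, collection by collection.
$policy = [xml]$baseXml
foreach ($coll in $generated.AppLockerPolicy.RuleCollection) {
    $target = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $coll.Type }
    if (-not $target) {
        $target = $policy.ImportNode($coll, $false)
        $target.SetAttribute('EnforcementMode', 'AuditOnly')
        $policy.AppLockerPolicy.AppendChild($target) | Out-Null
    }
    foreach ($rule in $coll.ChildNodes) {
        $target.AppendChild($policy.ImportNode($rule, $true)) | Out-Null
    }
}
$policy.Save($policyPath)

# Dry-run: notepad.exe should be Allowed by the Windows folder rule; the
# unapproved binary should be DeniedByDefault, which is the
# permit-by-exception behaviour this control requires.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", 'C:\Tools\unapproved.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker only enforces while the Application Identity service is running.
# It is a protected service, so use sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply to the local policy (replaces it; use -Ldap "LDAP://..." to write the
# AppLocker node of a domain GPO instead). Leave it in AuditOnly until the
# AppLocker event log shows no legitimate software being flagged, then flip
# EnforcementMode to "Enabled" in the XML and re-apply.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

The Dll collection is left out on purpose: enabling it is the most restrictive option but also the one most likely to break software and affect performance, so it should be added only after the Exe, Script and Msi collections have been audited clean. Path rules should never point at directories standard users can write to, which is why the base rules cover only the Windows and Program Files trees and the approved set is covered by publisher and hash rules.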

Impact:

Only authorized software will execute on the system.

See Also

https://workbench.cisecurity.org/benchmarks/15105