Happy WDAC Wednesday! As we’ve covered previously, Application Control for Business (ACFB) is a very powerful and effective solution for combating malware within your environment. ACFB achieves this by using a whitelist of software that is allowed to execute – everything else is blocked.

For most organisations implementing ACFB, it is a transition from a blacklisting approach – where some applications are blocked explicitly, and solutions like Microsoft Defender or CrowdStrike are used to detect and block anything malicious – to one where unlisted software is blocked by default. This is a significant change in approach: it shifts how IT needs to operate and manage software, and it can have a significant impact on how the wider business operates.

In this WDAC Wednesday I want to cover the impact on the ability of the business to install applications manually, and how three common scenarios are affected.

Installations performed by Service Desk

The first scenario is where a user finds something they want installed, but don’t have the permissions to do it themselves – so they call the Service Desk for help.

In many organisations this is a common situation where a user could have bought a new keyboard and needs the software for that keyboard so all the capabilities and special buttons on the keyboard work. In most organisations the Service Desk or a Desktop support team would simply install the application on the user’s behalf using their elevated privileges.

With ACFB implemented in enforcement mode, this business process will likely be disrupted, particularly if it’s not commonly used software, as ACFB policies apply to all users regardless of their level of permissions. In the worst case the request may need to go to your Security team, who would analyse the software before adding it to the ACFB policy. Only once that has happened – and it could be days later – would the Service Desk be able to install the software for the user.

Local administrators

The next scenario is a variation of the first – a user with local administrator access, such as a developer or IT administrator. Local administrators can typically do almost anything as they have full administrative access to their device.

This scenario is impacted in the same way: local admin rights do not bypass the policy, so it would likely require assistance from the IT Security team to update the ACFB policy.

Software installed into user profiles

The third scenario is often overlooked – many software applications can be installed into the user profile and do not require local admin permissions. Some examples include Teams, Visual Studio Code, Zoom and Slack – in fact https://portableapps.com has an entire library of such software.

This scenario is impacted in the same way as described earlier, and most of these installations would be blocked. It is however less obvious, as users installing these applications do not require any assistance from IT, so it is likely to be more widespread than you think.

What’s the answer?

Unfortunately there is no easy, one-size-fits-all answer. There are however two strategies, each with challenges of its own, that can be used to partly mitigate the problem:

  1. As part of implementing ACFB, perform an application rationalisation process, whereby an analysis is undertaken to consolidate the software used in the organisation. For example, there could be 6 or 7 PDF readers in use across the organisation. Standardising on a common PDF reader simplifies ongoing environment management in terms of user training, software patching and vulnerability management. However, application rationalisation can be very time consuming.
  2. Package all software in a solution such as Intune – by packaging software in Intune you can leverage the Managed Installer feature of ACFB, which trusts software installed by Intune (or other nominated trusted sources). Software in Intune can be made available to users to install if they want it, or, for core applications, installed for the user automatically. Software packaging however does require additional effort.
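As an added illustration of the second strategy (example code, not from the original post), the PowerShell below tags the Intune Management Extension as a managed installer on a test device and turns on the matching option in an existing WDAC policy XML. The policy path and rule name are assumptions; the AppLocker rule follows the publisher-rule shape Microsoft documents for the Intune agent.

```powershell
# Added example, not from the original post. Assumes an existing ACFB policy at $PolicyXml
# and that the Intune Management Extension is the nominated trusted installer.
$PolicyXml = 'C:\WDAC\BasePolicy.xml'        # assumption: your existing WDAC policy XML
$MiXml     = 'C:\WDAC\ManagedInstaller.xml'  # assumption: where the AppLocker rule is written

# 1. An AppLocker "ManagedInstaller" rule collection identifying the Intune agent by publisher.
#    This collection does not block anything; it only marks files written by that process
#    as originating from a managed installer.
$ManagedInstallerRule = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Intune Management Extension"
        Description="Trust software deployed by Intune" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="*" BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE">
          <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $MiXml -Value $ManagedInstallerRule -Encoding UTF8

# 2. Merge the rule into the local AppLocker configuration and start the Application Identity
#    service in managed-installer-only mode so the tag is applied to files Intune installs.
Set-AppLockerPolicy -XmlPolicy $MiXml -Merge -ErrorAction SilentlyContinue
appidtel.exe start -mionly

# 3. Rule option 13 ("Enabled:Managed Installer") tells the WDAC policy to honour that tag.
#    Convert to the binary policy and deploy it through your usual channel.
Set-RuleOption -FilePath $PolicyXml -Option 13
$BinaryPolicy = [IO.Path]::ChangeExtension($PolicyXml, '.cip')
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $BinaryPolicy

# 4. Check: the refreshed policy XML now lists the managed installer option.
$opts = ([xml](Get-Content $PolicyXml)).SiPolicy.Rules.Rule | ForEach-Object { $_.Option }
if ($opts -contains 'Enabled:Managed Installer') { 'Managed Installer option enabled' }
```

Intune can push the equivalent configuration from its endpoint security Application Control settings; the script shows the local steps so the behaviour can be verified on a single test device before rolling out.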

Implementing ACFB requires investment in organisational change management to ensure a successful outcome; it is not a technology solution that can be deployed in isolation.

By Andrew
