Whitelisting explained: How it works and where it fits in a security program (2024)

Whitelisting locks down computers so only approved applications can run. Is the security worth the administrative hassle?


Credit: Olivier Le Moal / Shutterstock

What is whitelisting?

Whitelisting is a cybersecurity strategy under which only pre-approved or trusted users, entities, or actions are allowed to operate on a system or network. Instead of trying to keep one step ahead of cyber attackers to identify and block malicious code, with a whitelist approach, IT security teams instead identify trustworthy agents, applications, and sources that are then pre-approved for access to a given system. Via whitelisting, trusted entities — such as software applications, email addresses, or IP addresses — are granted special access and privileges that other entities are denied by default.

Benefits of whitelisting

Because whitelisting is a denial-by-default approach to security, if implemented properly, it can keep many cybersecurity problems at bay. By preventing unauthorized access, whitelisting can greatly reduce the risk of malware infection and cyber intrusion, giving IT security teams strict control over what can run on or access systems within the enterprise.

Whitelisting can also be set up to give security admins fine-grained control over access, and the approach simplifies security by enabling security admins to focus solely on monitoring approved entities, while reducing the number of false positives that can come from traditional blacklist approaches.

Cons of whitelisting

Whitelisting is a fairly extreme lockdown measure that can be quite inconvenient and frustrating for end-users. It also requires careful implementation and proper ongoing administration, and isn’t a foolproof barrier to attacks. Among the cons of whitelisting are:

  • Management complexity: Depending on the implementation, maintaining whitelists can be resource-intensive, as the approach requires admins to provide accurate, up-to-date access lists, even as the various underlying factors for those entities and systems — identification markers, software updates, etc. — inevitably change.
  • False negatives: Operational disruptions can occur when an entity is inadvertently omitted from a whitelist, blocking access to a necessary system.
  • User frustration: Users can find whitelisting frustrating when it is used to restrict certain actions, such as what software can be downloaded, that get in the way of them completing work expediently and autonomously without having to go through IT approval channels.

Whitelist vs. blacklist

Blacklisting is a slightly more familiar security concept, as it involves listing elements that are deemed dangerous and need to be blocked from the systems IT is trying to protect. Many antivirus and anti-malware programs are, essentially, blacklists: They include a list of known malicious code, and automatically leap into action when those programs are detected on the protected computer. Blacklists have a fairly obvious disadvantage in that they need to be constantly updated to stay ahead of the latest attacks. Moreover, by definition, antivirus software, for example, can’t protect you against a zero-day attack.

A whitelist is the inversion of a blacklist. If you’ve implemented a whitelist, you’ve essentially blacklisted everything except what’s on your list.

Types of whitelisting

Whitelisting is used in a variety of contexts, each with their own subtleties of implementation, including the following:

  • Application whitelisting: This security technique attempts to prevent malicious code from running on systems and networks by allowing only approved software applications to run on them.
  • Email whitelisting: To reduce the risk of phishing attacks, email whitelisting limits the domains from which email will be accepted to those pre-approved and trusted by the organization.
  • IP address whitelisting: With this technique, only approved IP addresses are allowed access to a given system, with all other traffic blocked by default.
  • URL whitelisting: When attempting to reduce web-based attacks or to enforce company policies, some organizations will use URL whitelisting, limiting web access to pre-approved sites.
  • Device whitelisting: This technique restricts which devices may be admitted onto a company network, thereby reducing the risk of untrusted users or entities accessing company systems and data.

How to implement application whitelisting

The National Institute of Standards and Technology (NIST) has a guide to application whitelisting, and while it’s a few years old at this point, it’s still a great introduction to the topic. It goes into great depth on the topic, which we’ll touch on here.

Application whitelisting is a great defender against two kinds of security threats. The most obvious is malware: malicious software payloads such as keyloggers or ransomware won’t be able to execute if they’re not on the whitelist. But whitelisting can also be a tool to fight “shadow IT.” End users or individual departments may try to install programs on their computers that are insecure or aren’t properly licensed. If those apps aren’t whitelisted, the attempts are blocked and IT will be informed about them.

There are two different approaches to creating an application whitelist. One is to use a standard list, supplied by your whitelist software vendor, of applications typical for your type of environment, which can then be customized to fit. The other is to scan a system that you know is clear of malware and other unwanted software and use it as a model for other machines. The second method is a good fit for kiosks or other public-facing devices, which run a limited set of applications and don’t require much customization.

How does application whitelisting work?

At its core, whitelisting software distinguishes between unapproved and approved applications. The NIST guide breaks down the various attributes that can be used for this purpose:

  • The file name
  • The file path
  • The file size
  • A digital signature by the software’s publisher
  • A cryptographic hash

Which attributes should be used and how much weight should be given to each is key to the art of whitelisting. For instance, if your whitelisting software allows any application with a specified file name or in a specified folder to execute, then all a hacker has to do to bypass that protection is to place malware with that file name in the permitted location. Specifying a precise file size or requiring a check against a cryptographic hash makes it harder to trick the whitelisting software, but this information would have to be updated in the whitelist every time the application file changes — whenever it’s patched, for instance. And if patching is deferred because it potentially interferes with the whitelisting software, that can itself open up security holes.
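The trade-off described above, as an added example that is not taken from the NIST guide or from any vendor product: a small default-deny policy that evaluates the same file under a name-and-path rule and under a cryptographic-hash rule. The `Allowlist` class, the `editor.bin` file name and the file contents are hypothetical and constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class Allowlist:
    """Hypothetical default-deny policy with two rule types (not a vendor format)."""

    def __init__(self) -> None:
        self.path_rules = set()  # (directory, file name) pairs
        self.hash_rules = set()  # approved SHA-256 digests

    def approve(self, exe: Path) -> str:
        """Record both rule types for a vetted file and return its digest."""
        exe = exe.resolve()
        digest = sha256_of(exe)
        self.path_rules.add((str(exe.parent), exe.name))
        self.hash_rules.add(digest)
        return digest

    def check(self, exe: Path, mode: str) -> bool:
        """Anything that matches no rule is denied."""
        exe = exe.resolve()
        if mode == "path":
            return (str(exe.parent), exe.name) in self.path_rules
        if mode == "hash":
            return sha256_of(exe) in self.hash_rules
        raise ValueError(f"unknown mode: {mode}")


def run_scenarios() -> dict:
    """Return {scenario: (path_rule_verdict, hash_rule_verdict)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp) / "editor.bin"  # constructed sample file
        exe.write_bytes(b"constructed vendor build 1.0")
        policy = Allowlist()
        old_digest = policy.approve(exe)

        def verdicts():
            return policy.check(exe, "path"), policy.check(exe, "hash")

        results["approved_build"] = verdicts()
        # Different content under the approved name and location.
        exe.write_bytes(b"constructed unapproved content")
        results["same_name_other_content"] = verdicts()
        # A legitimate vendor patch also changes the hash.
        exe.write_bytes(b"constructed vendor build 1.1")
        results["patched_not_yet_listed"] = verdicts()
        # Maintenance step: list the new build, retire the old digest.
        policy.approve(exe)
        policy.hash_rules.discard(old_digest)
        results["patched_and_listed"] = verdicts()
    return results


if __name__ == "__main__":
    for scenario, (by_path, by_hash) in run_scenarios().items():
        print(f"{scenario:26} path={by_path!s:5} hash={by_hash}")
```

The path rule accepts every scenario, including the swapped content, while the hash rule rejects both the swapped file and the legitimate patch until the list is updated.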

Granular whitelisting

As NIST points out, full-on applications aren’t the only potential threat to a computer. Whitelisting software needs to keep on top of various libraries, scripts, macros, browser plug-ins, configuration files, and, on Windows machines, application-related registry entries. Different vendors can deal with these with varying levels of granularity. Some whitelisting software can also whitelist specific behavior from even approved applications, which can come in handy if hackers manage to hijack them. And whitelisting software should also integrate with the permissions structure of your operating system, whitelisting applications for some users (like administrators) but not others.

Whitelisting best practices

How can you make sure to get the most out of whitelisting? Follow these tips:

  • NIST advises that you roll out whitelisting in phases in your organization to make sure that you don’t disrupt enterprise-wide operations if something goes wrong.
  • Spend time making sure you get your whitelist correct. A whitelisting program is only as good as the list itself. Think of it as an opportunity to audit what applications your organization has installed across your IT infrastructure — and which ones it really needs. To figure out what goes on the list, you’ll want to come up with a whitelisting policy.
  • Don’t neglect the maintenance of your whitelist. IT isn’t static; some of your software will fall out of use, some will need to be updated in ways that could cause the whitelist to fail to recognize it, and new software will become necessary for your organization to fulfill its mission. This maintenance requires resources; you’ll either need to have staff for whom this is part of their duties, or you’ll need to pay your vendor for this service, or some combination of the two.

Where whitelisting fits into a security program

Whitelisting isn’t a one-size-fits-all tool, and it may not be an ideal endpoint solution for every computer under your purview. Calyptix Security suggests three scenarios where application whitelisting makes sense:

  • On centrally managed hosts connected to other computers
  • On computers in a high-risk environment
  • On laptops or kiosks where users do not have administrative privileges

The truth is that whitelisting isn’t a security panacea, and it must fit into the larger security landscape within your organization. You’ll still need anti-malware, endpoint protection, and perimeter defense systems to protect computers for which whitelisting isn’t appropriate, or to catch what whitelisting misses.

Best application whitelisting software

Most commercial operating systems have some whitelisting functionality built in. App stores, of the sort used to install applications on iOS and Android devices, can be seen as a form of application whitelisting; they ostensibly allow only applications that are certified to be safe. Most mobile management software allows more granular controls.

But there are third-party vendors that offer more powerful or more granular application whitelisting software, which is often rolled into larger offerings or security suites. Popular examples include:

  • AppLocker, a Microsoft offering for its enterprise OS editions
  • BeyondTrust, which has offerings for Mac and Windows as well as Unix-like OSes
  • PolicyPak, which works on on-prem and remote computers
  • Centrify, which emphasizes zero-trust principles across its product suite
  • Kaspersky Whitelist, a collaborative hosted service

Whitelisting e-mail and IP addresses: Variations on the concept

A last note here on subtle differences in two other prominent contexts for whitelisting: e-mail whitelisting and IP address whitelisting. In these areas, whitelisting doesn’t have quite the same meaning as it does with application whitelisting. If you allowed only a narrowly defined list of email addresses to contact you, or computers from a specific list of IP addresses to reach your website, you would lose most of the utility of using email or having a website.

In these contexts, “whitelisting” generally means taking manual steps to ensure that certain IP addresses aren’t blocked from accessing your site by some automated security process, for example, or ensuring that email from a particular sender doesn’t go into your spam folder. The latter is of course an obsession of email marketers, who are keen to share instructions on how to “safelist” email addresses to make sure that their own email doesn’t get deemed spam. The former is a product of overzealous firewalls, which can sometimes result in people being unable to access their own websites.


FAQs

Whitelisting explained: How it works and where it fits in a security program? ›

The goal of whitelisting is to protect computers and networks from potentially harmful applications. In general, a whitelist is an index of approved entities. In information security (infosec), whitelisting works best in centrally managed environments, where systems are subject to a consistent workload.

What is whitelisting and how does it work? ›

A whitelist (allowlist) is an administrator-defined register of entities approved for authorized access to digital resources such as networks, apps, or to perform specific actions. Whitelisting can be used to improve security by ensuring that only approved users or devices have access to sensitive data or systems.

What is the whitelist model of security? ›

Whitelisting is the direct opposite of blacklisting. The two are cybersecurity strategies that manifest as policies where administrators have explicitly sanctioned or have prohibited domains and locations they have deemed safe or unsafe. Whitelisted locations would be subject to normal visitation and usage.

What is an example of application whitelisting? ›

An application whitelisting example would be an organization allowing Google Chrome to run on their device but not any VPNs. Software that is recognized as malware or looks suspicious is typically blacklisted.

What best describes application whitelisting? ›

An application whitelist is a list of applications and application components that are authorized for use in an organization. Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host.

What are the different types of whitelisting? ›

The Verdict on Types of Application Whitelisting
Security Level | Description | Whitelisting Type
Good | File attribute-based whitelisting | File Path, File Name, File Size
Better | Unique identity-based whitelisting | Cryptographic Hash, Digital Signature
Zero Trust | Context-based, kernel-level whitelisting | Process
Jul 31, 2024

How do you implement whitelisting? ›

The process for implementing application whitelisting includes:
  1. Initiating the solution.
  2. Designing the solution.
  3. Implementing and testing a prototype.
  4. Deploying the solution.
  5. Managing the solution.

What are the problems with whitelisting? ›

One of the greatest concerns regarding whitelisting is its effect on end-users. Denying applications by default is a cumbersome mechanism, which often impedes business processes and frustrates employees. The whitelisting process itself is also difficult to implement and manage.

What does whitelisting mean in API? ›

IP whitelisting is a way of configuring a filter that recognizes a particular set of known IP addresses and grants access only to API requests received from those IPs.

What is an example of whitelisting? ›

Whitelist – the document of trust

For example, a list of partners or recommended companies is a whitelist. Or a list of software tools that have been marked as “suitable for use” after appropriate review by a central enterprise instance.

What is the greatest advantage of whitelisting? ›

Application whitelisting allows only authorized software to execute on your servers and endpoints. All other software is considered unauthorized and is prevented from being executed. This prevents most malware from executing on your systems.

What is the advantage of whitelisting? ›

Application whitelisting provides complete control over systems and allows only the known good, which makes it hard for any malware to execute, infect, or spread within the network.

How do I whitelist something? ›

How to Whitelist an Email in the Gmail mobile app
  1. Open Gmail on your cell phone.
  2. Navigate to the spam or junk folder and click on Edit, which is usually at the top.
  3. Click on any messages that aren't spam.
  4. Select either the “mark” or “move” function and move to inbox.

What happens when you get whitelist? ›

Via whitelisting, trusted entities — such as software applications, email addresses, or IP addresses — are granted special access and privileges that other entities are denied by default.

What happens when you whitelist a website? ›

The term “Website Whitelist” refers to the method of preventing requests to untrustworthy websites. With this function, IT admins can create a list of pre-approved websites and push them to the end-user devices. Upon the execution of this policy, end-users will be able to access the pre-approved websites only.

Article information

Author: Nicola Considine CPA
