The holy grail of computer security is to prevent all unauthorized software, scripts, and instructions from running. Also known as a software restriction policy, the strategy is similar to the deny-by-default rule of firewalls, but on a desktop/application level. If appropriately configured and implemented, it would prevent all malware from executing locally and defeat most malicious exploits. Unfortunately, most of today's computing environments are exactly the opposite, or worse. By default, all software is allowed to run. And this is why we have the continuing magnitude of malware and hackers today.
Software restriction policies are known by many different terms, including white-listing, application control, and opt-in execution. Most end users are only vaguely familiar with the concept, using host-based firewalls, such as ZoneAlarm, that block unauthorized connections to the Internet. Conceptually, the goal is the same on all of these implementations — to prevent unauthorized software. This chapter discusses the overall issues behind preventing unauthorized software execution and then details the many ways a Windows administrator can accomplish it.