What is the most efficient way to manage black/white lists across user permission levels and account types?




Before answering the question, we must digress. There are two different issues hiding behind the phrase "black/white list management". One is managing user permissions: who may access which IT-provided services (web applications, specific application features, data, websites and network locations), for both current and departing employees. The other is application whitelisting, i.e. controlling which programs are allowed to run on the machines in your network.

With regard to user permissions, of particular concern to most IT departments is the exploding use of web applications. These applications can lower costs, make users more productive and increase the flexibility of IT departments. But every new web application brings another, often weak, user password to manage, and another possible entry point for an attacker into the network.

Here are a few steps that will help you manage user access to all of the services that IT provides:

  1. Create a security and compliance group within your company. The group's purpose will be to monitor who has access to which IT services and how they access them.
  2. Put clear policies in place that describe which applications, sites and services employees may use and how they may use them. This step can be the most difficult, because it is so easy for users to "go shopping" for web applications. Still, you will be well served by a clear, enforced approval process for every service, application and piece of hardware that employees want or need to use.
  3. Don't give users administrative rights on their computers. That won't stop them from signing up for web applications, but it does mean they must ask IT before installing new software.
  4. We all know that shared accounts can save money, but they also create security risks: a shared password is hard to keep secret, and once several people use one login you can no longer tell who did what. If you must use them, use strong passwords and rotate them often, especially when someone who knew the password leaves. Single sign-on (SSO) software will help manage passwords.
  5. Audit all of your user accounts (LDAP, Active Directory® and every application) regularly, and track which applications are in use across all departments so that no account escapes the audit.
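The audit in step 5 is essentially a reconciliation: every account in every application export either maps to an active employee, to a known shared or service account, or is a finding. The following script is an added example, not code from the original article or from any vendor it mentions; the HR roster and the per-application account exports are constructed sample data, and the field names (`active`, `terminated`, the application names) are assumptions standing in for whatever your directory and SaaS consoles actually export.

```python
"""Added example, not from the original article: a small access-review script
that cross-checks each application's account export against the HR roster,
the kind of reconciliation step 5 above calls for. All rosters and exports
below are constructed sample data, not real directory output."""
from dataclasses import dataclass

# Constructed HR roster: username -> employment status.
HR_ROSTER = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",  # left last month; all of her access should be gone
}

# Constructed per-application account exports, standing in for what an admin
# would pull from Active Directory, LDAP, or each SaaS application's console.
APP_ACCOUNTS = {
    "active_directory": ["alice", "bob", "carol", "svc-backup"],
    "crm_saas": ["alice", "carol", "sales-shared"],
    "wiki": ["bob", "alice", "dave"],  # "dave" is not in HR at all
}

# Accounts deliberately not tied to one person (service or shared accounts).
# Keep this list short and review it alongside the findings.
KNOWN_SHARED = {"svc-backup", "sales-shared"}


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    issue: str  # "departed-user", "unknown-user" or "shared-account"


def audit_accounts(roster, app_accounts, known_shared):
    """Return one Finding per account that needs a human decision."""
    findings = []
    for app, accounts in sorted(app_accounts.items()):
        for acct in sorted(accounts):
            if acct in known_shared:
                # Shared accounts are tolerated but must be rotated and justified.
                findings.append(Finding(app, acct, "shared-account"))
            elif acct not in roster:
                # Nobody in HR owns this login: possible shadow or leftover account.
                findings.append(Finding(app, acct, "unknown-user"))
            elif roster[acct] != "active":
                # Departed employee still has access: revoke.
                findings.append(Finding(app, acct, "departed-user"))
    return findings


def apps_per_user(app_accounts):
    """Inventory of which applications each account appears in."""
    inventory = {}
    for app, accounts in app_accounts.items():
        for acct in accounts:
            inventory.setdefault(acct, set()).add(app)
    return inventory


def revocation_list(findings):
    """(app, account) pairs an admin should disable immediately."""
    return sorted(
        (f.app, f.account) for f in findings if f.issue == "departed-user"
    )


if __name__ == "__main__":
    results = audit_accounts(HR_ROSTER, APP_ACCOUNTS, KNOWN_SHARED)
    for f in results:
        print(f"{f.issue:15} {f.app:18} {f.account}")
    print("revoke:", revocation_list(results))
```

Run on real exports, the "unknown-user" findings are usually the most interesting: they are the accounts that were never provisioned through the approval process in step 2, and they are the ones the departure checklist in the last section will never catch, because no HR record points at them.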

What about application whitelisting?

Application whitelisting has a lot in common with user-permission management: in both cases one of the main drivers is the need to keep unwanted people and unwanted code out of the network. Blacklisting checks every new file on a system against a list of known-malicious files and blocks execution of anything on the list. Whitelisting, which has been around for some time, takes the opposite approach. Instead of examining every file and blocking those that look malicious, it allows only known "good" files to execute. Essentially, this flips the antivirus model from "default allow" to "default deny" for all executable files. You do this by creating a list of known, approved file hashes and allowing only files whose hash appears on that list to run.

The problem with this approach, of course, is that users generally believe they have the right to control their own devices and to use whatever they feel will help them be more productive, work smarter and communicate better with customers and colleagues. "Default deny" flies in the face of that. But given the level of attacks most IT departments see today, it is a strategy worth considering. On the downside, whitelisting can inadvertently block non-malicious code: a hash identifies one exact file, so every legitimate software update produces a new hash that stays blocked until someone reviews it and adds it to the list.
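To make the "default allow" versus "default deny" distinction from the two paragraphs above concrete, here is an added example (not code from the original article or from any product it mentions) that implements both policies on SHA-256 file hashes and then walks through the update problem. The "executables" are constructed byte strings so that the script runs offline; `hash_file` shows how a deployed checker would hash a real file, but nothing on disk is read when the script runs.

```python
"""Added example, not from the original article: a minimal hash-based
application allowlist (default deny) beside a blocklist (default allow), plus
the update problem described above. The "executables" are constructed byte
strings so the script runs offline; no real binaries or real hashes are used."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a real file in chunks; this is what a deployed checker would call."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed stand-ins for files on disk.
EDITOR_V1 = b"\x7fELF editor 1.0"       # reviewed and approved
EDITOR_V2 = b"\x7fELF editor 1.1"       # same product after a routine patch
MALWARE = b"MZ dropper"                 # known bad
UNKNOWN_TOOL = b"MZ unreviewed helper"  # never seen before, not malicious


class Blocklist:
    """Antivirus-style default allow: run anything not known to be bad."""

    def __init__(self, bad_hashes):
        self.bad = set(bad_hashes)

    def allows(self, data: bytes) -> bool:
        return sha256_hex(data) not in self.bad


class Allowlist:
    """Default deny: run only files whose hash was explicitly approved."""

    def __init__(self, good_hashes):
        self.good = set(good_hashes)

    def allows(self, data: bytes) -> bool:
        return sha256_hex(data) in self.good

    def approve(self, data: bytes) -> None:
        """Add a reviewed file (for example a vendor update) to the list."""
        self.good.add(sha256_hex(data))


SAMPLES = {
    "editor_v1": EDITOR_V1,
    "editor_v2": EDITOR_V2,
    "malware": MALWARE,
    "unknown_tool": UNKNOWN_TOOL,
}


def decisions(policy, samples=SAMPLES):
    """Map each sample name to whether the policy lets it execute."""
    return {name: policy.allows(data) for name, data in samples.items()}


def build_policies():
    """One policy of each kind, seeded with what is known at deployment time."""
    blocklist = Blocklist([sha256_hex(MALWARE)])
    allowlist = Allowlist([sha256_hex(EDITOR_V1)])
    return blocklist, allowlist


if __name__ == "__main__":
    blocklist, allowlist = build_policies()
    print("blocklist:", decisions(blocklist))
    print("allowlist:", decisions(allowlist))
    allowlist.approve(EDITOR_V2)  # the patched editor runs only once re-approved
    print("allowlist after update:", decisions(allowlist))
```

The two policies disagree on exactly the two cases that matter: the blocklist lets the unreviewed tool run because nobody has yet labelled it bad, while the allowlist blocks the patched editor because nobody has yet labelled it good. The second case is the operational cost of "default deny", and an approval workflow that keeps up with vendor patch cycles is what makes the approach sustainable.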

Are there any programs that can help me with either of these things?

Needless to say, doing all of the above by hand can be cumbersome and time-consuming. User-permission management services offered by third-party vendors can automate much of it, so you are free to focus on IT activities that add to the bottom line. These services can also help you unwind access and permissions when an employee leaves the organization, which is exactly the moment at which forgotten accounts become a risk.

There are also application whitelisting programs available, many from the same vendors that produce anti-malware products, and Windows® ships its own (AppLocker and Windows Defender Application Control). Instructions for whitelisting applications in Windows and in other specific network security products are readily available online.


Windows and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

