New Jersey District Protects Computers with Application Whitelisting
By Dian Schaffhauser
Phil Robinson, network administrator for Greater Egg Harbor Regional High School District in New Jersey, said he looks forward to the day when he can eliminate anti-virus software from the 1,300 computers in his district. That will save both money and staff support time, he said. The secret weapon that could get him there: an application whitelisting program from Bit9.
The idea of whitelisting is to control what can be installed on a PC by locking down the installation. Only those applications that have been approved will run on the computer, and anything else is blocked--including malicious code such as viruses and malware.
Choosing To Whitelist
The district, which consists of two high schools and an alternative school, with a third high school expected to open in the fall of 2010, uses ESET NOD32 anti-virus software on its Windows-based client machines. NOD32 is a lesser-known product that's "a little lighter on percentage of memory used," Robinson said.
Although NOD32 has prevented major malware attacks, minor viruses and spyware have taken over the occasional PC, Robinson said. When a computer needed to be cleaned up, the technology team would simply re-image it, a process that would wipe data such as Internet Explorer favorites and printer drivers off of the machine. "We like to re-image a computer only if there's been a hardware failure," he explained.
The district first explored application whitelisting in the summer of 2007 after a member of the technical staff read about the approach in a trade magazine. "We needed something that was a) a little more proactive, instead of reactive like virus scan is, and b) something that would allow us to preserve user settings as they are," Robinson said.
Googling the topic generated a shortlist of three companies with whitelisting solutions to consider. After some comparison testing, Bit9 Parity came out as the winner.
Robinson said the company went easy with the district on pricing. "The [sales rep] pretty much turned around and said, 'What's your budget?' We told him where we were, and fortunately we caught him at a good time." According to a Bit9 spokeswoman, the standard pricing is $22.50 per node for the Bit9 Parity Suite for a quantity of 1,000 nodes.
The district is currently running Parity 4.3.1, but it anticipates upgrading to the latest release. Robinson said the initial installation and rollout posed a few problems when the software conflicted with district software already in place. "To Bit9's credit anytime we called, they responded--mostly, but better than any other company we have previously dealt with--and actually had one of their engineers come on site to help us resolve our problems," he added.
How Whitelisting Works at Greater Egg Harbor
The reason Robinson likes Parity is simple: "We could give users local administrative rights to run an application--which some applications require--but also prevent those same users from installing software or devices that were not district-approved." If a user has local administrative rights, he explained, that person can install software after notifying the tech department to ensure the software or hardware "plays nicely" with its computer configuration. "Part of Bit9's functionality is to prevent installations not approved by authorized users, which aids us to make sure users don't install software that wasn't authorized by our department," he said.
Previously, the district used Group Policies in Windows to allow certain programs to run. The problem was that some programs called on other programs in order to run correctly. "With the Group Policy software restriction process we would enter an executable [into a policy] that needed to be run only to find out that executable needed another executable or DLL file in order to run correctly," he explained. "With Bit9, we can do away with the software restriction of Group Policy. We no longer have to keep editing a policy by adding in executable after executable."
Now, instead of forcing IT to control user access to directories and deal with the fallout of that, whitelisting controls the machine. Everything on the computer is allowed; if somebody tries to install a program not already approved, Bit9 prevents the installation.
When a teacher wants a new application, he or she requests it through the department head. The IT department obtains the software and copies the contents of the program's CD or DVD onto the particular computers where it will run. Any and all executable files required are part of the installation.
Since Bit9 integrates with the district's Windows Active Directory environment, it can read the groups that certain people--such as members of the IT staff--are part of and grant those users the right to install software.
A Means To Loosen Software Restrictions
Bit9 Parity allows the district to loosen up software restrictions that were in place before, according to Robinson.
"We're dealing with 4,000 high school students," he said. "Mostly they're good students. Every now and then we get people who consider themselves to be hackers. They want to test the boundaries of what they should be doing in computer labs. Unfortunately, teachers can't watch every student and also teach, so kids get a shot at doing things. But so far, Bit9 has been there for that. It treats [that attempt] just like a virus. A virus can't access the hard drive because Bit9 is there. A student can't install anything because Bit9 is there."