OSX 10.8 will block unsigned code. Windows can do this. Should it?
February 20, 2012
: @orinthomas
AppLocker and Software Restriction Policies (SRPs) have been around a long time on computers running Windows. With these group policies, you can lock down a system so that it only runs authorized files. The drawback is that setting up SRPs or AppLocker requires some faffing about. It certainly isn't a one-click solution. Unless an organization has a dire need for it, most don't go to the effort of implementing it.
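To show what that setup involves, here is an added example (not from the original post) that builds a publisher-based AppLocker allow-list from a reference machine and applies it in audit-only mode before any enforcement. It assumes an elevated PowerShell session on a Windows edition that supports AppLocker; the directory list and the Downloads test folder are illustrative choices.

```powershell
# Added example: publisher-rule AppLocker policy, audited before it is enforced.
# Assumptions: elevated session, AppLocker-capable Windows edition,
# illustrative directories (adjust for your reference build).
Import-Module AppLocker

$referenceDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'

# 1. Inventory the executables that are already trusted on the reference machine.
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe `
        -ErrorAction SilentlyContinue
}

# 2. Generate rules: publisher rules for signed files, hash rules as the
#    fallback for anything unsigned. -Optimize merges similar rules.
$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize

# 3. Log what would be blocked instead of blocking it.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Dry run: how would the policy treat files outside the baseline?
$candidates = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe `
    -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($candidates) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply to the local policy store. AppLocker only evaluates rules while
#    the Application Identity service is running.
Set-AppLockerPolicy -PolicyObject $policy -Merge
Start-Service -Name AppIDSvc

# 6. After a soak period, review event 8003: "allowed to run, but would have
#    been blocked if the policy were enforced".
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the 8003 events show only software you intend to block, switch the rule collections' enforcement mode from `AuditOnly` to `Enabled` and reapply the policy.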
The next version of OSX, 10.8, will include similar functionality to AppLocker through a new service called Gatekeeper. Out of the box, Gatekeeper will disallow the execution of applications not digitally signed by recognized publishers. Apple will make this simple to turn off - allowing those people running stuff like FINK on their Macs to continue to run unsigned code - but requiring signed code in the first place will definitely raise the bar in terms of the difficulty of exploiting computers running OSX 10.8.
(Although, given the increasing number of CAs being rooted and the existence already of digitally signed malware, while it raises the bar, it doesn't close the drawbridge on malware.)
As mentioned earlier, Windows has been able to implement similar functionality for some time. The problem is that it's not something you can turn on in the control panel with a single dialog box. It's something that requires some faffing about. The faffing has the advantage of allowing administrators to be nano-granular in the application of policies. However, given the strong consumer focus of the Windows client operating system, perhaps allowing users to enable this functionality through the control panel (or even making it the default on Windows on ARM) might be a workable strategy. Especially considering that the technorati don't seem to have choked to death on the idea of Apple doing it "first" in OSX 10.8 (if Microsoft had done it first, you'd hear the spluttering from Alpha Centauri).
--
My book Windows Server 2008 R2 Secrets is for experienced Windows administrators who are new to Windows Server 2008 R2 and don't need a lot of basic introductory level material. If you are looking for a book on Windows Server 2008 R2 that will tell you stuff you don't know rather than reiterating stuff that you do, it might be right for you.