Application allowlisting

Application allowlisting (otherwise known as whitelisting) is a method of strictly controlling what programs can be run in your environment.


A preventative file execution policy, allows certain programs to run and prevents others. This is usually carried out by policies and rules on the device’s operating system or by software installed on the device.

Drive-by downloads, or unintentional downloading of files from a website, and malicious email attachments are the most common causes of malware incidents. A well-developed and thoroughly tested application allowlisting policy will prevent these incidents.


Organisations only allow approved programs to run in their network. They understand which applications are necessary and used within their environment. You proactively monitor the logs to detect when programs are blocked and why.

Measuring success

A successful application allowlisting control has straightforward and measurable criteria. Differences in this control between organisations will be in the policies enforced and the operational processes followed.

Use the following criteria to measure your success in this control:

  • Your organisation enforces a preventative file execution policy on all clients and servers in the networ

  • Your policy allows a allowlist of files to execute in the policy because they are necessary for staff to perform their jobs. The default rule is to deny file execution. Blacklists (denied file execution) are used to support the allowlist.

  • Your organisation enforces access controls which allow the correct policies to be applied to the correct end users.

  • Your organisation enforces the principle of least privilege which limits an end user’s ability to bypass the policies.

  • You monitor known policy bypass techniques, and include this in your vulnerability management process.

  • Your standard build-hardening process includes deploying the policy to any new devices. You will need to consider your workstations, servers, laptops, mobile devices, and any other device that accesses organisation data. This could include organisation-owned and bring-you-own-devices (BYOD).

  • Policy logs are recorded and stored in a central location to capture attempted and blocked file executions. These logs are configured to trigger alerts that feed into operational processes, such as incident or change management. An emergency change management process is followed when critical programs are blocked.

Application allowlisting: key takeaways

  • A successful implementation is time-consuming as it requires the organisation to be ready for the change and have the resources (time, people, and cost) available. Your users may be using applications they shouldn’t and may try to bypass the new policies. Good communication or offering alternatives will help get them on board.  Start small with a small group of high risk devices, either end user computers or public-facing servers. Test out a deployment strategy before trying to tackle the entire network. There's little point in doing it if you don’t do it right. 

  • Other technical staff in your organisation may be used to choosing which applications they use. Introducing an application allowlisting policy can disrupt the way they work. Explaining what application allowlisting is trying to achieve could get them onside. This could prevent them from trying to bypass the controls themselves.

  • Use application allowlisting features that come with the operating system if you can. These policies and configurations can usually be controlled centrally. It can help reduce the cost of the control, instead of purchasing another piece of software.

  • If you are considering buying application allowlisting software, research the different options. Some software will have functions that suit your needs better than others.

  • Application allowlisting is only as effective as the policies you created. Broad rule conditions could allow a large number of applications to run. This would have minimal effect as a control.

  • Application allowlisting is a barrier and it must be paired with other CERT NZ critical controls to be most effective. An attacker can bypass even very strict rule conditions by hiding their malicious code in other trusted, allowlisted applications. Application allowlisting is also not effective if the applications are vulnerable and unpatched.

  • Enforcing a policy with file or folder-based rules will be difficult if there are users that have access to write and execute on a folder (for example, multiple local administrators). With this access the users could either modify a file or write a new file to the folder to execute an untrusted file.

Advice for implementation

Application allowlisting implementation advice