Safeguard 2.6: Allowlist Authorized Libraries
Implementation Groups: IG2, IG3

Asset Type: Applications
Security Function: Protect

Description

Use technical controls to ensure that only authorized software libraries (for example, specific .dll, .ocx, or .so files) are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Draft policy/procedure document
7. Obtain stakeholder review and approval
8. Communicate to affected personnel
9. Schedule periodic review and updates
10. Establish software authorization review process
11. Deploy application allowlisting technology
12. Maintain and update authorized software list

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

DLL Hijacking and Side-Loading Attacks

Integrity

Attackers place malicious DLLs in application directories or system paths to be loaded by legitimate processes, achieving code execution within trusted process contexts.

Supply Chain Library Poisoning

Confidentiality

Compromised shared libraries from third-party vendors or open-source repositories are loaded into system processes, providing attackers with code execution through trusted channels.

Vulnerabilities (When Safeguard Absent)

No Restriction on Library Loading

Without library allowlisting, any DLL, SO, or OCX file can be loaded into a system process, allowing attackers to inject malicious code through library manipulation.

Unvalidated Shared Library Integrity

The absence of controls verifying library authenticity before loading means modified or replaced libraries execute with the same privileges as the host process.
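The check that the description and the two threat scenarios above call for, as an added Python audit example that is not part of the CIS safeguard text: each library mapped into a process is compared against an authorized list of approved directory plus SHA-256 hash, so a same-named library loaded from an application directory (hijacking/side-loading), an altered library at its approved path (poisoned build), and a library absent from the list are each reported. The module list, library contents, paths and hashes are constructed stand-ins; a real deployment would read the mapped files from disk and rely on the OS loader to enforce the list rather than only audit it.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, Iterable, Optional, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for library file contents (not real ELF binaries).
GENUINE_LIBSSL = b"ELF\x02 genuine libssl build 3.0"
GENUINE_LIBZ = b"ELF\x02 genuine libz build 1.2"

# Authorized software list (constructed): library name -> (approved directory, SHA-256).
ALLOWLIST: Dict[str, Tuple[str, str]] = {
    "libssl.so.3": ("/usr/lib", sha256_hex(GENUINE_LIBSSL)),
    "libz.so.1": ("/usr/lib", sha256_hex(GENUINE_LIBZ)),
}

@dataclass(frozen=True)
class LoadedLibrary:
    path: str       # path the loader mapped into the process
    content: bytes  # file bytes; a real tool would read them from disk

def check_library(lib: LoadedLibrary) -> Optional[str]:
    """Return a finding for one loaded library, or None when it is authorized."""
    p = PurePosixPath(lib.path)
    entry = ALLOWLIST.get(p.name)
    if entry is None:
        return "not_allowlisted"      # unknown library: nothing restricts it otherwise
    auth_dir, auth_hash = entry
    if str(p.parent) != auth_dir:
        return "unexpected_location"  # same name, other directory: hijack/side-load
    if sha256_hex(lib.content) != auth_hash:
        return "hash_mismatch"        # approved path, altered bytes: poisoned build
    return None

def audit(libs: Iterable[LoadedLibrary]) -> Dict[str, str]:
    # Map each unauthorized library path to its finding; authorized ones are omitted.
    return {lib.path: f for lib in libs if (f := check_library(lib)) is not None}

# Constructed module list for one process, covering the page's two threat scenarios.
SAMPLE_PROCESS_LIBS = [
    LoadedLibrary("/usr/lib/libssl.so.3", GENUINE_LIBSSL),                 # authorized
    LoadedLibrary("/opt/app/libssl.so.3", b"ELF\x02 planted libssl"),      # side-loaded
    LoadedLibrary("/usr/lib/libz.so.1", b"ELF\x02 libz plus extra code"),  # poisoned
    LoadedLibrary("/tmp/libhelper.so", b"ELF\x02 unknown helper"),         # not listed
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_PROCESS_LIBS).items():
        print(f"{finding:20} {path}")
```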

Evidence Requirements

Type       | Evidence Item                                                            | Collection Frequency
Technical  | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document   | Procedure documentation for protection measures                          | Reviewed annually
Document   | Governing policy document (current, approved, communicated)              | Reviewed annually