Don’t Forget that Some People Can’t See Colors

Did you know that estimates say that up to 8 percent of males (and 0.5 percent of females) have issues seeing some colors? Nobody is sure why, but many of us are affected by this problem. I was almost thirty before I realized that when people said something like “he’s turning red with embarrassment,” they were being literal. I had always thought it was just an odd saying. It’s surprising how many minor, day-to-day things are based on colors.
  • What color hair does she have?
  • What color was that car?
  • Is the grass green or turning brown?
  • Is that steak rare or medium?
And then there are some larger issues to deal with.
When I first learned to drive I had to teach myself that the middle light meant slow down, top meant stop, and bottom meant go. While the colors of the lights don’t all look quite the same to me (which allows me to compare them to each other), none of them look like the colors people tell me they are. To me, the bottom light is an off white, and the other two are different shades of red. When it comes to those single, flashing lights, I have nothing to compare them to, so I have no idea what they are. I always assume they are red, just to be safe.

When I was nineteen I joined the Navy and was interested in the nuclear program. During my physical they did a vision test which included some color testing.
Can you see anything here? I can’t.
After miserably failing that, they informed me that they didn’t want me anywhere near something nuclear if I might connect (or cut) the wrong wires.

A few years after that I started a PC repair shop and consulting company to help home users and small business owners. One of my reasons for doing this was because I could build custom PCs and sell them for quite a bit less than the big brands of the time. While building a PC is pretty straightforward, back then there were many wires that weren’t labelled, so I frequently ran into color-coded diagrams.

I never caused a fire, but I did wire things incorrectly more than once.
When DSL started to appear in my town I was able to get a contract with one of the larger ISPs to install and configure DSL modems. They aren’t hard to set up, but they caused me some embarrassment. Once connected, they check for DSL signal on the phone line and a light blinks to let you know the status.
Error codes were not a pattern of blinks (which would have been great) but were color coded. Consider how awkward it is to call your client over, point to the little blinking light, and ask what color it is. I eventually learned to say that I needed another pair of eyes and would intently stare at the monitor while having them tell me the LED color.

In today’s tech world the issues are different, but still there. My cell phone has an LED that flashes for alerts. It can flash different colors for different things, but they all look pretty much the same to me. I’ve run into many games over the years where the character colors all look the same. Some web sites use link colors that (to me) look identical to the regular text so I have no idea there’s a link to click on. If you are in IT and design anything for others to use, please keep us color disadvantaged folks in mind. Make your error codes show a number or blink in a pattern, not just depend on a changing color. If you have to use color-coded wires, please label them too. Making a web site or game? Offer a black and white or ‘color blind friendly’ version, too. We may be a minority, but there are millions of us. Making millions of people happy with your product certainly can’t hurt.

How to Whitelist Programs using Software Restriction Policies

If you have end users (and who doesn’t?) you should be worried about what they might try to run or install on their computer. Some people just don’t pay attention, clicking on any box that may appear.

Others simply think they can do whatever they want on their work machine.

But, for the most part, people simply don’t understand that an innocent appearing pop up may actually be something that they don’t want.

Antivirus software can help, but we all know it’s far from foolproof. Another great idea is to make sure your users are not local administrators. Unfortunately, that doesn’t stop them from installing everything, only programs that go into protected areas like the Program Files folder. Anything that installs under a profile, like most browsers (and most crypto infections), can install with only user-level access. So what’s an admin to do? Whitelist!

Whitelisting is a process where you select a list of programs and allow only those programs to run. If a user tries to run (or install) anything not on the list, it will fail with an error similar to this:

There are many third-party programs out there that can implement whitelisting, but Windows Server already has this ability built in. If you are using Pro versions of Windows on your desktops you can use Software Restriction Policies (SRP). If you are using Enterprise versions you can use the more full-featured AppLocker, but most small businesses will find SRP is more than enough.

Software Restriction Policies are configured via Group Policy, and work just like any other GPO. You can configure it as a User or a Computer GPO and then apply it however you like. You can even set up SRP via Local Policy on machines that are not on a domain.

SRP offers several ways to add programs to the whitelist.

  • By path. This is the broadest method, allowing you to add entire folders. It is the method used for the default items, like the Windows folder. Only use it for paths that you trust and that your users cannot write to: if a user has write access, the path isn’t safe, because the user could put anything in there and it would be allowed to run.
  • Programs by filename. This allows you to specify a particular location (like c:\MyProgram) and only allow a certain filename to run from it. This is a little more restrictive than allowing an entire folder, but if the user can write to this location there is the chance that they might delete the real program and replace it with something of their own. For less tech-savvy users, though, this isn’t very likely to happen.
  • Network Zones. This allows programs if they come from a trusted site, like your local intranet. While this option exists, it seems unlikely that any SMBs would ever use it.
  • Hash rules. With this option, SRP creates a hash of the file you want to allow, and that file will then be allowed to run no matter what folder it happens to be in. This is considerably more secure than a path rule because only this exact file will be allowed. If you ever need to update the file, you’ll need a new rule with the new hash.
  • Certificate rules. These are probably the most secure type, because they are based on a certificate from the manufacturer. Because of this, they require more work from the PC and can slow down processing. Each time you run a program with a certificate rule applied, it has to check in with the server to see if the certificate is valid and whether or not it has expired. When the certificate does expire, you’ll need to create a new rule.
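The weak spot in path rules is a whitelisted folder that users can write to. As an added example (not from the original post or from Microsoft), this PowerShell script reads the machine’s Unrestricted path rules from the SRP registry store and flags folders where ordinary users hold write rights. The registry layout and the level number 262144 for “Unrestricted” are SRP’s own; which groups count as “low-privilege” and which rights count as “write” are my assumptions.

```powershell
# Added example: audit SRP "Unrestricted" path rules for user-writable folders.
# Assumes the standard SRP machine-policy registry layout; 262144 = Unrestricted.
$srpRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$pathRules = Join-Path $srpRoot '262144\Paths'

# Assumed set of identities that stand for "any logged-on user".
$lowPrivGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE'
# WriteData (create files) | AppendData (create folders), plus the generic
# GENERIC_WRITE / GENERIC_ALL bits that some inherited ACEs carry.
$writeMask   = 0x2 -bor 0x4
$genericMask = 0x40000000 -bor 0x10000000

function Expand-SrpPath([string]$rule) {
    # Default rules point at registry values: %HKEY_LOCAL_MACHINE\<key>\<value>%<suffix>
    if ($rule -match '^%HKEY_LOCAL_MACHINE\\(.+)\\([^\\]+)%(.*)$') {
        $base = (Get-ItemProperty -Path "HKLM:\$($Matches[1])" -Name $Matches[2]).($Matches[2])
        return $base + $Matches[3]
    }
    # Otherwise the rule is a normal path, possibly with %SystemRoot%-style variables.
    return [Environment]::ExpandEnvironmentVariables($rule)
}

if (-not (Test-Path $pathRules)) { Write-Host 'No Unrestricted path rules found.'; return }

foreach ($key in Get-ChildItem $pathRules) {
    $rule   = (Get-ItemProperty $key.PSPath).ItemData   # the path as typed in the GPO
    $folder = Expand-SrpPath $rule
    if ($folder -match '[*?]') { Write-Host "SKIP (wildcard rule, check by hand): $rule"; continue }
    if (-not (Test-Path -LiteralPath $folder)) { Write-Host "SKIP (path missing): $folder"; continue }

    # Collect every low-privilege identity that is allowed to write into the folder.
    $writable = foreach ($ace in (Get-Acl -LiteralPath $folder).Access) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPrivGroups -contains $ace.IdentityReference.Value -and
            (($rights -band $writeMask) -or ($rights -band $genericMask))) {
            $ace.IdentityReference.Value
        }
    }
    if ($writable) { Write-Host "UNSAFE: $folder is writable by $($writable -join ', ')" }
    else           { Write-Host "OK:     $folder" }
}
```

The script inspects only the folder named in each rule; a writable subfolder inside an allowed tree (C:\Windows\Temp is the classic case) needs a recursive check or a separate Disallowed rule.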

While it sounds somewhat intimidating, getting SRP up and running really isn’t that bad.  I’ve created a snip on the basic setup here:

https://techsnips.io/snips/how-to-create-a-basic-software-restriction-policy-srp-via-gpo/

And the NSA has a handy (somewhat outdated) PDF here:

https://apps.nsa.gov/iaarchive/library/reports/application-whitelisting-using-srp.cfm

As long as you remember to test your settings on a small group before deploying to the entire network, you’ll find SRP to be fairly painless. Whether you decide to use SRP, AppLocker, or another option, with whitelisting your network will be safer than ever before.