To comply with a new security policy, an organization must guarantee that only explicitly approved software can execute on its high-value database servers. The security team configures the host operating systems so that every process is blocked by default unless the executable appears on a predefined list of trusted applications. Which type of control does this configuration implement?
The scenario describes an allow list (application allowlisting). With an allow list, the default action is to deny all code execution except for applications that have been explicitly approved, thereby enforcing a "deny-by-default, allow-by-exception" model. A deny list works in the opposite manner by allowing everything except items specifically blocked. Role-based and discretionary access controls govern user or role permissions, not which binaries may run, so they do not fit the scenario.