Zero Trust in action: Blocking and containing applications

ThreatLocker® implements Zero Trust principles by blocking all unapproved applications by default and securing approved applications through application containment (Ringfencing™).

ThreatLocker operates on the premise that it's impossible to react to every threat out there before it becomes an issue. Therefore, it denies by default: if software is not on the approved list, it cannot run in your environment. This approach significantly reduces the attack surface, with threat intelligence serving as a backup to this core Zero Trust focus.

The first step in securing your environment is to get visibility into what is happening in it. This includes all file reads and writes, application executions, and network activity. Once you know what is running, you can start locking it down.

Note: ThreatLocker Learning Mode makes this easy by learning what applications you are running, even custom applications, and automatically creating policies to ensure business continuity.  

Application allowlisting and containment  

While application allowlisting is important, even approved applications can pose risks. ThreatLocker secures approved applications with Ringfencing, which can limit applications from accessing other applications, your files, the registry, or the internet.

Browser extensions  

  • For any extension that you are considering approving, it's crucial to review its country of influence and the permissions that it requires, such as access to applications, files, passwords, etc.

Storage Control

  • Storage Control policies can be used to block access to locally stored passwords in browsers (e.g., Chrome and Edge).
  • Browser cookie files can also be restricted so that they can only be accessed by that specific browser.

Risky applications  

  • Applications can be filtered by category (e.g., remote management software like TeamViewer or AnyDesk) or country of influence (e.g., Russia) to identify high-risk software.
  • The Health Report provides a risk score for applications and highlights important applications running in your environment for review.
  • Some applications are risky but have a real business need. These need application containment.

Application containment

  • Ringfencing can block lateral application movement by restricting an application's access to other applications, file reads and writes, the internet, the registry, and the network.
  • Exceptions can be made, ensuring that the least amount of access is given.

Simulated deny and monitor mode  

  • When policies are initially created, they should be set to monitor-only mode to test their impact before full enforcement, allowing you to identify any unintended blocks. You can view simulated denies in the Unified Audit.
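
The sketch below is an added example, not ThreatLocker code or its policy format. It models how deny-by-default, containment exceptions, and monitor-only mode interact when a policy is replayed over observed activity. The `Policy` fields, event fields, application names, and sample events are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Hypothetical policy model for illustration, not ThreatLocker's format."""
    approved: set                                  # identifiers of approved applications
    ringfence: dict = field(default_factory=dict)  # app -> {action: [allowed target prefixes]}
    monitor_only: bool = True                      # True: record would-be blocks, do not enforce

def violates(policy, event):
    """Return the reason an event breaks policy, or None if it is permitted."""
    app, action, target = event["app"], event["action"], event["target"]
    if app not in policy.approved:
        return "not on the approved list"          # deny by default
    rules = policy.ringfence.get(app)
    if rules is None or action == "execute":
        return None                                # approved; no containment applies here
    if any(target.startswith(p) for p in rules.get(action, [])):
        return None                                # explicit, narrowly scoped exception
    return f"ringfenced: {action} to {target}"

def evaluate(policy, events):
    """Return a list of (event, verdict, reason) for each observed event."""
    results = []
    for ev in events:
        reason = violates(policy, ev)
        if reason is None:
            verdict = "permit"
        else:
            verdict = "simulated_deny" if policy.monitor_only else "deny"
        results.append((ev, verdict, reason))
    return results

# Constructed sample events (not real audit data).
EVENTS = [
    {"app": "winword.exe", "action": "execute", "target": "winword.exe"},
    {"app": "winword.exe", "action": "file_write", "target": r"C:\Users\amy\Documents\report.docx"},
    {"app": "winword.exe", "action": "launch", "target": "powershell.exe"},
    {"app": "winword.exe", "action": "network", "target": "203.0.113.7:443"},
    {"app": "unknown-tool.exe", "action": "execute", "target": "unknown-tool.exe"},
]

POLICY = Policy(
    approved={"winword.exe", "powershell.exe"},
    ringfence={"winword.exe": {"file_write": ["C:\\Users\\"]}},
)

if __name__ == "__main__":
    for ev, verdict, reason in evaluate(POLICY, EVENTS):
        print(f"{verdict:15} {ev['app']:18} {ev['action']:10} {ev['target']}  {reason or ''}")
```

Reviewing the `simulated_deny` rows before setting `monitor_only` to `False` shows which blocks are intended and which need an exception added first.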

Administrative privileges

  • Elevation Control can automatically elevate specific approved applications, even allowing for temporary approval for installation purposes.

Reduce friction with an approved application store

When users are denied access to an application they need for their work, without being offered any alternatives, it can lead to significant frustration. The ThreatLocker User Store fixes this issue by providing the user with a list of alternative approved applications. It even automatically handles license management.

Organizations can configure their User Store to direct the user to the application’s download page or allow the user to directly download it from the User Store, streamlining the installation process.
