Application Control Policies

ThreatLocker® application control policies offer granular control of what applications can run in your environment. Unlike the simple yes-or-no approach of traditional white-listing, ThreatLocker Application Control allows you to set ordered policies for what can and cannot run.

Policies are evaluated in order until one is matched. When a policy is matched, processing stops. The order in which policies run is:

  1. Organization policies;
  2. Computer policies; and
  3. Group policies.

How to Add an Application Policy

Application policies are normally automatically created when installing new computers, or when installing an application using installation mode. If you need bespoke configuration, or would like to configure a more granular approach, you can manually add policies.

  1. Select Application Control > Policies from the left navigation menu;
  2. Select the New Application Policy button;
  3. From the New Application Policy page, enter a name for your policy;
  4. Should this policy permit or deny execution?
    • Permit - Any matching applications will be permitted.
    • Deny - Any matching applications will be blocked from executing.
  5. Allow the user to request permission when blocked. - If the policy has been set to deny, you will be presented with an option to allow a user to request permission. If you want the user to get a dialog box with a request option, select this option. If you do not check this box, the user will be presented with the standard operating system “Access is Denied” message;
  6. Do you want this policy to apply to the entire organization or a selected computer group?
    1. Apply to the Entire Organization - The policy will apply to the entire organization.
    2. Select a computer or group - The policy will only apply to the selected computer or group.
  7. What applications does this policy apply to?
    • All Applications - When selecting all applications, this policy will apply to everything. This is normally reserved for default allow or default deny policies, but it could be used, for example, to permit *\administrator to run all applications.
    • Only the following applications - When selected, you will be presented with a list of applications that the policy applies to. You can add multiple applications by selecting the application and selecting add;
  8. What type of interface should this apply to (e.g. USB or SATA)?
    • All Interfaces - When selected, the policy will be applied regardless of whether the application is opened from a local hard drive or a USB drive.
    • Select an interface - You can limit the policy to only apply to certain drive types. For example, you could deny programs from running on USB drives;
  9. Which users and groups should this policy apply to?
    • Apply to all users and groups - this policy will apply to all usernames;
    • Let me select users and groups - you can enter specific usernames in the list below. When entering usernames you can use wildcards (e.g. *\administrator).
  10. Should the policy expire at a certain date and time? - When creating a policy you can configure it to expire at a certain date and time. This could be useful in circumstances where you need to permit temporary access to an application.
    • Do not expire - Select this if you wish the policy to never expire;
    • Let me set the expiration date and time.
  11. Do you want to record this policy in the audit when it is matched?
    • Yes - Each time the application is opened, it will be recorded in the Application Audit;
    • No - No entry will be logged.
  12. Do you want this policy to run before or after existing policies?
    • Before - The new policy will be created at the top of the list;
    • After - The new policy will be created at the very end. This is useful when creating a default deny policy.
  13. To save your policy, select the Save button.

Your new policy will be added to the list for the Entire Organization, Group or Computer you created it for. You can drag the policy up or down the list if you wish it to run after existing policies. Once you are ready to deploy, you can select the Deploy Policies button.
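
The first-match behavior and policy options described on this page can be modeled in a few lines of Python to check how a policy list will resolve before deploying it. This is an added example, not ThreatLocker code or its API: the `Policy` class, `evaluate` function, field names and sample policies are all hypothetical. It assumes that list position orders policies within each scope, and it leaves the outcome undefined when nothing matches.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional

# Scope order taken from the page: Organization, then Computer, then Group.
SCOPE_RANK = {"organization": 0, "computer": 1, "group": 2}

@dataclass
class Policy:  # hypothetical model of the options set in steps 3-12
    name: str
    action: str                          # "permit" or "deny"
    scope: str                           # key of SCOPE_RANK
    position: int                        # place in the list for that scope (assumption)
    apps: Optional[set] = None           # None = All Applications
    interfaces: Optional[set] = None     # None = All Interfaces
    users: Optional[list] = None         # None = all users, else wildcard patterns
    expires: Optional[datetime] = None   # None = Do not expire

    def matches(self, app, interface, user, now):
        if self.expires is not None and now >= self.expires:
            return False                 # an expired policy no longer applies
        if self.apps is not None and app not in self.apps:
            return False
        if self.interfaces is not None and interface not in self.interfaces:
            return False
        if self.users is not None:
            return any(fnmatchcase(user.lower(), p.lower()) for p in self.users)
        return True

def evaluate(policies, app, interface, user, now):
    """Return (action, policy name) of the first match, or (None, None)."""
    for p in sorted(policies, key=lambda p: (SCOPE_RANK[p.scope], p.position)):
        if p.matches(app, interface, user, now):
            return p.action, p.name      # first match wins, processing stops
    return None, None                    # nothing matched: outcome not modeled here

NOW = datetime(2024, 1, 15, 12, 0)       # constructed evaluation time
POLICIES = [                             # constructed sample policy set
    Policy("Deny USB", "deny", "organization", 0, interfaces={"USB"}),
    Policy("Admins run all", "permit", "organization", 1, users=[r"*\administrator"]),
    Policy("Temp installer", "permit", "computer", 0, apps={"installer.exe"},
           expires=datetime(2024, 1, 10)),
    Policy("Office", "permit", "group", 0, apps={"winword.exe"}),
    Policy("Default deny", "deny", "group", 1),
]
```

With this sample set, an administrator launching a program from USB is still denied because "Deny USB" sits above "Admins run all", and a deny-all policy placed first would shadow every permit below it.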