Application Control Policies
ThreatLocker® application control policies offer granular control of what applications can run in your environment. Unlike the simple yes-or-no approach of traditional white-listing, ThreatLocker Application Control allows you to set policies, in order, for what can and cannot run.
Policies run in order until one is hit. When a policy is matched, processing stops. The order in which policies run is:
- Organization policies;
- Computer policies; and
- Group policies.
How to Add an Application Policy
Application policies are normally automatically created when installing new computers, or when installing an application using installation mode. If you need bespoke configuration, or would like to configure a more granular approach, you can manually add policies.
- Select Application Control > Policies from the left navigation menu;
- Select the New Application Policy button;
- From the New Application Policy page, enter a name for your policy;
- Should this policy permit or deny execution?
- Permit - Any matching applications will be permitted.
- Deny - Any matching applications will be blocked from executing.
- Apply to the Entire Organization - The policy will apply to the entire organization.
- Select a computer or group - The policy will only apply to the selected computer or group.
- All Applications - When selecting all applications, this policy will apply to everything. This is normally reserved for default allow or default deny policies, but it could be used, for example, to permit *\administrator to run all applications.
- Only the following applications - When selected, you will be presented with a list of applications that the policy applies to. You can add multiple applications by selecting the application and selecting add;
- All Interfaces - When selected, the policy will be applied regardless of whether the application is opened from a local hard drive or a USB drive.
- Select an interface - You can limit the policy to only apply to certain drive types. For example, you could deny programs from running on USB drives;
- Apply to all users and groups - this policy will apply to all usernames;
- Let me select users and groups - you can enter specific usernames in the list below. When entering usernames you can use wildcards (e.g. *\administrator).
- Do not expire - Select this if you wish the policy to never expire;
- Let me set the expiration date and time.
- Yes - Each time the application is opened, it will be recorded in the Application Audit;
- No - No entry will be logged.
- Before - The new policy will be created at the top of the list;
- After - The new policy will be created at the very end. This is useful when creating a default deny policy.
Your new policy will be added to the list for the Entire Organization, Group or Computer you created it for. You can drag the policy up or down the list if you wish it to run after existing policies. Once you are ready to deploy, you can select the Deploy Policies button.
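
The following added example (not ThreatLocker's code) models the first-match ordering described on this page in Python, to show why a catch-all policy such as a default deny belongs at the end of the list. The `Policy` fields, the `evaluate` and `shadowed` helpers and the sample policies are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional

SCOPE_ORDER = ["organization", "computer", "group"]  # evaluation order stated on this page

@dataclass
class Policy:  # hypothetical model; field names are assumptions, not the product's schema
    name: str
    scope: str
    action: str                         # "permit" or "deny"
    apps: Optional[set] = None          # None = All Applications
    interface: Optional[str] = None     # None = All Interfaces
    users: Optional[list] = None        # None = all users; entries may use wildcards
    expires: Optional[datetime] = None  # None = Do not expire

    def matches(self, app, interface, user, now):
        return ((self.expires is None or now < self.expires)
                and (self.apps is None or app in self.apps)
                and (self.interface is None or interface == self.interface)
                and (self.users is None or any(
                    fnmatchcase(user.lower(), u.lower()) for u in self.users)))

def ordered(policies):
    return sorted(policies, key=lambda p: SCOPE_ORDER.index(p.scope))  # stable within a scope

def evaluate(policies, app, interface, user, now):
    """First match wins; (None, None) if nothing matches (that case is not covered here)."""
    for p in ordered(policies):
        if p.matches(app, interface, user, now):
            return p.action, p.name
    return None, None

def shadowed(policies):
    """Policies listed after a non-expiring catch-all can never be hit."""
    seq = ordered(policies)
    for i, p in enumerate(seq):
        if (p.apps, p.interface, p.users, p.expires) == (None, None, None, None):
            return [q.name for q in seq[i + 1:]]
    return []

# Constructed sample list: default deny placed last in the organization scope.
SAMPLE = [
    Policy("Admins run anything", "organization", "permit", users=[r"*\administrator"]),
    Policy("Deny USB", "organization", "deny", interface="usb"),
    Policy("Office", "organization", "permit", apps={"office"}),
    Policy("Default deny", "organization", "deny"),
]
```

Moving "Default deny" to the top of `SAMPLE` makes `evaluate` return a deny for every request, and `shadowed` then lists the three policies below it.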