-
Ringfencing a New Application
When you are applying Ringfencing to an Application that has not previously had Ringfencing applied, it is very important to place that specific Policy into a Monitor Only Status for about a week. Failure to place a new Ringfencing Policy into a Monitor Only Status for a week may impact your day-to-day business operations. To place a Policy into Monitor Only Status, you can select 'Monitor Only' from the dropdown menu adjacent to the policy name on the Application Control > Policies Page.
-
Setting up an IIS Ringfencing Policy
ThreatLocker can stop the execution of remote web shells through the Ringfencing of IIS, limiting the damage an attacker can do post-exploitation. Navigate to Application Control > Policies. Then select 'Add Suggested Policies' at the top middle of the page. This will populate a list of ThreatLocker recommended Policies. From this list, select the 'IIS World Wide Web Publishing (Ringfenced)' Policy by clicking the checkbox, and then click the 'Add Suggested Policies' button at the top.
-
Using Ringfencing to Prevent Lateral Movement with Elevation
Regardless of what type of elevation software you use, there is a risk of someone abusing their elevated privilege and moving from one Application they are running as an administrator to running another Application as an administrator. ThreatLocker can help you mitigate this risk through the use of Ringfencing. With Ringfencing you can specify what the Application being run with elevated privileges can interact with (e.g. other applications and your powerful built-in Windows tools).
-
Ringfencing the Print Spooler
Creating the Ringfencing policy
ThreatLocker is able to block the interaction of the Print Spooler with high-risk applications, along with internet access, to avoid breaches via Print Spooler exploits, which are becoming commonplace. Navigate to Application Control > Policies. Then select 'Add Suggested Policies' at the top middle of the page. This will populate a list of ThreatLocker recommended policies. From this list, select the 'Print Spooler (Ringfenced)' policy by selecting the checkbox, and then selecting the 'Add Suggested Policies' button at the top.
-
Ringfencing Internet Access
Ringfencing enables you to block an application from accessing the internet altogether, or you can specify only certain websites that you know this application needs to access.
Custom Rules
Custom Rules are a legacy feature, and when possible ThreatLocker recommends using Exclusions instead, as they are more efficiently managed, do not require an application restart, and can be automatically learned. If you are applying Tags, they will need to be applied in the 'Custom Rules' tab.
-
Ringfencing Application Interaction
Ringfencing enables you to decide what Applications a program can or cannot interact with. This will help eliminate the possibility that a threat actor can use a good Application in a malicious way. It is a good idea to block interaction with the powerful built-in Windows tools that you know an Application doesn't need access to. The following screenshot is from the ThreatLocker default Microsoft Office Policy.
-
Ringfencing File Access
Ringfencing gives you the ability to restrict an Application's ability to access files. Under the 'Files' tab, once you select the checkbox next to 'Enable Advanced Ringfencing to protect access to files', you will be preventing that Application from accessing your protected files unless you specifically permit it by adding the file path you wish to allow access to. By default, protected files are any network shares, any external storage such as USB drives, and on newer ThreatLocker deployments your Desktop and Documents folders.
-
Ringfencing Registry Activity
Malware often hides in the registry. Ringfencing gives you the ability to prevent an Application from making any changes to your registry, preventing the possibility that something malicious could be written to it. When you select 'Restrict these Applications from making registry changes except for the below rules', no registry access will be permitted unless you permit it. Many legitimate programs require access to the registry, such as Notepad++.
-
How to Use Ringfencing Internet Exclusions
Troubleshooting
Exclusions function like tags and are updated immediately after the Add button is pressed. If the endpoint is still able to access the Excluded website, clear the endpoint browser cache and history and restart the ThreatLocker service.
Setup
In ThreatLocker, under the 'Internet' tab on Ringfencing policies, there is an 'Exclusions' tab. This tab functions much like the ThreatLocker tags feature. Here you can create a whitelist of IPv4 addresses, IPv6 addresses, or domains that the Application whose Policy you are editing can interact with.