Ringfencing the Print Spooler
Creating the Ringfencing policy
ThreatLocker can block the Print Spooler's interaction with high-risk applications, and its access to the internet, to prevent breaches via Print Spooler exploits, which are becoming commonplace.
Navigate to Application Control > Policies. Then select 'Add Suggested Policies' at the top middle of the page.
This will populate a list of ThreatLocker recommended policies. From this list, select the 'Print Spooler (Ringfenced)' policy by ticking its checkbox, and then click the 'Add Suggested Policies' button at the top.
When you add this policy, by default, it will be placed at the top of the policy list for whichever computer group you applied it to. It is important that this policy is always above your Windows Core policies.
When you first set this policy up, you need to place it in a monitor only status so you can evaluate what is being Ringfenced and make changes accordingly. Every environment is different, and which other applications this could affect will vary from situation to situation.
Failure to set this policy to monitor only status when first setting it up will cause printing issues, and could interfere with normal business operations.
To place a policy into monitor only mode, click the 'Status' dropdown next to the policy name. Select 'Monitor Only' from the list.
After deploying policies, the Print Spooler service will need to be restarted for the new Ringfencing policy to be applied. To restart the Print Spooler, open a Command Prompt as an administrator and enter: "net stop spooler && net start spooler"
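The same restart from PowerShell, with a check that the service actually came back up, is shown below. This is an added example and not ThreatLocker's own code; it only uses the built-in Spooler service name and standard Windows cmdlets, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not ThreatLocker's code): restart the Print Spooler so the newly
# deployed Ringfencing policy is applied, then confirm the service is Running again.
# Run from an elevated PowerShell prompt.
$before = Get-Service -Name Spooler
Write-Host "Spooler before restart: $($before.Status)"

# -Force also restarts any services that depend on the spooler (for example Fax,
# where installed); without it the stop request would be refused.
Restart-Service -Name Spooler -Force -ErrorAction Stop

# Give the service up to 30 seconds to reach Running; WaitForStatus throws a
# TimeoutException if it does not, so a failed restart is not silently ignored.
$after = Get-Service -Name Spooler
$after.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Running,
                     [TimeSpan]::FromSeconds(30))
$after.Refresh()

# Note the new process ID: Unified Audit entries for this PID are from the spooler
# instance running under the Ringfencing policy, not the one that ran before it.
$spoolerPid = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").ProcessId
Write-Host "Spooler after restart: $($after.Status) (PID $spoolerPid)"
```

Run this on each endpoint after the policy has deployed; if the final status is anything other than Running, check the System event log for the spooler's own errors before attributing the failure to the policy.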
Checking for Network Exceptions
Once you have set up the Print Spooler Ringfenced policy, and placed it into a monitor only status, wait a few days and then look through your Unified Audit to check for other exceptions that may need to be added before changing this policy to 'Inherit' or 'Secured'.
In the Unified Audit, narrow your search by entering the 'Policy Name', and in the 'Action' dropdown, selecting 'Ringfenced'.
From here you can see any items that would have been blocked by this policy. Add any exceptions this Ringfencing policy needs so that you can change its status to Secured and your work environment will continue to function.
To investigate any Ringfenced items in the Unified Audit, click the arrow on the left of the Ringfenced item. Check the 'Policy' name. If it is your SpoolSv.exe (RingFenced) policy and you want to add this address as an Exclusion, click the 'Add to Policy' button on the right.
The policy will open, and the IP address will be prepopulated in the 'Value' textbox. Click the 'Add' button, and this IP address will be added as an Exclusion to the policy.
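When the monitoring period produces more than a handful of Ringfenced entries, it helps to summarise them by destination before deciding which to add as Exclusions. The script below is an added example, not ThreatLocker's code: it works from a CSV export of the Unified Audit whose column names (Timestamp, Hostname, PolicyName, Action, ProcessPath, Target) are an assumption for illustration and should be matched to the headers of your own export; the sample rows are constructed.

```powershell
# Added example (not ThreatLocker's code): summarise Ringfenced Print Spooler
# events from a Unified Audit export before moving the policy out of Monitor Only.
# ASSUMPTION: the CSV columns below; adjust them to your own export's headers.
$PolicyName = 'Print Spooler (Ringfenced)'

# Constructed sample rows standing in for an exported audit CSV.
$sampleCsv = @'
Timestamp,Hostname,PolicyName,Action,ProcessPath,Target
2024-01-10T08:01:12Z,WS-014,Print Spooler (Ringfenced),Ringfenced,C:\Windows\System32\spoolsv.exe,10.0.5.20
2024-01-10T08:03:40Z,WS-014,Print Spooler (Ringfenced),Ringfenced,C:\Windows\System32\spoolsv.exe,10.0.5.20
2024-01-10T09:15:02Z,WS-022,Print Spooler (Ringfenced),Ringfenced,C:\Windows\System32\spoolsv.exe,203.0.113.77
2024-01-10T09:20:55Z,WS-022,Windows Core,Permit,C:\Windows\System32\spoolsv.exe,10.0.5.20
2024-01-11T07:58:31Z,WS-031,Print Spooler (Ringfenced),Ringfenced,C:\Windows\System32\spoolsv.exe,10.0.5.21
'@
$events = $sampleCsv | ConvertFrom-Csv
# For a real export use instead:  $events = Import-Csv -Path .\unified-audit.csv

# RFC 1918 destinations are usually print servers; anything else needs a closer look
# before it is excluded from the Ringfence.
function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Keep only what this policy would have blocked, then group by destination.
$ringfenced = $events | Where-Object {
    $_.PolicyName -eq $PolicyName -and $_.Action -eq 'Ringfenced'
}

$summary = $ringfenced | Group-Object -Property Target | ForEach-Object {
    $times = @($_.Group | ForEach-Object { [datetime]$_.Timestamp } | Sort-Object)
    [pscustomobject]@{
        Target    = $_.Name
        Hits      = $_.Count
        Hosts     = (@($_.Group | ForEach-Object { $_.Hostname }) | Sort-Object -Unique) -join ','
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
        Scope     = if (Test-PrivateIPv4 $_.Name) { 'internal' } else { 'external - verify before excluding' }
    }
}

$summary | Sort-Object -Property Hits -Descending | Format-Table -AutoSize
```

With the sample data this lists 10.0.5.20 and 10.0.5.21 as internal destinations seen from several workstations, which are the likely print servers to add as Exclusions, and flags 203.0.113.77 as an external address to investigate rather than exclude; the 'Permit' row from the Windows Core policy is ignored because the audit filter is the same one the article describes (policy name plus the 'Ringfenced' action).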
You can also utilize the 'Tags' feature to serve as a container for domains/IP addresses. This can be applied to the 'Internet' tab included in the Ringfence options.
For more information on Tags, please visit this: