Setting up an IIS Ringfencing Policy

4 min. read | Last update: 07.09.2025

ThreatLocker can stop the execution of remote web shells by Ringfencing IIS. The Ringfenced policy restricts which applications the IIS processes may interact with and which addresses they may reach, so a web shell dropped through a vulnerable web application cannot simply launch other tools, limiting the damage an attacker can do post-exploitation.

Navigate to the Modules dropdown on the left-hand side of the page, then select ‘Application Control’. 

Select the ‘Policies’ tab in the top-right corner of the page. 

In the 'Policies' page, select the hamburger menu to the right of the ‘New Tag’ button. This will open a pop-up window titled ‘Application Control Policy Management’. From here, select the button labeled ‘ThreatLocker Suggested Policies’. 

A window that gives you a list of all ThreatLocker Suggested Policies will open.

From here, select the level at which to apply this policy. Using the dropdown menu, you can apply it to the entire organization, a global group, or a computer group. To apply the policy to an individual machine, enter the machine name in the search bar provided. 

Once the level at which to apply the policy is selected, navigate to the search bar on the right-hand side of the page and enter ‘IIS’. You can also scroll manually to find the policy named ‘IIS World Wide Web Publishing (Ringfenced)’. Once located, select the policy and then select the button labeled ‘Add 1 Suggested Policy’. 

When you add this policy, it is placed by default at the top of the policy list for the group or individual machine you applied it to. It must always remain above your Windows Core policies: policies are evaluated from the top down and the first match wins, so if a Windows Core permit policy matched the IIS processes first, the Ringfencing restrictions would never be applied.  

When you first set this policy up, set it to 'Monitor Only' status so you can evaluate what would be Ringfenced and adjust the policy before enforcing it. Every environment is different, and which other applications the policy affects varies from one deployment to the next.   

If the policy is enforced immediately instead of being placed in 'Monitor Only' status, legitimate applications that IIS interacts with may be blocked, interfering with normal business operations.

To place a policy into 'Monitor Only' mode, navigate to the ‘Policies’ page within the ‘Application Control’ module and select the 'Status' dropdown to the right of the policy name. Select 'Monitor' from the list. 
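While the policy sits in 'Monitor Only', it helps to cross-check from the server itself which processes the IIS worker processes (w3wp.exe) actually spawn, since that is the behaviour a web shell exhibits and the behaviour this policy Ringfences. The PowerShell script below is an added example, not part of this article and not a ThreatLocker tool. It reads Windows Security event 4688 (process creation) and assumes that process-creation auditing is enabled on the server, that it is run from an elevated PowerShell session, and that the server is Windows Server 2016 or later so the event carries the parent process name. The list of shell-tool image names is an illustrative assumption, not a ThreatLocker setting.

```powershell
# Added example (not from the ThreatLocker article): summarise which processes the IIS
# worker processes have spawned, from Windows Security event 4688 (process creation).
# Assumptions: process-creation auditing is enabled, the script runs elevated, and the
# OS writes the ParentProcessName field (Windows Server 2016 or later).

param(
    [int]$Days = 3,                  # how far back to look
    [string]$ParentName = 'w3wp.exe' # IIS worker process image name
)

# Child images a web shell typically launches; illustrative list, not a ThreatLocker setting.
$ShellTools = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                'certutil.exe', 'rundll32.exe', 'mshta.exe', 'bitsadmin.exe')

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$spawned = foreach ($event in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ParentProcessName'] -like "*\$ParentName") {
        $child = Split-Path -Leaf $data['NewProcessName']
        [pscustomobject]@{
            Time        = $event.TimeCreated
            Child       = $data['NewProcessName']
            CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
            Suspicious  = $ShellTools -contains $child
        }
    }
}

if (-not $spawned) {
    Write-Host "No processes spawned by $ParentName found in the last $Days day(s)."
    return
}

# One row per distinct child image: how often it was launched, when it was last seen,
# and whether it looks like shell activity. Legitimate children (for example Exchange
# components) are candidates for the policy's Application Interaction list; flagged
# children are exactly what the Ringfence is meant to stop.
$spawned |
    Group-Object Child |
    ForEach-Object {
        [pscustomobject]@{
            Count      = $_.Count
            Child      = $_.Name
            Suspicious = $_.Group[0].Suspicious
            LastSeen   = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Sort-Object Suspicious, Count -Descending |
    Format-Table -AutoSize
```

Run it on the IIS server over the same period the policy is in 'Monitor Only' and compare the unflagged rows with the Ringfenced entries in the Unified Audit. Anything that appears in both and is legitimate belongs in the policy's exceptions; anything flagged as suspicious should not be excepted.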

Adding Exceptions for Exchange Server Policies 

Exchange Server runs its client-access components (OWA, ECP, EWS, ActiveSync) inside IIS application pools, so you must also add your Exchange Server policy or policies to the 'IIS World Wide Web Publishing (Ringfenced)' policy's 'Application Interaction' list to allow IIS to interact with Exchange Server. 

Within the ‘Policies’ page, select the policy's name to edit it. 

A side panel titled 'Edit Application Policy' will open to the right of the page. Here, navigate to the ‘Actions’ section towards the bottom of the panel. Search for the names of your Exchange Server policies and add them to the IIS Ringfenced policy by selecting each name in the results. If you have policies for several Exchange Server versions, add each of them as needed. This allows IIS to interact with Exchange Server. Make sure the selector is set to ‘Allow Only the Below’, so that IIS may interact only with the applications you list. 

Checking for Additional Necessary Exceptions 

Once you have set up the 'IIS World Wide Web Publishing (Ringfenced)' policy, added your exceptions for Exchange Server, and placed it in 'Monitor Only' status, wait a few days and then review your Unified Audit for other exceptions that may need to be added before changing the policy to 'Inherit' or 'Secured'. For further information regarding these maintenance modes, please navigate to the following article: 

In the Unified Audit, narrow your search by entering the Asset Name and Policy Name, and in the 'Action' dropdown, select 'Ringfenced'. 

From here, you can see every item that would have been blocked had the policy been enforced. Add any exceptions this Ringfencing policy needs so that, once you change its status to 'Secured', your environment continues to function.

To investigate any Ringfenced items in the Unified Audit, select the arrow on the left of the Ringfenced item. Check the 'Policy' name. If it is your 'IIS World Wide Web Publishing (Ringfenced)' policy and you want to add this address as an Exclusion, select the 'Add to Policy' button at the top of the side panel.   

The ‘Edit Application Policy’ side panel will open. By selecting the dropdown menu under ‘Exclusions’ at the bottom of the page, you can change the exclusion from ‘Domain’ to ‘IPv4’.  

Once selected, the IPv4 address will be populated into the textbox. You can select the 'Add' button, and this IP address will now be added as an exclusion to the policy. 
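Before committing to a set of 'Domain' or 'IPv4' exclusions, it is worth confirming from the server which remote endpoints the IIS worker processes actually talk to. The PowerShell script below is an added example, not part of this article and not a ThreatLocker tool. It assumes it is run elevated on the IIS server, that the worker process image is w3wp.exe, and that the Get-NetTCPConnection cmdlet (NetTCPIP module, Windows Server 2012 R2 or later) is available. The private-address filter is an assumption about what counts as Internet traffic in your environment.

```powershell
# Added example (not from the ThreatLocker article): list the remote endpoints that IIS
# worker processes (w3wp.exe) currently hold established connections to, so you can
# decide which addresses or domains the policy's Internet exclusions must allow.
# Assumptions: run elevated on the IIS server; Get-NetTCPConnection is available.

# Loopback, private and link-local ranges are not Internet traffic, so leave them out.
function Test-PrivateAddress {
    param([string]$Address)
    return $Address -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|fe80:)'
}

$workerPids = @(Get-Process -Name w3wp -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
if ($workerPids.Count -eq 0) {
    Write-Host 'No w3wp.exe processes are running; browse the site first so the application pool starts.'
    return
}

$endpoints = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $workerPids -contains $_.OwningProcess -and -not (Test-PrivateAddress $_.RemoteAddress) } |
    Group-Object RemoteAddress, RemotePort |
    ForEach-Object {
        # Group-Object joins the two property values as "address, port".
        $address, $port = $_.Name -split ', '

        # A reverse lookup helps choose between a 'Domain' and an 'IPv4' exclusion;
        # it may fail for addresses without PTR records, in which case HostName stays empty.
        $hostName = ''
        try { $hostName = [System.Net.Dns]::GetHostEntry($address).HostName } catch { }

        [pscustomobject]@{
            RemoteAddress = $address
            RemotePort    = [int]$port
            Connections   = $_.Count
            HostName      = $hostName
        }
    }

$endpoints | Sort-Object Connections -Descending | Format-Table -AutoSize
```

Run it a few times while the site is in normal use, since it only shows connections open at that moment. Endpoints that resolve to a stable name are better added as 'Domain' exclusions; endpoints with no name, or belonging to a service that rotates addresses, are the ones to compare against the Ringfenced entries in the Unified Audit before adding them as 'IPv4' exclusions.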

You can also use the 'Tags' feature as a container for domains and IP addresses, and apply the Tag on the 'Internet' tab of the Ringfence options instead of adding each exclusion individually.

For more information on Tags, please navigate to the following article:

Creating Tags | ThreatLocker Help Center
