Setting up an IIS Ringfencing Policy
ThreatLocker can contain remote web shells by Ringfencing IIS: the IIS worker process is restricted in which other Applications it can launch and interact with, which limits the damage an attacker can do post-exploitation.
Navigate to Application Control > Policies. Then select 'Add Suggested Policies' at the top middle of the page.
This will populate a list of ThreatLocker-recommended Policies. From this list, select the 'IIS World Wide Web Publishing (Ringfenced)' Policy by clicking its checkbox, and then click the 'Add Suggested Policies' button at the top.
When you add this Policy, by default it is placed at the top of the Policy list for the computer group you applied it to. Keep this Policy above your Windows Core Policies at all times.
When you first set this Policy up, place it in Monitor Only status so you can evaluate what would be Ringfenced and make changes before enforcing it. Every environment is different, and which other Applications this Policy affects will vary from situation to situation.
If the Policy is not set to Monitor Only when it is first created, other Applications will be blocked, and normal business operations could be interrupted.
To place a policy into Monitor Only Mode, click the 'Status' dropdown next to the Policy name. Select 'Monitor Only' from the list.
Adding Exceptions for Exchange Server Policies
You will also need to add your Exchange Server Policy or Policies to the IIS World Wide Web Publishing Ringfenced Policy's 'Application Interaction' list to allow IIS to interact with Exchange Server.
On the Policies page, click the pencil icon next to your IIS Policy to edit it.
Within the Policy, navigate to the 'Application Interaction' area. Select the Policy you have for Exchange Server and add it to the IIS Ringfenced Policy by clicking the 'Add' button. If you have multiple Policies for Exchange Server, select each one in turn and click 'Add' after each selection. This allows IIS to interact with Exchange Server.
Checking for Additional Necessary Exceptions
Once you have added the IIS World Wide Web Publishing (Ringfenced) Policy, added your exceptions for Exchange Server, and placed it in Monitor Only status, wait a few days. Then review your Unified Audit for any other exceptions that need to be added before changing this Policy to 'Inherit' or 'Secured'.
In the Unified Audit, narrow your search by entering the 'Hostname', 'Policy Name', and in the 'Action' dropdown, select 'Ringfenced'.
From here you can see every item that would have been blocked by this Policy. Add any exceptions that legitimate activity requires to this Ringfencing Policy so that, once its status is changed to Secured, your environment continues to function.
To investigate a Ringfenced item in the Unified Audit, click the arrow on the left of the item and check the 'Policy' name. If it is your IIS World Wide Web Publishing (Ringfenced) Policy and you want to add this address as an Exclusion, click the 'Add to Policy' button on the right. Only exclude addresses you can confirm IIS legitimately needs to reach; a web shell's callback destination would appear in this same list and must not be excluded.
The Policy will open up, and the IP address will be prepopulated in the 'Server' textbox. You can click the 'Add' button, and this IP address will now be added as an Exclusion to the Policy.
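The Unified Audit shows what the Ringfence would have blocked, but it helps to cross-check those findings against the server's own record of what the IIS worker process (w3wp.exe) actually launched during the Monitor Only period. The PowerShell below is an added example written for this page, not a ThreatLocker tool: it reads Windows Security event 4688 (process creation) and lists the child processes w3wp.exe started, plus the live outbound TCP connections of the worker processes for the Internet tab. It assumes Windows Server 2016 or later (where 4688 records the creator process name), that 'Audit Process Creation' is enabled, and that 'Include command line in process creation events' is turned on if you want command lines; the 7-day window is an assumption you can change.

```powershell
# Added example (not ThreatLocker's own tooling): inventory what the IIS worker
# process has launched and connected to, for cross-checking Ringfence findings.
# Assumptions: Windows Server 2016+; "Audit Process Creation" enabled
#   (auditpol /set /subcategory:"Process Creation" /success:enable);
#   command lines only appear if the "Include command line in process
#   creation events" policy is enabled. Run in an elevated PowerShell on the
#   IIS/Exchange server during or after the Monitor Only period.
param(
    [int]$Days = 7   # assumed review window; adjust to match your Monitor Only period
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the EventData fields out of each 4688 record and keep only those whose
# creator (parent) process is w3wp.exe.
$children = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    if ($data['ParentProcessName'] -like '*\w3wp.exe') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Child       = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    }
}

Write-Host "Processes launched by w3wp.exe in the last $Days day(s):"
$children |
    Group-Object Child |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Child'; e = { $_.Name } },
                  Count,
                  @{ n = 'SampleCommandLine'; e = { $_.Group[0].CommandLine } } |
    Format-Table -AutoSize

# Live outbound TCP connections owned by the worker processes, for deciding
# which domains/IP addresses belong in an Internet-tab Tag.
$w3wpIds = (Get-Process -Name w3wp -ErrorAction SilentlyContinue).Id
if ($w3wpIds) {
    Write-Host "Current outbound TCP connections from w3wp.exe:"
    Get-NetTCPConnection -OwningProcess $w3wpIds -State Established -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, RemotePort, OwningProcess |
        Sort-Object RemoteAddress -Unique |
        Format-Table -AutoSize
}
```

Expected children such as Exchange binaries need an Application Interaction exception before the Policy is set to Secured. Anything unexpected in the child list, for example cmd.exe, powershell.exe or certutil.exe launched by the worker process, is precisely what the IIS Ringfence exists to stop and should be investigated rather than excluded.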
You can also use the 'Tags' feature as a container for domains/IP addresses, and apply the Tag on the 'Internet' tab of the Ringfence options.
For more information on Tags, please visit: