Table of Contents
How is the Default Deny Policy Created? | What is the Default Deny Policy? | Prevention of Disabling the Default Deny Policy
The Default Deny policy is a key component of ThreatLocker Allowlisting. This article discusses the importance and function of the Default Deny policy and why ThreatLocker automatically creates it for you on machines in your organization.
How is the Default Deny Policy Created?
Upon creating an Organization in your ThreatLocker Portal, ThreatLocker automatically creates policies for the three default groups that will populate in your Portal: Workstations, Servers, and MAC. Default policies will also be created for any additional computer groups made outside these initial three groups. For a list of all automatically created policies, please navigate to the following article:
Default Computer Group Policies | ThreatLocker Help Center
Each group contains a Default Deny policy labeled Default - (Group Name). This policy sits at the bottom of the policy list and will be added whenever a new computer group is created.
What is the Default Deny Policy?
The Default Deny policy is the core of ThreatLocker Allowlisting. Any application not already permitted or denied by an existing policy while a machine is in Secured mode will be blocked by the Default Deny policy. This is how ThreatLocker prevents the execution of applications not permitted to run within your environment.
The Default Deny policy is automatically placed at the bottom of the list of policies. Policies are evaluated from the top down, so every other policy is checked before the Default Deny is reached. If the Default Deny is placed above other policies, it matches first and denies everything, and the policies listed below it are never evaluated.
Prevention of Disabling the Default Deny Policy
ThreatLocker does not recommend that the Default Deny policy be disabled. To ensure that this is only ever done with your explicit permission, multiple safeguards have been implemented within our portal to prevent this from occurring. There are four scenarios in which you will be prompted to provide permission to change the Default Deny policy:
- Switching the policy from 'Deny' to 'Permit'
  - The Default Deny policy should remain set to deny. If the Policy Action is switched to 'Permit', the policy will permit everything it matches, and users in that group can run any application unless another deny policy within the organization blocks it. Selecting the 'Save' button will require you to input 'I UNDERSTAND' after reading and acknowledging the warning pop-up.
- Switching the policy from 'Deny' to 'Permit with Ringfencing'
  - The Default Deny policy should remain set to deny. If the Policy Action is switched to 'Permit with Ringfencing', the policy will permit everything it matches under the configured Ringfencing restrictions, and users in that group can run any application unless another deny policy within the organization blocks it. Selecting the 'Save' button will require you to input 'I UNDERSTAND' after reading and acknowledging the warning pop-up.
- Switching the policy from 'Active' to 'Inactive'
  - Policies within your organization can be switched from 'Active' to 'Inactive', which is helpful if you have a policy that briefly needs to be turned off but does not need to be deleted. If you try to switch the Default Deny policy to inactive, you will have to acknowledge the warning pop-up, as rendering this policy inactive will allow users to run all applications that do not have an existing deny policy.
- Deleting the Default Deny Policy
  - Attempting to delete the Default Deny policy will require you to acknowledge the warning pop-up, as deleting the policy will allow users to run all applications that do not have an existing deny policy.
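The following is an added example, not ThreatLocker's own code, that models the two behaviours described above: top-down, first-match policy evaluation with the Default Deny as the catch-all at the bottom, and what happens when that catch-all is moved above other policies or made inactive. The policy list, the path-glob matching and the rule that "no matching policy" means the application runs are constructed simplifications for illustration; ThreatLocker's real matching logic is not reproduced here.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Policy:
    """One row of a computer group's policy list (constructed model)."""
    name: str
    action: str                 # "permit", "permit_ringfenced" or "deny"
    patterns: tuple = ("*",)    # case-insensitive path globs; ("*",) is a catch-all
    active: bool = True

    def is_catch_all(self):
        return self.patterns == ("*",)

    def matches(self, path):
        return any(fnmatch(path.lower(), p.lower()) for p in self.patterns)


def evaluate(policies, path):
    """Walk the list top to bottom; the first ACTIVE policy that matches decides.

    Returns (decision, policy_name). Assumption for this model: if no policy
    matches at all, the application is allowed to run. That is exactly why the
    catch-all Default Deny has to exist and has to sit at the bottom.
    """
    for policy in policies:
        if policy.active and policy.matches(path):
            return policy.action, policy.name
    return "permit", None


def shadowed_policies(policies):
    """Names of policies that can never be reached because an active catch-all
    sits above them. An empty list means the ordering is sound."""
    for index, policy in enumerate(policies):
        if policy.active and policy.is_catch_all():
            return [p.name for p in policies[index + 1:]]
    return []


def has_active_default_deny(policies):
    """True when an active, catch-all deny policy is present (any position)."""
    return any(p.active and p.is_catch_all() and p.action == "deny" for p in policies)


# Constructed sample list for a "Workstations" group; paths are illustrative.
WORKSTATIONS = [
    Policy("Microsoft Office", "permit",
           (r"c:\program files\microsoft office\*",)),
    Policy("PowerShell (ringfenced)", "permit_ringfenced",
           (r"c:\windows\system32\windowspowershell\*\powershell.exe",)),
    Policy("Block Downloads folder", "deny", (r"c:\users\*\downloads\*",)),
    Policy("Default - Workstations", "deny"),          # catch-all, last in list
]

# Same policies with the Default Deny mistakenly moved to the top.
MISORDERED = [WORKSTATIONS[-1]] + WORKSTATIONS[:-1]

# Same policies with the Default Deny switched to Inactive.
DISABLED = WORKSTATIONS[:-1] + [Policy("Default - Workstations", "deny", active=False)]

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DOWNLOAD = r"C:\Users\alice\Downloads\installer.exe"
UNKNOWN = r"C:\Temp\unknown.exe"


if __name__ == "__main__":
    for label, policies in (("correct", WORKSTATIONS),
                            ("misordered", MISORDERED),
                            ("default deny inactive", DISABLED)):
        print(f"--- {label} ---")
        print("shadowed:", shadowed_policies(policies))
        for path in (WORD, DOWNLOAD, UNKNOWN):
            print(f"{path}: {evaluate(policies, path)}")
```

With the correct ordering, Word is permitted by its own policy, the Downloads file is denied by the explicit deny, and the unknown binary falls through to `Default - Workstations`. Moving the catch-all to the top denies all three and `shadowed_policies` reports every other policy as unreachable, which is the ordering problem to check for. Making the Default Deny inactive leaves the explicit deny working but lets the unknown binary run, which is the outcome the portal's warning pop-up is guarding against.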