How to Use the New Policies Page on ThreatLocker Version 6.0
Log into the ThreatLocker Portal and navigate to ‘Application Control’ and then to ‘Policies’. You can select who the policy applies to in the upper right-hand corner of the portal.
Policy Group Hierarchy
- Global Workstations or Global Servers
- Entire Organization
- Computer Groups
Global policies run first, then the Global Workstations or Global Servers policies, then the Entire Organization policies, and finally the computer groups and individual computers.
There is a default policy at the end of the ‘Workstations’ computer group that is set to deny but allows the user to request permission. This is denoted by the red ‘Deny’ icon and the yellow ‘Request’ icon.
Within a group, policies are run in order from the lowest number to the highest. A negative number will be run before a positive number. Regardless of the policy number, the group hierarchy runs in order. For example, a policy with the number 100 in the ‘Global Policy Group’ will run before a policy with the number 1 in the ‘Computers’ Group.
Policies can be reordered by changing the number. To move a policy up in the list, change its number to one lower than the number of the policy you want it placed above. To move a policy lower in the list, change its number to one higher than the number of the policy you want it to follow. For example, if you wanted to move Snagit 2020 (Built-In) to run before the Spotify (Built-In) policy, change the number beside Snagit 2020 (Built-In) to be lower than the number beside Spotify (Built-In).
There is no longer an ‘Applications’ column. Instead, you will see a list of the applications that a policy applies to. If the policy is a built-in policy or a parent application, the customer cannot click on it unless they are logged in as the parent. You can click on the name of a custom application to open a window showing all the files and the rules inside that application. The following screenshot shows the window that opens when the Firefox name is clicked on.
A ‘Status’ column has been added to the page. You can easily switch the status of Deny or Ringfencing policies.
- Inherit
By default, a policy will ‘Inherit’ its ‘Status’ from the computer. If the computer is in any mode that disables blocking, that mode applies to the policy as well and the policy will not block. Once the computer leaves that mode, blocking applies to the policy again and it will be blocked.
- Secured
Selecting ‘Secured’ in the ‘Status’ column will block the policy all the time. If the computer goes into a mode that disables blocking, the policy will continue to be blocked.
- Monitor Only
A policy with the ‘Monitor Only’ status will not be blocked. It will be logged in the ‘Unified Audit’ as a deny, but it will be a green ‘Deny’ instead of a red ‘Deny’ because it will have been permitted. When locking down or Ringfencing an application for the first time, this is a good way to monitor it and be sure it isn’t going to cause a problem.
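The ordering rules above (group hierarchy first, then policy number within a group, negatives before positives, first match wins, default deny at the end) and the three ‘Status’ values can be modelled in a few lines. The following Python is an added example written for this article, not ThreatLocker code; the group labels, file paths and policy names are constructed, and Ringfence restrictions are left out of the model. It also reproduces the shared-file problem described later under the ‘Deny’ button: a deny policy placed above a permit policy that covers one of the same files denies that file.

```python
from dataclasses import dataclass, replace

# Group hierarchy in evaluation order, as the article describes it. Lower rank
# runs first. The labels are assumptions for this model, not portal values.
GROUP_RANK = {
    "Global": 0,
    "Global Workstations": 1,
    "Global Servers": 1,
    "Entire Organization": 2,
    "Computer Group": 3,
    "Computer": 4,
}


@dataclass(frozen=True)
class Policy:
    name: str
    group: str
    number: int              # order within the group; negatives run before positives
    action: str              # "Permit" or "Deny"
    files: frozenset         # files belonging to the application the policy covers
    status: str = "Inherit"  # "Inherit", "Secured" or "Monitor Only"


def evaluation_order(policies):
    """Group hierarchy first, then policy number within the group."""
    return sorted(policies, key=lambda p: (GROUP_RANK[p.group], p.number))


def evaluate(policies, file_path, blocking_disabled=False):
    """The first policy whose application contains the file decides the outcome.

    Returns (policy name, blocked?, audit label). Deny policies follow the
    Status column: Secured always blocks, Inherit follows the computer's mode,
    Monitor Only never blocks but is logged as a green Deny. No match falls
    through to the default Deny at the end of the list.
    """
    for p in evaluation_order(policies):
        if file_path not in p.files:
            continue
        if p.action == "Permit":
            return (p.name, False, "Permit")
        if p.status == "Monitor Only" or (p.status == "Inherit" and blocking_disabled):
            return (p.name, False, "Deny (green)")
        return (p.name, True, "Deny (red)")
    return ("Default Deny", True, "Deny (red)")


def move_before(policies, name, before_name):
    """Renumber `name` so it runs before `before_name` (same group assumed)."""
    target = next(p for p in policies if p.name == before_name)
    return [replace(p, number=target.number - 1) if p.name == name else p
            for p in policies]


# Constructed sample: Spotify and Snagit share one DLL, and Spotify is denied.
SHARED = r"C:\Program Files\Common\shared.dll"
POLICIES = [
    Policy("Global allow", "Global", 100, "Permit", frozenset({r"C:\Tools\global.exe"})),
    Policy("Computer deny", "Computer", 1, "Deny", frozenset({r"C:\Tools\global.exe"})),
    Policy("Deny Spotify", "Computer Group", 0, "Deny", frozenset({r"C:\Spotify\spotify.exe", SHARED})),
    Policy("Permit Snagit", "Computer Group", 1, "Permit", frozenset({r"C:\Snagit\snagit.exe", SHARED})),
    Policy("Deny cmd", "Entire Organization", 1, "Deny", frozenset({r"C:\Windows\cmd.exe"}), status="Secured"),
    Policy("Deny PowerShell", "Entire Organization", 5, "Deny", frozenset({r"C:\Windows\powershell.exe"}), status="Monitor Only"),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, r"C:\Tools\global.exe"))        # Global #100 beats Computer #1
    print(evaluate(POLICIES, SHARED))                         # shared DLL hits the Deny first
    print(evaluate(move_before(POLICIES, "Permit Snagit", "Deny Spotify"), SHARED))  # now -1, permitted
    print(evaluate(POLICIES, r"C:\Windows\powershell.exe"))  # Monitor Only: green Deny
    print(evaluate(POLICIES, SHARED, blocking_disabled=True))  # Inherit follows the computer
    print(evaluate(POLICIES, r"C:\Windows\cmd.exe", blocking_disabled=True))  # Secured still blocks
```

The renumbering in `move_before` is the same operation the article describes: the moved policy is given a number lower than the policy it should run before, which here makes it negative, so it runs first within its group while the group hierarchy itself is unchanged.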
Policy Action Icons
New Application Policy Button
Navigate to ‘Applications’, ‘Policies’ and click the ‘New Application Policy’ button in the upper left-hand corner.
Enter a name for your policy.
Ticketing information can be inserted here. It is not required unless your company configuration is set to require it.
Next you can choose what applications you want to apply the policy to.
Then you can choose if you want to ‘Permit’, ‘Deny’, or ‘Permit with Ringfence’. You can click the box beside ‘Allow Elevation’ if you want to allow Elevation. If you ‘Permit with Ringfence’, you can then change the ‘Status’ in the dropdown menu and choose how the application interacts with other applications, your files, registry, and the internet.
Next you set the schedule for your policy. You can choose ‘Always On’, ‘Expire’ or ‘Schedule’.
Expire allows you to choose an expiration date or time for the policy. Schedule allows you to set the policy to only run certain days or times.
Next you select who the policy will apply to. By default, it uses the selection you made on the ‘Policy’ page.
Then you can choose what type of interface the policy will apply to. For example, if you wanted a specific file to run from DVD, you can click ‘Select an interface’ and choose DVD from the dropdown menu.
Next you choose which users and groups the policy will apply to.
If you want to select specific users, you can type in domain\loginname and click ‘Add’.
If you are unsure of the domain name, you can use a wildcard and type in *\loginname and then click ‘Add’.
The next box asks if you want to record the policy in the audit when it is matched. There are very few reasons why you would not want to log a policy when it is matched, so the answer should always be yes.
Then you can choose if you want to receive an email when the policy is matched. You should use caution when choosing this option because your inbox can fill up quickly.
If you have Splunk integration enabled, you will see that here.
The last box will be ‘Do you want this policy to run before or after existing policies?’ If you choose ‘Before’, the policy will go to the top of the list. Choosing ‘After’ places the policy at the bottom of the list. The default is ‘Before’, so a new policy always goes to the top of the list when you create it.
At the top of the window be sure to click ‘Save’ to save your policy. Your policy will appear at the top of the ‘Policies’ list once it is refreshed.
In the following example you can see that there is a policy named ‘Allows Firefox for Danny’. It shows the users it applies to in the ‘Users’ column. The status is ‘Inherit’. In the ‘Action’ column, you can see it is permitted with Ringfence. The date it was created is in the ‘Created’ column. And the final column, ‘Last Match’, shows the last time that policy was matched.
To delete a policy or policies, check the box next to the policy and then click the ‘Delete’ button.
The ‘Deny’ button changes a policy to deny and moves it to the bottom of the list. The reason for this is that policies apply to applications, and applications are essentially lists of files, some of which are shared with other applications. Placing a deny policy above a permit policy for an application you wish to allow will also deny that application if the two use any of the same files. In most cases, you don’t need to deny a policy: you can delete the policy, and the application will then hit the default deny policy.
The ‘Permit’ button changes the deny action back to permit. It is useful if you accidentally deny multiple policies and you want to switch them back.
The ‘Export’ button exports a list of your policies to an Excel spreadsheet.
Add Suggested Policies Button
There are four options when you are viewing the ‘Add Suggested Policies’ window: ‘ThreatLocker Recommended’, ‘Microsoft Recommended’, ‘New Group Templates’ and ‘Ringfence Templates’. Once you add a suggested policy, it will not show up in the ‘Suggested Policies’ list because it is in use.
- ThreatLocker Recommended policies are common Ringfence policies, such as stopping Zoom from calling out to PowerShell. The newest policies are located at the top of the list.
- Microsoft Recommended policies are a bit more aggressive. There are many .dll files that are included with Windows that Microsoft recommends you block if your environment doesn’t call for them. You can see the related Knowledge Base articles in the description column.
- New Group Templates are policies that are created every time a new group is created.
- Recommended Ringfencing for Meeting Applications are pre-defined Ringfencing policies for some of the most popular meeting tools.
- Ringfence Templates are also created when you create a new group. If the policies are deleted and you want to add them back, you can do it from here.
Update Last Match Date Button
The ‘Update Last Match Date’ function has been greatly improved in ThreatLocker 6.0. It will check the ‘Unified Audit’ to see when a policy was last matched and update the ‘Last Match’ column with that information. This is a useful way to see which policies are being used and how often they are being used. This runs in a queue making it much faster than before.
You can also click on the magnifying glass icon to go straight to the ‘Unified Audit’ to see when the policy was last matched.
Remove Unused Policies Button
It is highly recommended that policies that are not being used are removed. These unused policies provide no benefit to your business, and they could allow an application to be weaponized and used against you. The fewer applications you allow, the better your system will perform and the smaller your attack surface is. A good rule of thumb is to allow ThreatLocker to run for six weeks and then remove any unused policies.
When you select ‘Remove Unused Policies’ you will be prompted to enter a date. All policies that have not been matched since the date you enter will be removed. It will not remove any policies created in the last six weeks or any built-in policies.
When you click ‘Remove’, a job is queued in the database to remove the policies meeting the date criteria. This process can take anywhere from a few minutes to a few hours depending on the number of policies you selected and how busy the backlog is. Because it runs in a queue, it is substantially faster than before.
Filter Policies Dropdown
You can choose to view ‘Policies with No Last Match’, ‘Policies with a Last Match’, and policies ‘Not Matched in Over 6 Weeks’ to easily view policies meeting those criteria.
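The ‘Remove Unused Policies’ rules (not matched since a chosen date, but never built-in policies or policies created in the last six weeks) and the three filter views can be applied offline to an exported policy list, which is useful for reviewing what a removal run would touch before you start it. The Python below is an added example for this article, not ThreatLocker code: it assumes the ‘Export’ output was saved as CSV with the constructed column names shown in the sample, and it treats a policy that has never matched as ‘not matched in over 6 weeks’, which may differ from how the portal’s own filter counts it.

```python
import csv
import io
from datetime import date, timedelta

SIX_WEEKS = timedelta(weeks=6)

# Constructed sample in the shape of a CSV export of the Policies list. The
# column names are assumptions for this example, not the real export format.
SAMPLE_CSV = """Name,Created,Last Match,Built-In
Allows Firefox for Danny,2021-01-04,2021-03-01,No
Spotify (Built-In),2020-06-15,,Yes
Old Snagit policy,2020-11-20,2020-12-02,No
Brand new policy,2021-02-20,,No
Zoom Ringfence,2020-09-10,2021-03-05,No
"""


def parse_policies(text):
    """Read the export; an empty 'Last Match' cell means the policy never matched."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["Name"],
            "created": date.fromisoformat(row["Created"]),
            "last_match": date.fromisoformat(row["Last Match"]) if row["Last Match"] else None,
            "built_in": row["Built-In"].strip().lower() == "yes",
        })
    return rows


def no_last_match(policies):
    """'Policies with No Last Match' filter."""
    return [p["name"] for p in policies if p["last_match"] is None]


def with_last_match(policies):
    """'Policies with a Last Match' filter."""
    return [p["name"] for p in policies if p["last_match"] is not None]


def not_matched_in_six_weeks(policies, today):
    """'Not Matched in Over 6 Weeks' filter (never-matched policies included here)."""
    cutoff = today - SIX_WEEKS
    return [p["name"] for p in policies
            if p["last_match"] is None or p["last_match"] < cutoff]


def removal_candidates(policies, since, today):
    """What 'Remove Unused Policies' would drop for the entered date `since`:
    not matched since that date, skipping built-in policies and anything
    created in the last six weeks."""
    recent = today - SIX_WEEKS
    out = []
    for p in policies:
        if p["built_in"] or p["created"] > recent:
            continue
        if p["last_match"] is None or p["last_match"] < since:
            out.append(p["name"])
    return out


if __name__ == "__main__":
    today = date(2021, 3, 10)          # constructed "run date"
    policies = parse_policies(SAMPLE_CSV)
    print("No last match:", no_last_match(policies))
    print("Not matched in 6 weeks:", not_matched_in_six_weeks(policies, today))
    print("Would be removed:", removal_candidates(policies, date(2021, 1, 1), today))
```

Run against the sample with a removal date of 2021-01-01, only the old Snagit policy is removed: the built-in Spotify policy and the policy created three weeks ago are skipped even though neither has ever matched, which mirrors the exclusions the article describes.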