ThreatLocker Application Control Policies give you the power to control what software can execute, and what that software can do on your endpoints.
When you first deploy ThreatLocker, Policies may automatically be created under a specific computer group or individual computers. You can configure how Policies are automatically created under the Computer Group settings page.
You can edit, create, or modify Policies to suit your needs.
Policies run like firewall policies in order from top to bottom. Once a Policy is matched, the action for that Policy is taken, and no further Policies are processed. Policies are applied to the Entire Organization, Individual Computers, or Computer Groups. If you are a parent of other organizations, policies that are applied to the "Global" group automatically apply to all of your child organizations.
Policies are applied in the following order:
- Global (If you have child organizations)
- Global-Group (If you have child organizations)
- Entire Organization
- Computer
- Computer Group
Example: If you have a policy that denies access to PowerShell at the Entire Organization level, and a second policy that allows PowerShell at the Computer level, PowerShell will be blocked from executing. This is because Organizational Level Policies are always applied first.
At the end of the Computer Group Policies there is a default Policy. This Policy applies to all Applications and is set to deny by default, so any execution that no earlier Policy matched is blocked.
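To make the first-match evaluation order concrete, here is a small simulator written for this article (it is not ThreatLocker code). It reproduces the PowerShell example above and the default-deny fall-through; the policy names, scope labels and the `sha256:PLACEHOLDER-...` application hashes are constructed for illustration, and the within-scope `order` field stands in for the Policy number you can change after creation.

```python
from dataclasses import dataclass

# Scopes in the order the article lists them; a lower index is evaluated first.
SCOPE_ORDER = ["Global", "Global-Group", "Entire Organization", "Computer", "Computer Group"]


@dataclass
class Policy:
    name: str
    scope: str              # one of SCOPE_ORDER
    action: str             # "Permit", "Permit with Ringfence" or "Deny"
    applications: frozenset  # constructed file hashes this Policy matches; empty = all Applications
    order: int = 0          # position within its scope; lower runs first


def matches(policy: Policy, file_hash: str) -> bool:
    # A Policy with no Application list is the catch-all default Policy.
    return not policy.applications or file_hash in policy.applications


def evaluate(policies: list, file_hash: str) -> tuple:
    """Return (action, policy_name) of the first Policy that matches file_hash.

    Policies are walked by scope (Global first, Computer Group last) and then by
    their order number inside the scope. The first match decides the outcome and
    nothing after it is consulted, exactly like a top-to-bottom firewall rule set.
    """
    ordered = sorted(policies, key=lambda p: (SCOPE_ORDER.index(p.scope), p.order))
    for policy in ordered:
        if matches(policy, file_hash):
            return policy.action, policy.name
    raise RuntimeError("no Policy matched; the default Policy should always be present")


# Constructed Application definition standing in for powershell.exe (placeholder hash, not real).
POWERSHELL = frozenset({"sha256:PLACEHOLDER-powershell"})

POLICIES = [
    Policy("Deny PowerShell", "Entire Organization", "Deny", POWERSHELL),
    Policy("Allow PowerShell on admin PC", "Computer", "Permit", POWERSHELL),
    Policy("Default Deny", "Computer Group", "Deny", frozenset(), order=999),
]

if __name__ == "__main__":
    # Entire Organization is evaluated before Computer, so the Deny wins: ('Deny', 'Deny PowerShell')
    print(evaluate(POLICIES, "sha256:PLACEHOLDER-powershell"))
    # No explicit Policy matches this hash, so the default Policy at the end denies it.
    print(evaluate(POLICIES, "sha256:PLACEHOLDER-notepad"))
```

Swapping the scopes of the two PowerShell Policies (Permit at Computer, Deny at Computer Group) makes the Permit win, which is the behaviour to expect when you move Policies up or down the list.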
Creating a New Policy
Select the New Application Policy button from the Policies page.
- Enter a name and a description for the Policy.
- Under the "Conditions" section, add the Applications that you want to permit or deny under "Selected Applications." Applications are lists of file hashes, signatures, or other patterns. You can use pre-defined Applications that are created by ThreatLocker, or you can create your own Applications. (See Managing Application Definitions)
- Select either Permit, Permit with Ringfence, or Deny from the "Actions" section towards the bottom.
- If you select "Permit with Ringfence," you will have extra options to add an Application, File, Registry, or Internet Ringfencing™. Ringfencing™ allows you to control how an Application can interact with other Applications after it has opened and what other functions it can permit. For more information, see threatlocker.kb.help/ringfencing.
- If you are setting a policy to deny, the option to 'Kill Running Processes' will populate. Turning on that option will force stop the designated application from running on any device with this policy, including a force stop of everything that is referenced within the application definitions. It is designed to be aggressive.
- Under the "Applies To" section, you can specify whether you would like to apply a policy to an "Entire Organization", a Computer Group, or an Individual machine.
- Normally, Application Policies should apply to all interface types. If you prefer to permit or deny this Application only for a certain media or interface type, select the Interface or Media type from the "Conditions" section and choose the "Selected Interface" option, which will populate a dropdown from which you can select the interface you want to specify.
- While Application Policies are applied to a computer, computer group, or organization, it is also possible to apply the Policy only to certain logged-in users (e.g. you may want to permit iTunes for the CEO only). If you are using the Active Directory Sync tool, you can select Active Directory groups from this dropdown list. For more information about applying Policies to users or groups, see Applying Policies to Users or Active Directory Groups.
- You can schedule a policy to remain active during a specified time period or configure Policies to automatically expire at a certain date or time. If you'd like to schedule a policy, for example, to only permit an application between a certain time frame, select "Policy Schedule" and select your start date, time, and duration. If you want the Policy to expire at a fixed time, select "Set Policy Expiration" under the "Conditions" section.
- By default, all Application executions are logged in the Unified Audit. For permit policies, if you do not wish to log when an Application is executed, you can de-select the "Log in the Unified Audit" button in the "Details" section at the top of the policy creation page.
- By default, new policies are added to the top of the list. This means they run before other Policies. Policies can be reordered up or down the list after creation by changing their number. If you wish the Policy to be created at the bottom of the list, select "Add Policy to Bottom" under "Policy Order" in the "Details" section, or select "After" under "Do you want this Policy to run before or after existing Policies?" where that prompt is shown instead.
- Select Save to create your new policy.
Policies are not automatically deployed to clients after they are created. After you have created a Policy, select the red "Deploy Policies" button from the top left corner of the page.