ThreatLocker Application Control Policies give you the power to control what software can execute, and what that software can do on your endpoints.
When you first deploy ThreatLocker, Policies may automatically be created under a specific computer group or individual computers. You can configure how Policies are automatically created under the Computer Group settings page.
You can edit, create, or modify Policies to suit your needs.
Policies run like firewall policies in order from top to bottom. Once a Policy is matched, the action for that Policy is taken, and no further Policies are processed. Policies are applied to the Entire Organization, Individual Computers, or Computer Groups. If you are a parent of other organizations, policies that are applied to the "Global" group automatically apply to all of your child organizations.
Policies are applied in the following order:
- Global (If you have child organizations)
- Global-Group (If you have child organizations)
- Entire Organization
- Computer
- Computer Group
Example: If you have a policy that denies access to PowerShell at the Entire Organization level, and a second policy that allows PowerShell at the Computer level, PowerShell will be blocked from executing. This is because Organizational Level Policies are always applied first.
At the end of the Computer Group policies there is a default Policy. This Policy applies to all Applications and is set to Deny, so any execution that no earlier Policy has matched is blocked.
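The first-match, top-to-bottom evaluation described above is easy to get wrong when reasoning about which Policy "wins", so here is a small model of it as an added example (this is not ThreatLocker's code, and the class and function names are invented for illustration). It keeps one ordered list per scope level, walks the levels in the order the article gives (Global, Global-Group, Entire Organization, Computer, Computer Group), stops at the first Policy whose Application definition matches, and falls through to the default Deny. It also models two details from the procedure below: new Policies go to the top of their list unless "After" is chosen, and a Policy with an expiration is skipped once that time has passed (the skip-on-expiry behaviour is an assumption made for the example).

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Scope levels in the order the article says they are applied.
SCOPE_ORDER = ["Global", "Global-Group", "Entire Organization", "Computer", "Computer Group"]

VALID_ACTIONS = {"Permit", "Permit with Ringfence", "Deny"}


@dataclass
class Policy:
    name: str
    scope: str                       # one of SCOPE_ORDER
    applications: Set[str]           # Application definition names this Policy covers
    action: str                      # one of VALID_ACTIONS
    expires: Optional[datetime] = None  # assumption: an expired Policy is skipped

    def __post_init__(self) -> None:
        if self.scope not in SCOPE_ORDER:
            raise ValueError(f"unknown scope: {self.scope}")
        if self.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action: {self.action}")


@dataclass
class PolicySet:
    # One ordered list per scope; index 0 is the top of that list.
    lists: Dict[str, List[Policy]] = field(
        default_factory=lambda: {s: [] for s in SCOPE_ORDER}
    )

    def add(self, policy: Policy, before: bool = True) -> None:
        """Add a Policy to its scope list: at the top by default, or at the
        bottom when 'After' (before=False) is chosen."""
        lst = self.lists[policy.scope]
        if before:
            lst.insert(0, policy)
        else:
            lst.append(policy)

    def evaluate(self, application: str, now: datetime) -> Tuple[str, str]:
        """Return (action, policy_name) for the first matching Policy,
        walking scopes in SCOPE_ORDER and each list top to bottom."""
        for scope in SCOPE_ORDER:
            for policy in self.lists[scope]:
                if policy.expires is not None and now >= policy.expires:
                    continue  # expired Policies no longer take part
                if application in policy.applications:
                    return policy.action, policy.name
        # Nothing matched: the default Policy at the end of the Computer Group list.
        return "Deny", "Default Policy"


def build_example_set() -> PolicySet:
    """Constructed sample Policies mirroring the article's PowerShell example."""
    ps = PolicySet()
    # Organization-level deny beats a computer-level permit for the same Application.
    ps.add(Policy("Block PowerShell", "Entire Organization", {"PowerShell"}, "Deny"))
    ps.add(Policy("Allow PowerShell on admin PC", "Computer", {"PowerShell"}, "Permit"))
    # Computer-level Policies run before Computer Group Policies.
    ps.add(Policy("Allow 7-Zip on build PC", "Computer", {"7-Zip"}, "Permit"))
    ps.add(Policy("Block 7-Zip for group", "Computer Group", {"7-Zip"}, "Deny"))
    # Ringfenced permit and a time-limited permit in the group list.
    ps.add(Policy("Allow Office", "Computer Group", {"Microsoft Office"}, "Permit with Ringfence"))
    ps.add(Policy("Temporary Zoom", "Computer Group", {"Zoom"}, "Permit",
                  expires=datetime(2024, 1, 1)))
    return ps


if __name__ == "__main__":
    ps = build_example_set()
    now = datetime(2024, 6, 1)
    for app in ["PowerShell", "7-Zip", "Microsoft Office", "Zoom", "Unknown Tool"]:
        print(app, "->", ps.evaluate(app, now))
```

Run the module directly to see that PowerShell is denied even though a computer-level permit exists, that the computer-level 7-Zip permit is honoured before the group-level deny, and that an unlisted tool falls through to the default Deny. When auditing a real ruleset, walk it in exactly this order: the first match decides, and a permit lower in the order never overrides a deny above it.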
Creating a New Policy
Click the New Application Policy button from the Policies page.
- Enter a name and a description for the Policy.
- In the "What Applications should this Policy apply to?" section, add the Applications that you want to permit or deny. Applications are lists of file hashes, signatures, or other patterns. You can use pre-defined Applications created by ThreatLocker, or you can create your own Applications. (See Managing Application Definitions)
- Select either Permit, Permit with Ringfence, or Deny from the "Should this Policy permit or deny execution" dropdown list.
- If you are permitting the Application to run, you will have an extra option to Ringfence the Application after it has opened. Ringfencing allows you to control how an Application can interact with other Applications after it has opened, and what other functions it can permit. For more information see threatlocker.kb.help/ringfencing.
- If you are setting a policy to deny, the option to 'Kill Running Processes' will populate. Checking the box will force stop the designated application from running on any device with this policy, including a force stop of everything that is referenced within the application definitions. It is designed to be aggressive.
- In the "Which computers should this Policy apply to?" section, select either "The Entire Organization" or "Select a Computer Group or Individual Computer".
- Normally Application Policies should apply to all interface types. If you prefer to permit or deny this Application only for a certain media or interface type, you can select the Interface or Media type in the "What type of interface should this apply to?" section.
- Although Application Policies are applied to a computer, computer group, or organization, it is also possible to apply the Policy only to certain logged-in users (e.g. you may want to permit iTunes for the CEO only). If you are using the Active Directory Sync tool, you can select Active Directory groups from this dropdown list. For more information about applying Policies to users or groups, see Applying Policies to Users or Active Directory Groups.
- You can schedule a Policy to remain active during a specified time period, or configure Policies to automatically expire at a certain date or time. If you'd like to schedule a Policy, for example to permit an Application only within a certain time frame, edit the "Policy Schedule" and select your start date, time, and duration. If you want the Policy to expire at a fixed time, select "Let me set the expiration date and time" under the Policy expiration section.
- By default, all Application executions are logged in the Unified Audit. If you do not wish to log when an Application is executed, select "No" under the "Do you want to record this Policy in the audit when it is matched?" section.
- You can configure the system to automatically send an email when the Policy is matched. If you wish to automatically send an email, select "Yes" from the "Do you want to send an email when this Policy is matched?" section.
- By default, new Policies are added to the top of the list. This means they run before other Policies. Policies can be reordered up or down the list after creation by changing their number. If you wish the Policy to be created at the bottom of the list, select "After" under the "Do you want this Policy to run before or after existing Policies?" section.
- Select Save to create your new Policy.
Policies are not automatically deployed to clients after they are created. After you have created a Policy, select the red "Deploy Policies" button from the top left corner of the page.