Help CenterThreatLocker has introduced a new feature called Defense Against Configuration (DAC). This feature helps identify potential vulnerabilities within your organization by detecting misconfigurations and highlighting which machines are affected. The DAC dashboard summarizes how many systems fail each configuration check, enabling you to address risks quickly. By resolving these issues, you can strengthen your security posture and reduce the likelihood of threats impacting your organization's integrity and data security.
Prerequisites:
- Windows Agent 10.3.2 (contains 23 checks)
- Windows Agent 10.5.1 (contains 64 checks)
Enabling the DAC Dashboard
During the beta testing phase, you will need to contact your account manager to get this feature turned on for your organization. Once the feature has been turned on, you will also need to enter an Option called 'EnableDAC' for the desired organizations.
To add the Option to your organization, from the ThreatLocker Portal, select 'Organizations' using the left-hand side of the page.
Navigate to the organization to which you will be adding DAC, then select the 'gear' icon under the 'actions' section of the page.
Selecting the 'gear' icon will open the 'Edit Organization Settings' side panel. Select 'Options' using the tab at the top of the page.
Within the 'Options' field, enter the following:
EnableDAC
Note: This Option is case sensitive and must be typed in exactly as shown above.
Once enabled, the DAC dashboard will be the default landing page when first logging into the ThreatLocker portal.
To locate the DAC dashboard, navigate to the 'Health Center' on the left-hand side of the portal.
Selecting the health center will immediately open the DAC dashboard.
On this page, you can use the buttons in the portal's top right corner to switch between the 'Health Center' and 'DAC' menus.
How to Use the DAC Dashboard
The DAC dashboard has several areas that allow you to see the details of your organization and how its machines are targeted. The top of the DAC dashboard provides key features, including an area where you can filter out your results.
- Run DAC Check Now - This option allows you to run a DAC check on the machines in your organization. If new information is found, it will be displayed in the tables below. (By default, DAC checks automatically run every 24 hours)
- Applies To - This dropdown menu allows you to select which computer or group you are viewing in the DAC dashboard.
- Search Bar - Allows you to search for names and keywords of DAC Checks.
- Sort By - Chooses how the DAC checks are sorted. The following options can be selected:
- Category - Each DAC check is sorted into a category based on what it is checking. When 'Category' is selected, another dropdown menu titled 'Category' populates. The options are as follows:
- Account and Authentication
- Advanced Audit Configuration
- Group Policy
- Local Security
- Network Policy
- Patch Management
- Process Policy
- Registry Policy
- Remote Desktop and Access Control
- Ringfence Policy
- Storage Policy
- ThreatLocker Detect
- User Rights Assignment
- Combined Impact
- Criticality
- Category - Each DAC check is sorted into a category based on what it is checking. When 'Category' is selected, another dropdown menu titled 'Category' populates. The options are as follows:
- Include Child Organizations Checkbox - Selecting this box will show data from the parent and child organizations. Without selecting this box, the DAC Dashboard will only display data from the organization you are currently in.
After you enter your desired filters, you can begin evaluating the graphs and list of DAC checks for information about computers in your organization.
Potential Compliance Violations
The Potential Compliance Violations Chart provides you with a wheel displaying the Compliance Frameworks that have potentially been violated based on failed DAC checks in your organization.
Hovering over each color with your cursor will display what each color means and the number of times the compliance violation was detected within your organization. For example, hovering over this section of the chart will show us that this organization lists a potential of 13 Compliance Violations related to HIPAA.
Criticality Summary
The Criticality Summary table shows the number of machines affected per criticality level. The criticality level depends on which DAC check the machine was flagged for non-compliance.
By hovering over each criticality level, you can see the exact number of affected machines per criticality.
Criticality Trends
The Criticality Trends table shows your organization's criticalities and affected machines over 13 days. It allows you to view how the environment changed during that time and provides a visual for criticality levels' increases, decreases, or stagnation.
The x-axis of the chart signifies the date, whereas the y-axis shows the number of affected computers. Each dotted point on the chart can be hovered over to view the number of affected computers.
You can also select each criticality level under the chart to remove it. Selecting it again will add it back to the chart. This allows you to single out specific trends for further evaluation.
DAC Checks List
The DAC Dashboard's central portion comprises a list of DAC Checks. These checks have been made by ThreatLocker and are designed to keep you informed about your environment. As DAC continues, ThreatLocker will be adding more checks to your environment. The DAC Dashboard has four different columns provided for users:
- Name - This provides the name of the DAC Check. The names give information on what the check is looking for in your environment.
- Criticality - This shows the criticality level designated per check. Checks can be identified as Critical, High Risk, Moderate Risk, Low Risk, Passed, or Not Applicable.
- Related Frameworks - This is a list of all Compliance Frameworks related to this DAC Check. If computers in your organization are impacted by a DAC Check, it may indicate that your organization is not fully compliant with the framework(s) listed.
- Results - Hovering over the results bar will show you the number of computers impacted by this DAC Check.
Note: Red indicates that there are impacted computers, green indicates that there are computers that passed this check, and grey indicates that there are machines where this check is not applicable.
Selecting the DAC Check
Selecting an individual DAC check will open an Information View window. This window provides additional information about the DAC Check, including a brief introduction, the risks of not passing it, and how you can resolve this.
The top of this page shows the 'Impacted Computers', which gives information on how many computers in the organization are affected by this check. Hovering over the chart displays how many machines 'Failed' or 'Passed' this check.
The 'Applicable Compliance Standards' section provides a list of Compliance Frameworks that would be affected by this.
Selecting one of the compliance standards listed will open a window about that compliance standard. ThreatLocker has reasoned why each compliance standard may apply to this DAC Check. This includes a related control from the Compliance Framework and details explaining the relevance to the DAC Check.
Below these sections are the 'Associated Risks' and 'Suggested Resolutions' tabs. The 'Associated Risks' tab shows the introduction, briefly describing the DAC check and its significance to keeping your environment safe. Under this is the 'Risks' section, which lists potential risks that could arise from computers in your organization failing this DAC Check.
Switching to the 'Suggested Resolutions' tab will give you suggestions for resolving the potential risks associated with the DAC check.
Impacted/Passed Computers Page
The DAC Check List also provides an area to view the machines associated with each check. By selecting the Results Bar, a window will give you a list of computers that fit in this category.
This window provides you with information, such as the date/time that it was initially noticed that this machine fit into this category, the organization it is in, the computer group it is in, and its hostname. By selecting the links in the window, you can also be brought to the Organizations page, open the 'Edit Computer Group' side panel, or open the 'Computer Details' side panel.