Creating the Ringfencing Policy
ThreatLocker can block the Print Spooler's interaction with high-risk applications and internet access to avoid breaches via Print Spooler exploits, which are becoming commonplace. The recommended Ringfencing policy is a default computer group policy and is included in the Application Policy list upon creating your computer group.
On initial deployment, your machines will be placed in Application Control Learning Mode for 21 days. One function of Application Control Learning Mode is to catalog necessary exclusions if they are accessed during the learning period. If you delete and re-create this policy manually, you need to set the policy to a Monitor Only status so you can evaluate what is being Ringfenced and make changes accordingly. Every environment is different, and what other applications this could affect will vary from situation to situation.
Failure to set this policy to Monitor Only status when first setting it up will cause printing issues and could interfere with normal business operations.
To put a policy into Monitor Only mode, select the 'Status' dropdown next to the policy name and choose 'Monitor' from the list.
After deploying policies, the Print Spooler service must be restarted to apply the new Ringfencing policy. To restart the Print Spooler, open a command prompt as an administrator and enter the following:
net stop spooler && net start spooler
Checking for Network Exceptions
Once you have set up the 'SpoolSv.exe (Ringfenced)' policy and placed it into a Monitor Only status, wait a few days and then look through your Unified Audit to check for other exceptions that may need to be added before changing this policy to 'Inherit' or 'Secured'.
In the Unified Audit, narrow your search by entering the 'Policy Name' using 'Advanced Search' and selecting 'Ringfenced' from the 'Action' dropdown.
From here, you can see any items that would have been blocked by this policy. Add any exceptions you need to this Ringfencing policy so that, once you change its status to 'Secured', your work environment will continue to function.
To investigate any Ringfenced items in the Unified Audit, select the log to open a side panel of the Audit Details, and check the 'Policy' name. If it is your 'SpoolSv.exe (Ringfenced)' policy and you want to add this IP address as an Exclusion, select the 'Add to Policy' button at the top of the page.
Note: A Network Action Type is the most common occurrence for Ringfencing logs associated with the Print Spooler.
The 'Edit Application Policy' page will open, and you can scroll to the bottom of the page to locate the 'Actions' section. Here, under 'Restrict this application from accessing the internet?', there will be a field to enter 'Exclusions' and 'Tags'. To add the IPv4 address associated with the selection you made from the Unified Audit, select the dropdown, then select IPv4. Select the 'Add' button to add it to the list of excluded IP addresses, then select 'Save'.
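As an added example (not ThreatLocker tooling or code from this article), the following PowerShell script, run from an elevated session, restarts the Print Spooler so the Ringfencing policy takes effect (the same as the net stop/net start step above) and then lists the non-loopback remote endpoints spoolsv.exe currently has established connections to. That local list is a useful cross-check against the Ringfenced entries in the Unified Audit before moving the policy from 'Monitor' to 'Secured'; it assumes the built-in Restart-Service, Get-Process and Get-NetTCPConnection cmdlets are available.

```powershell
# Added example, not part of the ThreatLocker article or product.
# Restart the Print Spooler and list where spoolsv.exe is currently connecting,
# to compare with 'Ringfenced' Network actions in the Unified Audit.
# Run from an elevated PowerShell session.

function Restart-PrintSpooler {
    # Equivalent to 'net stop spooler && net start spooler'
    Restart-Service -Name Spooler -Force -ErrorAction Stop
    $svc = Get-Service -Name Spooler
    if ($svc.Status -ne 'Running') {
        throw "Print Spooler did not return to Running (status: $($svc.Status))"
    }
    Write-Host "Print Spooler restarted; status: $($svc.Status)"
}

function Get-SpoolerRemoteEndpoints {
    # PIDs of every spoolsv.exe instance (normally exactly one)
    $spoolerPids = @(Get-Process -Name spoolsv -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty Id)
    if ($spoolerPids.Count -eq 0) {
        Write-Warning 'spoolsv.exe is not running'
        return @()
    }
    # Established TCP connections owned by the spooler, excluding loopback
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object {
            $spoolerPids -contains $_.OwningProcess -and
            $_.RemoteAddress -notmatch '^(127\.|::1$)'
        } |
        Select-Object RemoteAddress, RemotePort, OwningProcess |
        Sort-Object RemoteAddress, RemotePort -Unique
}

Restart-PrintSpooler
$endpoints = @(Get-SpoolerRemoteEndpoints)
if ($endpoints.Count -eq 0) {
    Write-Host 'No established remote connections from spoolsv.exe right now.'
} else {
    Write-Host 'Remote endpoints spoolsv.exe is talking to (compare with Ringfenced audit entries):'
    $endpoints | Format-Table -AutoSize
}
```

Connections are a point-in-time snapshot, so treat the Unified Audit collected over the Monitor Only period as the authoritative list and use this output only to confirm that expected print servers appear there.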
You can also utilize the 'Tags' feature to serve as a container for domains/IP addresses.
For more information on Tags, please visit the following article: