Setting up an IIS Ringfencing Policy

7 min. read | Last update: 01.13.2024
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.  

ThreatLocker can stop the execution of remote web shells through the Ringfencing of IIS, limiting the damage an attacker can do post-exploitation.

Navigate to Modules > Application Control > Policies. Then select 'Import Policies' from the hamburger menu in the top row.

This will open a window with two tabs, ThreatLocker Suggested Policies and existing policies which can be imported from other levels in your organization. From the ThreatLocker Suggested list, select the 'IIS World Wide Web Publishing (Ringfenced)' Policy by clicking the checkbox, and then click the 'Add Suggested Policies' button at the top.

When you add this Policy, by default, it will be placed at the top of the Policy list for whichever computer group you applied it to. It is important that this Policy is always above your Windows Core Policies. 

When you first set this Policy up, you need to set the Policy to be in a Monitor Only status so you can evaluate what is being Ringfenced and make changes accordingly. Every environment is different and what other Applications this could affect will vary from situation to situation.  

Failure to set this policy to Monitor Only status when first setting it up will cause other Applications to be blocked, and could interfere with normal business operations. 

To place a policy into Monitor Only Mode, click the 'Status' dropdown next to the Policy name. Select 'Monitor Only' from the list.

Adding Exceptions for Exchange Server Policies

You will also need to add your Exchange Server Policy or Policies to the IIS World Wide Web Publishing Ringfenced Policy's 'Application Interaction' list to allow IIS to interact with Exchange Server.

On the Policies page, click the IIS Policy to edit it.

Within the Policy, navigate to the 'Application Interaction' area. Select the Policy you have for Exchange Server and add it to the IIS Ringfenced Policy by clicking the checkbox. If you have multiple policies for Exchange Server, you can add multiple Exchange Server versions as needed. This will allow IIS to interact with Exchange Server.  

Checking for Additional Necessary Exceptions

Once you have set up the IIS World Wide Web Publishing Ringfenced Policy, added your exceptions for Exchange Server, and placed it into Monitor Only status, wait a few days and then look through your Unified Audit to check for other exceptions that may need to be added before changing this Policy to 'Inherit' or 'Secured'.

In the Unified Audit, narrow your search by entering the 'Hostname', 'Policy Name', and in the 'Action' dropdown, select 'Ringfenced'.

From here you can see any items that would have been blocked by this Policy. Add any exceptions you need to this Ringfencing Policy so that, once you change its status to Secured, your work environment continues to function.

To investigate any Ringfenced items in the Unified Audit, click the arrow on the left of the Ringfenced item. Check the 'Policy' name. If it is your IIS World Wide Web Publishing (Ringfenced) Policy and you want to add this address as an Exclusion, click the 'Add to Policy' button at the top of the side panel.  

The Policy will open up, and the IP address will be prepopulated in the 'Exclusions' textbox. You can click the 'Add' button, and this IP address will now be added as an Exclusion to the Policy.
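The review step above (filter the Unified Audit to Action = Ringfenced for the IIS Policy, confirm the Policy name, then decide which destinations become Exclusions) can be rehearsed offline. The script below is an added example, not ThreatLocker code: the record fields (hostname, policy, action, process, destination) are assumptions standing in for the audit columns the article filters on, and the sample events are constructed.

```python
"""Triage Monitor Only 'Ringfenced' events before switching the IIS Policy to Secured.

Added example, not ThreatLocker code. Field names below are assumptions that stand
in for the Unified Audit columns the article filters on; the events are constructed.
"""
from collections import Counter, defaultdict

IIS_POLICY = "IIS World Wide Web Publishing (Ringfenced)"

# Constructed sample audit rows, one dict per event.
SAMPLE_EVENTS = [
    {"hostname": "WEB01", "policy": IIS_POLICY, "action": "Ringfenced",
     "process": "w3wp.exe", "destination": "10.0.5.20"},
    {"hostname": "WEB01", "policy": IIS_POLICY, "action": "Ringfenced",
     "process": "w3wp.exe", "destination": "10.0.5.20"},
    {"hostname": "WEB01", "policy": IIS_POLICY, "action": "Ringfenced",
     "process": "w3wp.exe", "destination": "10.0.5.21"},
    # Permitted traffic: would not be blocked, so it needs no Exclusion.
    {"hostname": "WEB01", "policy": IIS_POLICY, "action": "Permitted",
     "process": "w3wp.exe", "destination": "10.0.5.22"},
    # Ringfenced by a different Policy: belongs in that Policy's review, not this one.
    {"hostname": "WEB01", "policy": "Windows Core", "action": "Ringfenced",
     "process": "svchost.exe", "destination": "10.0.9.9"},
    {"hostname": "WEB02", "policy": IIS_POLICY, "action": "Ringfenced",
     "process": "w3wp.exe", "destination": "10.0.5.20"},
]


def ringfenced_by_iis(events, hostname=None, policy=IIS_POLICY):
    """Mirror the audit filter: Hostname (optional), Policy Name, Action = Ringfenced.
    Checking the policy field is the 'check the Policy name' step in the article."""
    return [e for e in events
            if e["action"] == "Ringfenced" and e["policy"] == policy
            and (hostname is None or e["hostname"] == hostname)]


def exclusion_candidates(events, hostname=None):
    """Destinations IIS would have been blocked from reaching, most frequent first,
    with the hosts that saw them. A destination hit from many hosts is a natural
    candidate for a Tag rather than a per-Policy Exclusion."""
    hits, hosts = Counter(), defaultdict(set)
    for e in ringfenced_by_iis(events, hostname):
        hits[e["destination"]] += 1
        hosts[e["destination"]].add(e["hostname"])
    return {d: {"hits": n, "hosts": sorted(hosts[d])} for d, n in hits.most_common()}


if __name__ == "__main__":
    for dest, info in exclusion_candidates(SAMPLE_EVENTS).items():
        print(f"{dest:<15} hits={info['hits']:<3} hosts={','.join(info['hosts'])}")
```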

You can also utilize the 'Tags' feature to serve as a container for domains/IP addresses. This can be applied to the 'Internet' tab included in the Ringfence options.

For more information on Tags, please visit:

ThreatLocker: Creating Tags

Ringfencing IIS in the Legacy Portal

ThreatLocker can stop the execution of remote web shells through the Ringfencing of IIS, limiting the damage an attacker can do post-exploitation.

Navigate to Application Control > Policies. Then select 'Add Suggested Policies' at the top middle of the page.

This will populate a list of ThreatLocker recommended Policies. From this list, select the 'IIS World Wide Web Publishing (Ringfenced)' Policy by clicking the checkbox, and then click the 'Add Suggested Policies' button at the top.

When you add this Policy, by default, it will be placed at the top of the Policy list for whichever computer group you applied it to. It is important that this Policy is always above your Windows Core Policies. 

When you first set this Policy up, you need to set the Policy to be in a Monitor Only status so you can evaluate what is being Ringfenced and make changes accordingly. Every environment is different and what other Applications this could affect will vary from situation to situation.  

Failure to set this policy to Monitor Only status when first setting it up will cause other Applications to be blocked, and could interfere with normal business operations. 

To place a policy into Monitor Only Mode, click the 'Status' dropdown next to the Policy name. Select 'Monitor Only' from the list.

Adding Exceptions for Exchange Server Policies

You will also need to add your Exchange Server Policy or Policies to the IIS World Wide Web Publishing Ringfenced Policy's 'Application Interaction' list to allow IIS to interact with Exchange Server.

On the Policies page, click the pencil icon next to your IIS Policy to edit it.

Within the Policy, navigate to the 'Application Interaction' area. Select the Policy you have for Exchange Server and add it to the IIS Ringfenced Policy by clicking the 'Add' button. If you have multiple policies for Exchange Server, you can add them all by clicking the 'Add' between each one. This will allow IIS to interact with Exchange Server.  

Checking for Additional Necessary Exceptions

Once you have set up the IIS World Wide Web Publishing Ringfenced Policy, added your exceptions for Exchange Server, and placed it into Monitor Only status, wait a few days and then look through your Unified Audit to check for other exceptions that may need to be added before changing this Policy to 'Inherit' or 'Secured'.

In the Unified Audit, narrow your search by entering the 'Hostname', 'Policy Name', and in the 'Action' dropdown, select 'Ringfenced'.

From here you can see any items that would have been blocked by this Policy. Add any exceptions you need to this Ringfencing Policy so that, once you change its status to Secured, your work environment continues to function.

To investigate any Ringfenced items in the Unified Audit, click the arrow on the left of the Ringfenced item. Check the 'Policy' name. If it is your IIS World Wide Web Publishing (Ringfenced) Policy and you want to add this address as an Exclusion, click the 'Add to Policy' button on the right.  

The Policy will open up, and the IP address will be prepopulated in the 'Server' textbox. You can click the 'Add' button, and this IP address will now be added as an Exclusion to the Policy.

You can also utilize the 'Tags' feature to serve as a container for domains/IP addresses. This can be applied to the 'Internet' tab included in the Ringfence options.

For more information on Tags, please visit:

ThreatLocker: Creating Tags