Using Ringfencing to Prevent Lateral Movement with Elevation
Regardless of which elevation product you use, there is a risk that a user abuses the elevated privilege they have been granted: an Application running as an administrator can be used to launch another Application, which then also runs as an administrator. ThreatLocker can help you mitigate this risk with Ringfencing.
With Ringfencing you can specify what an Application running with elevated privileges is allowed to interact with, for example other Applications and the powerful built-in Windows tools. For help setting up Elevation, see our Elevation Quick Start KB article.
To add Ringfencing restrictions to an elevation policy, navigate to Application Control > Policies, find the Policy you want to edit, and click the pencil icon beside it.
Scroll down to the 'Application Interaction' section of the Policy. Here you select the high-risk Applications the elevated Application should be blocked from interacting with. Type your selection in the text box, or click the down arrow and scroll through the list. Click the 'Add' button after each selection to move it to the box below the text box.
Because every Application functions differently, there is no one-size-fits-all Ringfencing Policy. The following are the Applications ThreatLocker considers high-risk. Add as many of them as possible to the 'Block interaction with the following Applications' list in your elevation policy without breaking the function of your program, and test the program after tightening the list: anything it legitimately launches through one of these tools will fail once that tool is blocked.
- Windows Powershell
- Windows Command Prompt
- Windows Run DLL
- Windows RegSVR32
- Windows RegEdit
- Windows CScript
- Windows PSExec
- Windows Scheduled Tasks
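Before deciding which of the entries above an elevated Application can live without, it helps to see which of these tools it actually spawns today. The script below is an added example (it is not ThreatLocker's code and does not use any ThreatLocker API): it reads Windows Security event 4688 (process creation) and reports every high-risk tool that was started as a child of an application covered by your elevation policy, along with whether the child inherited a fully elevated token. It assumes "Audit Process Creation" is enabled, that the script runs as an administrator on Windows 10 / Server 2016 or later (where event 4688 carries the parent process name), and that the executable names behind ThreatLocker's built-in entries are the usual Windows binaries; the application name `MyElevatedApp.exe` is a placeholder.

```powershell
# Added example, not ThreatLocker code. Baselines which high-risk tools an elevated
# application spawns, using Security event 4688 (process creation auditing).
# Assumptions: "Audit Process Creation" is enabled, the script runs as an
# administrator on Windows 10 / Server 2016+ (4688 includes ParentProcessName),
# and 'MyElevatedApp.exe' is a placeholder for your elevated application's executable.

param(
    # Executable name(s) of the application(s) covered by the elevation policy.
    [string[]]$ElevatedApps = @('MyElevatedApp.exe'),
    # How far back in the Security log to look.
    [int]$MaxEvents = 5000
)

# Executable names behind the ThreatLocker built-in entries listed above.
# This mapping is an assumption, not something read from ThreatLocker.
$highRisk = @{
    'powershell.exe' = 'Windows PowerShell'
    'cmd.exe'        = 'Windows Command Prompt'
    'rundll32.exe'   = 'Windows Run DLL'
    'regsvr32.exe'   = 'Windows RegSVR32'
    'regedit.exe'    = 'Windows RegEdit'
    'cscript.exe'    = 'Windows CScript'
    'psexec.exe'     = 'Windows PSExec'
    'psexec64.exe'   = 'Windows PSExec'
    'schtasks.exe'   = 'Windows Scheduled Tasks'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents $MaxEvents -ErrorAction Stop

$findings = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $child  = [IO.Path]::GetFileName($data['NewProcessName'])
    $parent = [IO.Path]::GetFileName($data['ParentProcessName'])
    if (-not $child -or -not $parent) { continue }          # field missing on older OS builds
    if (-not $highRisk.ContainsKey($child)) { continue }    # not one of the high-risk tools
    if ($ElevatedApps -notcontains $parent) { continue }    # not spawned by an elevated app

    [pscustomobject]@{
        Time           = $e.TimeCreated
        Parent         = $parent
        Child          = $child
        RingfenceEntry = $highRisk[$child]
        # %%1937 = TokenElevationTypeFull: the child is running with a full admin token.
        Elevated       = ($data['TokenElevationType'] -eq '%%1937')
        # Populated only when command-line auditing is also enabled.
        CommandLine    = $data['CommandLine']
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it once before tightening the 'Block interaction with the following Applications' list: every `RingfenceEntry` that appears is one the Application relies on and needs testing before you block it, and entries that never appear can be blocked safely. After the policy is in place, the same report is a cheap check that the elevated Application is no longer reaching those tools; new matches are worth investigating.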
ThreatLocker also recommends that, if only an update file needs to run as an Administrator, you create a separate elevation policy for that update file rather than applying the Elevation product to the entire Application. That way only the update file runs as an administrator, not the whole program.