Web Control Module

Last update: 02.21.2025

Current Status of Feature (2/21/25):

  • This is in Beta until further notice
  • Requires Windows agent version 10 and Mac agent version 4.3
  • DNS forwarding configurations are not supported at this time
  • The ThreatLocker Web Control browser extension for requesting access is currently under review for publishing in the extension stores and will be available soon
    • This extension is also designed to be automatically installed if an option to request is enabled on a Web Control policy to the agents it is applied to
    • Google Chrome, Microsoft Edge, and Safari are supported on release with Firefox and other browser support coming soon
  • Options to schedule and expire policies coming soon
  • Computer maintenance setting for Web Control Monitor Mode coming soon

Web Control gives administrators the controls needed to restrict specific content accessed over the web through a policy-driven system. The recommended approach is to apply policies to computers through the ThreatLocker agent, which allows granular configurations.

As an added level of control, policies can also be applied to your network by routing your DNS traffic to ThreatLocker to resolve whether web content can be accessed, not requiring our agent to enforce your controls. This gives the ability to manage all devices connected to your network.

Web Control agent-based policies are currently supported on Windows and Mac and require a minimum version of 10.0 for Windows and 4.3 for Mac. Support for Linux is coming soon.

In order to use the Web Control solution, you will need to make sure the module is enabled for the organization you wish to create policies for.
See: Understanding and Changing the Module Options on the Organizations Page (ThreatLocker Help Center)

Administrator access to this module can be configured by using the 'View Web Control Policies' and 'Edit Web Control Policies' permissions.

Creating Policies for Managed Computers

ThreatLocker recommends using our agent to enforce Web Control policies as this route gives more granular control and the ability to request access to blocked content.

Navigate to the Modules -> Web Control on the left navigation pane.

Click the '+ New Policy' button in the top left corner of the page.

Once the side pane opens, give a desired Policy Name for the new policy.

Then select the hierarchy level where this new policy will be effective using the 'Applies To' dropdown. By default, this will automatically select the current 'Applies To' section selected on the Web Control page when the '+ New Policy' button is selected.

With the 'Applies To' set to the desired level, you may configure the users and groups that this policy would apply to as an additional level of control as needed.

Under 'Conditions', configure the 'Web Sites' or 'Categories' that would be matched against this policy.

  • Websites allow individual entries of domains, IPv4 addresses, and IPv6 addresses. Select the type of website using the dropdown, enter the value associated with the type, then use the + button to add the entry.
  • Categories allows the use of your custom made tags and ThreatLocker Built-In categories and tags. Use the dropdown to find the ThreatLocker category or your custom tag of choice, then use the + button to add the network collection to your policy.

Once the content has been configured in the Conditions section of the policy, select the Policy Action as either 'Permit' or 'Deny'.

When selecting 'Deny', you will be given a final option that allows the user to request access when blocked.

Enable the slider for 'Allow User to Request' if you would like to receive Web Control approval requests from users blocked by this policy. If this is not enabled, users will not be directed to the ThreatLocker block page and will instead see the generic browser error page.

Important Note: 

Requesting access requires the ThreatLocker Web Control browser extension to be installed. Currently, we support Google Chrome and Microsoft Edge, with support for more browsers coming soon. The extension is in its final stages for publishing and will be available very soon.

Creating Policies for Non-Managed Devices

COMING SOON!

Web Control allows administrators to create policies controlling content that can be accessed on the web by resolving your network DNS requests and returning valid IP addresses for allowed content. This can be effective for any device connected to your network, managed and non-managed. It is still recommended and preferred to use the agent based policies as controls are far more effective in how they can be applied, along with giving the option to request on blocked content.

Creating DNS Server objects to apply your Web Control policies is the first step. Begin doing this by using the 'DNS Setup' button in the top right corner.

From the sidebar that opens, you can view the ThreatLocker DNS server configuration details, indicating the IP address you would need to forward your network's traffic to for resolving DNS requests.

ThreatLocker Recommendation:

Before applying network changes to your entire environment, it is suggested you test with a single device to make sure DNS connections are being handled and resolved properly.

Additionally, it is recommended to point your network traffic for managed devices to a different DNS server so as to prevent an overlap of policies processed by ThreatLocker's DNS server and agent policies.

In the sidebar, add your server objects by providing a server name and the public IP address from which that server/gateway will send traffic to the ThreatLocker DNS server.

A server name can be used more than once; however, the public IP address has to be unique across all objects saved in your organization's instance. It needs to be unique so that your traffic is correctly matched to the policies assigned to your server objects.
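A pre-entry check for the uniqueness rule above, as an added example that is not ThreatLocker code: it validates a planned list of server objects before they are typed into the sidebar. The inventory, names and addresses are constructed (documentation ranges stand in for real public IPs), and rejecting private ranges is an assumption drawn from the page's "public IP address" wording.

```python
import ipaddress

# Ranges that are never a public egress address (assumed rejection rule).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

# Constructed sample inventory: (server name, public IP of the gateway).
PLANNED_OBJECTS = [
    ("HQ-Gateway", "203.0.113.10"),
    ("HQ-Gateway", "203.0.113.11"),   # reused name: allowed by the page
    ("Branch-1", "2001:db8::10"),
    ("Branch-2", "2001:0db8:0000:0000:0000:0000:0000:0010"),  # same address
    ("Lab", "192.168.10.1"),          # internal address, not the egress IP
    ("Typo", "203.0.113.256"),
]

def validate_server_objects(objects):
    """Return (accepted, problems) for a list of (name, ip_string) pairs."""
    seen = {}                 # parsed address -> name that first claimed it
    accepted, problems = [], []
    for name, raw in objects:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            problems.append((name, raw, "not a valid IP address"))
            continue
        if any(addr in net for net in NON_PUBLIC):
            problems.append((name, raw, "not a public address"))
            continue
        # Compare parsed addresses so different spellings of one IPv6
        # address are still detected as the same object.
        if addr in seen:
            problems.append((name, raw, f"duplicate of {seen[addr]}"))
            continue
        seen[addr] = name
        accepted.append((name, str(addr)))
    return accepted, problems

if __name__ == "__main__":
    ok, bad = validate_server_objects(PLANNED_OBJECTS)
    for name, ip in ok:
        print(f"OK    {name:12} {ip}")
    for name, raw, reason in bad:
        print(f"FIX   {name:12} {raw}: {reason}")
```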

Once the object has been added using 'Add Server', this can now be used in the 'Applies To' dropdown for creating policies. These objects will be in a section called 'DNS Servers' in the dropdown, listed by the name setup.

All configurations given in the agent/managed devices based policies can also be set in your policies applied to your DNS server objects. Categories, Web Sites, and all other options will apply to your traffic being sent from the IP address established in your server object setup when being resolved by the ThreatLocker DNS server.

Approving Web Control Requests

Web Control requests will come from policies assigned to managed computers that are using the ThreatLocker Web Control browser extension. The request access feature is optional and needs to be enabled in your deny Web Control policies that get matched.

When a user experiences a block in a browser caused by a deny policy with the option to request enabled, the browser extension will automatically redirect the user to a block page that displays basic information on what was blocked. This page lets the user supply a reason for their request to access the blocked content, which can be reviewed in the Response Center as a Network request type. Without the browser extension installed, the user will see a traditional browser page with an error stating the web site could not be reached.

Important Note:

The Policy Name matched is displayed to the end user. Make sure it is configured appropriately so that the user gets proper information when blocked.

Upon request of blocked content, submitted by using the 'Request Review' button, you can approve or ignore the request in the response center within the ThreatLocker portal or the ThreatLocker mobile application.

Navigate to Response Center -> Approval tab

Web Control requests will be a Network action type

Once the approval is selected, you are given an option to permit or ignore the request. If permitted, you have two options: Create a new Web Control policy, or add details to an existing Web Control policy

  1. Show Network Details gives you an option to expand and view additional details around the request, including the domain requested, IP address of web site, process or browser that was being used, the policy that was matched, and more.
  2. Two options are given: Create New Policy (default), and Use Existing Policy. Selecting Use Existing Policy will load a dropdown list of permit policies found in the organization to which the request belongs. This helps prevent creating excessive policies while quickly adding the details of the request as needed.
  3. This is where you can make a policy name for creating a new policy, or this shows the dropdown for choosing an already made policy if Use Existing Policy is selected. On new policy creation, a name is auto-populated based on the domain (or IP address if no domain is found) of the request. This can be changed as needed.
  4. On new policy creation, you will have options on where to apply the new, permit Web Control policy
  5. On new policy creation, you can add specific users and groups as needed. By default, this is set to all users
  6. The conditions section is where you can add or remove web sites, categories, or both as needed. The web site in the request will already be populated in the Web Sites tab on creating a new policy, or using an existing policy. When using an existing policy, all the details for that Web Control policy selected will be contained here as well.

Once all details have been filled out, you may now approve the request to permit the blocked web site.
