Web Control Module

9 min. read | Last update: 04.01.2025

Current Status of Feature (3/26/25):

  • Requires Windows agent version 10 and Mac agent version 4.3
  • ThreatLocker DNS Servers will be available soon
  • The ThreatLocker Web Control browser extension for requesting access is published in the Google Chrome and Microsoft Edge extension store through a direct-access link only
    • This extension is designed to be installed automatically on computers when a Web Control policy with the option to request is applied to the endpoint
    • Google Chrome, Microsoft Edge, and Safari are currently supported. Mozilla Firefox and other browser support coming soon
  • Options to schedule and expire policies coming soon
  • Computer maintenance setting for Web Control Monitor Mode coming soon
  • Support for Linux is coming soon

Web Control gives administrators the controls needed to restrict specific content accessed over the web through a policy-driven system. The recommended approach is to apply policies to computers through the ThreatLocker agent, which allows granular configuration.

As an added level of control, policies can also be applied to your network by routing your DNS traffic to ThreatLocker, which resolves whether web content can be accessed without requiring our agent to enforce your controls. This gives you the ability to manage all devices connected to your network.

Web Control agent-based policies are currently supported on Windows and Mac and require a minimum agent version of 10.0 for Windows and 4.3 for Mac.

To use the Web Control solution, make sure the module is enabled for the organization you wish to create policies for.
See: Understanding and Changing the Module Options on the Organizations Page | ThreatLocker Help Center

After enabling the module, please give your endpoints two agent restarts about 5 minutes apart.
See: Restarting the ThreatLocker Agent | ThreatLocker Help Center

Administrator access to this module can be configured by using the 'View Web Control Policies' and 'Edit Web Control Policies' permissions.

Creating Policies for Managed Computers

ThreatLocker recommends using our agent to enforce Web Control policies as this route gives more granular control and the ability to request access to blocked content.

Navigate to Modules -> Web Control in the left navigation pane.

Click the '+ New Policy' button in the top left corner of the page.

Once the side pane opens, enter a Policy Name for the new policy.

Important Note:

The name of the matched policy is displayed to the end user on the request access page. Make sure the name gives the user appropriate information when they are redirected to the request page.

Policy order is important when creating Web Control policies, as it does not follow the typical hierarchy seen in other ThreatLocker modules. Policies are processed strictly in order, regardless of where each policy is applied, from the top policy down to the lowest ordered policy. The lower the policy order number, the higher the policy is placed in processing.

For example, you may place a policy on the Entire organization level, but then place a computer specific policy on a lower order number to have this policy processed above the Entire organization policy. This would allow the single machine to have access to a site that would otherwise be blocked on all other computers in that organization.

Using the 'All Policies' selection in the Applies To dropdown is the best way to see your policy order for an organization.
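The processing order described above can be modeled in a few lines, including a check for an exception policy that was placed too low to ever take effect. This is an added example, not ThreatLocker code: it assumes the first matching policy decides the outcome, site entries match exactly, and policies apply to all users; the policy names, computer names and domains are constructed.

```python
from dataclasses import dataclass

ORG = "Entire organization"  # org-wide 'Applies To' level

@dataclass(frozen=True)
class Policy:
    order: int            # lower number = processed earlier
    name: str
    applies_to: str       # ORG or one computer name
    sites: frozenset      # Web Sites entries; exact match is an assumption
    action: str           # "Permit" or "Deny"

def effective_policy(policies, computer, site):
    """First policy, by ascending order number, that targets this computer
    and lists this site. First-match-wins is an assumption of this model."""
    for p in sorted(policies, key=lambda p: p.order):
        if p.applies_to in (ORG, computer) and site.lower() in p.sites:
            return p
    return None  # the page does not say what happens when nothing matches

def decision(policies, computer, site):
    p = effective_policy(policies, computer, site)
    return (p.action, p.name) if p else ("No match", None)

def shadowed_entries(policies):
    """(later policy, site, earlier policy) wherever an earlier policy with the
    opposite action already decides that site for every computer the later
    policy targets, so the later entry can never take effect."""
    ranked = sorted(policies, key=lambda p: p.order)
    found = []
    for i, later in enumerate(ranked):
        for earlier in ranked[:i]:
            if earlier.applies_to not in (ORG, later.applies_to):
                continue
            if earlier.action != later.action:
                for site in sorted(later.sites & earlier.sites):
                    found.append((later.name, site, earlier.name))
    return found

# Constructed sample data: an org-wide deny plus a one-computer exception.
DENY = Policy(2, "Deny social media", ORG, frozenset({"social.example"}), "Deny")
ALLOW = Policy(1, "Marketing PC exception", "MKT-PC-01", DENY.sites, "Permit")
GOOD = [DENY, ALLOW]
# Same exception mistakenly given a higher order number than the deny.
BAD = [DENY, Policy(3, ALLOW.name, ALLOW.applies_to, ALLOW.sites, "Permit")]

if __name__ == "__main__":
    for label, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, decision(rules, "MKT-PC-01", "social.example"),
              shadowed_entries(rules))
```

With the exception at order 1 the single computer is permitted while every other computer is denied; with the exception at order 3 the org-wide deny wins everywhere and the exception is reported as shadowed.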

Then select the hierarchy level where this new policy will be effective using the 'Applies To' dropdown. By default, this will automatically select the current 'Applies To' section selected on the Web Control page when the '+ New Policy' button is selected.

With the 'Applies To' set to the desired level, you may configure the users and groups that this policy would apply to as an additional level of control as needed.

Under 'Conditions', configure the 'Web Sites' or 'Categories' that would be matched against this policy.

  • Websites allow individual entries of domains, IPv4 addresses, and IPv6 addresses. Select the type of website using the dropdown, enter the value associated with the type, then use the + button to add the entry.
  • Categories allow the use of your custom-made tags and ThreatLocker Built-In categories and tags. Use the dropdown to find the ThreatLocker category or your custom tag of choice, then use the + button to add the network collection to your policy.

Once the content has been configured in the Conditions section of the policy, select the Policy Action as either 'Permit' or 'Deny'.

When selecting 'Deny', you will be given a final option that allows the user to request access when blocked.

Enable the slider for 'Allow User to Request' if you would like to receive Web Control approval requests from users blocked by this policy. If this is not enabled, users will not be directed to the ThreatLocker request page and will instead see the generic browser error page.

Important Note:

Requesting access requires the ThreatLocker Web Control browser extension to be installed. Currently we support Google Chrome and Microsoft Edge browsers with more support coming soon.

Direct Link to Browser Extensions:
ThreatLocker Web Control Extension - Chrome Web Store
ThreatLocker Web Control Extension - Microsoft Edge Addons

Creating Policies for Non-Managed Devices

COMING SOON!

Web Control allows administrators to create policies controlling content that can be accessed on the web by resolving your network DNS requests and returning valid IP addresses for allowed content. This can be effective for any device connected to your network, managed and non-managed. It is still recommended and preferred to use the agent-based policies, as controls are far more effective in how they can be applied and users have the option to request access to blocked content.

ThreatLocker Recommendation:

Before applying network changes to your entire environment, it is suggested you test with a single device to make sure DNS connections are being handled and resolved properly.

Additionally, it is recommended to point the network traffic of managed devices to a different DNS server to prevent an overlap between policies processed by ThreatLocker's DNS server and agent policies.

The first step is to create DNS Server objects to apply your Web Control policies to. Begin by using the 'DNS Servers (Beta)' button in the top right corner of the Web Control module page.

The sidebar that opens provides a link to this knowledge base article, which contains the ThreatLocker DNS Servers details, indicating the IP address you would need to forward your network's traffic to for resolving DNS requests.

In the sidebar, add your server objects by providing a server name and the public IP address from which that server/gateway sends traffic to the ThreatLocker DNS server.

Server names can be used more than once; however, the public IP address has to be unique across all ThreatLocker customers. This needs to be unique in order for your traffic to be correctly matched to the policies that get assigned to your server objects.

Once the object has been added using 'Add Server', it can be used in the 'Applies To' dropdown for creating policies. These objects will be in a section called 'DNS Servers' in the dropdown, listed by the name you set up.

Policies can now be applied to your configured DNS Server objects in the same manner as agent-based policies. The only exception is allowing users to request access, which is not supported through this route and cannot be added to the policy when set to 'Deny'.

Important Note:

Web Control policies applied to DNS Server objects are deployed automatically, at a maximum interval of 15 minutes after being created and saved.

ThreatLocker DNS Servers

When utilizing Web Control policies for non-managed devices, you will need to configure your network to forward DNS requests to ThreatLocker DNS servers in order for policies to be processed properly. Find the appropriate ThreatLocker DNS server below:

COMING SOON!

Approving Web Control Requests

Web Control requests will come from policies assigned to managed computers that are using the ThreatLocker Web Control browser extension. The request access feature is optional and needs to be enabled in the deny Web Control policies that get matched.

When a user experiences a block in a browser caused by a deny policy with the option to request enabled, the browser extension will automatically redirect the user to a block page that displays basic information on what was blocked. This page lets the user supply a reason for their request to access the blocked content, which can be reviewed in the Response Center as a Network request type. Without the browser extension installed, the user will see a traditional browser page with an error stating the web site could not be reached.

Once a request for blocked content has been submitted using the 'Request Review' button, you can approve or ignore the request in the Response Center within the ThreatLocker portal or the ThreatLocker mobile application.

Navigate to Response Center -> Approval tab

Web Control requests will be a Network action type

Once the approval is selected, you are given an option to permit or ignore the request. If permitted, you have two options: create a new Web Control policy, or add details to an existing Web Control policy.

  1. Show Network Details gives you an option to expand and view additional details around the request, including the domain requested, IP address of web site, process or browser that was being used, the policy that was matched, and more.
  2. Two options are given: Create New Policy (default), and Use Existing Policy. Selecting Use Existing Policy will load a dropdown list of permit policies found in the organization to which the request belongs, so you can add the details of the request quickly without creating excessive policies.
  3. This is where you can enter a policy name when creating a new policy, or where the dropdown for choosing an already made policy is shown if Use Existing Policy is selected. On new policy creation, a name is auto-populated based on the domain (or IP address if no domain is found) of the request. This can be changed as needed.
  4. On new policy creation, you will have options on where to apply the new permit Web Control policy.
  5. On new policy creation, you can add specific users and groups as needed. By default, this is set to all users.
  6. The conditions section is where you can add or remove web sites, categories, or both as needed. The web site in the request will already be populated in the Web Sites tab, whether creating a new policy or using an existing policy. When using an existing policy, all the details of the selected Web Control policy will be contained here as well.

Once all details have been filled out, you may now approve the request to permit the blocked web site.
