In this section:
Application Control configuration files (AAMP) contain the rule settings for securing your system. The configuration files are installed on managed devices and serve as a policy checklist for the Application Control agent to assess how to handle file execution requests. When a file is executed, Application Control intercepts the request and performs a check with the configuration to find the appropriate matching rule and the required action to take. Other default policies specified in a configuration are also applied, for example, event filtering or handling for specific file extension types as well as general policies such as default rules, auditing rules, how message notifications are displayed, and archiving options.
Configurations are stored locally in different locations depending on your operating system and are protected by NTFS security: Windows 7 and above: C:\ProgramData\AppSense\Application Manager\Configuration.
In Standalone mode, configuration changes are written directly to the local AAMP file from the Application Control console. In Enterprise mode, configurations can be created and stored centrally in the Management Center database, and distributed to endpoints in MSI format via the Management Server. Configurations can also be exported and imported to and from MSI file format, which is useful for creating templates or distributing configurations using third-party deployment systems.
After creating or modifying a configuration, you must save the configuration with the latest settings to ensure that they are implemented.
Application manager Library node allows you to create groups of items that can be used in configuration rules. Use the library to create a group of similar items to manage. Once your libraries have been created they can be assigned to rules and used to govern a group of users. Library nodes provide the following:
Group Management - The Group Management node allows you to group a number of items such as Files, Folders, Drives, Signature Files, Windows Store Apps, and Network Connections for one particular application. You can then add this group to the Allowed and Denied Items lists in a rule.
- User Privilege Policies - The User node allows you to add User Privilege Policies to selectively promote or demote administrative rights for individual applications.
Rule nodes provide default settings for handling file executions and specific settings that apply to particular users, groups, or devices. Group, User, Device, Custom, Scripted, and Process Rules allow you to specify Security Level settings that specify restrictions that apply to users, groups, or devices matching the rule. Custom rules target combinations of particular users or groups operating on specific collections of devices. Scripted rules allow administrators to apply Allowed Items and Denied Items to users based on the outcome of a Windows PowerShell or VBScript script. Scripts can be run for each individual user session or run once per computer. Process rules allow you to manage access for the application to run child processes that might otherwise be managed differently in other rules. You can add Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control to a rule.
- Allowed/ Denied Items — A sub-node list in each rule that you can populate and maintain with specific files, folders, drives, and digital signatures to provide an additional level of granularity for controlling file execution requests. For example, items that Trusted Ownership checking normally denies can be allowed for the users or devices targeted in the rule. Likewise, files that would normally be allowed can be denied.
- Trusted Vendors — A sub-node list in each rule that you can populate with digital certificates issued by trusted sources. Files that fail Trusted Ownership checking are checked for the presence of digital certificates and allowed to run when a match is made with the Trusted Vendors list. For example, a highly restricted user might be prohibited under normal rule conditions from introducing executable files on the system, but may be required to download and run software updates from a particular source from time to time. If the downloaded file includes a digital certificate that matches a certificate in the Trusted Vendors list, the file is allowed to run.
- User Privileges - A sub-node list in each rule that you can populate with applications, components, and web installations for you to apply User Privilege Policies to. User Privilege Policies allow you to selectively promote or demote administrative rights for individual applications, components, and web installations.
- Browser Control - A sub-node list in each rule that you can populate with URLs to which you can apply URL redirection. You can also specify URLs that open an elevated instance of Internet Explorer, and allow the elevation to administrative privileges for ActiveX installers from particular domains.
Application Control is ready to manage your security as soon as you install the agent and a configuration on client computers. A default configuration loads when you run the console and can be used for immediate protection on all client computers to which the configuration is deployed. This configuration blocks any file with an untrusted owner and prevents non-administrative users accessing executables on non-secure locations, including network locations and removable media.
The default configuration can be saved directly in Standalone mode to the client computer via the console or saved to the database of the deployment mechanism when operating in Enterprise mode ready for deployment.
- All application and process execution requests are checked against the Application Control rules before access is granted.
- All application and process network access requests are prohibited unless allowed by Application Control rules.
- Members of the Local Administrators group are granted unrestricted access to applications.
- Members of non-administrative user groups are granted restricted access to applications.
- CMD.exe is blocked except when run by batch files.
- MSI, WSH and Registry Files are validated against the Application Control rules.
- Windows Installer (msiexec.exe) is allowed to run all child processes with the DLL and EXE extensions.
Default Configuration Settings
|System process validation can affect performance and is disabled by default.
|Settings for closing and terminating applications.
Set triggers, warning message behavior to users, and warning message notifications.
|Disabled by default.
|Group Management Node
|For creating reusable groups of applications for assigning to Rules.
|No default settings.
|User Privilege Policies
|Reusable User Privilege Policies that elevate or restrict user privileges.
For assigning to files, folders, signatures, drives and application groups in Rules.
|No default settings.
|Local Administrator Group rule for managing access to applications for local administrators.
|Group rule for all system users unless a user matches other rules with higher priority settings.
|Windows Installer (msiexec.exe)