Security Controls

Group Rules

In this section:

About Group Rules

The Group rules node allows you to match security control rules with specific user groups within the enterprise.

The Group summary displays the group name and the Textual Security Identifier (SID). A SID is a data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an accounts SID rather than the accounts user or group name. Likewise, Application Control also refers to a user or group SID unless the SID could not be found when added to the configuration.

There are two predefined Group rules:

  • BUILTIN\Administrators - The BUILTIN\Administrators group is for managing access to the applications for local administrators. Users in BUILTIN\Administrators are assigned the Unrestricted security level.

  • Everyone - All users, including administrators are part of the Everyone group. The Everyone group rule and all additional group rules have a security level of Restricted, unless a user matches other group or user rules with higher priority settings. This means administrators are part of two group rules: the BUILTIN\Administrators group, which is unrestricted, and the Everyone group, which is restricted. Application Control uses the least restrictive rules; therefore, all administrator requests are unrestricted.

    Typically, you specify all the files, folders, drives, file hashes, and groups to prohibit for Everyone. You can then create a new group or user and specify the items you want to be accessible for that group or user. This enables you to control what users have access to.

Manage Group Rules

  • To add a group rule set, right-click Group and select Add Group Rule Set.

    The Add Group Rule Set dialog displays. Enter or browse to select an account.

  • To remove a group rule set, right-click the rule set and select Remove Rule Set.

    A confirmation message displays. Click Yes to confirm the removal.

You can add Executable Control, Privilege Management, and Browser Control items to each group rule set. For information see the Related Topics.

Related Topics

Rule Set Executable Control

Rule Set Privileges Management

About Browser Control

Rule Sets


Was this article useful?