Application Control Configuration Settings

You configure the Application Control functionality within the Application Control Configuration Editor. This can be accessed from one of a few places within the Security Controls console.

  • New >Application Control Configuration
  • Application Control configurations right-click New Application Control Configuration
  • New > Agent Policy > Application Control > New.

Note this will assign the configuration to the policy once saved.

The top level node Configuration Settings has three tabs:

Features

Select to enable the following Application Control functionality for this configuration:

Executable Control

Executable Control covers the following functionality throughout the configuration:

  • Trusted Ownership - during the rule process trusted ownership checking is performed on files and folders to ensure that ownership of the items is matched with the list of specified trusted owners specified in the configuration.
  • Security levels - specify the levels of restrictions to execute unauthorized files.
  • Allowed and Denied Items - grant or deny access to specific items applicable to a rule set.

Privilege Management

Privilege Management allows you to create reusable privilege management policies which can be associated with any rule sets and can elevate or restrict access to files, folders, drives, file hashes, and Control Panel components. A more granular level of control allows you to assign specific privileges for debugging or installing software, or to set integrity levels for managing interoperability between different products, such as Microsoft Outlook and Microsoft Word.

Privilege Management contains four primary functions:

  • Elevating privilege management for applications.
  • Elevating privilege management for Control Panel components and Management Snapins.
  • Reducing privilege management for applications.
  • Reducing privilege management for Control Panel components and Management Snapins.

Browser Control

Use this feature to automatically redirect users when they attempt to access a specified URL. By defining a list of prohibited URLs, you redirect any user attempting to access a listed URL to a default warning page or a custom web page. You can also select to allow certain URLs which, when used in conjunction with redirects, gives you further flexibility and control and lets you create an allows list of websites.

Before you configure this feature for Internet Explorer, you must enable third-party browser extensions using Internet Options for each of your endpoints. Alternatively, this can be applied via Group Policy.

URL Redirection is compatible with Internet Explorer 8, 9, 10, and 11. When using Chrome, all managed endpoints must be part of a domain.

Hash Algorithm

File Hash provides a means to accurately identify a file according to the actual contents of the file itself. Each file is examined and according to its contents, a digital hash, which may be likened to a fingerprint, is produced. Application Control makes use of the industry standard SHA-1, SHA-256 and Adler-32 hashes. If the file is altered in any way, then the hash is also altered.

Digital hashing is seen as the ultimate security method because it is accurate. It identifies each file independently of all other factors other than the file itself. For example, an administrator takes a digital hash of all executables on a computer system and records them. A user then tries to execute an application. The digital hash of the application is calculated and then compared to the recorded values. If there is a match the application is granted execution, otherwise it is denied. This methodology also provides zero-day protection because not only does it stop new applications from being introduced, it also blocks any applications that have been infected with malware.

Although file hashing provides a similar protection to Trusted Ownership, you must also consider the time and management involved with respect to maintaining the security systems in place. Applications are constantly being updated with product levels, bug fixes, and vulnerability patches. This means that all associated files are also constantly being updated. So if, for example, a product level is applied to Microsoft Office then for the updated parts to work new digital hashes of the updated files must now be taken. Take care to ensure that these are available when the update is available to eliminate downtime. Additionally, it is recommended that you remove the old hash.

Advanced Settings

Advanced Settings allow you to configure additional settings which will be applied on managed endpoints when an Application Control configuration is deployed. If a new configuration is deployed that contains new advanced settings, any pre-existing advanced settings in place on the end point will be deleted.

On the Advanced Setting tab, right-click in the work area and select Add to display the list of available Advanced Settings. The settings are applied when the configuration is deployed to your managed endpoints.

Related Topics

About Executable Control

Privilege Management

About Browser Control

Configuration Settings Executable Control

Configuration Settings Privilege Management