Using best practices with policies
In order for Anti-malware policies to be enforced correctly, you must enable Managed Definitions to deploy Microsoft anti-malware definitions through Tanium. If your endpoints have Windows 7 or older, enable SCEP. (Settings > Anti-Malware)
See Microsoft Technet: AppLocker for more information about creating AppLocker rules.
By default, block list rules allow all executables to run. Allow list rules allow only administrators to run applications unless otherwise specified.
You should deploy a policy in audit mode with reporting enabled in your test environment before deploying the policy in your production environment. Review any warning events in the reports and modify the policy as needed.
Follow this example workflow to better understand how the default Enforce Allow List Rule Template works.
Example workflow using default Allow List Rule Template
This workflow can help you confirm you are achieving the results you want with your allow list policy.
- Enforce the default Allow List Rules Template in Audit Only mode on a representative computer group.
- Create the AppLocker Warnings report to run for the appropriate number of days. You must enforce the policy for approximately 7 to 30 days in order to collect an accurate representation of user activity on the endpoint.
- Based on the aggregated data of blocked applications in the AppLocker Warnings report, click the Interact icon next to the application to go to Interact to view detailed event information about that specific application.
- Select the AUDIT row(s) in the resulting Question Results and click Drill Down.
- On the Create Question tab of the Select Drilldown Question window, begin typing applocker threat details and click the resulting query Get AppLocker Threat Details Last X Days from all machines.
- In the Number of days to display results for field, enter the same number of days for which you created the report (in this example, 7) and click Go.
- The Question Results page shows the paths for the application. To allow the application to run, edit the policy and add the path in the Allow section of the policy.
- Click Enforce Changes and Confirm Save of Enforced Policy.
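The workflow above reviews AppLocker audit data through the AppLocker Warnings report and Interact. The following PowerShell script is an added example, not Tanium's or Microsoft's code, that performs the same kind of aggregation locally on one endpoint from the AppLocker event log, which is useful for cross-checking a report or for a quick look at a single test machine. It assumes the policy is in Audit Only mode, so the events of interest are ID 8003 ("would have been blocked") in the EXE and DLL log; ID 8004 (actually blocked) is included so the same script works once the policy is enforced. The `$Days` parameter is a constructed default meant to match the number of days used for the report.

```powershell
# Added example (not Tanium's code): summarise AppLocker audit/block events
# on the local endpoint for the last N days, grouped by file path.
param(
    [int]$Days = 7   # match the "Number of days to display results for" value used for the report
)

$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$since   = (Get-Date).AddDays(-$Days)

# 8003 = allowed but would have been blocked (audit mode)
# 8004 = blocked (enforced mode)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 8003, 8004
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No AppLocker audit/block events in the last $Days days."
    return
}

# Each AppLocker event carries the path, hash and target user (as a SID)
# under UserData/RuleAndFileData in the event XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    $action = if ($e.Id -eq 8003) { 'AUDIT' } else { 'BLOCKED' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Action   = $action
        UserSid  = $d.TargetUser
        FilePath = $d.FilePath      # uses AppLocker path variables such as %PROGRAMFILES%
        FileHash = $d.FileHash
    }
}

# Aggregate by path. Each row is a candidate for review before it is added
# to the Allow section of the policy; the hash lets you confirm that the
# binaries seen at that path are the ones you expect.
$rows |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'FilePath'; e = { $_.Name } },
        @{ n = 'Actions';  e = { ($_.Group.Action   | Sort-Object -Unique) -join ',' } },
        @{ n = 'Users';    e = { ($_.Group.UserSid  | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Hashes';   e = { ($_.Group.FileHash | Sort-Object -Unique).Count } },
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint (reading the AppLocker operational logs requires administrative rights). Grouping by path rather than by individual event mirrors what the report shows; a path with many distinct hashes is worth a closer look before it is allowed, because a path rule will admit every binary that is later placed there.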
With Enforce, do not manage Windows Firewall with Group Policy Management Editor. In order for firewall policies created under Enforce to take effect, the Group Policy Firewall setting must be set to Not configured.
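A practitioner will want a way to confirm that an endpoint is not already receiving firewall settings from Group Policy before relying on Enforce-created firewall policies. The script below is an added example, not Tanium's code, that checks the registry location where Windows stores Group Policy firewall settings; when the Group Policy firewall setting is Not configured, no firewall GPO applies and that policy key (or its profile and rule subkeys) is absent. The key paths and the EnableFirewall value name are standard Windows locations; the subkey list and the output format are the example's own assumptions.

```powershell
# Added example (not Tanium's code): detect whether Windows Firewall on the
# local endpoint is being managed by Group Policy, which would prevent
# Enforce firewall policies from taking effect.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$profiles   = 'DomainProfile', 'PrivateProfile', 'PublicProfile'

$findings = @()

# Per-profile settings written by the "Protect all network connections" policy
foreach ($p in $profiles) {
    $key = Join-Path $policyRoot $p
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($null -ne $props.EnableFirewall) {
            $findings += [pscustomobject]@{
                Source = "$p\EnableFirewall"
                Value  = $props.EnableFirewall
            }
        }
    }
}

# Individual rules pushed by Group Policy land under the FirewallRules subkey
$rulesKey = Join-Path $policyRoot 'FirewallRules'
if (Test-Path $rulesKey) {
    $ruleCount = (Get-Item $rulesKey).Property.Count
    if ($ruleCount -gt 0) {
        $findings += [pscustomobject]@{
            Source = 'FirewallRules (GPO-delivered rules)'
            Value  = $ruleCount
        }
    }
}

if ($findings) {
    Write-Warning 'Windows Firewall is managed by Group Policy on this endpoint.'
    Write-Warning 'Set the Group Policy firewall setting to Not configured so Enforce policies can apply.'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No Group Policy firewall configuration found; Enforce firewall policies can take effect.'
}
```

The registry check reflects the last Group Policy refresh rather than live GPO contents, so run `gpupdate /force` first if you have just changed the GPO. As a second opinion, `Get-NetFirewallRule -PolicyStore RSOP` lists the firewall rules that Group Policy currently delivers to the machine; an empty result is consistent with the registry check passing.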
Windows SRP is capable of blocking applications launched by the user. Windows SRP does not prevent Windows services from starting, and it does not prevent applications from being launched with SYSTEM privileges. For more information, see Microsoft TechNet Software Restriction Policies.
| Limit | Value |
|---|---|
| Maximum number of policies | 100 |
| Maximum number of AppLocker rules per policy | 100 |
| Maximum number of firewall rules per policy | 1000 |
| Maximum number of SRP management rules per policy | 100 |
When policies are put in content sets by different users with different permissions, a user might have only partial visibility into configuration items, or lose visibility into items to which that user originally had access. For example, if you create a policy and apply it to a group of endpoints, and then another user applies that same policy to a different group of endpoints for which you do not have permissions, you lose the permission to edit that policy. See User role requirements for role definitions.
If you move a policy from one content set to another content set, it can take up to an hour for all configuration changes to take place. The policy is updated immediately, but packages and saved content can take up to an hour to align because they require a sync activity to take place.
Last updated: 2/23/2021 1:01 PM