Using best practices with policies

Anti-malware policies

In order for Anti-malware policies to be enforced correctly, you must enable Managed Definitions to deploy Microsoft anti-malware definitions through Tanium. If your endpoints have Windows 7 or older, enable SCEP. (Settings > Anti-Malware)

AppLocker policies

See Microsoft Technet: AppLocker for more information about creating AppLocker rules.

By default, block list rules allow all executables to run. Allow list rules allow only administrators to run applications unless otherwise specified.

You should deploy a policy in audit mode with reporting enabled in your test environment before deploying the policy in your production environment. Review any warning events in the reports and modify the policy as needed.

Follow this example workflow to better understand how the default Protect Allow List Rule Template works.

Example workflow using default Allow List Rule Template

This workflow can help you confirm you are achieving the results you want with your allow list policy.

  1. Enforce the default Allow List Rules Template in Audit Only mode on a representative computer group.
  2. Create the AppLocker Warnings report to run for the appropriate number of days. You must enforce the policy for approximately 7 to 30 days in order to collect an accurate representation of user activity on the endpoint.
  3. Based on the aggregated data of blocked applications in the AppLocker Warnings report, click the Interact icon next to the application to go to Interact to view detailed event information about that specific application.
  4. Select the AUDIT row(s) in the resulting Question Results and click Drill Down.
  5. On the Create Question tab of the Select Drilldown Question window, begin typing applocker threat details and click on the resulting query Get AppLocker Threat Details Last X Days from all machines.
  6. In the Number of days to display results for field, enter the same number of days for which you created the report (in this example, 7) and click Go.
  7. The Question Results page shows the paths for the application. To allow the application to run, edit the policy and add the path in the Allow section of the policy.
  8. Click Enforce Changes and Confirm Save of Enforced Policy.

Firewall rules

With Enforce, do not manage Windows Firewall with Group Policy Management Editor. In order for firewall policies created under Enforce to take effect, the Group Policy Firewall setting must be set to Not configured.

SRP management rules

Windows SRP is capable of blocking applications launched by the user. Windows SRP does not prevent Windows services from starting. SRP does not prevent SYSTEM privileges from launching applications. For more information, see Microsoft TechNet Software Restriction Policies.

Policy limitations

Table 1:   Maximum number of policies and rules allowed
Item Limit
Maximum number of policies 100
Maximum number of AppLocker rules per policy 100
Maximum number of firewall rules per policy 1000
Maximum number of SRP management rules per policy 100