Creating policies

You can create the following policies in Enforce.

Machine Administrative Templates

Machine administrative template policies target machine-based Active Directory administrative template (ADMX) group policy objects on Windows systems. Use machine administrative template policies to apply consistent rules to Windows devices regardless of the logged-in user. See Create a Machine administrative template policy.

The following Microsoft packages are used in Windows administrative template policies: Windows 10 baseline, Google Chrome, MS Office, and Windows Security Baseline ADMX files (MSS-legacy and SecGuide).

Anti-Malware policy

Anti-malware policies use the Microsoft Anti-malware engine to protect your endpoints from viruses. They are configured using the Machine administrative templates > Windows Defender Antivirus Active Directory administrative group policy objects on Windows systems. See Create an Anti-malware policy.

Windows Firewall

Firewall management policies consist of rules that block or allow network traffic using the built-in Windows Firewall. See Create a Windows firewall management policy.

Create a Machine administrative template policy

  1. From the Enforce menu, go to Policies and click the Create Policy button.
  2. In the Summary section, do the following:
    • Enter a Name and Description for the policy.
    • From the Policy Type drop-down, select Machine administrative template. Machine administrative template policies target machine-based ADMX (Active Directory administrative templates) group policy objects.
  3. In the Configure Policy Settings section, select a category on the left side, and the available settings for that category appear on the right side.
    • Search Categories and Settings: a search field appears at the top of the categories column on the left side. Type the name of the category or setting you are looking for, and an asterisk appears to the right of each item that contains the search text.
    • Some high-level categories for Machine administrative template policies are listed in the Machine Administrative Templates Policy Categories Example table below.
  4. The following table gives an overview of some of the top-level categories.

     Table 1: Machine Administrative Templates Policy Categories Example

     Category (top level)      Overview
     Control Panel             Includes display, personalization, regional and language options, and printers.
     Google Chrome             Includes cookies, JavaScript, and image settings.
     MS Security Guide         Includes UAC restrictions and SMB server and client.
     MSS (Legacy)              Includes legacy Windows registry values that predate group policy.
     Microsoft Office          Includes Windows security restrictions and storage of user passwords.
     Network                   Includes network connections.
     Printers                  Includes prevention of security issues with print driver installation.
     Start Menu and Task Bar   Includes notifications.
     System                    Includes driver installation, display, locale services, group policy, mitigation options, logon, power management, removable storage access, and user profiles.
     Windows Components        Includes app runtime, attachment manager, autoplay policies, cloud content, credential user interface, edge UI, and Windows Defender antivirus.

    For the full list of policy settings included in Windows administrative template files, see Microsoft: Group Policy Settings Reference for Windows and Windows Server and Microsoft Security Compliance Toolkit 1.0.

  5. When you configure a policy setting, three states are available: Not Configured, Enabled, and Disabled. Both Not Configured and Disabled use the default Microsoft settings. When you change the state to Enabled, you can enter your own values. Refer to Microsoft documentation for a detailed explanation of each state.
  6. The Enforce UI page for each policy setting includes Microsoft's help text for that setting.

  7. Click the Add to Policy button after you configure a policy setting.
  8. Click the Create button at the bottom of the page once all settings for the policy are complete. The policy now appears in the Policies list.

You can enforce a policy from three different places in the UI.

  • The Enforcements page
  • The Policy list page
  • The Policy details page

See Enforcing policies for details.

Create an Anti-malware policy

Anti-malware policies consist of groups of settings. You can only have one Anti-malware rule per policy; however, a single Anti-malware rule within one policy can have multiple settings.

Make sure you have completed the steps detailed in the Upload Anti-malware section before configuring anti-malware policies.

Default Windows Defender Policy

Enforce provides a default Windows Defender policy. View this policy in the Enforce menu > Policies page. The default policy contains settings for client interface, anti-virus quarantining, scanning, and exclusions. Expand each policy to view the pre-configured settings. You can edit or delete this policy. Create an enforcement to deploy it to endpoints.

Configure a new anti-malware policy

  1. From the Enforce menu, go to Policies and click the Create Policy button.
  2. In the Summary section, do the following:
    • Enter a Name and Description for the policy.
    • Select Machine Administrative Templates from the Policy Type drop-down menu.
  3. In the Anti-malware Specific Settings section, click the Create exclusions for Tanium processes button. The required Tanium exclusions are automatically added to the policy. Refer to Exclusions.
  4. Decide whether to keep Deploy definition update using Tanium for Managed Definitions enabled.
  5. Complete the fields for Definition Grace Period to specify how often endpoints use Tanium to check for Anti-malware definition updates. This value represents how old an Anti-malware definition can be before the policy is considered unenforced. The default grace period is 1 day.
  6. By default, Anti-malware rules are configured to use Tanium to deploy Anti-malware definition updates. If an endpoint has not received an update within the specified grace period, it is considered unenforced. When this option is unchecked, endpoints retrieve definitions directly from Microsoft.

  7. Search for Windows Defender in the Configure Policy Settings section. Enable Windows Defender policies and enter settings as needed.
  8. Anti-malware policies require that endpoints have either SCEP or Windows Defender installed. When SCEP Installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender. See Enable Microsoft System Center Endpoint Protection (SCEP) Installation to understand how to correctly enable SCEP installation.

  9. Click the Add to Policy button after you configure a policy setting.
  10. Click the Create button at the bottom of the page once all settings for the policy are complete. The policy now appears in the Policies list in the Machines tab. When you create an Anti-Malware policy, you can add settings to control the user experience. See Reference: Anti-malware settings.
  11. You can enforce a policy from three different places in the UI.

    • The Enforcements page
    • The Policy list page
    • The Policy details page

    See Enforcing policies for details.

Create a Windows firewall management policy

When a Windows firewall management policy is enforced on an endpoint, Enforce starts the MpsSvc (Windows Firewall) service on that endpoint.

The maximum number of firewall rules per policy is 1000.

  1. From the Enforce menu, go to Policies and click the Create Policy button.
  2. In the Summary section, do the following:
    • Enter a Name and Description for the policy.
    • From the Policy Type drop-down, select Windows Firewall.
  3. For Rule Management, choose Replace or Merge. Replace removes all existing firewall rules on the endpoint and replaces them with the rules in this policy. Merge leaves the existing firewall rules on the endpoint in place and adds the rules in this policy.
  4. Configure the following settings in the Firewall Profiles section:
    • For Network Selection, choose Default, Enabled, or Disabled.

Create a new Windows firewall rule

  1. In the Firewall Rules section, click Add Rule.
  2. Complete the following fields for your firewall rule:

     Name: Required. Enter a brief name for the rule.
     Direction: Required. Select Outbound, Inbound, or Bi-directional for the direction of the connection.
     Action: Required. Select either Block or Allow, depending on the type of rule you are creating.
     Network Protocol: Required. Select a protocol. If you specify UDP or TCP for the protocol, you must specify at least one value in the following fields: Application Path, Local Address(es), Local Port(s), Remote Address(es), Remote Port(s), or Service Name. For more information about protocols, see Microsoft Technet: Firewall Rule Properties.
     Group: Optional. Specify a group name, or choose an existing one, to help organize your firewall rules.
     Profiles: Select the applicable profiles. If you do not select one or more profiles, the rule is created as if all profiles were selected.
     Application Path: For example, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
     Local Address(es): Targets the rule to specific local IP addresses. Separate IP addresses with commas.
     Local Port(s): Typically populated for Inbound rules. You can specify port ranges, for example: 80, 443, 5000-5010.
     Remote Address(es): Targets the rule to specific remote IP addresses. Separate IP addresses with commas.
     Remote Port(s): Typically populated for Outbound rules. You can specify port ranges, for example: 80, 443, 5000-5010.
     Service Name: A Windows service display name.

  3. Click Create to create your policy. Click Add Rule again to add another rule to the policy.
  4. To edit a policy after you create it, select the policy on the Policies page, click Edit, make the necessary changes, and then click Enforce Changes (if enforcements exist) or Update (if no enforcements are in place).
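The following is an added example, not Tanium's code, that models the constraints of the rule fields above (required Name, Direction and Action, the TCP/UDP requirement for at least one target field, comma-separated port ranges and IP addresses, the 1000-rule limit per policy) together with the Replace / Merge choice from the Rule Management step. The dictionary keys such as local_ports, and the sample rules, are assumed names and constructed data for this example only.

```python
"""Validate Windows firewall rule definitions before they go into a policy.

Added example, not Tanium's code. Field keys ('local_ports', ...) are
assumed names for this example, not Enforce's own.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

MAX_RULES_PER_POLICY = 1000  # limit stated for a Windows firewall policy
DIRECTIONS = {"Outbound", "Inbound", "Bi-directional"}
ACTIONS = {"Block", "Allow"}
# For TCP or UDP, at least one of these must be filled in.
TCP_UDP_TARGET_FIELDS = ("application_path", "local_addresses", "local_ports",
                         "remote_addresses", "remote_ports", "service_name")

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse '80, 443, 5000-5010' into [(80, 80), (443, 443), (5000, 5010)]."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        low_n = int(low)
        high_n = int(high) if high else low_n
        if not 0 <= low_n <= high_n <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((low_n, high_n))
    return ranges


def parse_addresses(spec: str) -> List[IPAddress]:
    """Parse a comma-separated IP list; ipaddress rejects malformed entries."""
    return [ipaddress.ip_address(item.strip())
            for item in spec.split(",") if item.strip()]


def validate_rule(rule: Dict[str, str]) -> List[str]:
    """Return the problems found in one rule; an empty list means it is valid."""
    problems = []
    if not rule.get("name", "").strip():
        problems.append("Name is required")
    if rule.get("direction") not in DIRECTIONS:
        problems.append("Direction must be Outbound, Inbound, or Bi-directional")
    if rule.get("action") not in ACTIONS:
        problems.append("Action must be Block or Allow")
    protocol = rule.get("protocol", "").strip().upper()
    if not protocol:
        problems.append("Network Protocol is required")
    elif protocol in ("TCP", "UDP") and not any(rule.get(f) for f in TCP_UDP_TARGET_FIELDS):
        problems.append("TCP/UDP rules need at least one of: "
                        + ", ".join(TCP_UDP_TARGET_FIELDS))
    for field, parser in (("local_ports", parse_ports), ("remote_ports", parse_ports),
                          ("local_addresses", parse_addresses),
                          ("remote_addresses", parse_addresses)):
        if rule.get(field):
            try:
                parser(rule[field])
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
    return problems


def validate_policy(rules: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map rule index -> problems; key -1 carries policy-level problems."""
    report: Dict[int, List[str]] = {}
    if len(rules) > MAX_RULES_PER_POLICY:
        report[-1] = [f"{len(rules)} rules exceeds the maximum of {MAX_RULES_PER_POLICY}"]
    for index, rule in enumerate(rules):
        problems = validate_rule(rule)
        if problems:
            report[index] = problems
    return report


def apply_rule_management(existing: List[Dict[str, str]],
                          policy_rules: List[Dict[str, str]], mode: str) -> List[Dict[str, str]]:
    """Replace discards the endpoint's current rules; Merge keeps them and adds the policy's."""
    if mode == "Replace":
        return list(policy_rules)
    if mode == "Merge":
        return list(existing) + list(policy_rules)
    raise ValueError("mode must be Replace or Merge")


# Constructed sample rules (not from the page).
ALLOW_RDP_FROM_MGMT = {
    "name": "Allow RDP from management hosts",
    "direction": "Inbound", "action": "Allow", "protocol": "TCP",
    "local_ports": "3389", "remote_addresses": "10.0.0.5, 10.0.0.6",
    "profiles": "Domain",
}
BLOCK_OUTBOUND_LEGACY = {
    "name": "Block outbound telnet and FTP",
    "direction": "Outbound", "action": "Block", "protocol": "TCP",
    "remote_ports": "21, 23",
}
BAD_RULE = {"name": "", "direction": "Sideways", "action": "Allow",
            "protocol": "TCP", "local_ports": "80, 70000"}

if __name__ == "__main__":
    policy = [ALLOW_RDP_FROM_MGMT, BLOCK_OUTBOUND_LEGACY, BAD_RULE]
    for index, problems in validate_policy(policy).items():
        print(f"rule {index}: {problems}")
```

Running the block reports only the third rule: the empty Name, the invalid Direction, and the out-of-range port. Running a check like this before clicking Create catches a rule that would otherwise be rejected by the form or, worse, silently match nothing on the endpoint.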

Import firewall rules from a Windows TSV file

Before you can import a firewall policy into Enforce from a Windows TSV file, you must export it from Windows.

  1. In Windows, go to Windows Firewall with Advanced Security.
  2. In the left pane, right-click on Inbound Rules and click Export List. Save the file as a Text (Tab Delimited) .txt file.
  3. In the Firewall Rules section, click the Import button.
  4. Click the Select TSV File button to locate the file that contains the exported firewall rules and click Open. The Import window shows the file name and how many rules are being imported.
  5. Select the Direction.
  6. Click Proceed.
  7. Repeat these steps for Outbound Rules to export them from Windows and import them into Protect.

If the file you are importing does not include a Service column, a warning displays. If your firewall rules depend on the Service field, add the Service column and re-export the firewall rules from Windows.
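The following added example, which is not Tanium's code, parses a Windows Firewall "Export List" tab-delimited file the way the import step above describes: it counts the rules, warns when the optional Service column is absent, and maps the Windows columns to rule fields. The column headers are those shown in the Windows Firewall with Advanced Security console, the sample file and the field names are constructed for this example, and the Direction is passed in by the caller because each export covers either the Inbound or the Outbound list.

```python
"""Parse a Windows Firewall 'Export List' TSV before importing it.

Added example, not Tanium's code. Column names follow the Windows Firewall
with Advanced Security console; the rule field names are assumed.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample: an Inbound Rules export saved as Text (Tab Delimited)
# without the optional Service column.
SAMPLE_EXPORT = (
    "Name\tGroup\tProfile\tEnabled\tAction\tOverride\tProgram\t"
    "Local Address\tRemote Address\tProtocol\tLocal Port\tRemote Port\n"
    "Allow RDP from management\t\tDomain\tYes\tAllow\tNo\tAny\tAny\t"
    "10.0.0.5, 10.0.0.6\tTCP\t3389\tAny\n"
    "Block legacy telnet\tLegacy\tAll\tYes\tBlock\tNo\tAny\tAny\tAny\tTCP\t23\tAny\n"
)

# Windows column -> rule field (assumed mapping for this example).
COLUMN_MAP = {
    "Name": "name",
    "Group": "group",
    "Profile": "profiles",
    "Action": "action",
    "Program": "application_path",
    "Local Address": "local_addresses",
    "Remote Address": "remote_addresses",
    "Protocol": "protocol",
    "Local Port": "local_ports",
    "Remote Port": "remote_ports",
    "Service": "service_name",
}


def _clean(value: str) -> str:
    """Windows writes 'Any' for unrestricted fields; leave those blank."""
    value = (value or "").strip()
    return "" if value == "Any" else value


def parse_export(text: str, direction: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (rules, warnings) for one exported Inbound or Outbound list."""
    if direction not in ("Inbound", "Outbound"):
        raise ValueError("direction must be Inbound or Outbound")
    # Strip a UTF-8 BOM if the file was saved with one.
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")), delimiter="\t")
    columns = reader.fieldnames or []
    warnings = []
    if "Service" not in columns:
        warnings.append("export has no Service column; rules that depend on the "
                        "Service field will lose it (add the column and re-export)")
    rules = []
    for row in reader:
        rule = {"direction": direction}
        for column, field in COLUMN_MAP.items():
            if column in row:
                rule[field] = _clean(row[column])
        rule["enabled"] = (row.get("Enabled") or "").strip() == "Yes"
        rules.append(rule)
    return rules, warnings


def import_summary(text: str, direction: str) -> Dict[str, object]:
    """What the Import window shows: file rule count plus any warnings."""
    rules, warnings = parse_export(text, direction)
    return {"direction": direction, "rule_count": len(rules), "warnings": warnings}


if __name__ == "__main__":
    print(import_summary(SAMPLE_EXPORT, "Inbound"))
```

With the constructed file the summary reports two Inbound rules and one warning about the missing Service column; re-exporting after adding the column through View > Add/Remove Columns clears the warning and populates service_name.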

To add a Service column

  1. In Windows, go to Windows Firewall with Advanced Security.
  2. Select Add/Remove Columns from the View menu.
  3. Select Service from Available columns and click Add.
  4. Click OK.
  5. Select Export List from the Action menu and save it to a file.

Import firewall rules from Tanium Endpoints

  1. In the Firewall Rules section, select Import Rules from Tanium Endpoints from the Import drop-down button.
  2. In the Import Rules from Tanium Endpoints window, select the rules already existing on Tanium endpoints that you want to import.
  3. Click Add Rules.
  4. You can enforce a policy from three different places in the UI.

    • The Enforcements page
    • The Policy list page
    • The Policy details page

See Enforcing policies for details.