Configuration

Application Control configuration files (AAMP) contain the rule settings for securing your system. The configuration files are installed on managed devices and serve as a policy checklist for the Application Control agent to assess how to handle file execution requests. When a file is executed, Application Control intercepts the request and performs a check with the configuration to find the appropriate matching rule and the required action to take. Other default policies specified in a configuration are also applied, for example, event filtering or handling for specific file extension types as well as general policies such as default rules, auditing rules, how message notifications are displayed, and archiving options.

Configurations are stored locally in different locations depending on your operating system and are protected by NTFS security: Windows 7 and above: C:\ProgramData\AppSense\Application Manager\Configuration.

In Standalone mode, configuration changes are written directly to the local AAMP file from the Application Control console. In Enterprise mode, configurations can be created and stored centrally in the Management Center database, and distributed to endpoints in MSI format via the Management Server. Configurations can also be exported and imported to and from MSI file format, which is useful for creating templates or distributing configurations using third-party deployment systems.

After creating or modifying a configuration, you must save the configuration with the latest settings to ensure that they are implemented.

Configuration Elements

Libraries

Application manager Library node allows you to create groups of items that can be used in configuration rules. Use the library to create a group of similar items to manage. Once your libraries have been created they can be assigned to rules and used to govern a group of users. Library nodes provide the following:

• Group Management - The Group Management node allows you to group a number of items such as Files, Folders, Drives, Signature Files, Windows Store Apps, and Network Connections for one particular application. You can then add this group to the Allowed and Denied Items lists in a rule.
• User Privilege Policies - The User node allows you to add User Privilege Policies to selectively promote or demote administrative rights for individual applications.

Rules

Rule nodes provide default settings for handling file executions and specific settings that apply to particular users, groups, or devices. Group, User, Device, Custom, Scripted, and Process Rules allow you to specify Security Level settings that specify restrictions that apply to users, groups, or devices matching the rule. Custom rules target combinations of particular users or groups operating on specific collections of devices. Scripted rules allow administrators to apply Allowed Items and Denied Items to users based on the outcome of a Windows PowerShell or VBScript script. Scripts can be run for each individual user session or run once per computer. Process rules allow you to manage access for the application to run child processes that might otherwise be managed differently in other rules. You can add Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control to a rule.

• Allowed/ Denied Items — A sub-node list in each rule that you can populate and maintain with specific files, folders, drives, and digital signatures to provide an additional level of granularity for controlling file execution requests. For example, items that Trusted Ownership checking normally denies can be allowed for the users or devices targeted in the rule. Likewise, files that would normally be allowed can be denied.
• Trusted Vendors — A sub-node list in each rule that you can populate with digital certificates issued by trusted sources. Files that fail Trusted Ownership checking are checked for the presence of digital certificates and allowed to run when a match is made with the Trusted Vendors list. For example, a highly restricted user might be prohibited under normal rule conditions from introducing executable files on the system, but may be required to download and run software updates from a particular source from time to time. If the downloaded file includes a digital certificate that matches a certificate in the Trusted Vendors list, the file is allowed to run.
• User Privileges - A sub-node list in each rule that you can populate with applications, components, and web installations for you to apply User Privilege Policies to. User Privilege Policies allow you to selectively promote or demote administrative rights for individual applications, components, and web installations.
• Browser Control - A sub-node list in each rule that you can populate with URLs to which you can apply URL redirection. You can also specify URLs that open an elevated instance of Internet Explorer, and allow the elevation to administrative privileges for ActiveX installers from particular domains.

Default Configurations

Application Control is ready to manage your security as soon as you install the agent and a configuration on client computers. A default configuration loads when you run the console and can be used for immediate protection on all client computers to which the configuration is deployed. This configuration blocks any file with an untrusted owner and prevents non-administrative users accessing executables on non-secure locations, including network locations and removable media.

The default configuration can be saved directly in Standalone mode to the client computer via the console or saved to the database of the deployment mechanism when operating in Enterprise mode ready for deployment.

Protection

• All application and process execution requests are checked against the Application Control rules before access is granted.
• All application and process network access requests are prohibited unless allowed by Application Control rules.
• Members of the Local Administrators group are granted unrestricted access to applications.
• Members of non-administrative user groups are granted restricted access to applications.
• CMD.exe is blocked except when run by batch files.
• MSI, WSH and Registry Files are validated against the Application Control rules.
• Windows Installer (msiexec.exe) is allowed to run all child processes with the DLL and EXE extensions.

Default Configuration Settings

• Make local drives allowed by default
• Ignore restrictions at logon
• Allow cmd.exe for batch files
• Extract self-extracting ZIP files
• Ignore restrictions during Active Setup
• Deny files on removable media
• Deny files on network shares

• Ignore restrictions at logon delays the implementation of the Application Control rules until logon is complete to avoid disrupting or preventing the logon process. This option allows logon scripts to run.
• While cmd.exe and self-extracting ZIP files are usually blocked as potential loopholes for attempts to breach security, this option allows CMD and ZIP files to run for legitimate files Application Control rules.

• Validate MSI (Windows Installer) Packages
• Validate WSH (Windows Script Hosts)
• Validate registry files

• Application Control validates MSIs, Registry files, and WSH files against the rules by default. Otherwise, they are ignored unless they are specified in the rules themselves.
• Turn these options off only if you trust these types of files running or you have adequate protections in place in the Application Control rules or by some other method.

• Enable Application Access Control
• Enable Application Network Access Control
• Enable Privilege Management

• All Application Control functionality is enabled by default but you can disable any of these as part of any troubleshooting process.
• We recommend disabling any functionality which you do not want to use.

Set triggers, warning message behavior to users, and warning message notifications.

For assigning to files, folders, signatures, drives and application groups in Rules.

• Security level set to Unrestricted.
• No other default settings are applied.

• Security level set to Restricted.
• AppSense Program Files directories are added to Allowed Items.
• No other default settings are applied.

• *.EXE
• *.DLL

• All EXE and DLL files are allowed to run when spawned by msiexec.
• This rule does not manage access to msiexec. You must manage access to msiexec in another rule.

Was this article useful?