How to lock a system down to only specified applications

Caution

 You must thoroughly test any policies you create based on this document before you implement them in your production environment, and you must enable or disable all three policies together.

Scenario

In some cases you might need to lock the operating system of a computer down to a restricted set of programs. You can do this with Application Control Solution (ACS).

Procedure

Using the Interactive Users filter makes this achievable in a few steps. (The filter is not used until the third policy, under Applications.)

Be sure to enable or disable all of the policies together. If only one or two are enabled and the rest are disabled, you will see undesired behavior.

  • Use one policy to allow the logon processes to run.
  • Use a second policy to allow the restricted set of programs to run.
  • Use a third policy to deny all other processes invoked by the Interactive user.
    • The Interactive Users filter is used in this policy to identify which programs/processes to stop (shown in the screenshot below).
    • If this were the first policy evaluated, it would prevent any process from running as the logged-on user and so would prevent logon.
    • But it is the third policy evaluated. The two preceding policies use the Policy Enforcement options to stop additional rules from being processed once a process has been identified as handled by one of those two policies.
      • In other words, when a process starts, the program/process is evaluated to see whether it fits the rules of the first policy. If the conditions of the rules are met, the actions contained in that policy are applied to the program/process. ACS can then either continue processing additional policies in order or stop processing. Generally processing is stopped, because the desired state has already been achieved by the actions applied by the first applicable policy.
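The following simulator is an added example and is not part of the article or of ACS itself. It models the ordered first-match evaluation described above: three policies, each with an action and a "stop processing" flag, evaluated in order against a starting process. The process names, the "allow when no policy matches" default, and the policy data structure are all constructed assumptions; real ACS rules are defined in the product's policy editor, not in code. Running it shows why the order matters and why enabling only some of the three policies produces the undesired behavior the caution warns about.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Process:
    image: str          # executable name, e.g. "notepad.exe"
    interactive: bool   # True when invoked by the interactive (logged-on) user


@dataclass
class Policy:
    name: str
    matches: Callable[[Process], bool]   # the policy's rule conditions
    action: str                          # "allow" or "deny"
    stop_processing: bool                # Policy Enforcement: stop evaluating further policies


# Constructed sample sets; the article names no specific programs.
LOGON_PROCESSES = {"winlogon.exe", "userinit.exe", "explorer.exe"}
ALLOWED_PROGRAMS = {"notepad.exe", "calc.exe"}


def build_policies() -> List[Policy]:
    """The three policies from the procedure, in the order ACS must evaluate them."""
    return [
        Policy("1-allow-logon",
               lambda p: p.image.lower() in LOGON_PROCESSES, "allow", True),
        Policy("2-allow-restricted-set",
               lambda p: p.image.lower() in ALLOWED_PROGRAMS, "allow", True),
        # Interactive Users filter: everything else started by the logged-on user is denied.
        Policy("3-deny-interactive",
               lambda p: p.interactive, "deny", True),
    ]


def evaluate(process: Process, policies: List[Policy]) -> Tuple[str, Optional[str]]:
    """Evaluate policies in order; return (decision, name of the deciding policy).

    A matching policy with stop_processing ends evaluation immediately. A matching
    policy without it records its action and lets later policies override it.
    If no policy matches, the process is left alone ("allow", None) -- an assumption
    of this simulator, not a statement about ACS defaults.
    """
    decision: Tuple[str, Optional[str]] = ("allow", None)
    for pol in policies:
        if pol.matches(process):
            decision = (pol.action, pol.name)
            if pol.stop_processing:
                break
    return decision


SAMPLE_PROCESSES = [                          # constructed inputs
    Process("winlogon.exe", interactive=True),
    Process("notepad.exe", interactive=True),
    Process("cmd.exe", interactive=True),
    Process("services.exe", interactive=False),
]


def decisions(policies: List[Policy]) -> dict:
    """Map each sample process image to its decision under the given policy set."""
    return {p.image: evaluate(p, policies)[0] for p in SAMPLE_PROCESSES}


def logon_possible(policies: List[Policy]) -> bool:
    """Logon survives only if the logon processes are not denied."""
    return all(evaluate(Process(img, True), policies)[0] == "allow"
               for img in LOGON_PROCESSES)


if __name__ == "__main__":
    full = build_policies()
    print("all three policies:        ", decisions(full), "logon:", logon_possible(full))
    # Wrong order: the deny policy first blocks everything, including logon.
    reordered = [full[2], full[0], full[1]]
    print("deny policy evaluated first:", decisions(reordered), "logon:", logon_possible(reordered))
    # Partial enablement: deny-only, or allow-only, gives the undesired behavior.
    print("only policy 3 enabled:      ", decisions(full[2:]), "logon:", logon_possible(full[2:]))
    print("only policies 1 and 2:      ", decisions(full[:2]))
```

The `stop_processing` flag is what keeps the third policy from ever seeing a process the first two have already allowed; set it to `False` on policy 1 or 2 and the deny policy overrides them, which is the same effect as putting it first.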

Import the attached policies to demonstrate this functionality.

Policy XML