Issue
...
If you configure Application Control Solution (ACS) policies incorrectly they could prevent services or programs from starting or running with the proper rights
...
.
Solution
You can avoid conflicts resulting from incorrectly configured ACS policies by using the following best practices:
- Always test policies on machines which mirror the production
...
- environment before
...
- rolling out to production.
...
- Deny policies should always exclude the Filter "LocalSystem and Service" applications as well as the "Signed Security Catalog".
...
- Assign policies that allow processes a lower policy priority number than policies that deny processes.
- Make sure your other policy enforcement settings check boxes are selected or cleared, depending on the aims of your policy.
- Policies that deny processes always exclude the following Application filters:
- LocalSystem and Service
- Signed Security Catalog
- You should (almost) never use wildcards in deny policies–they should be considered only after performing extensive testing.