...
- Always test policies on machines which mirror your production environment before rolling out to production.
- Create ACS policies which are first in evaluation (number 1 is first) and which allow services and other critical applications.
- Allow policies should be before deny policies (lower number policy priority). They apply their actions and then exit rule processing (by not having the options for "Continue enforcing ...." checked) except in special cases which should be confirmed with Arellia support.
- Deny policies should always exclude the Filter "LocalSystem an dService applications"
- Wildcards should almost never be used in deny policies. Only with extensive testing should they be considered.