Issue
Incorrectly configured ACS policies could If you configure Application Control Solution (ACS) policies incorrectly they could prevent services or programs from starting or running with the proper rights
...
.
Solution
You can avoid conflicts resulting from incorrectly configured ACS policies by using the following best practices:
- Always test policies on machines which mirror your the production environment environment before rolling rolling out to production.
- Create ACS policies which are first in evaluation (number 1 is first) and which allow services and other critical applications.
- Allow policies should be before deny policies (lower number policy priority). They apply their actions and then exit rule processing (by not having the options for "Continue enforcing ...." checked) except in special cases which should be confirmed with Arellia support.
- Wildcards should almost never be used in deny policies. Only with extensive testing should they be considered
- Assign policies that allow processes a lower policy priority number than policies that deny processes.
- Make sure your other policy enforcement settings check boxes are selected or cleared, depending on the aims of your policy.
- Policies that deny processes always exclude the following Application filters:
- LocalSystem and Service
- Signed Security Catalog
- You should (almost) never use wildcards in deny policies–they should be considered only after performing extensive testing.