Issue

Incorrectly configured ACS policies could prevent services or programs from starting or running with the proper rights.

Resolution

  • Always test policies on machines that mirror the production environment before rolling them out to production.
  • Create ACS policies that allow services and other critical applications, and place them first in evaluation order (number 1 is first).
  • Allow policies should come before deny policies (lower policy priority number). They should apply their actions and then exit rule processing (neither of the "Continue enforcing ...." options checked), except in special cases, which should be confirmed with Arellia support.
    • Deny policies should always exclude the filter "LocalSystem and Service" applications as well as the "Signed Security Catalog".
  • Wildcards should almost never be used in deny policies. Consider them only after extensive testing.
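
The checks above can be run as a pre-rollout review over a written inventory of the policy set. The following is an added example, not Arellia code: the Policy record is a hypothetical hand-transcribed description of each policy (not an ACS export format), the sample policies are constructed, and treating '*' and '?' as the wildcard characters is an assumption.

```python
from dataclasses import dataclass, field

# Exclusions the guidance above requires on every deny policy.
REQUIRED_DENY_EXCLUSIONS = {"LocalSystem and Service", "Signed Security Catalog"}

@dataclass
class Policy:
    """Hypothetical hand-written record of one policy; not an ACS export format."""
    name: str
    priority: int                     # 1 is evaluated first
    action: str                       # "allow" or "deny"
    continue_enforcing: bool = False  # True if either "Continue enforcing ...." box is checked
    patterns: list = field(default_factory=list)   # file/path match strings
    excluded_filters: set = field(default_factory=set)

def audit(policies):
    """Return (policy name, finding) pairs in evaluation order."""
    ordered = sorted(policies, key=lambda p: p.priority)
    first_deny = next((p.priority for p in ordered if p.action == "deny"), None)
    findings = []
    for p in ordered:
        if p.action == "allow":
            if first_deny is not None and p.priority > first_deny:
                findings.append((p.name, "allow policy evaluated after a deny policy"))
            if p.continue_enforcing:
                findings.append((p.name, "allow policy does not exit rule processing"))
        elif p.action == "deny":
            for missing in sorted(REQUIRED_DENY_EXCLUSIONS - p.excluded_filters):
                findings.append((p.name, f"deny policy does not exclude '{missing}'"))
            # Assumption: '*' and '?' are the wildcard characters in match strings.
            if any(c in s for s in p.patterns for c in "*?"):
                findings.append((p.name, "deny policy uses a wildcard"))
    return findings

# Constructed sample policy set, for illustration only.
SAMPLE = [
    Policy("Allow services and critical apps", 1, "allow"),
    Policy("Deny unapproved installers", 2, "deny",
           patterns=[r"C:\Users\*\Downloads\*.exe"],
           excluded_filters={"LocalSystem and Service"}),
    Policy("Allow helpdesk tools", 3, "allow", continue_enforcing=True),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Findings on an allow policy that continues rule processing are prompts to confirm the special case with Arellia support, not automatic failures.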