Manually create a reference system whitelist policy
This document shows you how to create a whitelist policy for your reference system that targets a collection of computers, searches for Windows executables, and then adds any Windows executables to a whitelist.
Create a resource target
First you will need to create a resource target that contains the desired reference system(s). To create a resource target, do the following steps:
- In the Thycotic Security Manager, click the Resources tab.
- In the left pane, click Resource Filters.
- Right-click the Resource Target folder.
- Click New > Resource Target.
- Enter a name and description.
- Click OK.
- In the right pane under Filtering Rules, click the Add rule button.
- In the Then menu, "excludes computers not in" will be the default.
- In the menu just to the right of the Then menu, choose Computer List.
- Then click Select.
- In the Select Item window that opens, click the computer resources that represent your reference system(s).
- Click OK.
Create a file scan policy
Now that you have your targeting established you can create a file scan policy to add files to your whitelist.
- In the Thycotic Security Manager, click the Policies tab.
- In the left pane, navigate to the Thycotic Solutions > File Inventory > Policies folder.
- Right-click the Policies folder and click New > General Scheduled Client Task.
- In the Create Item dialog box, give the task a name and description.
- Under Client Command, click the Select link.
- In the Client Command dialog box, click File Scan Command.
- Click OK.
- Under Resource Targets, click the All Managed Computers (Target) link.
- In the Resource Targets dialog box, choose the endpoints you want to include in the policy.
- In the Create Item dialog box, click OK.
- Configure the new policy settings as follows:
  - Turn on the new policy.
  - Under File Specifications choose Executables in Windows Directories.
  - Under Reporting Specifications choose Executions in Windows Directories not present in Security Catalogs.
  - Configure the schedule interval for how often the file scan will execute.

  Note: During the initial testing phase the file scan can be started manually using Windows Task Scheduler on the reference system.
- Click Save.
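Before the scan results feed a whitelist, it helps to review on the reference system which executables fall outside the security catalogs. The following PowerShell script is an added example, not part of the Thycotic product or its scan logic. It assumes PowerShell 5.1 or later, treats %windir% as the scan root, looks at .exe files only, uses the SignatureType reported by Get-AuthenticodeSignature as a stand-in for "present in a security catalog", and writes to a hypothetical file named whitelist-candidates.csv.

```powershell
# Added example: approximates the selection "executables in Windows directories
# that are not present in security catalogs". Not the product's own scan logic.
param(
    [string]$Root   = $env:windir,                  # assumption: scan root is %windir%
    [string]$OutCsv = '.\whitelist-candidates.csv'  # hypothetical output path
)

# @() keeps the result an array even when nothing matches.
$candidates = @(
    Get-ChildItem -Path $Root -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            # SignatureType 'Catalog' means the file's hash is listed in a security catalog.
            if ($sig.SignatureType -ne 'Catalog') {
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path          = $_.FullName
                    SHA256        = $hash.Hash
                    SignatureType = $sig.SignatureType            # Authenticode (embedded) or None
                    Status        = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
                    Signer        = $sig.SignerCertificate.Subject # empty for unsigned files
                    LastWriteUtc  = $_.LastWriteTimeUtc
                }
            }
        }
)

# Full list for the record.
$candidates | Sort-Object Status, Path | Export-Csv -Path $OutCsv -NoTypeInformation

# Review these first: unsigned files and files whose signature does not validate.
$candidates |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Path, Status, SHA256 -AutoSize

'{0} executables under {1} are not catalog-signed; {2} of them have no valid signature.' -f `
    $candidates.Count, $Root, @($candidates | Where-Object { $_.Status -ne 'Valid' }).Count
```

Run it from an elevated prompt so protected directories can be read. Anything listed with a Status other than Valid deserves a manual look before the reference system's scan results are added to a whitelist.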
Create a file parameter collection
Once the file scan has run on the reference system(s) you will have a list of all executables in the Windows directories that are not contained in a security catalog.
You can create a file parameter collection that contains this list of files which can then be used in a whitelist policy.
Create a file parameter collection by doing the following steps:
- In the Thycotic Security Manager, click the Policies tab.
- In the left pane, navigate to the Thycotic Solutions > Application Control > Filters > Inventory Filters.
- Right-click the Inventory Filters folder.
- Click New > File Scan Results Filter (Policy).
- Give the filter a name and optional description.
- Click OK.
- In the right pane, set the Data Source to the new policy.
- Next to Reporting Filter click the Select link and choose the reporting filter you configured in the previous steps.
- Under Results click Included.
- Click Save.
Create a whitelist policy
When you have completed the previous steps, put them all into a reference system whitelist policy by doing the following steps:
- In the Thycotic Security Manager, click the Policies tab.
- In the left pane, navigate to Thycotic Solutions > Application Control > Policies > Whitelisting.
- Right-click the Whitelisting folder.
- Click New > Blank Application Control Policy.
- Give the policy a name and optional description.
- Click OK.
- In the Applications to Control tab, click the Select Applications to control... link.
- In the Select Items dialog box that opens, select the file parameter collection you created previously.
- In the Policy Enforcement tab, set the Policy priority to a number lower than your orangelist or deny policy priorities.
- Ensure that Continue enforcing policies after enforcing this policy is unchecked.
- Click Save.
You now have a working reference system whitelist policy configured.