Best practices for choosing which condition to use for a rule

You add custom application control rules and conditions to prevent users from opening applications, writing to files, or sharing files. You can look at the default rule sets to help determine how to set up your rules. For example, you can edit the Block applications from running rule set to view how you might use a Launch Process Attempts condition. See:
Typical conditions to use for a rule

Rule: Prevent users from opening an application
Condition: You can block an application when it meets either of these conditions:
  • Launch Process Attempts
    For example, to prevent users from transferring FTP files, you can add a rule that blocks a user from launching an FTP client from the command prompt.
  • Load DLL Attempts
    For example, if you add a rule that blocks Msvcrt.dll on the client computer, users cannot open Microsoft WordPad. The rule also blocks any other application that uses the DLL.

Rule: Prevent users from writing to a particular file
Condition: You may want to let users open a file but not modify it. For example, a file may contain financial data that employees should view but not edit.
You can create a rule that gives users read-only access to a file. For example, you can add a rule that lets users open a text file in Notepad but does not let them edit it.
Use the File and Folder Access Attempts condition for this type of rule.

Rule: Block file shares on Windows computers
Condition: You can disable local file and print sharing on Windows computers.
Include the following conditions:
  • Registry Access Attempts
    Add all the relevant Windows security and sharing registry keys.
  • Launch Process Attempts
    Specify the server service process (svchost.exe).
  • Load DLL Attempts
    Specify the DLLs for the Security and Sharing tabs (rshx32.dll, ntshrui.dll).
  • Load DLL Attempts
    Specify the server service DLL (srvsvc.dll).
Set the action for each condition to Block access.
You can also use firewall rules to prevent or allow client computers to share files. See:

Rule: Prevent users from running peer-to-peer applications
Condition: You can prevent users from running peer-to-peer applications on their computers.
Create a custom rule with a Launch Process Attempts condition. In the condition, you must specify all peer-to-peer applications that you want to block, such as LimeWire.exe or *.torrent. Set the action for the condition to Block access.
Use an Intrusion Prevention policy to block network traffic from peer-to-peer applications. Use a Firewall policy to block the ports that send and receive peer-to-peer application traffic. See:

Rule: Block write attempts to DVD drives
Condition: Currently, application control does not have a default rule that blocks CD/DVD writing directly. Instead, you create a rule that blocks the specific DLLs that write to CD or DVD drives by using Add Condition to add a File and Folder Access Attempts condition.
You should also create a Host Integrity policy that sets the Windows registry key to block write attempts to DVD drives. See:
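A Load DLL Attempts condition blocks every application that loads the DLL, not only the one you have in mind (the Msvcrt.dll and WordPad case above). The following script is an added example, not part of this documentation or the product: before you add such a condition, it lists which running processes on a test machine currently have each candidate DLL loaded, so you can judge the collateral impact. It assumes an elevated PowerShell session whose bitness matches the operating system, and it checks the DLL names this page mentions.

```powershell
# Added example: report which running processes have each candidate DLL loaded
# before you block it with a "Load DLL Attempts" condition.
# Assumption: elevated PowerShell session, same bitness as the OS.
function Get-DllLoadImpact {
    param(
        [Parameter(Mandatory)]
        [string[]]$DllName
    )

    # Take one snapshot of every process and its loaded module names.
    # Reading .Modules on protected or higher-integrity processes throws an
    # access-denied error; record those as unreadable instead of stopping.
    $snapshot = foreach ($proc in Get-Process) {
        try {
            [pscustomobject]@{ Name = $proc.ProcessName; Modules = @($proc.Modules.ModuleName) }
        } catch {
            [pscustomobject]@{ Name = $proc.ProcessName; Modules = $null }
        }
    }
    $unreadable = @($snapshot | Where-Object { $null -eq $_.Modules }).Count

    foreach ($dll in $DllName) {
        # -contains compares case-insensitively, matching Windows file names.
        $users = $snapshot |
            Where-Object { $_.Modules -and ($_.Modules -contains $dll) } |
            ForEach-Object Name | Sort-Object -Unique

        [pscustomobject]@{
            Dll          = $dll
            ProcessCount = @($users).Count
            Processes    = ($users -join ', ')
            Unreadable   = $unreadable   # processes whose module list could not be read
        }
    }
}

# DLLs named on this page as candidates for a block condition.
Get-DllLoadImpact -DllName 'msvcrt.dll', 'rshx32.dll', 'ntshrui.dll', 'srvsvc.dll' |
    Format-Table -AutoSize
```

A non-zero Unreadable count means some processes could not be inspected, so the impact list is a lower bound rather than a complete inventory.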