If you’re going to use the default rules, you should be able to pare down some of the rules that were automatically generated. You don’t need 100+ rules for executables in the Windows or Program Files folder if you’re already allowing everything in those folders to execute.

## Use Publisher rules for reputable vendors

Most of the reputable software companies like Microsoft, Adobe, Citrix, Cisco, VMware, etc. do a relatively good job at digitally signing their executables. Several of these companies tend to have their installers end up in temporary folders inside of AppData, where they will be blocked if you don’t include a Publisher rule. Instead of allowing Adobe Reader, Acrobat, Illustrator, Photoshop, InDesign, etc. individually, you can use a Publisher rule that allows anything digitally signed by Adobe.

[Image: AppLocker - Adobe Publisher Rule]

## Specify file paths IT controls

If you have IT-controlled file shares that are read-only to users and computers and are used for network applications or software distribution, consider creating Path rules to allow those paths if the applications residing there aren’t digitally signed. If you’re controlling scripts with AppLocker, scripts run from Group Policy could be blocked if you haven’t created a rule to allow them to execute. This includes Sysvol!

## Using hash rules can get dangerous really quick

The biggest downside to Hash rules is that you have to constantly update them. Every time an application update comes out, you’ll have to make sure you have the most current hash as well as the previous hash until you’ve patched all your machines. That could get time consuming very quickly.

## Use descriptive names for rules or use descriptions

The default names that are created aren’t necessarily helpful at letting you know why the rule was created. If you have a Publisher rule named “Signed by O=Acme Software, Inc., L=ATLANTA, S=GEORGIA, C=US,” you can’t really tell that the rule was created for software signed by Acme Software that is used by your Accounting department.
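The following PowerShell script is an added example, not code from the original post, that puts the four tips above into practice: it derives a vendor-wide Publisher rule from one signed binary, adds Path rules for an IT-controlled share and for Sysvol scripts, replaces the auto-generated rule names with descriptive names and descriptions, dry-runs the draft policy with `Test-AppLockerPolicy`, and audits the Hash rules already in the effective policy to find ones whose hash no longer matches the file on disk. The share path, the Sysvol path and the Adobe sample binary are placeholders to adjust for your environment; the `Add-PathRule`, `Get-OrAddCollection` and `Find-StaleHashRules` functions are written here, not part of the AppLocker module.

```powershell
# Added example (not from the original post). Requires the AppLocker module on Windows.
# Placeholders - adjust for your environment:
$ItShare       = '\\fileserver\software$\*'                                   # read-only, IT-controlled share
$SysvolScripts = '\\contoso.example\SYSVOL\contoso.example\scripts\*'          # your domain's Sysvol scripts
$AdobeSample   = 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'

# --- 1. Publisher rule: "anything signed by Adobe" derived from one signed file ---
$info = Get-AppLockerFileInformation -Path $AdobeSample
if (-not $info.Publisher) { throw "$AdobeSample is not signed; a Publisher rule cannot be built from it" }
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
                   -User Everyone -RuleNamePrefix 'Adobe' -Optimize -Xml

# Helper (hypothetical): return the RuleCollection of a given type, creating it in AuditOnly mode if absent.
function Get-OrAddCollection([xml]$Doc, [string]$Type) {
    $c = $Doc.AppLockerPolicy.RuleCollection | Where-Object { $_.GetAttribute('Type') -eq $Type }
    if (-not $c) {
        $c = $Doc.CreateElement('RuleCollection')
        $c.SetAttribute('Type', $Type)
        $c.SetAttribute('EnforcementMode', 'AuditOnly')   # start in audit mode, enforce after review
        [void]$Doc.DocumentElement.AppendChild($c)
    }
    $c
}

# Widen the generated condition to the publisher level and give it a name that explains why it exists.
$exe = Get-OrAddCollection $policy 'Exe'
foreach ($rule in $exe.SelectNodes('FilePublisherRule')) {
    $cond = $rule.SelectSingleNode('Conditions/FilePublisherCondition')
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName', '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection', '*'); $range.SetAttribute('HighSection', '*')
    $rule.SetAttribute('Name', 'Allow all Adobe-signed executables (Reader + Creative Cloud, all users)')
    $rule.SetAttribute('Description', "Publisher: $($cond.GetAttribute('PublisherName')). Owner: Desktop Engineering. Added by $env:USERNAME on $(Get-Date -Format yyyy-MM-dd).")
}

# --- 2. Path rules for locations IT controls (share + Sysvol scripts) ---
# Helper (hypothetical): append an Allow-for-Everyone FilePathRule to a collection.
function Add-PathRule([System.Xml.XmlElement]$Collection, [string]$Path, [string]$Name, [string]$Description) {
    $doc  = $Collection.OwnerDocument
    $rule = $doc.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', $Name)
    $rule.SetAttribute('Description', $Description)
    $rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')   # S-1-1-0 = Everyone
    $rule.SetAttribute('Action', 'Allow')
    $conds = $doc.CreateElement('Conditions')
    $cond  = $doc.CreateElement('FilePathCondition')
    $cond.SetAttribute('Path', $Path)
    [void]$conds.AppendChild($cond); [void]$rule.AppendChild($conds); [void]$Collection.AppendChild($rule)
}
Add-PathRule $exe $ItShare 'Allow IT software distribution share (read-only to users)' `
    'Unsigned installers staged by IT; share ACL is read-only for non-admins.'
Add-PathRule (Get-OrAddCollection $policy 'Script') $SysvolScripts 'Allow Group Policy scripts from Sysvol' `
    'Logon/startup scripts delivered by GPO; without this rule they are blocked once Script rules are enforced.'

# --- 3. Dry run before merging anything into the live policy ---
$draft = Join-Path $env:TEMP 'applocker-draft.xml'
$policy.Save($draft)
Test-AppLockerPolicy -XmlPolicy $draft -Path $AdobeSample | Format-Table FilePath, PolicyDecision, MatchingRule
# Set-AppLockerPolicy -XmlPolicy $draft -Merge   # apply locally only after the dry run looks right

# --- 4. Hash rule upkeep: flag rules whose stored hash no longer matches the file on disk ---
# Helper (hypothetical): for each FileHash in the policy, locate files of the same name under
# $SearchRoots and compare the current SHA256 (via Get-AppLockerFileInformation) with the stored one.
function Find-StaleHashRules([xml]$Policy, [string[]]$SearchRoots) {
    foreach ($coll in $Policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $coll.SelectNodes('FileHashRule')) {
            foreach ($fh in $rule.SelectNodes('Conditions/FileHashCondition/FileHash')) {
                $name   = $fh.GetAttribute('SourceFileName')
                $stored = $fh.GetAttribute('Data')
                $onDisk = Get-ChildItem -Path $SearchRoots -Filter $name -Recurse -File -ErrorAction SilentlyContinue
                foreach ($f in $onDisk) {
                    $current = (Get-AppLockerFileInformation -Path $f.FullName).Hash.HashDataString
                    [pscustomobject]@{
                        Collection = $coll.GetAttribute('Type'); Rule = $rule.GetAttribute('Name')
                        File = $f.FullName; RuleStillMatches = ($current -eq $stored)   # -eq is case-insensitive
                    }
                }
            }
        }
    }
}
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
Find-StaleHashRules $effective @("$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { -not $_.RuleStillMatches } | Format-Table -AutoSize
```

The policy is built as a draft file and only merged after `Test-AppLockerPolicy` shows the expected decisions; new collections default to AuditOnly so a mistake surfaces in the AppLocker event log rather than as blocked users. The stale-hash report is the check to run after each patch cycle: any row with `RuleStillMatches` false is a Hash rule that an update has silently invalidated.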