
Creating and Managing Trusted Policies

Nov 12, 2025



This document outlines the process of creating and managing trusted policies within an IT environment. By following these steps, you can efficiently manage publisher trust, handle unsigned files, and utilize hash-based, path-based, and process-based trust methods to ensure secure application execution.

Step 1

Identify Publisher Trust Needs

To begin building a policy, start by identifying the publisher trust needs. In this example, VideoLAN accounts for 372 untrusted executions, so trusting it as a publisher will significantly reduce the untrusted execution count.

Screenshot

Step 2

Review Files Signed by the Publisher

After selecting VideoLAN, review all files signed by this organization that have been executed in your environment to confirm there are no unexpected items. Verify that each file is what you expect, for example recognizing the VideoLAN-signed files as VLC Media Player. You can add the publisher to a policy from this stage, or include multiple publishers at once.

Screenshot

Step 3

Add Multiple Publishers to a Policy

If desired, you can add multiple publishers, such as VideoLAN, Brave, Zoom, Mozilla, Spotify, and Microsoft, to a single policy or multiple policies at once.

Screenshot

Step 4

Assign Policy to Groups

In this scenario, allow developers, IT, and workstations to run any applications signed by the selected publishers.

Screenshot

Step 5

Verify Reduction in Untrusted Executions

After adding the publishers to the policy, observe the reduction in untrusted execution numbers. Files signed by those publishers now run as trusted going forward, which streamlines future reviews. Note that unsigned files cannot use publisher trust.

Screenshot

Step 6

Implement Hash-Based Trust for Unsigned Files

For unsigned applications such as ShareX, establish trust by the SHA-256 hash of each file. If a file is updated or otherwise changes, its hash no longer matches, the trust is broken, and Airlock will block it again.

Screenshot

Step 7

Use Hash-Based Trust Appropriately

Hash-based trust is ideal for applications that rarely update or those field-tested by a security team before deployment.

Screenshot

Step 8

Trust Execution Path

Trust can also be assigned based on the path where files run. Utilize wildcarding to specify which files can execute in certain directories.

Screenshot

Step 9

Apply Process-Based Trust

Path rules can be narrowed, for instance restricting a directory so that only DLLs are allowed to run from it. Alternatively, apply process-based trust by examining an individual file's parent process.

Screenshot

Step 10

Establish Process-Based Trust

In the case of ShareX.exe as a consistent parent process, allow the IT workstations group to run anything where ShareX is the parent process. Additionally, create a path exclusion to trust items in the ShareX directory.

Screenshot

Step 11

Implement Path-Specific Wildcarding

Use wildcarding to specify conditions such as allowing only DLLs in a directory.

Screenshot

Step 12

Review Wildcarding and Metadata Rules

Review wildcarding rules and note that metadata rules will be addressed in a separate module.

Screenshot
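As an added illustration, not taken from this guide or from Airlock's own code, the following Python model evaluates the trust methods walked through above (publisher, SHA-256 hash, wildcard path, and parent process) against constructed execution events; the group names, file paths, file bytes and the order in which the methods are checked are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Execution:      # one observed execution event (constructed for this example)
    path: str         # full image path on the endpoint
    content: bytes    # file bytes, hashed at evaluation time
    publisher: str    # code-signing publisher; "" when the file is unsigned
    parent: str       # image name of the parent process
    group: str        # endpoint group the event came from
@dataclass
class Policy:         # what a policy trusts, and which groups it is assigned to
    groups: set
    publishers: set = field(default_factory=set)
    hashes: set = field(default_factory=set)    # SHA-256 hex digests
    paths: list = field(default_factory=list)   # wildcard path patterns
    parents: set = field(default_factory=set)   # trusted parent process images

def evaluate(ev: Execution, policies: list) -> str:  # trust method that allows ev, or "blocked"
    for p in policies:
        if ev.group not in p.groups:
            continue
        if ev.publisher and ev.publisher in p.publishers:  # unsigned files never match here
            return "publisher"
        if hashlib.sha256(ev.content).hexdigest() in p.hashes:  # any byte change breaks this
            return "hash"
        if any(fnmatchcase(ev.path.lower(), pat.lower()) for pat in p.paths):
            return "path"  # caution: '*' also spans directory separators
        if ev.parent.lower() in p.parents:
            return "parent"
    return "blocked"

SHAREX_V1 = b"sharex build 1"  # constructed stand-in for the ShareX.exe bytes
POLICIES = [  # publisher trust for three groups, plus a ShareX-specific policy
    Policy({"developers", "it", "workstations"}, publishers={"VideoLAN", "Mozilla", "Microsoft"}),
    Policy({"it-workstations"}, hashes={hashlib.sha256(SHAREX_V1).hexdigest()},
           paths=[r"C:\Program Files\ShareX\*.dll"], parents={"sharex.exe"}),
]

def demo() -> dict:
    events = {  # constructed events: one per trust method, plus two that should stay blocked
        "vlc": Execution(r"C:\Program Files\VideoLAN\vlc.exe", b"vlc", "VideoLAN", "explorer.exe", "workstations"),
        "sharex_v1": Execution(r"C:\Program Files\ShareX\ShareX.exe", SHAREX_V1, "", "explorer.exe", "it-workstations"),
        "sharex_v2": Execution(r"C:\Program Files\ShareX\ShareX.exe", b"sharex build 2", "", "explorer.exe", "it-workstations"),
        "helper_dll": Execution(r"C:\Program Files\ShareX\helper.dll", b"dll", "", "explorer.exe", "it-workstations"),
        "dropped_exe": Execution(r"C:\Program Files\ShareX\dropped.exe", b"x", "", "explorer.exe", "it-workstations"),
        "ffmpeg_child": Execution(r"C:\Program Files\ShareX\ffmpeg.exe", b"ffmpeg", "", "sharex.exe", "it-workstations"),
    }
    return {name: evaluate(ev, POLICIES) for name, ev in events.items()}
```

The "sharex_v2" event shows the hash-trust caveat from Step 6: the same path with changed bytes is blocked again, while the DLL-only wildcard lets helper.dll run but not dropped.exe.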
