 Global Policy Options
 Process Access Controls
 Full Access Process Access Controls
Allow full access to these processes
List of processes to give full access to
TargetProgram="%systemroot%\System32\ctfmon.exe"
 Limited Access Process Access Controls
Block and log modifications to these processes as trivial
List of processes that should not be modified
TargetProgram="%systemroot%\System32\csrss.exe"
TargetProgram="%systemroot%\System32\winlogon.exe"
TargetProgram="%systemroot%\System32\wininit.exe"
TargetProgram="%systemroot%\System32\smss.exe"
TargetProgram="*", Program="%systemroot%\system32\conhost.exe"
TargetProgram="%systemroot%\explorer.exe", Program="*"
TargetProgram="%systemroot%\System32\lsass.exe", Program="%%-6432:HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath%%vmtoolsd.exe"
 No-Access Process Access Controls
Block and log all access to these processes as trivial
List of processes that should not be accessed
TargetProgram="%systemroot%\System32\lsass.exe"
 Resource Lists
 Read-only Resource Lists
Block modifications to these files
List of files that should not be modified
Value="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\MOF Self-Install Directory%%"
Value="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\MOF Self-Install Directory%%\*"
 Network Controls
 Inbound
Globally set the default inbound rules to deny.
 Process Logging Options
Log process assignment messages
Log process assignment command line arguments
 Remote File Access Options [remote_file_ps]
 Alternate Privilege Level (choose only one)
Block execution of files with non-executable extensions
Block modifications to windows services
 Kernel Driver Options [kernel_ps]
 Advanced Options
 Network Controls
 Inbound
 Components
Inbound hosts list
kernel inbound address list
Local IPs (v4 and v6)
Global inbound hosts component
Inbound tcp port list
List of Inbound tcp ports
Any (0-65535)
Inbound udp port list
List of Inbound udp ports
Any (0-65535)
Inbound network rules
List of rules to control connections into this system
LocalPort="%iis_accept_tcp_list%", RemoteIP="%iis_netaccept_addr_list%", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="%termsrv_accept_tcp_list%", RemoteIP="%termsrv_netaccept_addr_list%", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="netbios-datagram (138)", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="netbios-ns (137)", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="high (1024-65535)", RemoteIP="pset specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
Default inbound rule
Default inbound rule action
Allow
Default inbound rule log setting
Log when denied
 Outbound
 Components
Outbound hosts list
kernel outbound address list
Local IPs (v4 and v6)
Global outbound hosts component
Outbound tcp port list
List of outbound tcp ports
high (1024-65535)
Outbound udp port list
List of outbound udp ports
high (1024-65535)
Outbound network rules
List of rules to control outbound network connections
LocalPort="netbios-datagram (138)", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="netbios-ns (137)", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="pset specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
Default outbound rule
Default outbound rule action
Allow
Default outbound rule log setting
Do not log
 Host Security Programs [hsecurity_ps]
 Basic Options
Host Security programs installed
List of Host Security programs
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\Navw32.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\Navwnt.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\SAVScan.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\ccIMScn.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\navapsvc.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\NAVAPW32.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\OPScan.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\NAV%%\IWP\NPFMntor.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\LuComServer*.EXE
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\NDETECT.EXE
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccApp.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%LiveReg\IRALRSHL.EXE
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%Script Blocking\SBServ.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%SNDSrvc.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%Rtvscan.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%SavRoam.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcagent.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcregwiz.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcupdate.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Agent\Install Dir%%\mcupdmgr.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\McShield.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\McVSEscn.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsftsn.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsmap.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online\Install Dir%%\mcvsrte.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%csscan.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%Mcshield.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%mcupdate.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir%%scan32.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.XX\szInstallDir%%Scan.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework\Installed Path%%\FrameworkService.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Application Path%%Tmntsrv.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin\Application Path%%TSC.EXE
%%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%TSC.EXE
%%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%PccNTMon.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Application Path%%TmListen.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccEvtMgr.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccSetMgr.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccProxy.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Symantec Shared Directory%%\CfgWiz.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Savrt%%\DoScan.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SSCADMIN%%Deployment\Server Rollout\SETUP.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SSCADMIN%%Deployment\ClientRemote Installation\clientremote.exe
%programfiles%\NAV\rtvscan.exe
%programfiles%\CA\etrust EZ Armor\etrust EZ Antivirus\autodown.exe
%programfiles%\CA\etrust EZ Armor\etrust EZ Antivirus\vet32.exe
%programfiles%\NavNT\rtvscan.exe
%programfiles%\McAfee.com\shared\mghtml.exe
%programfiles%\Symantec\LiveUpdate\*.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall\smc_install_path%%smc.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%\SymSPort.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%\fio.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveState Recovery\3.0\InstallDir%%Agent\VProSvc.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveState Recovery\6.0\InstallDir%%Agent\VProSvc.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM\TargetDir%%*.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%*.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAV Install Directory%%smc.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\InstallDir%%\AeXNSAgent.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%Reporting Agents\Win32\ReporterSvc.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%SPBBC\SPBBCSvc.exe
%programfiles%\Symantec\Symantec Endpoint Protection\*.exe
%%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup Exec System Recovery\ImagePath%%
%%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecRPCService\ImagePath%%
%%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecAgentAccelerator\ImagePath%%
%%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecJobEngine\ImagePath%%
%%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLOMaintenanceSvc\ImagePath%%
%%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLOAdminSvcu\ImagePath%%
%%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecDeviceMediaService\ImagePath%%
%%-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupExecAgentBrowser\ImagePath%%
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%SymSPort.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Internet Security%%fio.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Savrt%%vpdn_lu.exe
%programfiles%\Symantec Client Security\Symantec AntiVirus\vpdn_lu.exe
%programfiles%\Windows Defender\msascui.exe
%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\Common Client%%ccSvcHst.exe
%systemroot%\system32\sisnat-*.exe
%%-HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\mfevtp\ImagePath%%\*
%programfiles%\ActivIdentity\ActivClient\accrdsub.exe
%%-6432:HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\szInstallDir%%\*
 Advanced Options
Block execution of files with non-executable extensions
 Memory Controls
Enable Buffer Overflow Detection
Block unusual memory allocations
Exceptions for unusual memory allocations
List of program exceptions for unusual memory allocations
Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe"
Action="Allow", Log="Do not log", Program="%programfiles%\Symantec AntiVirus\*.exe"
Action="Allow", Log="Do not log", Program="%commonprogramfiles%\Symantec Shared\*.exe"
Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\LiveUpdate\*.exe"
Block unusual memory permission changes
Exceptions for unusual memory permission changes
List of program exceptions for unusual memory permission changes
Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe"
Action="Allow", Log="Do not log", Program="%programfiles%\Symantec AntiVirus\*.exe"
Action="Allow", Log="Do not log", Program="%commonprogramfiles%\Symantec Shared\*.exe"
Action="Allow", Log="Do not log", Program="%programfiles%\Symantec\LiveUpdate\*.exe"
Block turning off Data Execution Prevention (DEP)
Exceptions for turning off Data Execution Prevention (DEP)
List of program exceptions for turning off DEP
Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec\Symantec Endpoint Protection\*.exe"
Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec AntiVirus\*.exe"
Action="Deny", Log="Log as trivial", Program="%commonprogramfiles%\Symantec Shared\*.exe"
Action="Deny", Log="Log as trivial", Program="%programfiles%\Symantec\LiveUpdate\*.exe"
 Process Access Controls
 Full Access Process Access Controls
Allow full access to these processes
List of processes to give full access to
TargetProgram="%systemroot%\System32\winlogon.exe", Program="%%-6432:HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%smc.exe"
 Limited Access Process Access Controls
Block and log modifications to these processes as trivial
List of processes that should not be modified
TargetProgram="%systemroot%\System32\lsass.exe"
 Network Controls
 Inbound
 Components
Inbound hosts list
av inbound address list
Local IPs (v4 and v6)
Global inbound hosts component
Inbound tcp port list
List of Inbound tcp ports
sav tcp-fixed (2967)
sav tcp-dynamic
sep server default port (8443)
sep database default port (2638)
sep admin port (9090)
altiris tcp port
Inbound udp port list
List of Inbound udp ports
altiris udp port1
altiris udp port2
Inbound network rules
List of rules to control connections into this system
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="Any (0-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
Default inbound rule
Default inbound rule action
Allow
Default inbound rule log setting
Log when denied
 Outbound
 Components
Outbound hosts list
av outbound address list
Local IPs (v4 and v6)
Global outbound hosts component
Outbound tcp port list
List of outbound tcp ports
sav tcp-fixed (2967)
sav tcp-dynamic
sep server default port (8443)
sep database default port (2638)
Any (0-65535)
Outbound udp port list
List of outbound udp ports
high (1024-65535)
Outbound network rules
List of rules to control outbound network connections
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
Default outbound rule
Default outbound rule action
Allow
Default outbound rule log setting
Log when denied
 Additional Parameter Settings
Enable control of modifications to executable files
List of executable file extensions
*.exe
*.bat
*.com
*.dll
*.cpl
*.pif
*.vbe
*.vbs
*.shs
*.shb
*.scr
*.cmd
*.js
*.jse
*.wsh
*.wsf
*.reg
*.hta
*.ocx
*.msc
*.msi
*.sys
*.ps1
*.plg
*.ime
*.Manifest
*.drv
*.tsp
 General Service Options
 Alternate Privilege Lists
Specify Services with Safe privileges
List of Services with Safe privilege
Program="%systemroot%\System32\mapisp32.exe"
Program="%systemroot%\System32\msiexec.exe"
Program="%commonprogramfiles%\InstallShield\engine\*\iKernel.exe"
Program="%programfiles%\NAV\rtvscan.exe"
Program="%programfiles%\VERITAS\Backup Exec\NT\bengine.exe"
Program="%systemroot%\System32\CPQMGMT\CPQWMGMT.EXE"
Program="%systemroot%\System32\CPQMGMT\CqMgHost\CQMGHOST.EXE"
Program="%programfiles%\NavNT\rtvscan.exe"
Program="%systemroot%\MS\SMS\CORE\BIN\*"
Program="%systemroot%\MS\SMS\CLICOMP\*"
Program="%systemroot%\System32\spupdsvc.exe"
Program="%systemroot%\system32\tphdexlg.exe"
Program="%systemroot%\system32\CCM\CcmExec.exe"
Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k secsvcs *"
Program="%systemroot%\winsxs\*\tiworker.exe"
Program="%systemroot%\System32\taskhost.exe"
Program="%systemroot%\System32\taskhostex.exe"
Specify Services with Standard privileges
List of Services with Standard privilege
Program="%systemroot%\system32\regfltuser.exe"
 Additional Parameter Settings
Disable service execution of specific programs
List of programs services should not execute
Program="%systemroot%\system32\cmd.exe"
Program="%systemroot%\system32\rundll32.exe"
Program="%systemroot%\system32\cscript.exe"
Program="%systemroot%\system32\java.exe"
Program="%systemroot%\system32\javaw.exe"
Program="%systemroot%\system32\wscript.exe "
Program="%systemroot%\system32\net.exe "
Program="%systemroot%\system32\net1.exe"
Program="%systemroot%\system32\wbem\mofcomp.exe"
Program="%systemroot%\system32\ftp.exe"
Program="%systemroot%\system32\tftp.exe"
Program="%systemroot%\system32\rcp.exe"
Program="%systemroot%\system32\telnet.exe"
Program="%systemroot%\system32\rexec.exe"
Program="%systemroot%\system32\rsh.exe "
Program="%systemroot%\system32\mstsc.exe"
Program="%systemroot%\system32\shutdown.exe"
Program="%systemroot%\system32\taskkill.exe"
Program="%systemroot%\system32\netsh.exe"
Program="%systemroot%\system32\arp.exe"
Program="%systemroot%\system32\nbtstat.exe"
Program="*\osql.exe"
Program="*\sqlcmd.exe"
Program="*\command.com"
Program="*\powershell.exe"
Allow services to run these programs if using specific arguments
Exception List
Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll* *"
Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * newdev.dll* *"
Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d sdengin2.dll,ExecuteScheduledBackup *"
Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d srrstr.dll,ExecuteScheduledSPPCreation *"
Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * aepdu.dll,AePduRunUpdate *"
Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d acproxy.dll,PerformAutochkOperations *"
Program="%systemroot%\syswow64\rundll32.exe", Arguments="&ci; %systemroot%\syswow64\rundll32.exe %systemroot%\syswow64\schedsvc.dll* *"
Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe %systemroot%\system32\schedsvc.dll* *"
Program="%systemroot%\syswow64\rundll32.exe", Arguments="&ci; %systemroot%\syswow64\rundll32.exe "%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Content\VirusDefs%%\*\cceraser.dll"* *"
Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; %systemroot%\system32\rundll32.exe "%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Content\VirusDefs%%\*\cceraser.dll"* *"
 Application Service Options
 Microsoft Exchange Server [exchange_ps]
 Advanced Options
Block modifications to executable files
Block execution of files with non-executable extensions
Block registration of COM and ActiveX controls
Block modifications to windows services
 Memory Controls
Enable Buffer Overflow Detection
Block unusual memory allocations
Block unusual memory permission changes
Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
Inbound hosts list
exchange inbound address list
Local IPs (v4 and v6)
Any
Global inbound hosts component
Inbound tcp port list
List of Inbound tcp ports
high (1024-65535)
Inbound network rules
List of rules to control connections into this system
LocalPort="high (1024-65535)", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
Default inbound rule
Default inbound rule action
Deny
Default inbound rule log setting
Log
 Outbound
 Components
Outbound hosts list
exchange outbound address list
Any
Global outbound hosts component
Outbound tcp port list
List of outbound tcp ports
domain (53)
http (80)
https (443)
imap (143)
imaps (993)
irc (194)
ircs (994)
ldap (389)
ldaps (636)
nntp (119)
nntps (563)
pop3 (110)
pop3s (995)
epmap (135)
smtp (25)
ssmtp (465)
msft-gc
msft-gc-ssl
msexch-routing (691)
netbios-session (139)
high (1024-65535)
Outbound udp port list
List of outbound udp ports
domain (53)
Outbound network rules
List of rules to control outbound network connections
RemoteIP="pset specific outbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
Default outbound rule
Default outbound rule action
Deny
Default outbound rule log setting
Log
 Internet Information Services [iis_ps]
 Advanced Options
Block modifications to executable files
Block execution of files with non-executable extensions
Block registration of COM and ActiveX controls
Block modifications to windows services
 Memory Controls
Enable Buffer Overflow Detection
Block unusual memory allocations
Block unusual memory permission changes
Block turning off Data Execution Prevention (DEP)
 Resource Lists
 Writable Resource Lists
Allow modifications to these files
List of files that can be modified
Value="%systemdrive%\inetpub\temp"
Value="%systemdrive%\inetpub\temp\*"
 Network Controls
 Inbound
 Components
Enable access to mail-related resources
Mail ports used by iis
pop3 (110)
pop3s (995)
imap (143)
imaps (993)
smtp (25)
ssmtp (465)
msexch-routing (691)
Enable access to news-related resources
IIS news ports
nntp (119)
nntps (563)
Enable access to FTP-related resources
IIS news ports
ftp (21)
ftp-data (20)
Inbound hosts list
iis inbound address list
Local IPs (v4 and v6)
Inbound tcp port list
List of Inbound tcp ports
http (80)
https (443)
high (1024-65535)
ldap (389)
ldaps (636)
msft-gc (3268)
msft-gc-ssl (3269)
smtp (25)
Inbound udp port list
List of Inbound udp ports
high (1024-65535)
Inbound network rules
List of rules to control connections into this system
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
Default inbound rule
Default inbound rule action
Deny
Default inbound rule log setting
Log
 Outbound
 Components
Outbound hosts list
iis outbound address list
Any
Global outbound hosts component
Outbound tcp port list
List of outbound tcp ports
ldap (389)
ldaps (636)
msft-gc
msft-gc-ssl
epmap (135)
domain (53)
msexch-routing (691)
smtp (25)
ssmtp (465)
high (1024-65535)
Outbound udp port list
List of outbound udp ports
domain (53)
Outbound network rules
List of rules to control outbound network connections
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
Default outbound rule
Default outbound rule action
Deny
Default outbound rule log setting
Log
 Microsoft SQL Server [mssqlsrv_ps]
 Advanced Options
Block modifications to executable files
Block execution of files with non-executable extensions
Block registration of COM and ActiveX controls
Block modifications to windows services
 Memory Controls
Enable Buffer Overflow Detection
Block unusual memory allocations
Exceptions for unusual memory allocations
List of program exceptions for unusual memory allocations
Action="Allow", Log="Do not log", Program="*\sqlservr.exe"
Action="Allow", Log="Do not log", Program="*\90\DTS\Binn\MsDtsSrvr.exe"
Action="Allow", Log="Do not log", Program="*\OLAP\bin\msmdsrv.exe"
Action="Allow", Log="Do not log", Program="*\mssql\binn\sqlagent90.exe"
Block unusual memory permission changes
Block turning off Data Execution Prevention (DEP)
 Network Controls
 Inbound
 Components
Inbound hosts list
mssqlsrv inbound address list
Local IPs (v4 and v6)
Global inbound hosts component
Inbound tcp port list
List of Inbound tcp ports
ms-sql-s (1433)
ms-sql-s1 (dynamic)
ms-sql-s2 (dynamic)
ms-sql-s3 (dynamic)
Inbound udp port list
List of Inbound udp ports
ms-sql-m (1434)
ms-sql-m1 (dynamic)
Inbound network rules
List of rules to control connections into this system
RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m1 (dynamic)", Protocol="UDP", Action="Disabled", Log="Do not log"
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
Default inbound rule
Default inbound rule action
Deny
Default inbound rule log setting
Log
 Outbound
 Components
Outbound hosts list
mssqlsrv outbound address list
Local IPs (v4 and v6)
Global outbound hosts component
Outbound tcp port list
List of outbound tcp ports
epmap (135)
high (1024-65535)
Outbound network rules
List of rules to control outbound network connections
RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="Local IPs (v4 and v6)", RemotePort="ms-sql-m1 (dynamic)", Protocol="UDP", Action="Disabled", Log="Do not log"
RemotePort="ms-sql-m (1434)", Protocol="UDP", Action="Deny", Log="Log as trivial"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"
Default outbound rule
Default outbound rule action
Deny
Default outbound rule log setting
Log
 Core OS Service Options
 Symantec Data Center Security Server Agent Service [sdcssagent_ps]
 Advanced Options
Block modifications to executable files
Block registration of COM and ActiveX controls
 Process Access Controls
 No-Access Process Access Controls
Block and log all access to these processes as trivial
List of processes that should not be accessed
TargetProgram="%systemroot%\System32\lsass.exe"
 Network Controls
 Inbound
 Components
Inbound hosts list
afagent inbound address list
SDCSS Server IP
Inbound tcp port list
List of Inbound tcp ports
sdcssagent
Inbound network rules
List of rules to control connections into this system
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log"
RemotePort="domain (53)", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
Default inbound rule
Default inbound rule action
Deny
Default inbound rule log setting
Log as trivial
 Outbound
 Components
Outbound hosts list
afagent outbound address list
SDCSS Server IP
Outbound tcp port list
List of outbound tcp ports
sdcssserver
Outbound network rules
List of rules to control outbound network connections
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"
RemotePort="domain (53)", Protocol="Both TCP and UDP", Action="Allow", Log="Do not log"
RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"
RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"
Default outbound rule
Default outbound rule action
Deny
Default outbound rule log setting
Log as trivial
 Symantec Data Center Security Server Management Service [sdcssserver_ps]
 Advanced Options
Block modifications to executable files
Block execution of files with non-executable extensions
Block registration of COM and ActiveX controls
Block modifications to windows services
 Network Controls
 Inbound
Inbound network rules
List of rules to control connections into this system
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
LocalPort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
LocalPort="Any (0-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
Default inbound rule
Default inbound rule action
Allow
Default inbound rule log setting
Log when denied
 Outbound
Outbound network rules
List of rules to control outbound network connections
RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log"
RemotePort="Any (0-65535)", Protocol="TCP", Action="Allow", Log="Do not log"
Default outbound rule
Default outbound rule action
Allow
Default outbound rule log setting
Log when denied
 Distributed File System [dfssvc_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
dfssvc inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
high (1024-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
dfssvc outbound address list |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
epmap (135) |
ldap (389) |
ldaps (636) |
high (1024-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Distributed Transaction Coordinator [msdtc_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
msdtc inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
high (1024-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
msdtc outbound address list |
Global outbound hosts component |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 DNS Server [dns_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
dns inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
domain (53) |
Inbound udp port list |
List of Inbound udp ports |
domain (53) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
dns outbound address list |
Local IPs (v4 and v6) |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
domain (53) |
ldap (389) |
high (1024-65535) |
Outbound udp port list |
List of outbound udp ports |
domain (53) |
high (1024-65535) |
Outbound network rules |
List of rules to control outbound network connections |
LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 File Replication Service [ntfrs_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
ntfrs inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
high (1024-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
ntfrs outbound address list |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
ldap (389) |
epmap (135) |
high (1024-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 License Logging Service [llssrv_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
llssrv inbound address list |
Local IPs (v4 and v6) |
Any |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
high (1024-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
llssrv outbound address list |
Local IPs (v4 and v6) |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
ldap (389) |
ldaps (636) |
epmap (135) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="Local IPs (v4 and v6)", RemotePort="high (1024-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Print Spooler [spoolsv_ps, spoolsv_child_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\System32\spoolsv.exe" |
TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\System32\spoolsv.exe" |
 Limited Access Process Access Controls |
Block and log modifications to these processes as trivial |
List of processes that should not be modified |
TargetProgram="%programfiles%\Microsoft Office\Office*\*.exe", Program="%systemroot%\System32\spoolsv.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
spoolsv inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
high (1024-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
spoolsv outbound address list |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
epmap (135) |
ldap (389) |
ldaps (636) |
high (1024-65535) |
domain (53) |
printer (515) |
Outbound udp port list |
List of outbound udp ports |
snmp (161) |
slp (427) |
domain (53) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Remote Procedure Call (RPC) [rpcss_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Exceptions for unusual memory allocations |
List of program exceptions for unusual memory allocations |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\System32\dllhost.exe", Program="%systemroot%\System32\svchost.exe" |
TargetProgram="%systemroot%\System32\svchost.exe", TargetArguments="&ci; * -k rpcss *", Program="%systemroot%\System32\svchost.exe" |
TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%SescLU.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k rpcss *" |
TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%SavUI.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k rpcss *" |
TargetProgram="%systemroot%\winsxs\*\tiworker.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k rpcss *" |
TargetProgram="%systemroot%\system32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k rpcss *" |
 Limited Access Process Access Controls |
Block and log modifications to these processes as trivial |
List of processes that should not be modified |
TargetProgram="%programfiles%\*\Microsoft Shared\Office*\Office Setup Controller\setup.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *" |
TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k rpcss *" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
rpcss inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
epmap (135) |
http-rpc-epmap (593) |
Inbound udp port list |
List of Inbound udp ports |
epmap (135) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
rpcss outbound address list |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
epmap (135) |
http-rpc-epmap (593) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Remote Registry Service [regsvc_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
regsvc inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
high (1024-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
regsvc outbound address list |
Global outbound hosts component |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Service Control Manager [scm_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\system32\userinit.exe", Program="%systemroot%\System32\services.exe" |
TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\System32\services.exe" |
 Limited Access Process Access Controls |
Block and log modifications to these processes as trivial |
List of processes that should not be modified |
TargetProgram="%systemroot%\System32\lsass.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
scm inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="ntp (123)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
scm outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Secondary Logon [runas_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\system32\runas.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
runas inbound address list |
Global inbound hosts component |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
runas outbound address list |
Global outbound hosts component |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Simple TCP/IP Services [tcpsvcs_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
tcpsvcs inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
bootps (67) |
bootpc (68) |
high (1024-65535) |
printer (515) |
Inbound udp port list |
List of Inbound udp ports |
bootps (67) |
bootpc (68) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
tcpsvcs outbound address list |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
ldap (389) |
ldaps (636) |
domain (53) |
Outbound udp port list |
List of outbound udp ports |
bootps (67) |
bootpc (68) |
domain (53) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="Local IPs (v4 and v6)", RemotePort="high (1024-65535)", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 SNMP Service [snmp_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
snmp inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
snmp (161) |
snmptrap (162) |
Inbound udp port list |
List of Inbound udp ports |
snmp (161) |
snmptrap (162) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
snmp outbound address list |
Any |
Global outbound hosts component |
Outbound udp port list |
List of outbound udp ports |
snmptrap (162) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Startup Processes [system_ps] |
 Advanced Options |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Exceptions for unusual memory allocations |
List of program exceptions for unusual memory allocations |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\csrss.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\wininit.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\System32\wbem\wmiprvse.exe" |
Block unusual memory permission changes |
Exceptions for unusual memory permission changes |
List of program exceptions for unusual memory permission changes |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\lsass.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\winlogon.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\System32\wbem\wmiprvse.exe" |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="*", Program="%systemroot%\System32\lsass.exe" |
TargetProgram="*", Program="%systemroot%\System32\winlogon.exe" |
TargetProgram="*", Program="%systemroot%\System32\csrss.exe" |
TargetProgram="*", Program="%systemroot%\System32\smss.exe" |
TargetProgram="*", Program="\systemroot\System32\smss.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
system inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", RemoteIP="pset specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
system outbound address list |
Local IPs (v4 and v6) |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Task Scheduler Service [mstask_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\svchost.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
mstask inbound address list |
Local IPs (v4 and v6) |
Any |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
high (1024-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
mstask outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Telephony [tapisrv_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k tapisrv *" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
tapisrv inbound address list |
Global inbound hosts component |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
tapisrv outbound address list |
Global outbound hosts component |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Terminal Services [termsrv_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Exceptions for unusual memory allocations |
List of program exceptions for unusual memory allocations |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\lsm.exe" |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\System32\svchost.exe" |
TargetProgram="%systemroot%\System32\svchost.exe", Program="%systemroot%\System32\svchost.exe" |
TargetProgram="%systemroot%\System32\csrss.exe", Program="%systemroot%\System32\svchost.exe" |
TargetProgram="%systemroot%\System32\logon.scr", Program="%systemroot%\System32\svchost.exe" |
TargetProgram="%systemroot%\System32\rdpclip.exe", Program="%systemroot%\System32\svchost.exe" |
TargetProgram="*", Program="%systemroot%\system32\lsm.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
termsrv inbound address list |
Any |
Inbound tcp port list |
List of Inbound tcp ports |
ms-wbt-server (3389) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
termsrv outbound address list |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
epmap (135) |
ldap (389) |
high (1024-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Windows Internet Name Service (WINS) [wins_ps] |
 Basic Options |
Enable WINS management |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
wins inbound address list |
Local IPs (v4 and v6) |
Any |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
netbios-ns (137) |
high (1024-65535) |
nameserver (42) |
Inbound udp port list |
List of Inbound udp ports |
nameserver (42) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
wins outbound address list |
Local IPs (v4 and v6) |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
nameserver |
Outbound udp port list |
List of outbound udp ports |
nameserver |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Windows Management Instrumentation [winmgmt_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Block unusual memory permission changes |
Block turning off Data Execution Prevention (DEP) |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
winmgmt inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
high (1024-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
winmgmt outbound address list |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
ldap (389) |
epmap (135) |
msft-gc |
msft-gc-ssl |
msexch-routing (691) |
high (1024-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Default Windows Services [def_winsvcs_ps, netsvcs_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
Block unusual memory allocations |
Exceptions for unusual memory allocations |
List of program exceptions for unusual memory allocations |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\rundll32.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\searchfilterhost.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\slsvc.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\wermgr.exe" |
Block unusual memory permission changes |
Exceptions for unusual memory permission changes |
List of program exceptions for unusual memory permission changes |
Action="Allow", Log="Do not log", Program="%systemroot%\system32\svchost.exe" |
Block turning off Data Execution Prevention (DEP) |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\System32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\System32\winlogon.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\svchost.exe" |
TargetProgram="%systemroot%\System32\csrss.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\System32\SearchIndexer.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\System32\RunDll32.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\System32\slui.exe", Program="%systemroot%\system32\sppsvc.exe" |
TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\system32\sppsvc.exe" |
TargetProgram="%systemroot%\System32\svchost.exe", Program="%systemroot%\system32\sppsvc.exe" |
TargetProgram="%systemroot%\System32\runas.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k RPCSS *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k LocalService *", Program="%systemroot%\system32\SLsvc.exe" |
TargetProgram="%programfiles%\Outlook Express\msimn.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k RPCSS *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\consent.exe" |
TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k netsvcs *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k DcomLaunch *", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k DcomLaunch *" |
TargetProgram="%systemroot%\system32\svchost.exe", TargetArguments="&ci; * -k termsvcs *", Program="%systemroot%\system32\svchost.exe" |
TargetProgram="%systemroot%\system32\wininit.exe", Program="%systemroot%\system32\svchost.exe" |
TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage\LiveUpdate%%\LuComServer*.EXE", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps\SAVCE%%Rtvscan.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%%-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path%%*.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\rundll32.exe", Arguments="&ci; * //d srrstr.dll,ExecuteScheduledSPPCreation *" |
TargetProgram="%systemroot%\system32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe" |
TargetProgram="*", Program="%systemroot%\system32\audiodg.exe" |
TargetProgram="%programfiles%\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%programfiles%\Windows Media Player\wmpnetwk.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%systemroot%\System32\spoolsv.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%programfiles%\Adobe\Reader *\Reader\AcroRd32.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%ProgramFiles%\Symantec\Symantec Endpoint Protection\*\Bin\ccSvcHst.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%systemroot%\system32\wbem\wmiprvse.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%systemroot%\system32\lsass.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%ProgramFiles%\Microsoft Office\Office*\OUTLOOK.EXE", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%systemroot%\Explorer.EXE", Program="%systemroot%\system32\SearchProtocolHost.exe" |
TargetProgram="%systemroot%\system32\svchost.exe", Program="%systemroot%\system32\svchost.exe" |
TargetProgram="%systemroot%\system32\vssvc.exe", Program="%systemroot%\system32\svchost.exe" |
TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="\Device\HardDiskVolume?\Documents and Settings\User_Name\Local Settings\Application Data\Google\Chrome\Application\chrome.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="\Device\HardDiskVolume?\Program Files\Microsoft Office Communicator\communicator.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%systemroot%\system32\*.scr", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
TargetProgram="%systemroot%\system32\msiexec.exe", Program="%systemroot%\system32\svchost.exe" |
 No-Access Process Access Controls |
Block and log all access to these processes as trivial |
List of processes that should not be accessed |
TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISIPSService.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
TargetProgram="%%HKEY_LOCAL_MACHINE\Software\symantec\intrusion security\Agent\InstallRoot%%\IPS\bin\SISManager.exe", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k LocalSystemNetworkRestricted *" |
 Resource Lists |
 Writable Resource Lists |
Allow modifications to these Registry keys |
List of Registry keys that can be modified |
Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\VSS\Diag\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows*\CurrentVersion\SPP*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
Value="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k SDRSVC *" |
Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\NetLogon\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
Value="\REGISTRY\MACHINE\SYSTEM\*controlset*\services\W32Time\*", Program="%systemroot%\system32\svchost.exe", Arguments="&ci; * -k NetworkService *" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
def_winsvcs inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
def_winsvcs outbound address list |
Local IPs (v4 and v6) |
Any |
Global outbound hosts component |
Outbound udp port list |
List of outbound udp ports |
ntp (123) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Full Service Options [svc_fullpriv_ps] |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
full_svc inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
full_svc outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
high (1024-65535) |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 SysCall Options |
Allow mounting of filesystems |
Allow creation of hardlinks |
 Safe Service Options [svc_safepriv_ps] |
 Memory Controls |
Enable Buffer Overflow Detection |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
safe_svc inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="cisco-vpn (500)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
safe_svc outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
LocalPort="bootpc (68)", RemotePort="bootps (67)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 SysCall Options |
Allow mounting of filesystems |
Allow creation of hardlinks |
 Custom Service Options [svc_custompriv_ps] |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
custom_svc inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
custom_svc outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
 Default Service Options [svc_stdpriv_ps] |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
 Alternate Privilege Level (choose only one) |
Run with Safe Service privileges |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\explorer.exe", Program="%systemroot%\System32\svchost.exe", Arguments="&ci; * -k netsvcs *" |
 Limited Access Process Access Controls |
Block and log modifications to these processes as trivial |
List of processes that should not be modified |
TargetProgram="%systemroot%\System32\lsass.exe", Program="%systemroot%\system32\wbem\wmiprvse.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
std_svc inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="cisco-vpn (500)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
std_svc outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Interactive Program Options |
 General Interactive Program Options |
 Alternate Privilege Lists |
Specify Interactive Programs that should not start |
List of Interactive Programs that should not start |
Program="%systemroot%\system32\rstrui.exe" |
Program="%systemroot%\system32\wbem\mofcomp.exe" |
Specify Interactive Programs with Safe privileges |
List of Interactive Programs with Safe privileges |
Program="%systemroot%\System32\mapisp32.exe" |
Program="%systemroot%\System32\msiexec.exe" |
Program="%commonprogramfiles%\InstallShield\engine\*\iKernel.exe" |
Program="%programfiles%\VERITAS\Backup Exec\NT\bengine.exe" |
Program="%systemroot%\System32\CPQMGMT\CPQWMGMT.EXE" |
Program="%systemroot%\System32\CPQMGMT\CqMgHost\CQMGHOST.EXE" |
Program="%systemroot%\MS\SMS\CORE\BIN\*" |
Program="%systemroot%\MS\SMS\CLICOMP\*" |
Program="%commonprogramfiles%\System\MAPI\1033\nt\MAPISP32.EXE" |
Specify groups with Safe privileges |
List of groups with Safe privileges |
%?SIDToName(S-1-5-32-544)?% |
 Specific Interactive Program Options |
 Symantec Data Center Security Server UI Programs [sdcssconsole_ps] |
 Advanced Options |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block modifications to windows services |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
appfireui inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
appfireui outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
SDCSS Server IP |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
high (1024-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Outlook & Outlook Express [outlook_ps, int_mailchild_ps, int_mailchild_unsafe_ps] |
 Advanced Options |
 Memory Controls |
Enable Buffer Overflow Detection |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block modifications to Startup folders |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
Apply Outlook & Outlook Express control to Safe privilege users |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Outlook Express\msimn.exe" |
TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Microsoft Office\Office12\OUTLOOK.EXE" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
outlook inbound address list |
Local IPs (v4 and v6) |
Any |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", RemoteIP="pset specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
outlook outbound address list |
Local IPs (v4 and v6) |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Microsoft Office [msoffice_ps] |
 Advanced Options |
 Memory Controls |
Enable Buffer Overflow Detection |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block modifications to Startup folders |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
Apply Microsoft Office control to Safe privilege users |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%programfiles%\Microsoft Office\Office*\*.exe", Program="%systemroot%\splwow64.exe" |
 Limited Access Process Access Controls |
Block and log modifications to these processes as trivial |
List of processes that should not be modified |
TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Microsoft Office\Office*\*.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
msoffice inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", RemoteIP="pset specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
msoffice outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific inbound hosts component", RemotePort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Internet Explorer [iexplore_ps] |
 Basic Options |
Disable execution of specific programs |
List of programs Internet Explorer should not execute |
Program="%systemroot%\system32\cmd.exe" |
 Advanced Options |
 Memory Controls |
Enable Buffer Overflow Detection |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block modifications to Startup folders |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
Apply Internet Explorer control to Safe privilege users |
 Process Access Controls |
 Full Access Process Access Controls |
Allow full access to these processes |
List of processes to give full access to |
TargetProgram="%systemroot%\explorer.exe", Program="%programfiles%\Internet Explorer\iexplore.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
iexplore inbound address list |
Local IPs (v4 and v6) |
Any |
Global inbound hosts component |
Inbound network rules |
List of rules to control connections into this system |
RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
RemotePort="ftp-data (20)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
iexplore outbound address list |
Local IPs (v4 and v6) |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
http (80) |
https (443) |
epmap (135) |
ldap (389) |
ftp (21) |
8081 |
sep server default port (8443) |
sep admin port (9090) |
high (1024-65535) |
Outbound udp port list |
List of outbound udp ports |
domain (53) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="high (1024-65535)", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Full Interactive Program Options [int_fullpriv_ps] |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
full_int inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
high (1024-65535) |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
full_int outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
high (1024-65535) |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 SysCall Options |
Allow mounting of filesystems |
Allow creation of hardlinks |
 Safe Interactive Program Options [int_safepriv_ps] |
 Memory Controls |
Enable Buffer Overflow Detection |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
safe_int inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
high (1024-65535) |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
safe_int outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
Any (0-65535) |
Outbound udp port list |
List of outbound udp ports |
high (1024-65535) |
Any (0-65535) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |
 Custom Interactive Program Options [int_custompriv_ps] |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block modifications to Startup folders |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
custom_int inbound address list |
Local IPs (v4 and v6) |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
epmap (135) |
Inbound udp port list |
List of Inbound udp ports |
epmap (135) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Deny |
Default inbound rule log setting |
Log |
 Outbound |
 Components |
Outbound hosts list |
custom_int outbound address list |
Local IPs (v4 and v6) |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
epmap (135) |
ldap (389) |
http (80) |
Outbound udp port list |
List of outbound udp ports |
epmap (135) |
Outbound network rules |
List of rules to control outbound network connections |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Deny |
Default outbound rule log setting |
Log |
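The network rules in the process sets above are flattened `Key="value"` lines whose port and host fields either name a literal range ("high (1024-65535)") or point at the process set's own component lists ("pset specific tcp outbound port component"). The evaluator below is an added illustration, not code from this policy or from Symantec: it parses those lines for the Internet Explorer [iexplore_ps] and Custom Interactive Program Options [int_custompriv_ps] outbound sections, resolves the component references against the port and host lists copied from the page, and walks the rules top-down with first match winning and the default rule as fallback (an assumption about the product's evaluation order). LOCAL_IPS, the contents of the two Global hosts components, the local port 50000 and the addresses 192.0.2.10 and 198.51.100.7 are constructed test values; per-program rules (Program=, User=, ...) are skipped because the model carries no process identity.

```python
import re

# Constructed test environment (not from the policy dump): this host's addresses and the Global hosts lists.
LOCAL_IPS = {"10.0.0.5", "fe80::1"}
GLOBAL_HOSTS = {
    "Global inbound hosts component": set(),
    "Global outbound hosts component": {"192.0.2.10"},  # e.g. a domain controller (constructed)
}
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
_RANGE_RE = re.compile(r"\((\d+)(?:-(\d+))?\)\s*$")

def parse_rule(line):
    """Flattened rule line (Key="value", Key="value", ... |) -> dict; the trailing ' |' is ignored."""
    return dict(_ATTR_RE.findall(line))

def port_range(entry):
    """'http (80)' -> (80, 80); 'high (1024-65535)' -> (1024, 65535); '8081' -> (8081, 8081)."""
    if entry.strip().isdigit():
        return int(entry), int(entry)
    m = _RANGE_RE.search(entry)
    if m is None:
        raise ValueError(f"unrecognised port entry {entry!r}")
    return int(m.group(1)), int(m.group(2) or m.group(1))

def _port_matches(value, port, pset):
    # "pset specific tcp outbound port component" -> pset["outbound"]["tcp_ports"]
    w = value.split()
    entries = pset[w[3]][w[2] + "_ports"] if value.startswith("pset specific") else [value]
    return any(lo <= port <= hi for lo, hi in map(port_range, entries))

def _host_matches(value, ip, pset):
    # "pset specific inbound hosts component" -> pset["inbound"]["hosts"]
    entries = pset[value.split()[2]]["hosts"] if value.startswith("pset specific") else [value]
    for e in entries:
        if e == "Any" or (e == "Local IPs (v4 and v6)" and ip in LOCAL_IPS):
            return True
        if e in GLOBAL_HOSTS and ip in GLOBAL_HOSTS[e]:
            return True
    return False

def evaluate(pset, direction, proto, local_port, remote_ip, remote_port):
    """Try the rules top-down, first match wins, else apply the default rule (assumed
    SDCS evaluation order). Returns (action, logged, matched_rule_or_None)."""
    d = pset[direction]
    for raw in d["rules"]:
        rule = parse_rule(raw)
        if any(k in rule for k in ("Program", "Arguments", "User", "Group")):
            continue  # per-program rules need process identity, which this model leaves out
        if rule["Protocol"] != proto:
            continue
        if "LocalPort" in rule and not _port_matches(rule["LocalPort"], local_port, pset):
            continue
        if "RemotePort" in rule and not _port_matches(rule["RemotePort"], remote_port, pset):
            continue
        if "RemoteIP" in rule and not _host_matches(rule["RemoteIP"], remote_ip, pset):
            continue
        return rule["Action"], rule.get("Log") != "Do not log", raw
    action, log = d["default_action"], d["default_log"]
    return action, log == "Log" or (log == "Log when denied" and action == "Deny"), None

def net_dir(hosts, tcp_ports, udp_ports, rules, default_action, default_log):
    return dict(hosts=hosts, tcp_ports=tcp_ports, udp_ports=udp_ports, rules=rules,
                default_action=default_action, default_log=default_log)

# The three "pset specific" outbound rules every process set on the page carries.
COMMON_OUTBOUND_RULES = [
    'RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log"',
    'RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log"',
    'LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"',
]

# Internet Explorer [iexplore_ps] as on the page; inbound rules omitted, and it defines no inbound port lists.
IEXPLORE_PS = {
    "inbound": net_dir(["Local IPs (v4 and v6)", "Any", "Global inbound hosts component"],
                       [], [], [], "Allow", "Log when denied"),
    "outbound": net_dir(
        ["Local IPs (v4 and v6)", "Any", "Global outbound hosts component"],
        ["http (80)", "https (443)", "epmap (135)", "ldap (389)", "ftp (21)", "8081",
         "sep server default port (8443)", "sep admin port (9090)", "high (1024-65535)"],
        ["domain (53)"],
        ['RemoteIP="Local IPs (v4 and v6)", Protocol="TCP", Action="Allow", Log="Do not log"',
         'RemoteIP="Local IPs (v4 and v6)", Protocol="UDP", Action="Allow", Log="Do not log"',
         'LocalPort="high (1024-65535)", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log"']
        + COMMON_OUTBOUND_RULES,
        "Allow", "Log when denied"),
}
# Custom Interactive Program Options [int_custompriv_ps]: default Deny in both directions.
CUSTOM_INT_PS = {
    "inbound": net_dir(["Local IPs (v4 and v6)", "Global inbound hosts component"],
                       ["epmap (135)"], ["epmap (135)"], [], "Deny", "Log"),
    "outbound": net_dir(["Local IPs (v4 and v6)", "Global outbound hosts component"],
                        ["epmap (135)", "ldap (389)", "http (80)"], ["epmap (135)"],
                        list(COMMON_OUTBOUND_RULES), "Deny", "Log"),
}

def check_outbound_tcp(pset, remote_ip, remote_port):
    """Outbound TCP connect from an ephemeral local port -> (action, logged, matched_rule)."""
    return evaluate(pset, "outbound", "TCP", 50000, remote_ip, remote_port)
```

Running `check_outbound_tcp` against both sets makes the practical difference visible. Under iexplore_ps the default outbound rule is Allow with "Log when denied", so a TCP connection to an external host on port 22, which matches none of the listed ports, is still allowed and never logged; the port list only decides which connections hit an explicit rule, not which are blocked. Under int_custompriv_ps the same connection falls through to Deny and is logged, and even port 389 is denied unless the destination is in the Global outbound hosts component (or is a local address), because that set's outbound hosts list contains no "Any" entry. When tightening a default-Allow set, changing only the port list changes nothing; the default rule action is what must move to Deny.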
 Default Interactive Program Options [int_stdpriv_ps] |
Block modifications to executable files |
Block execution of files with non-executable extensions |
Block modifications to Startup folders |
Block registration of COM and ActiveX controls |
Block modifications to windows services |
 Memory Controls |
Enable Buffer Overflow Detection |
 Alternate Privilege Level (choose only one) |
Run with Safe Interactive Program privileges |
 Process Access Controls |
 Limited Access Process Access Controls |
Block and log modifications to these processes as trivial |
List of processes that should not be modified |
TargetProgram="%systemroot%\System32\lsass.exe", Program="%systemroot%\system32\mmc.exe" |
 Network Controls |
 Inbound |
 Components |
Inbound hosts list |
std_int inbound address list |
Local IPs (v4 and v6) |
Any |
Global inbound hosts component |
Inbound tcp port list |
List of Inbound tcp ports |
Any (0-65535) |
Inbound udp port list |
List of Inbound udp ports |
Any (0-65535) |
Inbound network rules |
List of rules to control connections into this system |
LocalPort="high (1024-65535)", RemoteIP="pset specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="Any", Protocol="TCP", Action="Allow", Log="Do not log", Program="%-def_int_srvprog_list:prog%", Arguments="&ci; %-def_int_srvprog_list:cmdline%", User="%-def_int_srvprog_list:id%", Group="%-def_int_srvprog_list:groupid%" |
LocalPort="pset specific tcp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="TCP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default inbound rule |
Default inbound rule action |
Allow |
Default inbound rule log setting |
Log when denied |
 Outbound |
 Components |
Outbound hosts list |
std_int outbound address list |
Local IPs (v4 and v6) |
Any |
Global outbound hosts component |
Outbound tcp port list |
List of outbound tcp ports |
ldap (389) |
http (80) |
https (443) |
epmap (135) |
Outbound udp port list |
List of outbound udp ports |
high (1024-65535) |
Outbound network rules |
List of rules to control outbound network connections |
LocalPort="high (1024-65535)", RemoteIP="pset specific outbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
RemoteIP="Any", Protocol="TCP", Action="Allow", Log="Do not log", Program="%-def_int_srvprog_list:prog%", Arguments="&ci; %-def_int_srvprog_list:cmdline%", User="%-def_int_srvprog_list:id%", Group="%-def_int_srvprog_list:groupid%" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific tcp outbound port component", Protocol="TCP", Action="Allow", Log="Do not log" |
RemoteIP="pset specific outbound hosts component", RemotePort="pset specific udp outbound port component", Protocol="UDP", Action="Allow", Log="Do not log" |
LocalPort="pset specific udp inbound port component", RemoteIP="pset specific inbound hosts component", Protocol="UDP", Action="Allow", Log="Do not log" |
Default outbound rule |
Default outbound rule action |
Allow |
Default outbound rule log setting |
Log when denied |