This document explains how to configure application access lists on Segura® EPM Windows clients. You will learn how to set up general segregation policies to allow or deny access to applications across all workstations, using a variety of criteria to increase security and control.
Requirements
- You must be at least an EPM Administrator.
- Have information about the applications according to the selected criteria (e.g., certificate, file hash, directory, etc.).
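One way to gather that information on a Windows workstation before filling in the Criteria, as an added example that is not part of the Segura® documentation: the function below takes an executable path (an assumption; supply your own) and returns its directory, SHA-256 hash and Authenticode signer details, using only built-in PowerShell cmdlets. The output property names are this script's own, not Segura® field names.

```powershell
# Added example, not Segura code: collect the values an EPM administrator
# needs for directory, file hash and certificate criteria.
function Get-EpmCriteriaInfo {
    param(
        [Parameter(Mandatory)][string]$Path   # assumption: path to the target .exe
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $item = Get-Item -LiteralPath $Path

    # File hash criterion: SHA-256 of the binary as it exists on disk
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    # Certificate criterion: Authenticode signature status and signer certificate
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate

    [pscustomobject]@{
        FileName         = $item.Name
        Directory        = $item.DirectoryName      # directory criterion
        Sha256           = $hash.Hash               # file hash criterion
        SignatureStatus  = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        SignerSubject    = if ($signer) { $signer.Subject }    else { $null }
        SignerThumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        SignerNotAfter   = if ($signer) { $signer.NotAfter }   else { $null }
    }
}

# Example run against a built-in Windows binary
Get-EpmCriteriaInfo -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

Check SignatureStatus before relying on the signer values: a binary with status NotSigned or HashMismatch should be described by its hash rather than by a certificate criterion.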
Configure application access lists
- In Segura®, access the Access Lists page:
- Navigate to Grid Menu > EPM > Policies > Windows > Access lists.
- Click on the Show actions button (represented by three vertical dots).
- Select the segregation type: General, Device or Organizational Unit.
- In the General tab, fill in the following fields:
- On the Choose category screen, select Applications.
- Name*: Set a name for this policy.
- Status*: Set as active or inactive.
- Action*: Choose between allowlist (to allow) or denylist (to block).
- Segura® Intelligence Suggestions: Enable this option to allow administrators to gain insights from Segura® AI regarding the accuracy and effectiveness of this policy.
- In the Applications tab, complete the following:
- Control Parent Process*:
- If Enabled, all child processes created by the parent will follow the access list permissions.
- If Disabled, all processes are evaluated individually by the access list.
- Control Child Process*:
- If Enabled, the access list is applied to all processes originating from the child process.
- If Disabled, all processes are evaluated individually.
- In Criteria, add one or more criteria (the full set is described in Applications Criteria List EPM Windows).
- If you chose Workstation or Organizational Unit segregation, additional tabs appear; complete them as follows:
- For Workstation segregation, select one or more registered Workstations.
- For Organizational Unit segregation, add a New OU and enter the OU name in the ou field. Note: enter only the OU name (e.g., "MyOUName"), not the full distinguished name (e.g., "ou=myOUName, DC=mydomain, DC=local").
- In the Workflow tab, complete the following:
- In the Elevation Setting options, select as needed:
- User can upgrade applications
- Requires justification to elevate applications
- Requires approval to upgrade applications
- Allow emergency access
- Approval in levels: Requires approvers defined in the Approval workflow.
- If Require approval to elevate applications is checked, set the number required for each action:
- Required approvals: Number of approvals necessary for privilege elevation.
- Deprecations required: Number of actions needed to cancel the elevation.
- Answer Yes or No to the following Access Request Settings:
- Is it mandatory to specify governance code when justifying?
- Always add the user manager to approvers?
- Go to the Review tab and check that everything is correct.
- Click Save to apply the access list configuration.