This document provides information about the Access Policy Application Criteria screen, applicable under any segregation option. These criteria help create more effective filters and granularity for your Access policies.
Access Path
- On Segura, in the navigation bar, hover over the Product Menu and select EPM.
- In the side menu, select Policies > Windows > Access policies.
- On the Access policies screen, click the Add button.
- On the Segregation screen, click the General, Workstation or OU button.
- On the General tab, select Applications
Applications Criteria options
In the Applications tab will allow you to define the main parameters of an access policy.
| Criterion | Description | Additional Info |
|---|---|---|
| Certificate | Only certificates marked as Trusted Only are validated. | |
| COM class ID | Enter the GUID-format information present in all applications. | |
| ActiveX version | Specify the ActiveX version. | |
| ActiveX codebase | URL or path specifying the location from which the ActiveX control is downloaded or loaded. | |
| Directory | Specify the complete application path. The rule validates if the registered path is identical to the file path. | |
| File hash | Enter the unique file hash. If you choose this, only this criterion will be considered, and others like Product Name or Directory will be ignored. | If the access list contains multiple file hash criteria, they are evaluated with an OR (||) condition. To get the hash using Windows use Get-Filehash -path c:\\pathToFile\\fileExample.exe -algorithm SHA256 in CMD to obtain the file hash. Replace the path accordingly, admin rights may be required to run the command. |
| File version | Enter the file version. | |
| Internet zone identifier | Identifies the file's source zone (Internet or Local). | |
| Product name | Name of the program. It is recommended not to use only this criterion for security reasons. | |
| Product version | Specify the version. | |
| Parent process | Specify the Parent process. Child process | |
| Child process | Specify the Child process. | |
| Source URL | The file will only be executed if the download URL matches the value provided. | |
| Product code | Unique identifier (GUID) for installed software packages, used by Windows Installer (MSI). | |
| Update code | GUID found in the Windows registry for each program. | |
| Supplier name | Manufacturer's name. | |
| Windows Store Editor | For applications from Microsoft Store, validation is based on directory and Windows Apps folder. | Info: DLLs are handled like applications and can be filtered by Product Name, Product Version, Certificate, File Version, Directory, File Hash, Internet Zone Identifier, and Windows Store Publisher. |
Important logic notes:
- Rules: Fields where you enter information to create a rule. Fill them out according to the selected criteria.
- If more than one criterion is used, the logical operator is AND (&&) (e.g.,
Product Version AND Product Name). - If you define several criteria with different rules, the criteria are joined by AND (&&), and the rules by OR (||) (e.g.,
Product E Version (Product Name A OR Product Name B)).
Warning
When using only the Product name criterion, security risks may arise. Always consider adding other criteria such as Directory, Certificate, or File hash.
Do you still have questions? Reach out to the senhasegura Community.