About best practices for creating application control rules
You should plan your custom application control rules carefully.
See Creating custom application control rules
See Typical application control rules
When you create application control rules, keep in mind the following best practices:
Table: Best practices for application control rules
Use one rule set per goal
A best practice is to create one rule set that includes all of the actions that allow, block, and monitor one given task.
You want to block write attempts to all removable drives and you want to block applications from tampering with a particular application.
To accomplish these goals, you should create two different rule sets. You should not create all of the necessary rules to accomplish both of these goals with one rule set.
Consider the rule order
Application control rules work similarly to most network-based firewall rules in that both use the first rule match feature. When multiple conditions are true, the first rule is the only one that is applied unless the action that is configured for the rule is to .
You want to prevent all users from moving, copying, and creating files on USB drives.
You have an existing rule set with a condition that allows write access to a file named Test.doc. You add a second condition to this existing rule set to block all USB drives. In this scenario, users are still able to create and modify a Test.doc file on USB drives. The condition that allows write access to Test.doc comes before the condition that blocks USB drives in the rule set. The condition that blocks USB drives does not get processed when the condition that precedes it in the list is true.
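The first-match ordering pitfall described above, as an added example that is not part of the original documentation or of Symantec's product code: a constructed Python model of a rule set with an allow condition placed before a block condition, plus a small audit helper that flags block rules an earlier allow rule pre-empts. The Access and Rule types, the rule names and the sample file paths are assumptions.

```python
# Constructed model of first-match rule evaluation (not Symantec's engine).
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Access:
    path: str        # target file, e.g. "E:\\Test.doc"
    removable: bool  # True when the target volume is a USB drive
    write: bool      # True for create, modify, move and copy operations

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Access], bool]  # the rule's condition
    action: str                        # "allow" or "block"

def evaluate(rules: List[Rule], access: Access, default: str = "allow") -> str:
    """First-match semantics: the first rule whose condition is true decides;
    later rules are never consulted for that access."""
    for rule in rules:
        if rule.matches(access):
            return rule.action
    return default

def shadowed_blocks(rules: List[Rule], samples: List[Access]) -> List[str]:
    """Audit helper: names of 'block' rules that some earlier 'allow' rule
    pre-empts for at least one sample access (the ordering pitfall)."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.action != "block":
            continue
        for access in samples:
            if rule.matches(access) and any(
                r.action == "allow" and r.matches(access) for r in rules[:i]):
                shadowed.append(rule.name)
                break
    return shadowed

ALLOW_TEST_DOC = Rule("allow write to Test.doc",
                      lambda a: a.write and a.path.lower().endswith("test.doc"), "allow")
BLOCK_USB_WRITE = Rule("block writes to USB drives",
                       lambda a: a.write and a.removable, "block")

WRONG_ORDER = [ALLOW_TEST_DOC, BLOCK_USB_WRITE]   # as in the scenario above
RIGHT_ORDER = [BLOCK_USB_WRITE, ALLOW_TEST_DOC]   # block rule evaluated first

# Constructed sample accesses: a write to Test.doc on a USB drive and on a local disk.
USB_TEST_DOC = Access(r"E:\Test.doc", removable=True, write=True)
LOCAL_TEST_DOC = Access(r"C:\Docs\Test.doc", removable=False, write=True)
```

Running `shadowed_blocks(WRONG_ORDER, [USB_TEST_DOC])` reports the USB block rule as shadowed, while the same check on `RIGHT_ORDER` reports nothing.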
Use the Terminate process action sparingly
The Terminate process action kills a process when the process meets the configured condition.
Only advanced administrators should use the Terminate process action. Typically, you should use the action instead.
You want to terminate Winword.exe any time that any process launches Winword.exe.
You create a rule and configure it with the condition and the Terminate process action. You apply the condition to Winword.exe and apply the rule to all processes.
You might expect this rule to terminate Winword.exe, but that is not what the rule does. If you try to start Winword.exe from Windows Explorer, a rule with this configuration terminates Explorer.exe, not Winword.exe. Users can still run Winword.exe if they launch it directly.
Use the Terminate Process Attempts condition to protect processes
The Terminate Process Attempts condition allows or blocks an application's ability to terminate a process on a client computer.
The condition does not allow or prevent users from stopping an application by the usual methods, such as clicking Quit from the File menu.
Process Explorer is a tool that displays the DLLs that processes have opened or loaded, and what resources the processes use.
You might want to terminate Process Explorer when it tries to terminate a particular application.
Use the Terminate Process Attempts condition and the Terminate process action to create this type of rule. You apply the condition to the Process Explorer application. You apply the rule to the application or applications that you do not want Process Explorer to terminate.