Table of Contents
- Introduction
- Application Allowlisting
- Ringfencing
- Elevation Control
- Elevation Request Workflow
- Storage Control
Introduction
To strengthen the security of university-managed devices, Kean IT has deployed a layered endpoint protection strategy that combines the ThreatLocker and CrowdStrike platforms. CrowdStrike is our Managed Detection and Response (MDR) service.
While CrowdStrike specializes in detecting and responding to threats in real time, ThreatLocker adds a critical layer of prevention by controlling which applications are allowed to run and restricting how they interact with other applications, files, and system resources.
Working together, these tools provide prevention, detection, and response, reducing risk and improving overall cybersecurity across campus.
Application Allowlisting
Application Allowlisting prevents unauthorized software from running by allowing only explicitly approved programs. This blocks potentially harmful applications, including ransomware, before they can execute.
How it Works:
- Once ThreatLocker is installed, it enters a Learning Mode that tracks and catalogs all applications currently in use.
- After the learning period, Kean IT will review and remove unnecessary or potentially risky software.
- Going forward, only approved applications will be allowed to run.
- Requests for new applications can be submitted to IT and are typically approved within 60 seconds.
The User Experience:
- If a user attempts to launch an unapproved program, a pop-up alert will appear explaining why it was blocked and showing relevant details about the application.
- If the unapproved program is an installer, the Windows installer window will not open. The error Windows shows can look as though installation files are missing; in reality, ThreatLocker is preventing the installer from running at all.
Why it Matters:
Application Allowlisting lets Kean IT proactively control which applications can run, preventing malware and unsanctioned software from executing in our environment.
Ringfencing
Ringfencing adds an additional layer of protection by controlling what approved applications can do. It limits their ability to access or interact with other files, programs, or system resources, reducing the effectiveness of malicious activity.
For example, both Microsoft Word and PowerShell may be allowed to run, but Ringfencing can prevent Word from launching PowerShell, a common technique in malware attacks (for instance, a malicious document macro that uses PowerShell to download a payload).
How it Works:
- Devices are configured with default Ringfencing rules for widely used applications.
- Without Ringfencing: applications can access all the same data and resources available to the user, which poses a risk if the user is compromised.
- With Ringfencing: applications are restricted to only the resources they need, helping prevent lateral movement and data exfiltration.
Why it Matters:
Under normal operations, every application permitted on a device has the same access to other applications, files, and the network that the user has. If a user is compromised, an attacker can use an allowed application to steal files, communicate with malicious IP addresses, and make changes to the system. Ringfencing creates boundaries so that each application can access only what it needs.
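To make the layering concrete, here is a constructed Python model of how allowlisting and ringfencing are evaluated together for the Word-launches-PowerShell case described above. This is an added example, not ThreatLocker's engine, policy format, or API; the binary contents, hashes, rule names, and paths are all illustrative assumptions. It shows why allowlisting alone is not enough: every binary in the macro attack chain is on the allowlist, and only the ringfence rule stops it.

```python
"""Constructed model of application allowlisting plus ringfencing on an endpoint.
Added example: not ThreatLocker's engine, policy format or API. Binary contents,
rule names and paths are illustrative assumptions."""
import hashlib
from fnmatch import fnmatchcase

# Constructed stand-ins for binary contents; a real policy hashes the actual file.
SAMPLE_BINARIES = {
    "winword.exe": b"constructed bytes standing in for Microsoft Word",
    "powershell.exe": b"constructed bytes standing in for PowerShell",
    "explorer.exe": b"constructed bytes standing in for Explorer",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist is keyed by file hash, not by name or path: renaming malware to
# winword.exe does not help, and a tampered winword.exe no longer matches.
ALLOWLIST = {sha256(data): name for name, data in SAMPLE_BINARIES.items()}

# Ringfence rules for allowed apps (assumed shape): which child processes each
# may launch and which storage locations it may touch. Anything unlisted is denied.
RINGFENCE = {
    "winword.exe": {
        "spawn": set(),  # a word processor has no business launching anything
        "paths": {r"C:\Users\*\Documents\*", r"C:\Users\*\AppData\Local\Temp\*"},
    },
    "powershell.exe": {
        "spawn": set(),
        "paths": {r"C:\Windows\*", r"C:\Program Files\*"},
    },
    "explorer.exe": {
        "spawn": {"winword.exe", "powershell.exe"},
        "paths": {r"C:\*", r"\\*"},
    },
}


def can_execute(image: bytes) -> tuple[bool, str]:
    """Allowlist check: (True, app name) if the hash is approved, else (False, reason)."""
    name = ALLOWLIST.get(sha256(image))
    if name is None:
        return False, "not in allowlist"
    return True, name


def can_spawn(parent: str, child: str) -> bool:
    """Ringfence check: may an allowed parent launch this child process?"""
    rules = RINGFENCE.get(parent)
    return rules is not None and child in rules["spawn"]


def can_access(app: str, path: str) -> bool:
    """Ringfence check: may an allowed app touch this path? Case-insensitive glob."""
    rules = RINGFENCE.get(app)
    if rules is None:
        return False
    return any(fnmatchcase(path.lower(), pattern.lower()) for pattern in rules["paths"])


def evaluate_chain(chain):
    """Walk a list of events and return the first denial as a string, or None.
    Events: ("exec", image_bytes), ("spawn", parent, child), ("access", app, path)."""
    for event in chain:
        kind = event[0]
        if kind == "exec":
            ok, why = can_execute(event[1])
            if not ok:
                return f"exec denied: {why}"
        elif kind == "spawn":
            if not can_spawn(event[1], event[2]):
                return f"spawn denied: {event[1]} -> {event[2]}"
        elif kind == "access":
            if not can_access(event[1], event[2]):
                return f"access denied: {event[1]} -> {event[2]}"
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return None


# Constructed macro-style attack chain: Word (allowed) opens a document, then tries
# to launch PowerShell (also allowed) to reach a finance share. Allowlisting alone
# passes every step; the ringfence on winword.exe blocks the spawn.
MACRO_CHAIN = [
    ("exec", SAMPLE_BINARIES["winword.exe"]),
    ("access", "winword.exe", r"C:\Users\alice\Documents\invoice.docm"),
    ("spawn", "winword.exe", "powershell.exe"),
    ("access", "powershell.exe", r"\\fileserver\finance\payroll.xlsx"),
]

# Constructed unknown dropper: its hash is not on the allowlist, so it never runs.
DROPPER_CHAIN = [("exec", b"constructed bytes standing in for a dropper")]

if __name__ == "__main__":
    for label, chain in (("macro", MACRO_CHAIN), ("dropper", DROPPER_CHAIN)):
        print(label, evaluate_chain(chain) or "allowed")
```

The design point is the order of checks: the hash-based allowlist decides whether a binary runs at all, and the ringfence decides what an already-running allowed binary may do. Removing the `RINGFENCE` entry for winword.exe would let the macro chain through every allowlist check, which is exactly the "without Ringfencing" case described above.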
Elevation Control
Elevation Control lets users run specific applications with administrator-level permissions without giving them full admin access or requiring them to enter admin credentials.
How it Works:
- During the Learning Mode, ThreatLocker identifies applications that may need elevated rights.
- The 24/7 CyberHero team reviews and approves trusted apps to run with elevated privileges.
- Once approved, users can launch these apps with admin rights automatically, without needing passwords or additional permissions.
- If an application has not been learned or pre-approved, users can request a temporary elevation. See the Elevation Request Workflow below.
Why it Matters:
Administrator credentials are a top target for cyber attackers. Elevation Control removes the need for users to hold these credentials, reducing the risk of compromise while preserving access to essential tools.
Elevation Request Workflow
Some applications require administrator-level access to function properly, for example to install software updates. Rather than giving users full administrative rights, Elevation Control allows users to request temporary elevated privileges for specific, approved applications.
Steps:
- User attempts to launch an application that requires elevated privileges.
- A ThreatLocker elevation prompt appears, showing details of the application and why elevation is needed.
- If the application is pre-approved for elevation, the user can run it with admin rights immediately — no credentials required.
- If the application is not yet approved for elevation, the user can click “Send Request.”
- Once approved, the application will run with the necessary elevated permissions.
Storage Control
Storage Control enforces policies over access to storage locations like local folders, network shares, or external drives.
How it Works:
- Policies are based on the user, the time of day, the file type, and the application attempting access.
- When access is blocked, users receive a pop-up with the option to request access.
- Kean IT can approve the request, typically within 60 seconds.
Why it Matters:
Sensitive data protection is critical. Storage Control enables granular control over where data can be accessed or stored, enhancing data security across local and network resources.