Lockdown on frequently updated IIS webserver & file server

Hello, I work in a company that is looking to use the lockdown feature to narrow our attack surface.

I've successfully tested it on our SQL, DCs, but I have a few servers that are being troublesome.

I have a MS Team Foundry Server, IIS Web server with two web root directories. There is also an SMB file share server which has user home directories and our PDQ/WSUS server.

I've tried using the Allowed files/folders option in the base lockdown policy, but it doesn't seem to let users update the websites, save/delete or use files from their home directories, or allow PDQ or WSUS to get updated patches and application installs.

Is there another place I should be putting this info for lockdown to allow changes in the directories?

  • Hi Christopher, 

    You will benefit from raising a support call for your issues (bottom right of the screen). Lockdown does serve specific use cases, and if users are making regular changes, via SMB or locally, using allowed file/folder policy options might not be a suitable solution.