Though the defense+ in CIS is a powerful tool, it is hard to setup manually with personality. I think the improvement of the policy configuration interface is an urgent task. Make the policies modular will be a good change. We already have File Groups, Registry Groups and COM Groups, but when applying policies we need a POLICY GROUP. Some programs need network and system files access permission, some programs only need to access temporary files, some programs need to access the memory while others need to access keyboard, etc. With a policy group we can make smaller policies bundle and apply them flexibly to various program groups. I believe this will make it easier to manage application behaviors.
a simple chart goes here
[tr][td]programs[/td][td]policy groups[/td][/tr]
[tr][td][/td][td]net[/td][td]file[/td][td]memory[/td][/tr]
[tr][td]program A[/td][td]X[/td][td][/td][td]X[/td][/tr]
[tr][td]program B[/td][td]X[/td][td]X[/td][td][/td][/tr]