Reducing your attack surface
En Garde
Microsoft learned from earlier versions of its software that building code integrity (CI) policies, the application control policies of Windows Defender Application Control (WDAC) [1], from scratch is hard. The vendor therefore ships a set of preconfigured CI policies with Microsoft Windows Server 2019 and Windows 10 v1709 that allow operating system files and applications such as Microsoft SQL Server to run but block executable files that are known to be usable for bypassing a CI policy. Additionally, recent Windows builds allow multiple CI policies to be nested (a base policy plus supplemental policies) so that the effective whitelist is the union of all nested policies, and an updated policy can be applied without rebooting the system.
A process runs with the access rights of the user who started it, so any program that user launches, including malware, can read, delete, or carry out of the organization whatever data the user can reach. In this article, I show how you can use WDAC to create policies that block everything that is not explicitly listed in a configurable whitelist. WDAC is similar to AppLocker, which uses Group Policy to control which applications may run by means of publisher, path, hash, and packaged (Store) app rules. Before Windows 10 v1709, WDAC policies were known as configurable CI policies and were part of Device Guard, the earlier name under which this functionality shipped.
Implementing WDAC
A successful WDAC implementation [2] requires extensive planning. You need to determine the hardware and software involved and decide whether to whitelist (allow only listed code) or blacklist (block only listed code); whitelisting is the stronger model but needs the most care. Then inventory the software used in each department to decide how many WDAC policies are required. Scanning reference PCs to identify the installed software and generating WDAC policies from the result is also recommended. The scan should run on a clean, freshly installed reference image, because every binary present at scan time ends up on the whitelist.
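The reference-PC scan and the resulting whitelist policy described above, as an added worked example that is not from the article: the script below uses the ConfigCI cmdlets that ship with Windows 10 v1709 and later to scan a reference machine, merge the result with Microsoft's in-box default Windows policy, deploy it in audit mode, and show how to review the audit events before switching to enforcement. The working directory C:\WDAC and the choice of rule levels are assumptions; run it in an elevated PowerShell session on the reference PC.

```powershell
# Added example (not from the article): build a whitelist WDAC policy from a
# reference PC and deploy it in audit mode first. Paths under C:\WDAC are
# assumptions; the cmdlets are the in-box ConfigCI module.
Import-Module ConfigCI

$work = 'C:\WDAC'   # assumption: working directory for policy files
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Scan the reference PC. -Level Publisher allows anything signed by the same
#    publisher certificate chain; -Fallback Hash pins unsigned binaries by hash.
#    -UserPEs includes user-mode executables, not only drivers. Scan only a
#    clean reference image: everything found here becomes allowed.
$refPolicy = Join-Path $work 'ReferencePC.xml'
New-CIPolicy -FilePath $refPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Merge with the example policy Microsoft ships in-box so that Windows
#    itself is allowed (file name as on Windows 10 v1709+; check your build).
$msDefault = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
$merged    = Join-Path $work 'Merged.xml'
Merge-CIPolicy -PolicyPaths $refPolicy, $msDefault -OutputFilePath $merged

# 3. Rule options (numbers as documented for Set-RuleOption). Audit mode means
#    nothing is blocked yet; every would-be block is logged instead.
$options = @{
    0  = 'Enabled:UMCI'                             # also control user-mode code
    3  = 'Enabled:Audit Mode'                       # remove later to enforce
    6  = 'Enabled:Unsigned System Integrity Policy' # policy is not signed yet
    9  = 'Enabled:Advanced Boot Options Menu'       # keep a recovery path
    10 = 'Enabled:Boot Audit on Failure'
}
foreach ($opt in $options.Keys) {
    Set-RuleOption -FilePath $merged -Option $opt
}

# 4. Compile the XML to the binary form and deploy it as the single active
#    policy. A reboot activates it.
$bin = Join-Path $work 'SIPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $bin
Copy-Item -Path $bin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
# Restart-Computer

# 5. After the machines have run their normal workload in audit mode, review
#    what would have been blocked. Event ID 3076 = audit-mode hit, 3077 =
#    enforced block. Legitimate binaries that show up here must be added to
#    the policy (rescan, or Merge-CIPolicy with a policy built from them)
#    before enforcement is switched on.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 6. Enforce: drop the audit option, recompile, redeploy, reboot.
# Set-RuleOption -FilePath $merged -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $bin
# Copy-Item -Path $bin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
```

Two points a practitioner should keep in mind: the reference scan at -Level Publisher trusts every future binary from each publisher found on the machine, so check the generated signer rules rather than accepting them blindly, and Microsoft's default Windows policy on its own does not block the signed system tools that can be abused to run arbitrary code, so the recommended block rules the article mentions should be merged in as well before enforcement.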
Because WDAC policies can also be used with applications and drivers signed with certificates,