Lead Image © dimaberkut, 123RF.com

Reducing your attack surface

En Garde

Article from ADMIN 56/2020
By
Windows Defender Application Control protects systems against threats that traditional virus scanners and signature-based mechanisms cannot detect by restricting applications in the user context and reducing the code allowed in the system kernel.

Microsoft learned in previous versions of its software that it is difficult to create code integrity (CI) policies (application control policies) under Windows Defender Application Control (WDAC) [1]. As a result, the vendor is now shipping a set of preconfigured CI policies in Microsoft Windows Server 2019 and Windows 10 v1709 that allow the execution of operating system files and applications such as Microsoft SQL Server but block executable files known to bypass the configured CI policies. Additionally, Windows Server 2019 now allows multiple CI policies to be nested to create a whitelist containing all nested CI policies, all without the need to reboot the system.

When a user runs a process, that process has the same access rights to data as the user, which means that confidential information is easily deleted or taken out of the organization. In this article, I show how you can use WDAC to create policies that block all access that is not specified in a configurable whitelist. WDAC is similar to AppLocker, which uses group policies to control access to applications in the form of path, hash, and StoreApps rules. Before Windows 10 v1709, these policies were known as configurable CI policies; Device Guard was the name of WDAC in earlier Windows versions.

Implementing WDAC

A successful WDAC implementation [2] requires extensive planning. You need to determine the necessary hardware and software and decide whether to work with whitelisting or blacklisting. Then, you need to inventory the software used in your departments to decide how many WDAC policies are required. Scanning reference PCs to identify the installed software and create WDAC policies accordingly is also recommended.
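The following PowerShell session is an added example and not code from the article; it walks through the reference-PC scan described above with the ConfigCI module that ships in Windows 10/Server 2019, runs the resulting policy in audit mode first, and then shows how a second, supplemental policy is nested under the base policy as the article mentions. The directory C:\WDAC, the file names, and the choice of Publisher level with hash fallback are assumptions for the example.

```powershell
# Added example (not the article's own code): build a WDAC base policy from a reference PC,
# validate it in audit mode, enforce it, then nest a supplemental policy under it.
# C:\WDAC and the file names below are assumptions; run in an elevated PowerShell.
Import-Module ConfigCI   # built into Windows 10 / Server 2019, no install required

$Base = "C:\WDAC\BasePolicy.xml"
$Active = "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active"
New-Item -ItemType Directory -Path "C:\WDAC" -Force | Out-Null

# 1. Scan the reference PC and generate the whitelist. -Level Publisher trusts code signed by the
#    publishers found during the scan; unsigned files fall back to per-file hashes (-Fallback Hash).
#    -UserPEs includes user-mode binaries; without it only kernel-mode code is covered.
#    -MultiplePolicyFormat produces the format that supports nested (supplemental) policies.
New-CIPolicy -FilePath $Base -Level Publisher -Fallback Hash -ScanPath "C:\" -UserPEs -MultiplePolicyFormat

# 2. Rule options: 3 = Audit Mode (log instead of block), 17 = Allow Supplemental Policies,
#    16 = Update Policy No Reboot (later policy refreshes need no restart).
Set-RuleOption -FilePath $Base -Option 3
Set-RuleOption -FilePath $Base -Option 17
Set-RuleOption -FilePath $Base -Option 16

# 3. Compile to binary. In the multiple-policy format the file name must be {PolicyID}.cip.
$PolicyId = ([xml](Get-Content -Raw $Base)).SiPolicy.PolicyID
$Bin = "C:\WDAC\$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $Base -BinaryFilePath $Bin
Copy-Item $Bin $Active -Force          # first activation takes effect after a reboot

# 4. Let the reference workload run, then review what WOULD have been blocked.
#    Event ID 3076 = audit-mode block; 3077 = enforced block.
Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076} -MaxEvents 50 |
    Select-Object TimeCreated, Message

# 5. Once the audit log shows only expected events, drop option 3 and redeploy to enforce.
Set-RuleOption -FilePath $Base -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $Base -BinaryPath $Bin
Copy-Item $Bin $Active -Force

# 6. Nest a departmental policy under the base: scan only that department's application
#    folder (assumed path) and mark the result as supplementing the base policy.
$Supp = "C:\WDAC\FinanceSupplemental.xml"
New-CIPolicy -FilePath $Supp -Level Publisher -Fallback Hash -ScanPath "C:\Program Files\FinanceApp" -UserPEs -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $Supp -BasePolicyToSupplement $Base
$SuppId = ([xml](Get-Content -Raw $Supp)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $Supp -BinaryFilePath "C:\WDAC\$SuppId.cip"
Copy-Item "C:\WDAC\$SuppId.cip" $Active -Force
```

Keeping the base policy in audit mode until event 3076 stops reporting unexpected binaries is the safety check that separates a reference-PC scan from a production rollout: every 3076 entry is either a file the scan missed (add it to a supplemental policy) or code that has no business running on that machine.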

Because WDAC policies can also be used with applications and drivers signed with certificates,

...