From 0abd5d926a01dd90037f6a84cb94726d9024c45d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 20 Aug 2018 15:00:11 -0700 Subject: [PATCH 1/4] new topic for dynamic code security --- ...tion-control-with-dynamic-code-security.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md new file mode 100644 index 0000000000..bfeff53c3e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md 
@@ -0,0 +1,32 @@ +--- +title: Windows Defender Application Control and .NET Hardening (Windows 10) +description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime. +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: justinha +ms.date: 08/20/2018 +--- + +# Windows Defender Application Control and .NET Hardening + +Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization. +Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. +Beginning with Windows 10, version 1803, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. + +When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources. +Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. + +Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries. +Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled. +Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. + +To enable Dynamic Code Security, add the following option to the section of your policy: + +```xml + + + +``` From 74e67f651b3e795d233196d69a027a5d98179b84 Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Mon, 20 Aug 2018 15:12:58 -0700 Subject: [PATCH 2/4] added toc entry --- .../windows-defender-application-control/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 1d9c033045..123f439d6f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -21,6 +21,7 @@ ### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) +### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) From 141b3927d8971814d788dac77d771c7e83d8936b Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 20 Aug 2018 15:28:51 -0700 Subject: [PATCH 3/4] title caps --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index bfeff53c3e..f0d33bfb46 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -10,7 +10,7 @@ author: justinha ms.date: 08/20/2018 --- -# Windows Defender Application Control and .NET Hardening +# Windows Defender Application Control and .NET hardening Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization. Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. From da3d4094c201ad9a8a6b4ca0b4a9c12bb4f59f13 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 20 Aug 2018 16:00:57 -0700 Subject: [PATCH 4/4] added author --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index f0d33bfb46..3804a87f11 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: justinha +author: morganbr ms.date: 08/20/2018 ---
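Review bot: In PATCH 1/4, the `xml` code fence is empty (the three added lines inside it are blank) and the sentence introducing it, "add the following option to the section of your policy", names neither the policy section nor the option, so a reader has nothing to paste; the hunk should spell out which element of the policy XML the rule goes in and show the actual option line inside the fence. Also, the page tells readers to test in audit mode first "to discover whether any new libraries should be included in the policy" but gives no pointer to where those audit events surface or how to add the discovered libraries; a link to the existing audit-mode and policy-merge topics in this TOC would close that gap.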
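Review bot: In PATCH 2/4, the TOC entry text "Use WDAC with .NET hardening" does not match the topic's own title ("Windows Defender Application Control and .NET Hardening") added in PATCH 1/4, and the two also differ on the capitalization of "hardening"; pick one wording and casing and use it in the TOC, the `title:` front matter and the H1 so the navigation and page agree.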
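Review bot: PATCH 3/4 lowercases "hardening" only in the H1 (`# Windows Defender Application Control and .NET hardening`), while the `title:` front-matter field introduced in PATCH 1/4 still reads ".NET Hardening (Windows 10)"; the same casing fix belongs on the `title:` line so the browser title and the page heading do not disagree.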
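Review bot: PATCH 4/4 replaces `author: justinha` with `author: morganbr` rather than adding an author, so the subject "added author" misdescribes the change; reword the commit message as a change of author, and confirm that no other metadata field on this page is expected to carry the owning author, since only `author:` is touched here.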