mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-29 05:37:22 +00:00
Fixed links
This commit is contained in: parent 746c4aa58d, commit 29f96bd6ca
@ -14,7 +14,7 @@ ms.reviewer: jsuther1974
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual
ms.date: 10/14/2020
ms.date: 06/07/2023
ms.technology: itpro-security
---
@ -31,12 +31,10 @@ ms.technology: itpro-security
When creating policies for use with Windows Defender Application Control (WDAC), it's recommended to start with a template policy, and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
## Template Base Policies
Each of the template policies has a unique set of policy allowlist rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility.
| Template Base Policy | Description |
|---------------------------------|-------------------------------------------------------------------|
| **Default Windows Mode** | Default Windows mode will authorize the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](/windows-hardware/drivers/install/whql-release-signature)</li></ul>|
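Review bot: whitespace-only hunk (12 lines to 10, blank lines dropped), but the unchanged **Default Windows Mode** row breaks its description cell with `</br><ul>`, and `</br>` is not valid HTML (`br` has no closing form; browsers merely tolerate it as a second line break). While this table is being touched, replace `</br>` with `<br>` or drop it, since the `<ul>` already opens a new block.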
@ -117,7 +115,7 @@ Filepath rules don't provide the same security guarantees that explicit signer r
### File Attribute Rules
The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
| Rule level | Description |
|------------ | ----------- |
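Review bot: the anchor change from `#windows-defender-application-control-filename-rules` to `#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules` is the substance of this commit, and the doubled hyphen in `use--specificfilenamelevel` is what slugging produces for a heading whose text begins with the literal parameter `-SpecificFileNameLevel` (the hyphen is kept and the preceding space becomes a second one), so it should not be "corrected" to a single hyphen. Do confirm against `select-types-of-rules-to-create.md`, which is not in this diff, that the heading text matches exactly: a stale fragment fails silently, the page loads and the jump simply does nothing. Also, the carried-over sentence `File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance.` has both "for example" and a trailing "for instance"; drop one.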
@ -14,7 +14,7 @@ ms.reviewer: isbrahm
ms.author: vinpa
manager: aaroncz
ms.topic: conceptual
ms.date: 10/14/2020
ms.date: 06/07/2023
ms.technology: itpro-security
---
@ -57,7 +57,6 @@ A short description of the rule will be shown at the bottom of the page when the
There are only three policy rules that can be configured by the supplemental policy. A description of each policy rule, beginning with the left-most column, is provided below. Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules.
| Rule option | Description |
|------------ | ----------- |
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
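Review bot: blank-line removal only (7 lines to 6). The unchanged context sentence `Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules.` uses a semicolon where the second clause is an appositive; `...will show a second column of policy rules: the advanced policy rules.` or simply `...will show a second column of advanced policy rules.` reads correctly and is a one-word change.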
@ -90,7 +89,7 @@ Filepath rules don't provide the same security guarantees that explicit signer r
### File Attribute Rules
The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
| Rule level | Description |
|------------ | ----------- |
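Review bot: same anchor fix as in the base-policy page, and it is right that both files now resolve to the same heading. The two pages carry a near-verbatim copy of this paragraph (this one ends `...based on the Product Name file name.`, the base-policy one `...based on the Product Name file name parameter.`), which is exactly how the two links drifted out of date together; consider moving the shared File Attribute Rules text into an include so the next anchor rename has to be made only once.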
@ -99,14 +98,12 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
| **Product name** | Specifies the name of the product with which the binary ships. |
| **Internal name** | Specifies the internal name of the binary. |

### File Hash Rules
Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule can't be created using the specified file rule level.
#### Deleting Signing Rules
The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you'll be prompted for another confirmation. Select `Yes` to remove the rule from the policy and the rules table.
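Review bot: whitespace-only (14 lines to 12), but two points in the unchanged context deserve a follow-up in the same commit: `#### Deleting Signing Rules` is nested under `### File Hash Rules` although the paragraph describes removing any allow or deny rule from the rules table, nothing specific to hash rules, so it should be a `###` sibling and is better titled `Deleting Rules`; and `you'll be prompted for another confirmation` begins a sentence with a lowercase letter.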