mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
Merge pull request #6952 from jsuther1974/WDAC-Docs
Added warning with important criteria for code signing certs
commit 7b50d4acfd
@ -22,54 +22,61 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
ECDSA isn't supported.
If you have an internal CA, complete these steps to create a code signing certificate.
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
> [!WARNING]
> Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA SHA-256 only. ECDSA isn't supported.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
> - Keys must be less than or equal to 4K key size
>
2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console.
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
2. When connected, right-click **Certificate Templates**, and then select **Manage** to open the Certification Templates Console.

Figure 1. Manage the certificate templates
3. In the navigation pane, right-click the Code Signing certificate, and then click **Duplicate Template**.
3. In the navigation pane, right-click the Code Signing certificate, and then select **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** from the **Certification Authority** list, and then select **Windows 8 / Windows Server 2012** from the **Certificate recipient** list.
5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**.
5. On the **General** tab, specify the **Template display name** and **Template name**. This example uses the name **WDAC Catalog Signing Certificate**.
6. On the **Request Handling** tab, select the **Allow private key to be exported** check box.
6. On the **Request Handling** tab, select the **Allow private key to be exported** check box.
7. On the **Extensions** tab, select the **Basic Constraints** check box, and then click **Edit**.
7. On the **Extensions** tab, select the **Basic Constraints** check box, and then select **Edit**.
8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.
8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.

Figure 2. Select constraints on the new template
9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**.
9. If a certificate manager is required to approve any issued certificates, on the **Issuance Requirements** tab, select **CA certificate manager approval**.
10. On the **Subject Name** tab, select **Supply in the request**.
11. On the **Security** tab, verify that whatever account will be used to request the certificate has the right to enroll the certificate.
12. Click **OK** to create the template, and then close the Certificate Template Console.
12. Select **OK** to create the template, and then close the Certificate Template Console.
When this certificate template has been created, you must publish it to the CA published template store. To do so, complete the following steps:
1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3.
1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then select **Certificate Template to Issue**, as shown in Figure 3.

@ -77,38 +84,38 @@ When this certificate template has been created, you must publish it to the CA p
A list of available templates to issue appears, including the template you created.
2. Select the WDAC Catalog signing certificate, and then click **OK**.
2. Select the WDAC Catalog signing certificate, and then select **OK**.
Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
1. In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**.
1. In MMC, from the **File** menu, select **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**.
2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then click **Request New Certificate**.
2. In the Certificates snap-in, right-click the Personal store folder, point to **All Tasks**, and then select **Request New Certificate**.
3. Click **Next** twice to get to the certificate selection list.
3. Select **Next** twice to get to the certificate selection list.
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.

Figure 4. Get more information for your code signing certificate
5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then click **Add**. When added, click **OK.**
5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then select **Add**. When added, select **OK.**
6. Enroll and finish.
6. Enroll and finish.
>[!NOTE]
>If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file won't be required because it already exists in your personal store. If you're signing on another computer, you'll need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing will happen on the same computer you used to request the certificate, you can skip the following steps. If you'll be signing on another computer, you need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
1. Right-click the certificate, point to **All Tasks**, and then click **Export**.
1. Right-click the certificate, point to **All Tasks**, and then select **Export**.
2. Click **Next**, and then select **Yes, export the private key**.
2. Select **Next**, and then select **Yes, export the private key**.
3. Choose the default settings, and then select **Export all extended properties**.
3. Choose the default settings, and then select **Export all extended properties**.
4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name.
4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name.
When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them.
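Review bot: the export procedure ("Yes, export the private key", then "Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name") produces a file that holds the policy-signing private key, but the surrounding text says nothing about protecting it; suggest adding, after "When the certificate has been exported, import it into the personal store...", a sentence to use a strong password, restrict access to the .pfx, and delete it from the export path once imported, since anyone holding that file can produce signed policies the devices will trust. A smaller point: in step 5, "For **Value**, select **ContosoDGSigningCert**" should read "enter", because **Value** is a text box, and it is worth stating that this common name is what the later `/n "ContosoDGSigningCert"` argument to SignTool matches on.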
@ -117,4 +124,3 @@ When the certificate has been exported, import it into the personal store for th
- [Windows Defender Application Control](windows-defender-application-control.md)
- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
@ -11,10 +11,10 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 06/27/2022
ms.date: 08/15/2022
ms.technology: windows-sec
---
@ -31,26 +31,29 @@ ms.technology: windows-sec
Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies can't be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this idea of the policies in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
> [!WARNING]
> Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA SHA-256 only. ECDSA isn't supported.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
> - Keys must be less than or equal to 4K key size
>
Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components:
- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later)
- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later)
- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created
- An internal CA code signing certificate or a purchased code signing certificate
> [!NOTE]
> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652)
>
>Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created
- An internal CA code signing certificate or a purchased code signing certificate
If you don't have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, ensure you update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
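Review bot: the warning block added here is a verbatim copy of the one added to the certificate-creation article in this same PR; consider keeping it in one shared include so the two lists of certificate rules cannot drift apart. The removed note's "All policies (base and supplemental and single-policy format) must be pkcs7 signed" also named single-policy format, which the replacement bullet "All policies, including base and supplemental, must be signed..." no longer does. Separately, the unchanged opening sentence "Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7]..." reads as two sentences spliced together; now that the PKCS #7 requirement is stated in the warning, the trailing clause could be dropped from that sentence.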
@ -64,12 +67,12 @@ If you don't have a code signing certificate, see [Optional: Create a code signi
> [!NOTE]
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the user’s personal store on the computer where the signing happens. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
4. Navigate to your desktop as the working directory:
```powershell
cd $env:USERPROFILE\Desktop
```
@ -104,11 +107,11 @@ If you don't have a code signing certificate, see [Optional: Create a code signi
```powershell
<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin
```
> [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md).
> [!NOTE]
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
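Review bot: the unchanged command `<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` mixes `-` and `/` switch prefixes; SignTool accepts both, but the page should use one style throughout. Since `-fd sha256` is exactly where the new "Use RSA SHA-256 only" rule is applied in practice, the note that explains **ContosoDGSigningCert** is a good place to add one sentence pointing back to the certificate rules, so a reader who picks a different certificate or digest here sees why it matters before a reboot. The trailing note about Secure Boot appears as both removed and added with identical text, so that part of the hunk is a whitespace-only change.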