diff --git a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md index f330f24100..69df945159 100644 --- a/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/AppIdTagging/design-create-appid-tagging-policies.md @@ -92,8 +92,8 @@ After creating your AppId Tagging policy in the above steps, you can deploy the 2. Optionally, deploy it for local testing: ```powershell - copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\ - ./RefreshPolicy.exe + copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\ + ./RefreshPolicy.exe ``` RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925). diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md index b3ba7121e7..4ee7ef2757 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md 
@@ -16,23 +16,23 @@ You should now have one or more App Control for Business policies ready to deplo Before you deploy your App Control policies, you must first convert the XML to its binary form. You can do this using the following PowerShell example. You must set the $AppControlPolicyXMLFile variable to point to your App Control policy XML file. - ```powershell - ## Update the path to your App Control policy XML - $AppControlPolicyXMLFile = $env:USERPROFILE + "\Desktop\MyAppControlPolicy.xml" - [xml]$AppControlPolicy = Get-Content -Path $AppControlPolicyXMLFile - if (($AppControlPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022) - { - $PolicyID = $AppControlPolicy.SiPolicy.PolicyID - $PolicyBinary = $PolicyID+".cip" - } - else ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC) - { - $PolicyBinary = "SiPolicy.p7b" - } +```powershell +## Update the path to your App Control policy XML +$AppControlPolicyXMLFile = $env:USERPROFILE + "\Desktop\MyAppControlPolicy.xml" +[xml]$AppControlPolicy = Get-Content -Path $AppControlPolicyXMLFile +if (($AppControlPolicy.SiPolicy.PolicyID) -ne $null) ## Multiple policy format (For Windows builds 1903+ only, including Server 2022) +{ + $PolicyID = $AppControlPolicy.SiPolicy.PolicyID + $PolicyBinary = $PolicyID+".cip" +} +else ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC) +{ + $PolicyBinary = "SiPolicy.p7b" +} - ## Binary file will be written to your desktop - ConvertFrom-CIPolicy -XmlFilePath $AppControlPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary - ``` +## Binary file will be written to your desktop +ConvertFrom-CIPolicy -XmlFilePath $AppControlPolicyXMLFile -BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary +``` ## Plan your deployment 
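Review bot: `if (($AppControlPolicy.SiPolicy.PolicyID) -ne $null)` keeps `$null` on the right-hand side of the comparison; since these lines are being rewritten anyway, flip it to `if ($null -ne $AppControlPolicy.SiPolicy.PolicyID)`. With `$null` on the left the `-ne` is a true scalar comparison, whereas with the value on the left PowerShell treats an array-valued operand as a filter and the `if` can take the wrong branch (PSScriptAnalyzer reports this as PSPossibleIncorrectComparisonWithNull). The unquoted `-BinaryFilePath $env:USERPROFILE\Desktop\$PolicyBinary` argument would also be more robust as `"$env:USERPROFILE\Desktop\$PolicyBinary"` or built with `Join-Path`, which is how the fully-managed-devices page in this same PR constructs `$LamnaPolicyBin`.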
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md index a3add21030..f1e65d8fff 100644 --- a/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md +++ b/windows/security/application-security/application-control/app-control-for-business/deployment/disable-appcontrol-policies.md @@ -43,7 +43,7 @@ To make a policy effectively inactive before removing it, you can first replace Beginning with the Windows 11 2022 Update, you can remove App Control policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the App Control policy you want to remove: ```powershell - CiTool.exe -rp "{PolicyId GUID}" -json +CiTool.exe -rp "{PolicyId GUID}" -json ``` Then restart the computer. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md index f6c6797de5..111961661b 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-editing-policy.md 
@@ -40,11 +40,11 @@ The App Control Wizard makes deleting file rules from an existing policy quick a **Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2. ```xml - - - - - + + + + + ``` [comment]: <> (## Editing File Rules Coming soon!) diff --git a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md index 2f94b6e7c6..5e2b4e4017 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md @@ -53,13 +53,13 @@ To create rules from the App Control events in [MDE Advanced Hunting](../operati 1. Navigate to the Advanced Hunting section within the MDE console and query the App Control events. **The Wizard requires the following fields** in the Advanced Hunting csv file export: - ```KQL + ```kusto | project-keep Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName ``` The following Advanced Hunting query is recommended: - ```KQL + ```kusto DeviceEvents // Take only App Control events | where ActionType startswith 'AppControlCodeIntegrity' 
diff --git a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md index 978a986c90..1563a69a95 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md 
@@ -61,47 +61,47 @@ Alice follows these steps to complete this task: 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: - ```powershell - $PolicyPath=$env:userprofile+"\Desktop\" - $PolicyName= "Lamna_FullyManagedClients_Audit" - $LamnaPolicy=$PolicyPath+$PolicyName+".xml" - $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" - ``` + ```powershell + $PolicyPath=$env:userprofile+"\Desktop\" + $PolicyName= "Lamna_FullyManagedClients_Audit" + $LamnaPolicy=$PolicyPath+$PolicyName+".xml" + $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" + ``` 3. Copy the policy created by Configuration Manager to the desktop: - ```powershell - cp $ConfigMgrPolicy $LamnaPolicy - ``` + ```powershell + cp $ConfigMgrPolicy $LamnaPolicy + ``` 4. Give the new policy a unique ID, descriptive name, and initial version number: - ```powershell - Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID - Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0" - ``` + ```powershell + Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID + Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0" + ``` 5. 
Modify the copied policy to set policy rules: - ```powershell - Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode - Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy - Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu - Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps - Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer - Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot - Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental - Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security - ``` + ```powershell + Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode + Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy + Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu + Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps + Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer + Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot + Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental + Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security + ``` 6. If appropriate, add more signer or file rules to further customize the policy for your organization. 7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the App Control for Business policy to a binary format: ```powershell - [xml]$PolicyXML = Get-Content $LamnaPolicy - $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip" - ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin + [xml]$PolicyXML = Get-Content $LamnaPolicy + $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip" + ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin ``` 8. 
Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). @@ -112,33 +112,40 @@ At this point, Alice now has an initial policy that is ready to deploy in audit Alice has defined a policy for Lamna's fully managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include: -- **Users with administrative access**
- Although applying to fewer users, Lamna still allows some IT staff to sign in to its fully managed devices as administrator. This privilege allows these users (or malware running with the user's privileges) to modify or remove altogether the App Control policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. +- **Users with administrative access** - Possible mitigations: + Although applying to fewer users, Lamna still allows some IT staff to sign in to its fully managed devices as administrator. This privilege allows these users (or malware running with the user's privileges) to modify or remove altogether the App Control policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. + + Possible mitigations: - Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies. - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Use device attestation to detect the configuration state of App Control at boot time and use that information to condition access to sensitive corporate resources. -- **Unsigned policies**
- Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy. - Existing mitigations applied: +- **Unsigned policies** + + Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy. + + Existing mitigations applied: - Limit who can elevate to administrator on the device. - Possible mitigations: + Possible mitigations: - Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies. -- **Managed installer**
- See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) - Existing mitigations applied: +- **Managed installer** + + See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) + + Existing mitigations applied: - Limit who can elevate to administrator on the device. - Possible mitigations: + Possible mitigations: - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. -- **Supplemental policies**
- Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. - Possible mitigations: +- **Supplemental policies**
+ + Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. + + Possible mitigations: - Use signed App Control policies that allow authorized signed supplemental policies only. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md index d5dba038d4..c8bb39fb47 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md @@ -42,17 +42,17 @@ CiTool makes App Control for Business policy management easier for IT admins. Yo ### List policies (`--list-policies`) -```output - Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816 - Base Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816 - Friendly Name: Microsoft Windows Driver Policy - Version: 2814751463178240 - Platform Policy: true - Policy is Signed: true - Has File on Disk: false - Is Currently Enforced: true - Is Authorized: true - Status: 0 +```console +Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816 +Base Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816 +Friendly Name: Microsoft Windows Driver Policy +Version: 2814751463178240 +Platform Policy: true +Policy is Signed: true +Has File on Disk: false +Is Currently Enforced: true +Is Authorized: true +Status: 0 ``` | Attribute | Description | Example value | 
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md index 5288f40a3e..018a5a86c7 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md @@ -76,13 +76,13 @@ MSI installer files are always detected as user writeable on Windows 10, and on Installing .msi files directly from the internet to a computer protected by App Control fails. For example, this command fails: -```console +```cmd msiexec -i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi ``` As a workaround, download the MSI file and run it locally: -```console +```cmd msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi ``` diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md index d6d7b0bf4d..d39105c4a1 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md 
@@ -8,7 +8,7 @@ ms.topic: troubleshooting # Querying App Control events centrally using Advanced hunting -an App Control for Business policy logs events locally in Windows Event Viewer in either enforced or audit mode. +An App Control for Business policy logs events locally in Windows Event Viewer in either enforced or audit mode. While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems. In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view App Control events centrally from all connected systems. @@ -47,7 +47,7 @@ Query Example 1: Query the App Control action types summarized by type for past Here's a simple example query that shows all the App Control for Business events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint: -``` +```kusto DeviceEvents | where Timestamp > ago(7d) and ActionType startswith "AppControl" @@ -64,7 +64,7 @@ The query results can be used for several important functions related to managin Query Example #2: Query to determine audit blocks in the past seven days -``` +```kusto DeviceEvents | where ActionType startswith "AppControlExecutableAudited" | where Timestamp > ago(7d) diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index d11b54e8b9..53dfb74978 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md 
@@ -73,7 +73,7 @@ Set the following registry keys to enable memory integrity. These keys provide s Recommended settings (to enable memory integrity without UEFI Lock): -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f 
@@ -85,55 +85,55 @@ If you want to customize the preceding recommended settings, use the following r **To enable VBS only (no memory integrity)** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f ``` **To enable VBS and require Secure boot only (value 1)** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` **To enable VBS with Secure Boot and DMA protection (value 3)** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f ``` **To enable VBS without UEFI lock (value 0)** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f ``` **To enable VBS with UEFI lock (value 1)** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f ``` **To enable memory integrity** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f ``` **To enable memory integrity without UEFI lock (value 0)** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` **To enable memory integrity with UEFI lock (value 1)** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f ``` **To enable VBS (and memory integrity) in mandatory mode** -```console +```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f ``` 
@@ -143,12 +143,12 @@ The **Mandatory** setting prevents the OS loader from continuing to boot in case > Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot. **To gray out the memory integrity UI and display the message "This setting is managed by your administrator"** -```console +```cmd reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f ``` **To let memory integrity UI behave normally (Not grayed out)** -```console +```cmd reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f ``` @@ -269,7 +269,7 @@ Another method to determine the available and enabled VBS features is to run msi 2. Then, boot to Windows RE on the affected computer, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). 3. After logging in to Windows RE, set the memory integrity registry key to off: - ```console + ```cmd reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f ```
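Review bot: in the AppIdTagging hunk (`design-create-appid-tagging-policies.md`, step 2), the two content lines `copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\` and `./RefreshPolicy.exe` change indentation while the ```` ```powershell ```` fence lines around them stay as unchanged context inside a numbered list item. In CommonMark the body of a fenced block inside a list item must remain indented at least as far as the fence; if the content now sits to the left of the fence, the list item and the code block are closed early and the two commands render as loose text. Please confirm the new indentation matches the fence.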
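Review bot: in `disable-appcontrol-policies.md` the block `CiTool.exe -rp "{PolicyId GUID}" -json` keeps its ```` ```powershell ```` tag although the prose says to run it "from an elevated command window", while the other hunks in this PR retag blocks typed into a command window from `console` to `cmd` (`known-issues.md`, `enable-virtualization-based-protection-of-code-integrity.md`). Either tag works for this one-liner, but pick a single convention for CiTool and cmd invocations across the set. The instruction text replaces only *PolicyId GUID*, so the braces in `"{PolicyId GUID}"` are meant to stay; a reader skimming the block may drop them, so it is worth saying so explicitly.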
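Review bot: in `appcontrol-wizard-parsing-event-logs.md` the first block retagged to `kusto` begins with a bare pipe (`| project-keep Timestamp, DeviceId, DeviceName, ...`), so it is a fragment to be appended to a query rather than something that runs on its own, unlike the full `DeviceEvents | where ActionType startswith 'AppControlCodeIntegrity'` query that follows. Now that it carries a runnable-looking language tag, a lead-in such as "append the following to the end of your query" would stop readers from pasting it alone and getting a syntax error.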
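Review bot: in `create-appcontrol-policy-for-fully-managed-devices.md`, step 3 uses the `cp` alias (`cp $ConfigMgrPolicy $LamnaPolicy`); since the block is being touched, spell it out as `Copy-Item -Path $ConfigMgrPolicy -Destination $LamnaPolicy` so the snippet does not depend on alias availability and reads consistently with the `Set-CIPolicyIdInfo` and `Set-RuleOption` lines around it. Separately, in step 7 the three `ConvertFrom-CIPolicy` content lines move while their fence lines remain unchanged context; as in the AppIdTagging hunk, check that the content is still indented at least as far as the fence so the block stays inside list item 7.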
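Review bot: in the trade-offs hunk of `create-appcontrol-policy-for-fully-managed-devices.md` (from `**Users with administrative access**` onward), the bold headings and the "Existing mitigations applied:" and "Possible mitigations:" paragraphs are re-indented under each top-level bullet, but the mitigation items themselves (`- Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies.`, `- Limit who can elevate to administrator on the device.`) appear only as unchanged context. Verify that those lines already carry the indentation needed to nest under the paragraph they follow; otherwise they render as a new top-level list and the distinction between existing and possible mitigations is lost in the rendered page.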
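Review bot: in the `@@ -143,12` hunk of `enable-virtualization-based-protection-of-code-integrity.md`, the two `WasEnabledBy` commands leave the key path unquoted (`reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f`) while every other `reg add` on the page quotes it. Both forms work because the path has no spaces, but since these lines are being retagged anyway, quote them for consistency so readers who adapt the commands to paths with spaces do not copy the unquoted pattern.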
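Review bot: in the `@@ -269,7` hunk of `enable-virtualization-based-protection-of-code-integrity.md` (step 3, "After logging in to Windows RE"), `reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f` is executed inside Windows RE, where `HKLM\SYSTEM` is the recovery image's own hive, not that of the installation that fails to boot, so as written the step does not turn memory integrity off on the affected computer. The procedure needs to load the offline hive first, for example `reg load HKLM\OfflineSys <OSdrive>:\Windows\System32\config\SYSTEM` (the OS volume is often not `C:` inside WinRE, so identify the drive letter first), write to `HKLM\OfflineSys\ControlSet001\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity` because an offline hive has no `CurrentControlSet` link, and then `reg unload HKLM\OfflineSys`. Changing the fence tag to `cmd` is fine; this content fix should ride along while the block is being edited.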