deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 11:23:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Corrections to code blocks: indentation, content types

Browse Source
This commit is contained in:
Gary Moore
2024-09-25 13:28:24 -07:00
parent dc0eda847a
commit 8ee3271103
10 changed files with 102 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs.md
View File

@ -53,13 +53,13 @@ To create rules from the App Control events in [MDE Advanced Hunting](../operati
1. Navigate to the Advanced Hunting section within the MDE console and query the App Control events. **The Wizard requires the following fields** in the Advanced Hunting csv file export: 1. Navigate to the Advanced Hunting section within the MDE console and query the App Control events. **The Wizard requires the following fields** in the Advanced Hunting csv file export:
```KQL ```kusto
| project-keep Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName | project-keep Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName
``` ```
The following Advanced Hunting query is recommended: The following Advanced Hunting query is recommended:
```KQL ```kusto
DeviceEvents DeviceEvents
// Take only App Control events // Take only App Control events
| where ActionType startswith 'AppControlCodeIntegrity' | where ActionType startswith 'AppControlCodeIntegrity'

13
windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-fully-managed-devices.md
View File

@ -112,14 +112,17 @@ At this point, Alice now has an initial policy that is ready to deploy in audit
Alice has defined a policy for Lamna's fully managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include: Alice has defined a policy for Lamna's fully managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include:
- **Users with administrative access**<br> - **Users with administrative access**
Although applying to fewer users, Lamna still allows some IT staff to sign in to its fully managed devices as administrator. This privilege allows these users (or malware running with the user's privileges) to modify or remove altogether the App Control policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. Although applying to fewer users, Lamna still allows some IT staff to sign in to its fully managed devices as administrator. This privilege allows these users (or malware running with the user's privileges) to modify or remove altogether the App Control policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
Possible mitigations: Possible mitigations:
- Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies. - Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of App Control at boot time and use that information to condition access to sensitive corporate resources. - Use device attestation to detect the configuration state of App Control at boot time and use that information to condition access to sensitive corporate resources.
- **Unsigned policies**<br>
- **Unsigned policies**
Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy. Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
Existing mitigations applied: Existing mitigations applied:
@ -127,7 +130,9 @@ Alice has defined a policy for Lamna's fully managed devices that makes some tra
Possible mitigations: Possible mitigations:
- Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies. - Use signed App Control policies and UEFI BIOS access protection to prevent tampering of App Control policies.
- **Managed installer**<br>
- **Managed installer**
See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Existing mitigations applied: Existing mitigations applied:
@ -135,7 +140,9 @@ Alice has defined a policy for Lamna's fully managed devices that makes some tra
Possible mitigations: Possible mitigations:
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- **Supplemental policies**<br> - **Supplemental policies**<br>
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
Possible mitigations: Possible mitigations:

2
windows/security/application-security/application-control/app-control-for-business/operations/citool-commands.md
View File

@ -42,7 +42,7 @@ CiTool makes App Control for Business policy management easier for IT admins. Yo
### List policies (`--list-policies`) ### List policies (`--list-policies`)
```output ```console
Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816 Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816
Base Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816 Base Policy ID: d2bda982-ccf6-4344-ac5b-0b44427b6816
Friendly Name: Microsoft Windows Driver Policy Friendly Name: Microsoft Windows Driver Policy

4
windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md
View File

@ -76,13 +76,13 @@ MSI installer files are always detected as user writeable on Windows 10, and on
Installing .msi files directly from the internet to a computer protected by App Control fails. Installing .msi files directly from the internet to a computer protected by App Control fails.
For example, this command fails: For example, this command fails:
```console ```cmd
msiexec -i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi msiexec -i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
``` ```
As a workaround, download the MSI file and run it locally: As a workaround, download the MSI file and run it locally:
```console ```cmd
msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
``` ```

6
windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting.md
View File

@ -8,7 +8,7 @@ ms.topic: troubleshooting
# Querying App Control events centrally using Advanced hunting # Querying App Control events centrally using Advanced hunting
an App Control for Business policy logs events locally in Windows Event Viewer in either enforced or audit mode. An App Control for Business policy logs events locally in Windows Event Viewer in either enforced or audit mode.
While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems. While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems.
In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view App Control events centrally from all connected systems. In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view App Control events centrally from all connected systems.
@ -47,7 +47,7 @@ Query Example 1: Query the App Control action types summarized by type for past
Here's a simple example query that shows all the App Control for Business events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint: Here's a simple example query that shows all the App Control for Business events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
``` ```kusto
DeviceEvents DeviceEvents
| where Timestamp > ago(7d) and | where Timestamp > ago(7d) and
ActionType startswith "AppControl" ActionType startswith "AppControl"
@ -64,7 +64,7 @@ The query results can be used for several important functions related to managin
Query Example #2: Query to determine audit blocks in the past seven days Query Example #2: Query to determine audit blocks in the past seven days
``` ```kusto
DeviceEvents DeviceEvents
| where ActionType startswith "AppControlExecutableAudited" | where ActionType startswith "AppControlExecutableAudited"
| where Timestamp > ago(7d) | where Timestamp > ago(7d)

26
windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -73,7 +73,7 @@ Set the following registry keys to enable memory integrity. These keys provide s
Recommended settings (to enable memory integrity without UEFI Lock): Recommended settings (to enable memory integrity without UEFI Lock):
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
@ -85,55 +85,55 @@ If you want to customize the preceding recommended settings, use the following r
**To enable VBS only (no memory integrity)** **To enable VBS only (no memory integrity)**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
``` ```
**To enable VBS and require Secure boot only (value 1)** **To enable VBS and require Secure boot only (value 1)**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
``` ```
**To enable VBS with Secure Boot and DMA protection (value 3)** **To enable VBS with Secure Boot and DMA protection (value 3)**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
``` ```
**To enable VBS without UEFI lock (value 0)** **To enable VBS without UEFI lock (value 0)**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
``` ```
**To enable VBS with UEFI lock (value 1)** **To enable VBS with UEFI lock (value 1)**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
``` ```
**To enable memory integrity** **To enable memory integrity**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
``` ```
**To enable memory integrity without UEFI lock (value 0)** **To enable memory integrity without UEFI lock (value 0)**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
``` ```
**To enable memory integrity with UEFI lock (value 1)** **To enable memory integrity with UEFI lock (value 1)**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
``` ```
**To enable VBS (and memory integrity) in mandatory mode** **To enable VBS (and memory integrity) in mandatory mode**
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
``` ```
@ -143,12 +143,12 @@ The **Mandatory** setting prevents the OS loader from continuing to boot in case
> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot. > Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"** **To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
```console ```cmd
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
``` ```
**To let memory integrity UI behave normally (Not grayed out)** **To let memory integrity UI behave normally (Not grayed out)**
```console ```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
``` ```
@ -269,7 +269,7 @@ Another method to determine the available and enabled VBS features is to run msi
2. Then, boot to Windows RE on the affected computer, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). 2. Then, boot to Windows RE on the affected computer, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference).
3. After logging in to Windows RE, set the memory integrity registry key to off: 3. After logging in to Windows RE, set the memory integrity registry key to off:
```console ```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
``` ```