From c4fdca18556aa6ee7801fa3d2cc392fb870e2e4d Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 11 Aug 2023 09:30:16 -0700 Subject: [PATCH 1/3] Removed claim that user writeable check is done for parent directories recursively --- .../select-types-of-rules-to-create.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 1c867e7010..898cbea016 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -13,7 +13,7 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz -ms.date: 06/07/2023 +ms.date: 08/11/2023 ms.technology: itpro-security ms.topic: article --- @@ -144,7 +144,7 @@ Filepath rules don't provide the same security guarantees that explicit signer r ### User-writable filepaths -By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) don't allow standard users write access. +By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath only allow write access for admin users. There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described earlier. From b6af2c127059dec45c0d35101c0cd06533c74f76 Mon Sep 17 00:00:00 2001 
From: jsuther1974 Date: Fri, 11 Aug 2023 09:38:05 -0700 Subject: [PATCH 2/3] Removed claim that user writeable check is done recursively for parent directories. --- .../design/select-types-of-rules-to-create.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md index 7bc080da18..97baa28219 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md @@ -2,7 +2,7 @@ title: Understand Windows Defender Application Control (WDAC) policy rules and file rules description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers. ms.localizationpriority: medium -ms.date: 06/07/2023 +ms.date: 08/11/2023 ms.topic: article --- 
@@ -127,7 +127,7 @@ Filepath rules don't provide the same security guarantees that explicit signer r ### User-writable filepaths -By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) don't allow standard users write access. +By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath only allows write access for admin users. There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described earlier. From 9000507ab809fca8c094115aa0d2eb2ff86ed5c1 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Mon, 14 Aug 2023 12:59:47 -0500 Subject: [PATCH 3/3] Update windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md --- .../design/select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md index 97baa28219..a5798f2f02 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md 
@@ -127,7 +127,7 @@ Filepath rules don't provide the same security guarantees that explicit signer r ### User-writable filepaths -By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath only allows write access for admin users. +By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath only allow write access for admin users. There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described earlier.
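Review bot: In the PATCH 1/3 hunk for threat-protection/.../select-types-of-rules-to-create.md, the rewritten sentence removes the "parent directories (recursively)" wording but does not say whether parent directories are considered at all, which is exactly the question the old sentence (wrongly, per the commit subject) answered and the one a reader sizing up filepath rules will ask, since a user-writable parent is what lets a non-admin swap the file behind the rule. Suggest stating the scope explicitly, e.g. "...only allow write access for admin users. Permissions on parent directories are not evaluated." if that is the actual behavior, or otherwise describing what is evaluated. The unchanged context also mixes "user-writeability", "admin-writeable" and the heading's "User-writable"; settling on one spelling while this paragraph is being touched would tidy it.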
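Review bot: Subject-verb agreement in the added line of the PATCH 2/3 hunk for design/select-types-of-rules-to-create.md: "the current permissions on the specified filepath only allows write access" should read "only allow", which is what PATCH 1/3 already writes for the other copy of the page; the two copies should carry identical wording so a later search-and-replace does not miss one.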
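Review bot: Squash this PATCH 3/3 hunk into PATCH 2/3 rather than landing it separately: it only changes "allows" to "allow" in the line that patch introduced, so the series otherwise carries a commit whose sole purpose is to fix the previous commit, and the two copies of the page only become identical at the tip. The PATCH 3/3 subject is also just the file path; a subject such as "Fix subject-verb agreement in user-writable filepath note" would make the history searchable.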