From 2e89dfbcb1663306b41f624a789dcf80ffec02c1 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Mon, 29 Nov 2021 17:31:15 -0500 Subject: [PATCH 01/15] Create create-wdac-deny-policy.md --- .../create-wdac-deny-policy.md | 151 ++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md new file mode 100644 index 0000000000..cb61b0bc5b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md 
@@ -0,0 +1,151 @@ +--- +title: Create WDAC Deny Policy +description: Explains how to configure a custom Manged Installer. +keywords: WDAC, policy +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 11/29/2021 +ms.technology: windows-sec +--- + +# Guidance on Creating WDAC Deny Policies + +With Windows Defender Application Control (WDAC), you can create applicatoin contorl policies to explicitly deny specific drivers and applications, as well as signatures and certificates and file paths. + +Topics this article will be discussing are: +1. File Rule Precedence Order +2. Adding Allow Rules +3. Singe Policy Considerations +4. Multiple Policy Considerations +5. Best Practices +6. Tutorial/Walkthrough + +## **File Rule Precendence Order** + +To create effective WDAC deny policies, it is crucial to understand how WDAC pares the policy. The WDAC engine evaluates files against the policy in the following order. + +1. Explicit deny rules - if there is an explicit deny rule, do not process the rest of the rules; the file is untrusted. + +2. Explicit allow rules + +3. WDAC will then check for the Managed Installer extended (EA) Allow Apps with a WDAC managed Installer (windows) - Windows security | Microsoft Docs) + +4. Lastly, WDAC will call the ISG to get reputation on file, if the policy has support for the ISG + +Explicit allow and deny rules encompass rules at any level (e.g. has rules, signer rules path rules, attritbute rules or package family name rules). If there is an explicit deny rule, WDAC does not process any other rules, meaning a deny rule always takes precedence in the case where a deny and allow rule would be at odds. 
+ +## **Interaction with Existing Policies** +### **Adding Allow Rules** + +In the scenario where there is not an explicit allow rule, there is not a managed installer or Intelligent Security Graph (ISG) EA and ISG is not configured, WDAC will block the file as there is nothing in the policy vouching for trust of the file. + +If this deny policy is the only policy on the device, the following rule(s) need to be added to the policy in addition ot the deny/block rules to trust for the driver files outside of the intended blocklisted ones: + +```xml + + + + + + + + + + + + +``` + +If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-option, the following section needs to be added to the policy in addition to the deny/block rules to trust for the driver and user mode files outside of the intended blocklisted ones: +```xml + + + + + + + + + + + + + + + + + + + + +``` +## Single Policy Considerations +If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules should not be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the WDAC Wizard + +```PowerShell +$DenyPolicy = +$ExistingPolicy = +Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $ExistingPolicy +``` + +## Multiple Policy Considerations +If you are currently using multiple policies [Use multiple Windows Defender Application Control Policies (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) on a device, there are two options for integrating the deny list into your policy set. + +(Recommended) The first option is to keep the deny list as its own policy isolated from your allow policies as it is easier to manage. 
Since applications need to be allowed by both WDAC policies to run on the device [Use multiple Windows Defender Application Control Policies (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies#base-and-supplemental-policy-interaction), you will need to add the Allow All rule(s) to your deny policy. This will not override the set of applications allowed by WDAC illustrated by the following example: + +Policy 1 is an allow list of Windows and Microsoft-signed applications. Policy 2 is our new deny policy which blocks MaliciousApp.exe with the Allow All rules. MaliciousApp.exe will be blocked since there is an explicit block rule in Policy 2. Windows and Microsoft applications will be allowed since there is an explicit allow rule in Policy 1 and Policy 2 (due to the Allow All rules). All other applications, if not Windows and Microsoft signed, e.g., ExampleApp.exe, will not be allowed as this application is only trusted by Policy 2 (due to the Allow All rules) and not Policy 1. + +## **Best Practices** + +1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the 3077 block events [Understanding Application Control event IDs (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#microsoft-windows-codeintegrity-operational-log-event-ids) to ensure only the applications you intended to block are being blocked. 
More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide) + +2. **Recommeneded Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be utilized where otherwise impossible. The hash of an application is updated for every new version released by the publisher which quickly becomes impractical to manage and protect against new threats where the attacker is quickly iterating on the payload. Additionally, WDAC has optimized parsing of hash rules, but devices may see performance impacts at runtime evaluation when policies have tens of thousands or more hash rules. + +## **Tutorial** + +### Creating a Deny Policy +Deny rules and policies can be created using the PowerShell cmdlets or the WDAC Wizard [Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net](https://webapp-wdac-wizard.azurewebsites.net/) We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash. 
+ +### Software Publisher Based Deny Rule +```Powershell +$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Deny -Fallback FileName,Hash +``` + +### Software Attributes Based Deny Rule +```Powershell +$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Deny -Fallback Hash +``` + +### Hash Based Deny Rule +```PowerShell + New-CIPolicyRule -Level FileName -DriverFilePath -Deny -Fallback Hash + ``` + + ### Adding Allow All Rules +If required, as in the cases listed above, Allow All rules [link to above Allow All section] may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the AllowAll xml present on the client system in the WDAC template folder: + +```PowerShell +$DenyPolicy = +$AllowAllPolicy = $Env:windir + "\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml" +Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPolicy +``` +### Deploying the Deny Policy +Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options: + +1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM) (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) + +2. Microsoft Endpoint Configuration Manager (MEMCM): [Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm) + +3. 
Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script) + +4. Group Policy: [Deploy WDAC policies via Group Policy (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy) \ No newline at end of file From bbd54aab0e198f444ffa0e049b49f0ea8b995532 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Mon, 29 Nov 2021 19:20:52 -0500 Subject: [PATCH 02/15] Changed Index and TOC.yaml --- .../windows-defender-application-control/TOC.yml | 2 ++ .../create-wdac-deny-policy.md | 2 +- .../windows-defender-application-control/index.yml | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 024e87e042..9b5c1a8967 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -50,6 +50,8 @@ href: create-wdac-policy-for-fully-managed-devices.md - name: Create a WDAC policy for fixed-workload devices href: create-initial-default-policy.md + - name: Create a WDAC Deny List + href: create-wdac-deny-policy.md - name: Microsoft recommended block rules href: microsoft-recommended-block-rules.md - name: Microsoft recommended driver block rules diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index cb61b0bc5b..47e39411f4 100644 
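Review bot: the front matter line `description: Explains how to configure a custom Manged Installer.` is left over from another article and misspells Managed; it should summarize this page, e.g. `description: Guidance on creating Windows Defender Application Control deny list policies.`. In Best Practices, an audit-mode rollout has to be monitored for 3076 events, not `3077 block events`: 3077 is only raised by enforced policies, so watching it during audit mode shows nothing. In Single Policy Considerations, the line `Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $ExistingPolicy` has a stray space in `$ DenyPolicy`, so the deny policy variable is never passed to the merge; it also overwrites the existing policy in place, and writing to a new output path is safer for rollback. The same section says the merge is done "via the WDAC Wizard" while the example is a cmdlet, so say "via the WDAC Wizard or the Merge-CIPolicy cmdlet". The Hash Based Deny Rule snippet is a copy of the FileName rule (`-Level FileName ... -Fallback Hash`) rather than `-Level Hash`, and drops the `$DenyRules +=` prefix the two snippets above it use. In the precedence list, "Managed Installer extended (EA)" is missing the word attribute and the managed-installer article reference is bare text rather than a link, and `[link to above Allow All section]` under Adding Allow All Rules is an unfilled placeholder that should become the heading anchor `#adding-allow-rules`. Spelling to fix: "applicatoin contorl", "Precendence", "pares", "Singe", "has rules", "attritbute", "addition ot", "Recommeneded", plus a missing comma in "signer rules path rules". The file also lacks a trailing newline.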
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -18,7 +18,7 @@ ms.date: 11/29/2021 ms.technology: windows-sec --- -# Guidance on Creating WDAC Deny Policies +# **Guidance on Creating WDAC Deny Policies** With Windows Defender Application Control (WDAC), you can create applicatoin contorl policies to explicitly deny specific drivers and applications, as well as signatures and certificates and file paths. diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index ef5892459f..5f66230ab6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -52,6 +52,8 @@ landingContent: url: create-wdac-policy-for-fully-managed-devices.md - text: Create a WDAC policy for a fixed-workload url: create-initial-default-policy.md + - text: Create a WDAC Deny List + url: create-wdac-deny-policy.md - text: Deploying catalog files for WDAC management url: deploy-catalog-files-to-support-windows-defender-application-control.md - text: Using the WDAC Wizard From 8d780c6d7546cdaa5f0bd13a1b43e3a351f26361 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Wed, 1 Dec 2021 11:54:55 -0500 Subject: [PATCH 03/15] Update create-wdac-deny-policy.md --- .../create-wdac-deny-policy.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 47e39411f4..651c208dcc 100644 
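Review bot: in the create-wdac-deny-policy.md hunk, wrapping the H1 in bold (`# **Guidance on Creating WDAC Deny Policies**`) is redundant markup that renders inconsistently with the other headings and is reverted again in the next patch; keep the plain heading and squash the two commits. In the TOC.yml and index.yml hunks, `Create a WDAC Deny List` uses title case while sibling entries such as `Create a WDAC policy for fixed-workload devices` use sentence case, and the article produces a policy rather than a list, so `Create a WDAC deny list policy` would match both.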
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -18,9 +18,9 @@ ms.date: 11/29/2021 ms.technology: windows-sec --- -# **Guidance on Creating WDAC Deny Policies** +# Guidance on Creating WDAC Deny Policies -With Windows Defender Application Control (WDAC), you can create applicatoin contorl policies to explicitly deny specific drivers and applications, as well as signatures and certificates and file paths. +With Windows Defender Application Control (WDAC), you can create applicatoin control policies to explicitly deny specific drivers and applications, as well as signatures and certificates and file paths. Topics this article will be discussing are: 1. File Rule Precedence Order @@ -30,7 +30,7 @@ Topics this article will be discussing are: 5. Best Practices 6. Tutorial/Walkthrough -## **File Rule Precendence Order** +## File Rule Precendence Order To create effective WDAC deny policies, it is crucial to understand how WDAC pares the policy. The WDAC engine evaluates files against the policy in the following order. 
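Review bot: the heading rewritten in the `@@ -30,7 +30,7 @@` hunk keeps the misspelling `Precendence`; since the line is already being touched, change it to `## File Rule Precedence Order`, and fix `how WDAC pares the policy` to `parses` in the trailing context of the same hunk, as that sentence introduces the evaluation order the section depends on.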
@@ -38,18 +38,18 @@ To create effective WDAC deny policies, it is crucial to understand how WDAC par 2. Explicit allow rules -3. WDAC will then check for the Managed Installer extended (EA) Allow Apps with a WDAC managed Installer (windows) - Windows security | Microsoft Docs) +3. WDAC will then check for the Managed Installer extended (EA) [Allow Apps with a WDAC managed Installer (windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer) -4. Lastly, WDAC will call the ISG to get reputation on file, if the policy has support for the ISG +4. Lastly, WDAC will call the Intelligent Security Graph (ISG) to get reputation on file, if the policy has support for the ISG Explicit allow and deny rules encompass rules at any level (e.g. has rules, signer rules path rules, attritbute rules or package family name rules). If there is an explicit deny rule, WDAC does not process any other rules, meaning a deny rule always takes precedence in the case where a deny and allow rule would be at odds. -## **Interaction with Existing Policies** -### **Adding Allow Rules** +## Interaction with Existing Policies +### Adding Allow Rules -In the scenario where there is not an explicit allow rule, there is not a managed installer or Intelligent Security Graph (ISG) EA and ISG is not configured, WDAC will block the file as there is nothing in the policy vouching for trust of the file. +In the scenario where there is not an explicit allow rule, there is not a managed installer or ISG EA and ISG is not configured, WDAC will block the file as there is nothing in the policy vouching for trust of the file. 
-If this deny policy is the only policy on the device, the following rule(s) need to be added to the policy in addition ot the deny/block rules to trust for the driver files outside of the intended blocklisted ones: +If this deny policy is the only policy on the device, the following rule(s) need to be added to the policy in addition to the deny/block rules to trust for the driver files outside of the intended blocklisted ones: ```xml @@ -90,7 +90,7 @@ If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-o ``` ## Single Policy Considerations -If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules should not be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the WDAC Wizard +If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules should not be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the WDAC Wizard. ```PowerShell $DenyPolicy = 
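Review bot: the rewritten managed-installer line in the `@@ -38,18` hunk now carries the link but still reads `Managed Installer extended (EA)`, dropping the word attribute; it should say `Managed Installer extended attribute (EA)`, since the EA stamped on the file is what WDAC checks at that step. In the `@@ -90,7` hunk the sentence now ends `merged with the existing WDAC policy via the WDAC Wizard.` but the example directly below it is the `Merge-CIPolicy` cmdlet; say `via the WDAC Wizard or the Merge-CIPolicy cmdlet` so the text matches the snippet.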
@@ -105,13 +105,13 @@ If you are currently using multiple policies [Use multiple Windows Defender Appl Policy 1 is an allow list of Windows and Microsoft-signed applications. Policy 2 is our new deny policy which blocks MaliciousApp.exe with the Allow All rules. MaliciousApp.exe will be blocked since there is an explicit block rule in Policy 2. Windows and Microsoft applications will be allowed since there is an explicit allow rule in Policy 1 and Policy 2 (due to the Allow All rules). All other applications, if not Windows and Microsoft signed, e.g., ExampleApp.exe, will not be allowed as this application is only trusted by Policy 2 (due to the Allow All rules) and not Policy 1. -## **Best Practices** +## Best Practices 1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the 3077 block events [Understanding Application Control event IDs (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#microsoft-windows-codeintegrity-operational-log-event-ids) to ensure only the applications you intended to block are being blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide) 2. **Recommeneded Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be utilized where otherwise impossible. 
The hash of an application is updated for every new version released by the publisher which quickly becomes impractical to manage and protect against new threats where the attacker is quickly iterating on the payload. Additionally, WDAC has optimized parsing of hash rules, but devices may see performance impacts at runtime evaluation when policies have tens of thousands or more hash rules. -## **Tutorial** +## Tutorial ### Creating a Deny Policy Deny rules and policies can be created using the PowerShell cmdlets or the WDAC Wizard [Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net](https://webapp-wdac-wizard.azurewebsites.net/) We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash. From 422ac0cb1fe9936aff3b8e20b80df64d985b3629 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Wed, 1 Dec 2021 12:06:47 -0500 Subject: [PATCH 04/15] Update create-wdac-deny-policy.md --- .../create-wdac-deny-policy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 651c208dcc..7fcfcb1c90 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md 
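Review bot: the `@@ -105,13` hunk unbolds the Best Practices heading but leaves `Recommeneded Deny Rules Types` misspelled two lines below in its context; fix it to `Recommended Deny Rule Types` in the same commit rather than leaving it for a later typo pass.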
@@ -20,7 +20,7 @@ ms.technology: windows-sec # Guidance on Creating WDAC Deny Policies -With Windows Defender Application Control (WDAC), you can create applicatoin control policies to explicitly deny specific drivers and applications, as well as signatures and certificates and file paths. +With Windows Defender Application Control (WDAC), you can create application control policies to explicitly deny specific drivers and applications, as well as signatures and certificates and file paths. Topics this article will be discussing are: 1. File Rule Precedence Order 
@@ -36,11 +36,11 @@ To create effective WDAC deny policies, it is crucial to understand how WDAC par 1. Explicit deny rules - if there is an explicit deny rule, do not process the rest of the rules; the file is untrusted. -2. Explicit allow rules +2. Explicit allow rules. -3. WDAC will then check for the Managed Installer extended (EA) [Allow Apps with a WDAC managed Installer (windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer) +3. WDAC will then check for the Managed Installer extended (EA) [Allow Apps with a WDAC managed Installer (windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer). -4. Lastly, WDAC will call the Intelligent Security Graph (ISG) to get reputation on file, if the policy has support for the ISG +4. Lastly, WDAC will call the Intelligent Security Graph (ISG) to get reputation on file, if the policy has support for the ISG. Explicit allow and deny rules encompass rules at any level (e.g. has rules, signer rules path rules, attritbute rules or package family name rules). If there is an explicit deny rule, WDAC does not process any other rules, meaning a deny rule always takes precedence in the case where a deny and allow rule would be at odds. From 7a93c7863a796a82d682e2f13561df61397a8ed6 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Wed, 1 Dec 2021 12:13:57 -0500 Subject: [PATCH 05/15] Update create-wdac-deny-policy.md --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 7fcfcb1c90..180cb7b8c6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -132,7 +132,7 @@ $DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath ``` ### Adding Allow All Rules -If required, as in the cases listed above, Allow All rules [link to above Allow All section] may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the AllowAll xml present on the client system in the WDAC template folder: +If required, as in the cases listed above, [Allow All rules](48) may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the AllowAll xml present on the client system in the WDAC template folder: ```PowerShell $DenyPolicy = From 5c749f2d1e2ff80bcd03a9dc0a5f4141be29c9af Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 11:34:51 -0500 Subject: [PATCH 06/15] Update windows/security/threat-protection/windows-defender-application-control/TOC.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 9b5c1a8967..c25b0dbb9a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml 
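Review bot: `[Allow All rules](48)` in this hunk points the link at the literal target `48`, which is a line number rather than a URL or heading anchor, so the rendered link is broken; use the section's Markdown anchor, `[Allow All rules](#adding-allow-rules)`.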
@@ -50,7 +50,7 @@ href: create-wdac-policy-for-fully-managed-devices.md - name: Create a WDAC policy for fixed-workload devices href: create-initial-default-policy.md - - name: Create a WDAC Deny List + - name: Create a WDAC deny list policy href: create-wdac-deny-policy.md - name: Microsoft recommended block rules href: microsoft-recommended-block-rules.md From e20056f3df6512ab37294ed1066e8879501e6184 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 11:34:59 -0500 Subject: [PATCH 07/15] Update windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Co-authored-by: Jordan Geurten --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 180cb7b8c6..d9025761ae 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jgeurten -ms.reviewer: isbrahm +ms.reviewer: jsuther1974 ms.author: dansimp manager: dansimp ms.date: 11/29/2021 From 057917ed85969748985aa2ad2086dda0a2f2ec94 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 11:35:06 -0500 Subject: [PATCH 08/15] Update windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Co-authored-by: Jordan Geurten --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index d9025761ae..3bdff2c695 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -114,7 +114,7 @@ Policy 1 is an allow list of Windows and Microsoft-signed applications. Policy 2 ## Tutorial ### Creating a Deny Policy -Deny rules and policies can be created using the PowerShell cmdlets or the WDAC Wizard [Microsoft WDAC Wizard (webapp-wdac-wizard.azurewebsites.net](https://webapp-wdac-wizard.azurewebsites.net/) We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash. +Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC Wizard] (https://webapp-wdac-wizard.azurewebsites.net/) We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash. ### Software Publisher Based Deny Rule ```Powershell From 90d3666ae32384a30fb53621ab48de21cd251e61 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 11:35:14 -0500 Subject: [PATCH 09/15] Update windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Co-authored-by: Jordan Geurten --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
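Review bot: `[WDAC Wizard] (https://webapp-wdac-wizard.azurewebsites.net/)` has a space between `]` and `(`, so Markdown renders the brackets and URL as literal text instead of a link; remove the space. The sentence also runs straight into `We recommend creating signer rules` with no terminating period after the link.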
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 3bdff2c695..2c57f8abaa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -131,7 +131,7 @@ $DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath New-CIPolicyRule -Level FileName -DriverFilePath -Deny -Fallback Hash ``` - ### Adding Allow All Rules +### Adding Allow All Rules If required, as in the cases listed above, [Allow All rules](48) may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the AllowAll xml present on the client system in the WDAC template folder: ```PowerShell From 3d2994ed7399f5047dcebb3d1dfe7e5cf9f38cbe Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 11:35:21 -0500 Subject: [PATCH 10/15] Update windows/security/threat-protection/windows-defender-application-control/index.yml Co-authored-by: Jordan Geurten --- .../windows-defender-application-control/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index 5f66230ab6..fb59f7473b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml 
@@ -52,7 +52,7 @@ landingContent: url: create-wdac-policy-for-fully-managed-devices.md - text: Create a WDAC policy for a fixed-workload url: create-initial-default-policy.md - - text: Create a WDAC Deny List + - text: Create a WDAC deny list policy url: create-wdac-deny-policy.md - text: Deploying catalog files for WDAC management url: deploy-catalog-files-to-support-windows-defender-application-control.md From cf073cb6eb3a20eea897ef3c543a1d20bbb7c1fa Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 11:35:40 -0500 Subject: [PATCH 11/15] Update windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Co-authored-by: Jordan Geurten --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 2c57f8abaa..171f2c4e88 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -128,7 +128,7 @@ $DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath ### Hash Based Deny Rule ```PowerShell - New-CIPolicyRule -Level FileName -DriverFilePath -Deny -Fallback Hash + New-CIPolicyRule -Level Hash -DriverFilePath -Deny ``` ### Adding Allow All Rules From 0c1cd4d0ce8c9215a2a49a13d59045d2d94b8cbd Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 11:36:38 -0500 Subject: [PATCH 12/15] Update windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Co-authored-by: Jordan Geurten --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
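Review bot: the corrected hash rule `New-CIPolicyRule -Level Hash -DriverFilePath -Deny` still omits the `$DenyRules +=` prefix that the FilePublisher and FileName snippets use, so its output is written to the pipeline and lost rather than collected into the rule set that gets merged, and it keeps a leading space the other snippets do not have; prefix it with `$DenyRules +=` and align the indentation.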
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 171f2c4e88..4e5951ecf0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -42,7 +42,7 @@ To create effective WDAC deny policies, it is crucial to understand how WDAC par 4. Lastly, WDAC will call the Intelligent Security Graph (ISG) to get reputation on file, if the policy has support for the ISG. -Explicit allow and deny rules encompass rules at any level (e.g. has rules, signer rules path rules, attritbute rules or package family name rules). If there is an explicit deny rule, WDAC does not process any other rules, meaning a deny rule always takes precedence in the case where a deny and allow rule would be at odds. +Explicit allow and deny rules encompass rules at any level (e.g. hash rules, signer rules path rules, attribute rules or package family name rules). If there is an explicit deny rule, WDAC does not process any other rules, meaning a deny rule always takes precedence in the case where a deny and allow rule would be at odds. ## Interaction with Existing Policies ### Adding Allow Rules From 68e6f6a2de5f6b2208bb58af2226ad71c1d1eeec Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 11:37:21 -0500 Subject: [PATCH 13/15] Update windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Co-authored-by: Jordan Geurten --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
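Review bot: the replacement line corrects `has rules` to `hash rules` and `attritbute` to `attribute`, but the list still reads `signer rules path rules` with no separator between the two rule types; suggest `(e.g. hash rules, signer rules, path rules, attribute rules or package family name rules)` so the enumeration matches the rule levels the rest of the document uses.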
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 4e5951ecf0..0cf8bade00 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -99,7 +99,7 @@ Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $Exist ``` ## Multiple Policy Considerations -If you are currently using multiple policies [Use multiple Windows Defender Application Control Policies (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) on a device, there are two options for integrating the deny list into your policy set. +If you are currently using [multiple policies] (deploy-multiple-windows-defender-application-control-policies.md) on a device, there are two options for integrating the deny list into your policy set. (Recommended) The first option is to keep the deny list as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be allowed by both WDAC policies to run on the device [Use multiple Windows Defender Application Control Policies (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies#base-and-supplemental-policy-interaction), you will need to add the Allow All rule(s) to your deny policy. This will not override the set of applications allowed by WDAC illustrated by the following example: From 2591aab5cd1821cd69a4701c8655a2c8531f0a4c Mon Sep 17 00:00:00 2001 
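Review bot: the new line `[multiple policies] (deploy-multiple-windows-defender-application-control-policies.md)` has a space between `]` and `(`, which Markdown renders as literal bracketed text followed by a parenthetical rather than a link; remove the space. Separately, the hunk's header context shows `Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy`, where the space after `$` splits the variable name and breaks the command; that should be `$DenyPolicy` wherever it appears in the merge example.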
From: Joe Henry Date: Thu, 2 Dec 2021 11:38:34 -0500 Subject: [PATCH 14/15] Update windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Co-authored-by: Jordan Geurten --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 0cf8bade00..49ff999cbb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md 
@@ -101,7 +101,7 @@ Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $Exist ## Multiple Policy Considerations If you are currently using [multiple policies] (deploy-multiple-windows-defender-application-control-policies.md) on a device, there are two options for integrating the deny list into your policy set. -(Recommended) The first option is to keep the deny list as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be allowed by both WDAC policies to run on the device [Use multiple Windows Defender Application Control Policies (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies#base-and-supplemental-policy-interaction), you will need to add the Allow All rule(s) to your deny policy. This will not override the set of applications allowed by WDAC illustrated by the following example: +(Recommended) The first option is to keep the deny list as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be [allowed by both WDAC policies to run on the device](deploy-multiple-windows-defender-application-control-policies#base-and-supplemental-policy-interaction), you will need to add the Allow All rule(s) to your deny policy. This will not override the set of applications allowed by WDAC illustrated by the following example: Policy 1 is an allow list of Windows and Microsoft-signed applications. Policy 2 is our new deny policy which blocks MaliciousApp.exe with the Allow All rules. MaliciousApp.exe will be blocked since there is an explicit block rule in Policy 2. Windows and Microsoft applications will be allowed since there is an explicit allow rule in Policy 1 and Policy 2 (due to the Allow All rules). 
All other applications, if not Windows and Microsoft signed, e.g., ExampleApp.exe, will not be allowed as this application is only trusted by Policy 2 (due to the Allow All rules) and not Policy 1. From d2313afd3e53ed3184ca3c47b7242dd156a935af Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Thu, 2 Dec 2021 12:08:35 -0500 Subject: [PATCH 15/15] Update windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Co-authored-by: Jordan Geurten --- .../create-wdac-deny-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 49ff999cbb..29bf1068fc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md 
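Review bot: the new relative link target `deploy-multiple-windows-defender-application-control-policies#base-and-supplemental-policy-interaction` omits the `.md` extension that the unchanged line just above uses for the same file, so the anchor link will not resolve in the docs build; use `deploy-multiple-windows-defender-application-control-policies.md#base-and-supplemental-policy-interaction`. The unchanged `[multiple policies] (...)` line in this hunk's context still has the space between `]` and `(` that breaks that link, so the two fixes belong together. The worked example in the trailing context (Policy 1 allow list, Policy 2 deny list with Allow All rules, MaliciousApp.exe blocked, ExampleApp.exe not allowed because Policy 1 never trusts it) is a useful illustration and reads correctly.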
@@ -107,7 +107,7 @@ Policy 1 is an allow list of Windows and Microsoft-signed applications. Policy 2 ## Best Practices -1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the 3077 block events [Understanding Application Control event IDs (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#microsoft-windows-codeintegrity-operational-log-event-ids) to ensure only the applications you intended to block are being blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide) +1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3077 block events](event-id-explanations#microsoft-windows-codeintegrity-operational-log-event-ids) to ensure only the applications you intended to block are being blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide) 2. **Recommeneded Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be utilized where otherwise impossible. The hash of an application is updated for every new version released by the publisher which quickly becomes impractical to manage and protect against new threats where the attacker is quickly iterating on the payload. 
Additionally, WDAC has optimized parsing of hash rules, but devices may see performance impacts at runtime evaluation when policies have tens of thousands or more hash rules.
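Review bot: both new relative links, `(event-id-explanations#microsoft-windows-codeintegrity-operational-log-event-ids)` and `(windows-defender-application-control-operational-guide)`, drop the `.md` extension used for in-repo links elsewhere in this file; add `.md` before the anchor in the first and at the end of the second. In the trailing context, the second bullet's bold title `Recommeneded Deny Rules Types` is misspelled (`Recommended`), and "Hash rules should only be utilized where otherwise impossible" would read more clearly as "Hash rules should be used only where no other rule type is possible", which matches the reasoning that follows about per-version hash churn and runtime cost with tens of thousands of hash rules.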