Update create-wdac-deny-policy.md

This commit is contained in:
denisebmsft 2021-12-03 09:05:18 -08:00
parent bf405964e8
commit e311c354df
@ -38,7 +38,7 @@ To create effective WDAC deny policies, it is crucial to understand how WDAC par
2. Explicit allow rules.
3. WDAC will then check for the Managed Installer extended (EA) [Allow Apps with a WDAC managed Installer (windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer).
3. WDAC will then check for the Managed Installer extended (EA) [Allow Apps with a WDAC managed Installer](configure-authorized-apps-deployed-with-a-managed-installer.md).
4. Lastly, WDAC will call the Intelligent Security Graph (ISG) to get reputation on file, if the policy has support for the ISG.
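Review bot: the rewritten step 3 still reads "the Managed Installer extended (EA)", which drops the noun; since the line is already being touched to switch the link to the relative `configure-authorized-apps-deployed-with-a-managed-installer.md` path, change it to "the Managed Installer extended attribute (EA)" in the same edit.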
@ -90,7 +90,7 @@ If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-o
</SigningScenarios>
```
## Single Policy Considerations
If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules should not be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the WDAC Wizard [Windows Defender Application Control Wizard Policy Merging Operation - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies) or using the following PowerShell command:
If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules should not be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the WDAC Wizard [Windows Defender Application Control Wizard Policy Merging Operation](wdac-wizard-merging-policies.md) or using the following PowerShell command:
```PowerShell
$DenyPolicy = <path_to_deny_policy>
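Review bot: the relative link to `wdac-wizard-merging-policies.md` is fine, but the PowerShell command this sentence introduces (visible in the next hunk's header context as `Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy`) has a space between `$` and `DenyPolicy`, so it does not reference the `$DenyPolicy` variable assigned just below; fix it to `$DenyPolicy` while this section is being edited.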
@ -101,13 +101,13 @@ Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $Exist
## Multiple Policy Considerations
If you are currently using [multiple policies] (deploy-multiple-windows-defender-application-control-policies.md) on a device, there are two options for integrating the blocklist into your policy set.
(Recommended) The first option is to keep the blocklist as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be [allowed by both WDAC policies to run on the device](deploy-multiple-windows-defender-application-control-policies#base-and-supplemental-policy-interaction), you will need to add the Allow All rule(s) to your deny policy. This will not override the set of applications allowed by WDAC illustrated by the following example:
(Recommended) The first option is to keep the blocklist as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be [allowed by both WDAC policies to run on the device](deploy-multiple-windows-defender-application-control-policies.md#base-and-supplemental-policy-interaction), you will need to add the Allow All rule(s) to your deny policy. This will not override the set of applications allowed by WDAC illustrated by the following example:
Policy 1 is an allowlist of Windows and Microsoft-signed applications. Policy 2 is our new deny policy that blocks MaliciousApp.exe with the Allow All rules. MaliciousApp.exe will be blocked since there is an explicit block rule in Policy 2. Windows and Microsoft applications will be allowed since there is an explicit allow rule in Policy 1 and Policy 2 (due to the Allow All rules). All other applications, if not Windows and Microsoft signed, for example, ExampleApp.exe, will not be allowed as this application is only trusted by Policy 2 (due to the Allow All rules) and not Policy 1.
## Best Practices
1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3077 block events](event-id-explanations#microsoft-windows-codeintegrity-operational-log-event-ids) to ensure only the applications you intended to block are being blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide)
1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3077 block events](event-id-explanations.md#microsoft-windows-codeintegrity-operational-log-event-ids) to ensure only the applications you intended to block are being blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md)
2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be utilized where otherwise impossible. The hash of an application is updated for every new version released by the publisher that quickly becomes impractical to manage and protect against new threats where the attacker is quickly iterating on the payload. Additionally, WDAC has optimized parsing of hash rules, but devices may see performance impacts at runtime evaluation when policies have tens of thousands or more hash rules.
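Review bot: the unchanged context line `If you are currently using [multiple policies] (deploy-multiple-windows-defender-application-control-policies.md)` has a space between `]` and `(`, so it renders as literal text rather than a link; since this hunk already repairs the anchor link on the following line by adding `.md`, fix this one to `[multiple policies](deploy-multiple-windows-defender-application-control-policies.md)` as well.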
@ -118,11 +118,9 @@ Deny rules and policies can be created using the PowerShell cmdlets or the WDAC
## Tutorial
### Creating a Deny Policy
Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC Wizard] (https://webapp-wdac-wizard.azurewebsites.net/) We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash.
<<<<<<< HEAD
>>>>>>> d2313afd3e53ed3184ca3c47b7242dd156a935af
=======
>>>>>>> d2313afd3e53ed3184ca3c47b7242dd156a935af
Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC Wizard](https://webapp-wdac-wizard.azurewebsites.net/) We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash.
`d2313afd3e53ed3184ca3c47b7242dd156a935af`
### Software Publisher Based Deny Rule
```Powershell
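Review bot: the retained sentence is missing a period between the link and the next sentence: `[WDAC Wizard](https://webapp-wdac-wizard.azurewebsites.net/) We recommend` should read `...azurewebsites.net/). We recommend`. Also confirm that the backticked commit hash line (`d2313afd3e53ed3184ca3c47b7242dd156a935af`) shown after the rewritten sentence is removed together with the `<<<<<<<`, `=======` and `>>>>>>>` markers; as rendered it is not clear whether it survives in the new file.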
@ -150,10 +148,10 @@ Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPo
### Deploying the Deny Policy
Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:
1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM) (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM)](deploy-windows-defender-application-control-policies-using-intune.md)
2. Microsoft Endpoint Configuration Manager (MEMCM): [Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm)
2. Microsoft Endpoint Configuration Manager (MEMCM): [Deploy WDAC policies by using Microsoft Endpoint Configuration Manager (MEMCM)](deployment/deploy-wdac-policies-with-memcm.md)
3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)
3. Scripting: [Deploy WDAC policies using script](deployment/deploy-wdac-policies-with-script.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows) - Windows security | Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy)
4. Group Policy: [Deploy Windows Defender Application Control policies by using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
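Review bot: link text is inconsistent across the list: items 1 through 3 now say "Deploy WDAC policies ..." while item 4 says "Deploy Windows Defender Application Control policies by using Group Policy"; use one form (for example "Deploy WDAC policies by using Group Policy") so the list reads uniformly. Adding the colon after "Scripting" in item 3 is a good fix.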