deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-11 03:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
Justin Hall 3aa70d4ce8 edits 
added new metadata
2019-02-21 11:58:37 -08:00

8.0 KiB
Raw Blame History

title, description, ms.assetid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.localizationpriority, author, manager, audience, ms.collection, ms.topic, ms.date
title description ms.assetid ms.prod ms.mktglfcycl ms.sitesec ms.pagetype ms.localizationpriority author manager audience ms.collection ms.topic ms.date
Document your application control management processes (Windows 10) This planning topic describes the WDAC policy maintenance information to record for your design document. 6397f789-0e36-4933-9f86-f3f6489cf1fb w10 deploy library security medium justinha dansimp ITPro M365-security-compliance conceptual 09/21/2017

Document your application control management processes

Applies to

  • Windows 10
  • Windows Server

This planning topic describes the Windows Defender Application Control (WDAC) policy maintenance information to record for your design document.

Record your findings

To complete this planning document, you should first complete the following steps:

  1. Select the types of rules to create
  2. Plan for WDAC policy management

The three key areas to determine for WDAC policy management are:

  1. Support policy

    Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy.

  2. Event processing

    Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis.

  3. Policy maintenance

    Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added.

The following table contains the added sample data that was collected when determining how to maintain and manage WDAC policies.

Business group Organizational unit Implement WDAC? Apps Installation path Use default rule or define new rule condition Allow or deny GPO name Support policy

Bank Tellers

Teller-East and Teller-West

Yes

Teller Software

C:\Program Files\Woodgrove\Teller.exe

File is signed; create a publisher condition

Allow

Tellers-WDACTellerRules

Web help

Windows files

C:\Windows

Create a path exception to the default rule to exclude \Windows\Temp

Allow

Help desk

Human Resources

HR-All

Yes

Check Payout

C:\Program Files\Woodgrove\HR\Checkcut.exe

File is signed; create a publisher condition

Allow

HR-WDACHRRules

Web help

Time Sheet Organizer

C:\Program Files\Woodgrove\HR\Timesheet.exe

File is not signed; create a file hash condition

Allow

Web help

Internet Explorer 7

C:\Program Files\Internet Explorer\

File is signed; create a publisher condition

Deny

Web help

Windows files

C:\Windows

Use the default rule for the Windows path

Allow

Help desk
  The following two tables illustrate examples of documenting considerations to maintain and manage WDAC policies.

Event processing policy

One discovery method for app usage is to use Audit mode. This will write events to the CodeIntegrity log, which can be managed and analyzed like other Windows logs.

The following table is an example of what to consider and record.

Business group WDAC event collection location Archival policy Analyzed? Security policy

Bank Tellers

Forwarded to: CodeIntegrity Event Repository on srvBT093

Standard

None

Standard

Human Resources

DO NOT FORWARD. srvHR004

60 months

Yes, summary reports monthly to managers

Standard
  **Policy maintenance policy** When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. The following table is an example of what to consider and record.
Business group Rule update policy Application decommission policy Application version policy Application deployment policy

Bank Tellers

Planned: Monthly through business office triage

Emergency: Request through help desk

Through business office triage

30-day notice required

General policy: Keep past versions for 12 months

List policies for each application

Coordinated through business office

30-day notice required

Human Resources

Planned: Monthly through HR triage

Emergency: Request through help desk

Through HR triage

30-day notice required

General policy: Keep past versions for 60 months

List policies for each application

Coordinated through HR

30-day notice required
  ## Next steps

After you determine your application control management strategy for each business group, create your WDAC planning document.