10. Windows Defender App Control (WDAC)
10. WDAC: (Windows Defender Application Control)
Danger
Work in Progress, please review all content before starting, and be cautious in deployment Start in Test/UAT and avoid outliers like Developers Documentation on this page is very light at the moment and needs more review
Troubleshooting: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting
From Eric Mannon: - https://www.linkedin.com/feed/update/urn:li:activity:6996238396973051904/ - Read the above article first - 1st- Install WDACme on all W10 workstations - 2nd- Enable "Smart Application Control" in Evaluation mode on W11 endpoints that support it - 3rd- Lock down Tier 0 (DC's, ADFS & AD Connect servers) with WDAC Microsoft-only mode in block mode. (No 3rd party software should ever be installed on the Tier 0 server type) - 4th- Deploy a supplemental policy to block the Microsoft recommended block list - 🔑Golden rule: "Audit is better than nothing" - 🎯Desired state: "Zero Trust for unapproved code"
🎒Resources:
- WDAC Deployment: https://lnkd.in/em8sV9AK
- ⛄️ Olaf Hartong's: WDACMe: https://lnkd.in/gU33rPzf
- W11 Smart App Control: https://lnkd.in/e5X3WF9H
- Recommended Block Rules: https://lnkd.in/eZEwcwM9
- WDAC Policy Wizard: https://lnkd.in/gwFuvmd4
- Hunting WDAC Events in KQL: https://lnkd.in/eJE8WHZG
Deeper Background
- For those that want a deeper background on how this works, warning this is quite a big rabbit hole
- https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347
- https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x02-audit-settings-and-telemetry-1d0af3ebfb27
- https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x03-mde-telemetry-unreliability-and-log-augmentation-ec6e7e5f406f
- https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x04-timeline-3f01282839e4
Additional Resources
- Creating a policy for machines already in use (this is the hard one) https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy#create-a-custom-base-policy-to-minimize-user-impact-on-in-use-client-devices
- WDAC Policy creation from DTA - https://desktop.gov.au/blueprint/abac/wdac-policy-creation.html
- https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-application-control
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/deploying-windows-10-application-control-policy/ba-p/2486267
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide