Using Windows Defender Application Control to block malicious apps and drivers
Ideally, we would lock down our operating systems so that only the applications we want can run. For many companies, however, simply inventorying the software running on their networks takes resources and research that they don't have.
A tool built into Windows can give you better control over what runs on your systems. Windows Defender Application Control (WDAC), also known as Microsoft Defender Application Control (MDAC), was introduced with Windows 10 and lets you control which drivers and applications may load on your Windows clients. Some WDAC features are only available on specific versions of Windows; the policy-authoring cmdlets have been available on all SKUs since version 1909. Microsoft's older allow-listing technology, AppLocker, is no longer under active development: it will continue to receive security fixes, but no new features.
You can use Group Policy or cloud services such as Intune to deploy the policies. While limiting which applications may run on an operating system can feel overwhelming given business needs, limiting which drivers may load on a system probably isn't a problem.
Use WDAC to block malicious drivers and certificates
The recent theft of a code-signing certificate used to sign Nvidia drivers highlights why WDAC matters for protecting your network from malicious drivers. Kim Oppalfens recently explained how you can use WDAC to deny any malicious driver or signing certificate you want to keep off your network. The only hard part of the process is that you may need a copy of the malicious driver, or its certificate, to build the rule.
It is recommended that you begin a WDAC deployment with the rules in audit mode so you can measure the impact on your network before anything is blocked. WDAC policies can allow or deny code based on attributes of the code-signing certificate, attributes of the binary itself (such as its hash, file name and version), the app's reputation, the identity of the process that started the installation (the managed installer), and the path from which the application is launched.
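As an added example (not from the article and not Kim Oppalfens' own script), the cmdlet sequence below turns a quarantined driver into a signer-level deny rule and merges it into the DenyAllAudit.xml sample, which already has Audit Mode set. It assumes the suspect driver has been copied to C:\Quarantine on an analysis machine, that C:\WDAC is free for scratch files, and that the ConfigCI cmdlets are available:

```powershell
# Added example, not the article's or Kim Oppalfens' code. Assumed paths:
# C:\Quarantine holds the suspect driver(s); C:\WDAC is scratch space.
$quarantine = 'C:\Quarantine'
$work       = 'C:\WDAC'
$base       = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Inventory the quarantined binaries (kernel drivers plus user-mode PEs).
$files = Get-SystemDriver -ScanPath $quarantine -UserPEs -NoShadowCopy

# 2. Deny by signer (Publisher level) so that every binary signed with the same
#    leaked certificate is refused, not just this one file. Unsigned files fall
#    back to a hash rule so they are still denied.
$denyRules = New-CIPolicyRule -DriverFiles $files -Level Publisher -Fallback Hash -Deny

# 3. Merge the deny rules into a copy of the sample policy. Deny rules take
#    precedence over allow rules, so this holds even if the base policy later
#    allows the same signer.
Copy-Item -Path $base -Destination "$work\Base.xml" -Force
Merge-CIPolicy -OutputFilePath "$work\DenyDriver.xml" -PolicyPaths "$work\Base.xml" -Rules $denyRules
Set-CIPolicyIdInfo -FilePath "$work\DenyDriver.xml" -PolicyName 'Deny leaked driver signer'

# 4. Audit Mode (option 3) is already set in DenyAllAudit.xml. Leave it on for
#    the first rollout and remove it only after reviewing the CodeIntegrity log.

# 5. Compile to the binary form the kernel loads. The sample policies are in
#    single-policy format, so the result is deployed as SIPolicy.p7b (via Intune,
#    Configuration Manager, Group Policy, or a script).
ConvertFrom-CIPolicy -XmlFilePath "$work\DenyDriver.xml" -BinaryFilePath "$work\SIPolicy.p7b"
```

Publisher level keys the rule on the signing certificate's subject and issuing CA, so one driver signed with the stolen certificate is enough to deny everything else that certificate signs. FilePublisher level would additionally pin the file name and version, which is too narrow for a deny rule aimed at a compromised signer.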
Review Microsoft WDAC sample policies
Start by reviewing the basic policy examples that ship with Windows. Navigate to C:\Windows\schemas\CodeIntegrity\ExamplePolicies and open DenyAllAudit.xml.
Microsoft has enabled five rule options in this sample policy (option number followed by description):
- 6 Enabled: Unsigned System Integrity Policy — allows the policy to remain unsigned. When this option is removed, the policy must be signed, and the certificates trusted for future policy updates must be listed in the UpdatePolicySigners section.
- 3 Enabled: Audit Mode — directs WDAC to log information about applications, binaries, and scripts that would have been blocked if the policy had been enforced. To enforce the policy rather than just log, remove this option.
- 9 Enabled: Advanced Boot Options Menu — allows the F8 boot menu to appear for physically present users. This is a convenient recovery option, but it is a security concern if an attacker can get physical access to the device.
- 0 Enabled: UMCI — User-Mode Code Integrity validates user-mode executables and scripts, not just kernel drivers.
- 16 Enabled: Update Policy No Reboot — allows future WDAC policy updates to apply without a system reboot.
Additional rule options (option number followed by description):
- 2 Required: WHQL — By default, legacy drivers that are not WHQL (Windows Hardware Quality Labs) signed are allowed to run. Enabling this option requires every driver to be WHQL signed and removes support for legacy drivers. Kernel drivers built for Windows 10 should be WHQL certified.
- 4 Disabled: Flight Signing — If enabled, WDAC policies will not trust flightroot-signed binaries. Use this if you only want to run released binaries, not pre-release Windows builds.
- 8 Required: EV Signers — This option requires drivers to be WHQL signed and to have been submitted by a partner with an Extended Validation (EV) certificate. All Windows 10 and Windows 11 drivers will meet this requirement; verify the option's current support status in Microsoft's rule-option table before relying on it.
- 10 Enabled: Boot Audit on Failure — Use this option when the WDAC policy is in enforce mode. If a driver fails to load during boot, the policy falls back to audit mode so that Windows can start. Administrators can find the reason for the failure in the CodeIntegrity event log.
- 11 Disabled: Script Enforcement — This option disables script enforcement. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to Constrained Language Mode. This option is required to run HTA files and is supported on builds 1709, 1803, and 1809 with the 2019 10C LCU or later, and on Windows 10 May 2019 Update (1903) and later. Using it on versions of Windows without the appropriate update may have unexpected results.
- 12 Required: Enforce Store Applications — If this option is enabled, WDAC policies also apply to Universal Windows (UWP) apps.
- 13 Enabled: Managed Installer — Use this option to automatically allow applications installed by a managed installer.
- 14 Enabled: Intelligent Security Graph Authorization — Use this option to automatically authorize applications with a "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG).
- 15 Enabled: Invalidate EAs on Reboot — When the ISG option (14) is used, WDAC sets an extended attribute (EA) on a file to record that it was allowed to run. This option makes WDAC periodically revalidate the reputation of files that were authorized by the ISG.
- 17 Enabled: Allow Supplemental Policies — Use this option on a base policy to allow supplemental policies to extend it. Only supported on Windows 10, version 1903 and later.
- 18 Disabled: Runtime FilePath Rule Protection — This option disables the default runtime check that only allows FilePath rules for paths that are writable only by an administrator. Only supported on Windows 10, version 1903 and later.
- 19 Enabled: Dynamic Code Security — This option enables policy enforcement for .NET applications and dynamically loaded libraries. Only supported on Windows 10, version 1803 and later.
- 20 Enabled: Revoked Expired As Unsigned — Use this option to treat binaries signed with expired or revoked certificates as unsigned for user-mode processes and components, in enterprise signing scenarios.
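The option numbers above are what Set-RuleOption takes. As an added example (not from the article), here is how a driver-focused policy that has finished its audit run is moved to enforcement, with a small helper that reads the options back out of the XML so you can confirm what you are about to deploy. It assumes C:\WDAC\Merged.xml is a policy you built from one of the sample XMLs:

```powershell
# Added example, not from the article. Assumed path: C:\WDAC\Merged.xml is a
# policy derived from a sample XML that has already been run in audit mode.
$policy = 'C:\WDAC\Merged.xml'

function Get-WdacRuleOption {
    # Lists the rule options currently set in a policy XML by reading the
    # <Rules><Rule><Option> elements (dot notation ignores the SiPolicy namespace).
    param([Parameter(Mandatory)][string]$Path)
    ([xml](Get-Content -Path $Path -Raw)).SiPolicy.Rules.Rule | ForEach-Object { $_.Option }
}

'Options before:'
Get-WdacRuleOption -Path $policy

# Driver hardening: require WHQL signing (2) so legacy, non-WHQL drivers are
# refused; keep Boot Audit on Failure (10) so a blocked boot driver drops the
# policy to audit instead of preventing startup; allow updates without a
# reboot (16). Set-RuleOption is idempotent, so re-adding an option is harmless.
2, 10, 16 | ForEach-Object { Set-RuleOption -FilePath $policy -Option $_ }

# Move from audit to enforce by deleting Audit Mode (3), and remove the F8
# Advanced Boot Options menu (9) that lets a physically present attacker bypass
# the policy at boot.
3, 9 | ForEach-Object { Set-RuleOption -FilePath $policy -Option $_ -Delete }

# Bump the version so event logs and clients show which revision is active.
Set-CIPolicyVersion -FilePath $policy -Version '1.0.0.1'

'Options after:'
Get-WdacRuleOption -Path $policy
```

Run the helper once more after ConvertFrom-CIPolicy has been applied to the XML you actually ship; it is easy to edit one copy of the policy and compile another.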
Microsoft's documentation (maintained on GitHub) describes several ways to deploy WDAC policies: Intune, Endpoint Configuration Manager, Group Policy, and plain scripts that copy the policy out to your network. As it notes, start in audit mode before enforcing. Monitor the events to confirm that you will block what you intend to block, and that you won't block the VP of Sales from the key application that tracks customers. WDAC is an extremely powerful tool that is often overlooked for its ability to protect the network from external as well as internal attacks.
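Monitoring those events is the step that decides whether a policy is safe to enforce. As an added example (not from the article), the function below summarizes the CodeIntegrity operational log: event ID 3076 records a file that would have been blocked under audit mode, and 3077 records a file that was actually blocked under enforcement. It assumes the EventData field names FileNameBuffer, ProcessNameBuffer and PolicyNameBuffer used by these events on current Windows builds; if your build differs, confirm the names with (Get-WinEvent ... | Select-Object -First 1).ToXml():

```powershell
# Added example, not from the article. Field names FileNameBuffer,
# ProcessNameBuffer and PolicyNameBuffer are assumed from the 3076/3077 event
# schema on current builds; verify with ToXml() on one event if results are empty.
function Get-WdacBlockSummary {
    param(
        [int]$Days = 7,
        [int[]]$EventId = @(3076, 3077)   # 3076 = audit ("would have been blocked"), 3077 = enforced block
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event's XML rendering.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 3076) { 'audit' } else { 'enforce' }
            File    = $d['FileNameBuffer']
            Process = $d['ProcessNameBuffer']
            Policy  = $d['PolicyNameBuffer']
        }
    }
}

# Group by file so one noisy binary does not hide the rest, and list the parent
# processes that tried to load it; a business app showing up here is the signal
# to add an allow rule before you remove Audit Mode.
Get-WdacBlockSummary -Days 7 |
    Group-Object -Property File |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize
```

Paths in these events are NT device paths (\Device\HarddiskVolumeN\...), not drive letters, so match them against your allow rules accordingly. Running the summary across a sample of machines via Invoke-Command gives a fleet-wide view before the policy is switched to enforce.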
Copyright © 2022 IDG Communications, Inc.