New Update Advanced Windows hardening with WDAC - Windows Defender Application Control

SpyNetGirl

SpyNetGirl

Level 2
Thread author
Jan 30, 2023
51
Created WDAC - Windows Defender Application Control - guides and scripts on my GitHub, sharing them here.
Target users range from Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such.

There are PowerShell scripts included too that can help automate things.

Please note implementing WDAC needs high-level knowledge about it, the Wiki pages assume you already know the basics but if you don't, in the resources section I've included all the links to Microsoft learn website.
If you have any questions and need quick response, use GitHub discussion because I'm more active there.
 
Last edited:
  • +Reputation
  • Like
Reactions: SirJon, Correlate, Zero Knowledge and 4 others
SpyNetGirl

SpyNetGirl

Level 2
Thread author
Jan 30, 2023
51
WhiteMouse said:
learn.microsoft.com

Create a code signing cert for Windows Defender Application Control (Windows)

Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or WDAC policies internally.
learn.microsoft.com

After I typed Common Name in step 5 and enrolled it, I got a certificate issued by and to "Common Name", the expired date is 1 year after I enrolled.
Click to expand...

That Microsoft's article assumes you have an Enterprise CA already and configured it, so it only explains the steps that you have to take afterwards.

You need to use my guide which explains how to set up Enterprise CA role first and the configuration needed to create certificate that can have even 30 years expiry date. I used Windows Server documents to create it.

github.com

Home

Harden Windows Safely, Securely using Official Supported Microsoft methods with proper explanation | Always up-to-date and works with the latest build of Windows - HotCakeX/Harden-Windows-Security
github.com github.com

I covered everything from 0 to hero, and tried to be as detailed as possible so please follow it and if you think there is any details missing, let me know so I can update it. thanks
 
  • Like
  • Applause
Reactions: kylprq, Correlate, WhiteMouse and 4 others
M

Max90

Level 11
Verified
Nov 9, 2022
523
Firstly: @SpyNetGirl impressive work and many thanks for the detailed information and setup guides (y)(y)(y)

Secondly: why aim for the moon for home use and start with signed policies? As the use case of @WhiteMouse shows isn't this way to ambitious to get started with WDAC?
1678442922743.png


What about getting stated in AUDIT MODE and enabling the setting 'BOOT AUDIT ON FAILURE' when first turning off AUDIT MODE and running in enforced mode?
1678443105976.png


How to create exception rules when running in audit mode (maybe @SpyNetGirl could add an 'Using audit mode section' to her impressive HOW-TO WDAC tutorial)?

learn.microsoft.com

Use audit events to create WDAC policy rules (Windows)

Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
learn.microsoft.com
 
Last edited:
  • Like
Reactions: simmerskool, SpyNetGirl and Correlate
Victor M

Victor M

Level 3
Oct 3, 2022
99
WhiteMouse said:
bricked my PC when I tried to replace the certificate.
Click to expand...
I also bricked my laptop while playing around with WDAC. Restoring from backup disk image doesn't work. And re-installing Win 11 doesn't work ( 1st reboot fails ). I even tried sanitizing the drive and then do a re-install. No joy. Had to sell it running Ubuntu at a big di$count. (Ubuntu works) Didn't know about the WDAC Toolkit. At least if everything is menu driven then it might have been better.
 
Last edited:
  • Wow
  • Sad
Reactions: kylprq and simmerskool
M

Max90

Level 11
Verified
Nov 9, 2022
523
WDAC is enforced on SYSTEM level, AppLocker on ADMIN level, SRP on SUA level, so when you mess up with WDAC you really mess up.

MT-power users WDAC with ISG really adds little protection over Defender in MAX or SAC in Windows 11, this are my three TIPS

TIP 1: On Windows11 use SAC in stead of WDAC
Add a (free) third-party security solutions to enjoy a double check. Defender's SAC and exploit protection also works when you use a third-party security solution.

TIP 2: On Windows10 when you can't enable Core Isolation, don't use WDAC,
In stead you can use Microsoft Defender on MAX instead with Hard_Configurator in recommended mode (with only tweak tp add the Microsoft recommended block rules for LolBins in the _C sponsor setting, (but @Andy Ful posted that he would update the recommended sponsors in H_C, so you might just use the enhanced sponsors setting in H_C for the time being).

TIP 3: Microsoft works well for Microsoft. Think twice when you use a lot of 3p-software.
I have a near Microsoft only setup (with image and data backup of Macrium Reflect and SyncBack and two secondary scanners Norton and Sophos) and I used the 7 step approach below to add WDAC on Windows10 Pro.

My 7 step best practice WDAC implementation, when you really want to lock your PC in Microsoft Mode (with some signers added)

1. Choose Microsoft mode and add allow rules for Windows and Program Files and Defender Platform in AppData, want to use 3p security --> SHOW STOPPER 1
2. Add allow signatures for image and data backup and secondary security scanners
3. Don't add Microsoft Recommended block rules, use H_C to block sponsors instead (for SUA only)
4. Run in Audit mode first, do you see unexpected WDAC warning related to hardware features = SHOW STOPPER 2 otherwise add the signer rules for forgotten 3p software and repeat
5. Enforce rules by disabling audit mode, but enable Boot Audit on Failure, update your policy
6. Survive three Patch Tuesday updates before disabling this fail break option (Boot Audit on Failure), having problems with updates --> SHOW STOPPER 3
7. Now you can also set Configure Defender to MAX to enforce a cloud whitelist for all stuf WDAC allows
 
Last edited:
  • Like
Reactions: Zero Knowledge and simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,552

Max90,​

The author of this thread mentioned target users like:
"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."
Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.
It is worth mentioning that WDAC setup presented in this thread will not be appropriate for personal computers.
 
  • Like
  • Applause
Reactions: kylprq, jerzy601, simmerskool and 1 other person
M

Max90

Level 11
Verified
Nov 9, 2022
523
@Andy Ful and @SpyNetGirl

Completely true, but that is not the target audience of this website
MT website description said:
MalwareTips is a global community of people helping each other with their Security, Technology and Technical Support questions.
Click to expand...

Hence my appeal to lower the ambition level, considering the stories of both @Victor M and @WhiteMouse bricking their PC
 
  • Like
Reactions: BryanB, Zero Knowledge, Andy Ful and 1 other person
F

ForgottenSeer 98186

Andy Ful said:
The author of this thread mentioned target users like:

"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."
Click to expand...
There are people here who are inclined to study what @SpyNetGirl has created. For one, her GitHub explanations save initiated users from a lot of searching and deciphering of Microsoft learn pages. I know it is useful for the sysadmin or security enthusiast looking to gain knowledge through experience.

I do not doubt the veracity of peoples' experience experimenting with WDAC. In a lot of respects, the discussions about Windows security internals here assume that the user can experience any number of troubles. Working with Windows security is not free of risk.

Andy Ful said:
Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.
Click to expand...
Actually, H_C protects quite well in an enterprise environment. That statement is based upon real-world deployments in small enterprise environments.
 
  • Like
  • Hundred Points
  • Applause
Reactions: jerzy601, Andy Ful, simmerskool and 2 others
SpyNetGirl

SpyNetGirl

Level 2
Thread author
Jan 30, 2023
51
WhiteMouse said:
I got 30 years certificate and also bricked my PC when I tried to replace the certificate. Signed WDAC policy has a very good anti owner evil maid.
Click to expand...

Everything is explained in the Microsoft documents. I clearly mentioned the target users for this, it's not for the average home user to quickly do something.

You need to have read everything and understand what you are doing. That "brick" you are talking about is the exact same thing that prevents unauthorized people from accessing your computer and saves you.

Max90 said:
Firstly: @SpyNetGirl impressive work and many thanks for the detailed information and setup guides (y)(y)(y)

Secondly: why aim for the moon for home use and start with signed policies? As the use case of @WhiteMouse shows isn't this way to ambitious to get started with WDAC?
View attachment 273456

What about getting stated in AUDIT MODE and enabling the setting 'BOOT AUDIT ON FAILURE' when first turning off AUDIT MODE and running in enforced mode?
View attachment 273457
Click to expand...

Home use?
my post above says: Target users range from Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such.

Cryptographically signing the WDAC policy makes it tamper-proof. I use it at home because I've read how to disable it, update it and so on so I won't brick my computer, but I don't recommend it to home users (i.e. people looking for a quick button to secure everything), for home users my hardening script is the best one.

github.com

GitHub - HotCakeX/Harden-Windows-Security: Harden Windows Safely, Securely using Official Supported Microsoft methods with proper explanation | Always up-to-date and works with the latest build of Windows

Harden Windows Safely, Securely using Official Supported Microsoft methods with proper explanation | Always up-to-date and works with the latest build of Windows - GitHub - HotCakeX/Harden-Windows-...
github.com github.com

Also in all of my guides I always use AllowMicrosoft default policy which takes care of allowing everything Microsoft including Windows. So there is no chance of boot failure, unless your hardware has problems? You need to be specific and tell me about a specific case because I haven't seen boot failure when using AllowMicrosoft policy.

Max90 said:
How to create exception rules when running in audit mode (maybe @SpyNetGirl could add an 'Using audit mode section' to her impressive HOW-TO WDAC tutorial)?

learn.microsoft.com

Use audit events to create WDAC policy rules (Windows)

Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
learn.microsoft.com
Click to expand...

Thanks, do you mean after collecting the audit logs and creating the WDAC policy from them, you want to remove some of the rules?
 
  • Like
  • Applause
Reactions: kylprq, Zero Knowledge, simmerskool and 1 other person
M

Max90

Level 11
Verified
Nov 9, 2022
523
SpyNetGirl said:
Thanks, do you mean after collecting the audit logs and creating the WDAC policy from them,?
Click to expand...
Yes, as posted you mentioned the target audience of this thread, but that is different from the target audience of this forum (see my reply to Andy). So when you publish stuf you always have to consider that out of bound target audience is going to use it (at least that is what UX considers best practice in the Netherlands)
 
  • Like
Reactions: simmerskool
SpyNetGirl

SpyNetGirl

Level 2
Thread author
Jan 30, 2023
51
Andy Ful said:

Max90,​

The author of this thread mentioned target users like:
"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."
Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.
It is worth mentioning that WDAC setup presented in this thread will not be appropriate for personal computers.
Click to expand...

It's not 1 setup, here are the 6 ways/levels you can use WDAC:


and they are very much appropriate and highly recommended for personal computers. only those that are for fully managed devices are harder to maintain for home users that install lots of random programs. Windows 11 22H2 already uses Microsoft recommended driver block rules. Smart App Control is also WDAC, All of them for personal computers.
 
Last edited:
  • Like
  • Thanks
Reactions: kylprq and simmerskool
M

Max90

Level 11
Verified
Nov 9, 2022
523
As posted @SpyNetGirl mentioned the target audience of this thread, but that is different from the target audience of this forum (see my reply to Andy). So when you publish stuf you always have to consider that out of bound target audience is going to use it (at least that is what UX considers best practice in the Netherlands). So I am not telling you are wrong, just hinting you could do better by taking the 'out of bound' user into the equation, because their negative comments (I have bricked my PC), will impact the valuation of your hard work (which I thanked and applauded explicitelye). But again this is according to Dutch best IT implementation standards.
 
  • Like
Reactions: simmerskool
SpyNetGirl

SpyNetGirl

Level 2
Thread author
Jan 30, 2023
51
I've created a Mega WDAC module and put it on the GitHub here:
github.com

Harden-Windows-Security/WDAC-Module.ps1 at main · HotCakeX/Harden-Windows-Security

Harden Windows 11 safely, securely using Official Supported methods with proper explanation | Always up-to-date and works with the latest build of Windows - Harden-Windows-Security/WDAC-Module.ps1 ...
github.com github.com

It automates a lot of things. I've updated a few Wiki posts so far and will update all of them soon. It organizes everything, no more long scripts in the Wiki posts and it's well formatted so easy to understand, verify and Trust.

You can use it like this:

Code: 
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/WDAC-Module.ps1" -OutFile "WDAC-Module.ps1"
Import-Module .\WDAC-Module.ps1 -Force

And after that, just type "New-ConfigWDAC -" in the PowerShell console and press tab, it has tab completion to you don't have to type the parameters 🙂

Here are the parameters: (I will add these to the Wiki posts too)


Let me know if there is any more steps that can be automated.
 
Last edited:
  • +Reputation
  • Like
  • Hundred Points
Reactions: kylprq, simmerskool, ForgottenSeer 98186 and 1 other person
oldschool

oldschool

Level 76
Top Poster
Well-known
Mar 29, 2018
6,505
Oerlink said:
There are people here who are inclined to study what @SpyNetGirl has created. For one, her GitHub explanations save initiated users from a lot of searching and deciphering of Microsoft learn pages. I know it is useful for the sysadmin or security enthusiast looking to gain knowledge through experience.
Click to expand...
This ^^
I for one probably won't use this script but I enjoy reading and learning.
 
  • Like
Reactions: simmerskool and Moonhorse
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,552
SpyNetGirl said:
Smart App Control is also WDAC, All of them for personal computers.
Click to expand...
Smart App Control is based on WDAC, but it has got several features that cannot be applied by your scripts and any known methods. These additional features (similar to classic SRP) make SAC appropriate for personal computers. Furthermore, SmartScreen and ISG work differently in SAC, compared to WDAC.
I do not say that WDAC cannot be used on personal computers (I use it on my 2 computers at home together with SRP). But, I am convinced that such a protection is not appropriate for almost all home users. That is a conclusion based on my two-year experience with WDAC and several years of developing security applications for home users.
Of course, I will not be angry if you think differently.
 
Last edited:
  • Like
Reactions: kylprq, BryanB, oldschool and 2 others
F

ForgottenSeer 98186

Andy Ful said:
But, I am convinced that such a protection is not appropriate for almost all home users.
Click to expand...
Default-deny is a niche "market" when it comes to "almost all home users." In my experience as well, users can handle default-deny - IF - you configure it for them, teach them the basics, and are available to them when they run into a situation they cannot figure out on their own.

The experiences home users have with default-deny is dependent upon their expectations, their digital habits and their personal temperaments. An older person who does not download stuff, and remains calm and patient when there is a problem, are easier to interact with.
 
  • Like
  • +Reputation
Reactions: I Walk MY Way, BryanB, Victor M and 2 others

Similar threads

Gandalf_The_Grey
    • Like
    • Thanks
    • +Reputation
New Update Windows 11 KB5025305 adds prioritized Windows updates setting
Replies
3
Views
422
Windows 11
silversurfer
silversurfer
Bot
    • Like
    • Applause
Releasing Windows 10 Build 19045.2787 to Release Preview Channel
Replies
0
Views
238
Windows 11
Bot
Bot
SpyNetGirl
    • Like
    • +Reputation
    • Hundred Points
Harden Windows Security | Only with official documented methods | Always up to date
Replies
59
Views
4,660
Other security for Windows, Mac, Linux
NormanF
N

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top