New Update Advanced Windows hardening with WDAC - Windows Defender Application Control

[SpyNetGirl]

Created WDAC - Windows Defender Application Control - guides and scripts on my GitHub, sharing them here.
Target users range from Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such.

• Introduction
• WDAC for Lightly Managed Devices
• WDAC for Fully Managed Devices
• WDAC for Fully Managed Devices (2nd variant)
• WDAC Notes
• How to Create and Deploy a Signed WDAC Policy (Important and highly recommended)

There are PowerShell scripts included too that can help automate things.

Please note implementing WDAC needs high-level knowledge about it, the Wiki pages assume you already know the basics but if you don't, in the resources section I've included all the links to Microsoft learn website.
If you have any questions and need quick response, use GitHub discussion because I'm more active there.

 

[WhiteMouse]

For some unknown reason, I only got 1 year certificate

 

[SpyNetGirl]

For some unknown reason, I only got 1 year certificate

Umm, from where?

 

[WhiteMouse]

Create a code signing cert for Windows Defender Application Control - Windows Security

Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or WDAC policies internally.

learn.microsoft.com

After I typed Common Name in step 5 and enrolled it, I got a certificate issued by and to "Common Name", the expired date is 1 year after I enrolled.

 

[SpyNetGirl]

Create a code signing cert for Windows Defender Application Control - Windows Security

Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or WDAC policies internally.

learn.microsoft.com

After I typed Common Name in step 5 and enrolled it, I got a certificate issued by and to "Common Name", the expired date is 1 year after I enrolled.

That Microsoft's article assumes you have an Enterprise CA already and configured it, so it only explains the steps that you have to take afterwards.

You need to use my guide which explains how to set up Enterprise CA role first and the configuration needed to create certificate that can have even 30 years expiry date. I used Windows Server documents to create it.

Home

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Pers...

github.com

I covered everything from 0 to hero, and tried to be as detailed as possible so please follow it and if you think there is any details missing, let me know so I can update it. thanks

 

[WhiteMouse]

I got 30 years certificate and also bricked my PC when I tried to replace the certificate. Signed WDAC policy has a very good anti owner evil maid.

 

[ForgottenSeer 97327]

Firstly: @SpyNetGirl impressive work and many thanks for the detailed information and setup guides

Secondly: why aim for the moon for home use and start with signed policies? As the use case of @WhiteMouse shows isn't this way to ambitious to get started with WDAC?

What about getting stated in AUDIT MODE and enabling the setting 'BOOT AUDIT ON FAILURE' when first turning off AUDIT MODE and running in enforced mode?

How to create exception rules when running in audit mode (maybe @SpyNetGirl could add an 'Using audit mode section' to her impressive HOW-TO WDAC tutorial)?

Use audit events to create WDAC policy rules - Windows Security

Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.

learn.microsoft.com

 

[Victor M]

bricked my PC when I tried to replace the certificate.

I also bricked my laptop while playing around with WDAC. Restoring from backup disk image doesn't work. And re-installing Win 11 doesn't work ( 1st reboot fails ). I even tried sanitizing the drive and then do a re-install. No joy. Had to sell it running Ubuntu at a big di$count. (Ubuntu works) Didn't know about the WDAC Toolkit. At least if everything is menu driven then it might have been better.

 

[ForgottenSeer 97327]

WDAC is enforced on SYSTEM level, AppLocker on ADMIN level, SRP on SUA level, so when you mess up with WDAC you really mess up.

MT-power users WDAC with ISG really adds little protection over Defender in MAX or SAC in Windows 11, this are my three TIPS

TIP 1: On Windows11 use SAC in stead of WDAC
Add a (free) third-party security solutions to enjoy a double check. Defender's SAC and exploit protection also works when you use a third-party security solution.

TIP 2: On Windows10 when you can't enable Core Isolation, don't use WDAC,
In stead you can use Microsoft Defender on MAX instead with Hard_Configurator in recommended mode (with only tweak tp add the Microsoft recommended block rules for LolBins in the _C sponsor setting, (but @Andy Ful posted that he would update the recommended sponsors in H_C, so you might just use the enhanced sponsors setting in H_C for the time being).

TIP 3: Microsoft works well for Microsoft. Think twice when you use a lot of 3p-software.
I have a near Microsoft only setup (with image and data backup of Macrium Reflect and SyncBack and two secondary scanners Norton and Sophos) and I used the 7 step approach below to add WDAC on Windows10 Pro.

My 7 step best practice WDAC implementation, when you really want to lock your PC in Microsoft Mode (with some signers added)

1. Choose Microsoft mode and add allow rules for Windows and Program Files and Defender Platform in AppData, want to use 3p security --> SHOW STOPPER 1
2. Add allow signatures for image and data backup and secondary security scanners
3. Don't add Microsoft Recommended block rules, use H_C to block sponsors instead (for SUA only)
4. Run in Audit mode first, do you see unexpected WDAC warning related to hardware features = SHOW STOPPER 2 otherwise add the signer rules for forgotten 3p software and repeat
5. Enforce rules by disabling audit mode, but enable Boot Audit on Failure, update your policy
6. Survive three Patch Tuesday updates before disabling this fail break option (Boot Audit on Failure), having problems with updates --> SHOW STOPPER 3
7. Now you can also set Configure Defender to MAX to enforce a cloud whitelist for all stuf WDAC allows

 

[Andy Ful]

Max90,​

The author of this thread mentioned target users like:
"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."
Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.
It is worth mentioning that WDAC setup presented in this thread will not be appropriate for personal computers.

 

[ForgottenSeer 97327]

@Andy Ful and @SpyNetGirl

Completely true, but that is not the target audience of this website

MalwareTips is a global community of people helping each other with their Security, Technology and Technical Support questions.

Hence my appeal to lower the ambition level, considering the stories of both @Victor M and @WhiteMouse bricking their PC

 

[ForgottenSeer 98186]

The author of this thread mentioned target users like:

"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."

There are people here who are inclined to study what @SpyNetGirl has created. For one, her GitHub explanations save initiated users from a lot of searching and deciphering of Microsoft learn pages. I know it is useful for the sysadmin or security enthusiast looking to gain knowledge through experience.

I do not doubt the veracity of peoples' experience experimenting with WDAC. In a lot of respects, the discussions about Windows security internals here assume that the user can experience any number of troubles. Working with Windows security is not free of risk.

Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.

Actually, H_C protects quite well in an enterprise environment. That statement is based upon real-world deployments in small enterprise environments.

 

[SpyNetGirl]

I got 30 years certificate and also bricked my PC when I tried to replace the certificate. Signed WDAC policy has a very good anti owner evil maid.

Everything is explained in the Microsoft documents. I clearly mentioned the target users for this, it's not for the average home user to quickly do something.

You need to have read everything and understand what you are doing. That "brick" you are talking about is the exact same thing that prevents unauthorized people from accessing your computer and saves you.

Firstly: @SpyNetGirl impressive work and many thanks for the detailed information and setup guides

Secondly: why aim for the moon for home use and start with signed policies? As the use case of @WhiteMouse shows isn't this way to ambitious to get started with WDAC?
View attachment 273456

What about getting stated in AUDIT MODE and enabling the setting 'BOOT AUDIT ON FAILURE' when first turning off AUDIT MODE and running in enforced mode?
View attachment 273457

Home use?
my post above says: Target users range from Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such.

Cryptographically signing the WDAC policy makes it tamper-proof. I use it at home because I've read how to disable it, update it and so on so I won't brick my computer, but I don't recommend it to home users (i.e. people looking for a quick button to secure everything), for home users my hardening script is the best one.

GitHub - HotCakeX/Harden-Windows-Security: Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Ente

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Pers...

github.com

Also in all of my guides I always use AllowMicrosoft default policy which takes care of allowing everything Microsoft including Windows. So there is no chance of boot failure, unless your hardware has problems? You need to be specific and tell me about a specific case because I haven't seen boot failure when using AllowMicrosoft policy.

How to create exception rules when running in audit mode (maybe @SpyNetGirl could add an 'Using audit mode section' to her impressive HOW-TO WDAC tutorial)?

Use audit events to create WDAC policy rules - Windows Security

Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.

learn.microsoft.com

Thanks, do you mean after collecting the audit logs and creating the WDAC policy from them, you want to remove some of the rules?

 

[ForgottenSeer 97327]

Thanks, do you mean after collecting the audit logs and creating the WDAC policy from them,?

Yes, as posted you mentioned the target audience of this thread, but that is different from the target audience of this forum (see my reply to Andy). So when you publish stuf you always have to consider that out of bound target audience is going to use it (at least that is what UX considers best practice in the Netherlands)

 

[SpyNetGirl]

Max90,​

The author of this thread mentioned target users like:
"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."
Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.
It is worth mentioning that WDAC setup presented in this thread will not be appropriate for personal computers.

It's not 1 setup, here are the 6 ways/levels you can use WDAC:

https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction#wdac-usage-levels

and they are very much appropriate and highly recommended for personal computers. only those that are for fully managed devices are harder to maintain for home users that install lots of random programs. Windows 11 22H2 already uses Microsoft recommended driver block rules. Smart App Control is also WDAC, All of them for personal computers.

 

[ForgottenSeer 97327]

As posted @SpyNetGirl mentioned the target audience of this thread, but that is different from the target audience of this forum (see my reply to Andy). So when you publish stuf you always have to consider that out of bound target audience is going to use it (at least that is what UX considers best practice in the Netherlands). So I am not telling you are wrong, just hinting you could do better by taking the 'out of bound' user into the equation, because their negative comments (I have bricked my PC), will impact the valuation of your hard work (which I thanked and applauded explicitelye). But again this is according to Dutch best IT implementation standards.

 

[SpyNetGirl]

I've created a Mega WDAC module and put it on the GitHub here:

Harden-Windows-Security/WDAC-Module.ps1 at main · HotCakeX/Harden-Windows-Security

Harden Windows 11 safely, securely using Official Supported methods with proper explanation | Always up-to-date and works with the latest build of Windows - Harden-Windows-Security/WDAC-Module.ps1 ...

github.com

It automates a lot of things. I've updated a few Wiki posts so far and will update all of them soon. It organizes everything, no more long scripts in the Wiki posts and it's well formatted so easy to understand, verify and Trust.

You can use it like this:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/WDAC-Module.ps1" -OutFile "WDAC-Module.ps1"
Import-Module .\WDAC-Module.ps1 -Force

And after that, just type "New-ConfigWDAC -" in the PowerShell console and press tab, it has tab completion to you don't have to type the parameters

Here are the parameters: (I will add these to the Wiki posts too)

• Get_Recommended_Block_Rules | (Downloads the Microsoft Recommended block list and saves it on the current working directory)
• Get_Recommended_Driver_Block_Rules | (Downloads the Microsoft Recommended driver block list and saves it on the current working directory)
• Merge_Both_Block_Rules_With_Allow_Microsoft | (Downloads the 2 Microsoft recommended block lists and merges them with AllowMicrosoft template policy)
• Install_Latest_Driver_BlockRules | (Installs/Deploys the latest Microsoft recommended driver block rules)
• Create_Scheduled_Task_Auto_Driver_BlockRules_Updat | (Creates a scheduled task that runs every 7 days to download and update the Microsoft recommended driver block rules)
• Create_WDAC_Policy_From_Audit_Logs | (For the Wiki post WDAC for Fully Managed Devices)
• Prep_System_For_MSFT_Only_Audit | (For Audit section of this Wiki post WDAC for Fully Managed Devices)
• Create_Lightly_Managed_WDAC_Policy | (For this wiki post WDAC for Lightly Managed Devices)
• Deploy_Lightly_Managed_WDAC_Policy | (Deploys the WDAC for Lightly Managed Devices)

Let me know if there is any more steps that can be automated.

 

[oldschool]

There are people here who are inclined to study what @SpyNetGirl has created. For one, her GitHub explanations save initiated users from a lot of searching and deciphering of Microsoft learn pages. I know it is useful for the sysadmin or security enthusiast looking to gain knowledge through experience.

This ^^
I for one probably won't use this script but I enjoy reading and learning.

 

[Andy Ful]

Smart App Control is also WDAC, All of them for personal computers.

Smart App Control is based on WDAC, but it has got several features that cannot be applied by your scripts and any known methods. These additional features (similar to classic SRP) make SAC appropriate for personal computers. Furthermore, SmartScreen and ISG work differently in SAC, compared to WDAC.
I do not say that WDAC cannot be used on personal computers (I use it on my 2 computers at home together with SRP). But, I am convinced that such a protection is not appropriate for almost all home users. That is a conclusion based on my two-year experience with WDAC and several years of developing security applications for home users.
Of course, I will not be angry if you think differently.

 

[ForgottenSeer 98186]

But, I am convinced that such a protection is not appropriate for almost all home users.

Default-deny is a niche "market" when it comes to "almost all home users." In my experience as well, users can handle default-deny - IF - you configure it for them, teach them the basics, and are available to them when they run into a situation they cannot figure out on their own.

The experiences home users have with default-deny is dependent upon their expectations, their digital habits and their personal temperaments. An older person who does not download stuff, and remains calm and patient when there is a problem, are easier to interact with.