New Update Advanced Windows hardening with WDAC - Windows Defender Application Control

ForgottenSeer 98186

Dear Oerlink, since you did not understand my first reply, I will try to explain it better

Our company buys a limited number (in our case 5) of different types of PCs. Each device type is optimized for a specific use. For each of those types (5 variants for our 180 employees), you set them up (once) and create a standard image, which you deploy to all devices with the same hardware in your enterprise. Because we (like many companies) have moved our data and applications to the cloud, the images are very clean. Windows takes care of all hardware-related software and all of our business applications are SaaS (Software as a Service) solutions, so there is little application software on a PC these days. That is also the reason we use refurbished hardware (and are still on Windows 10).
That is not how most larger companies work. Most definitely not how government agencies work. They still do on-premises or hybrid.

I deal only with companies and organizations with 10,000+ employees and endpoints. The largest deployment I have been involved in was 350,000 endpoints. All the discussions of "how easy it is" to do blah, blah, blah does not apply to deployments at scales above a few thousand endpoints.

ForgottenSeer 97327

That is not how most larger companies work. Most definitely not how government agencies work. They still do on-premises or hybrid.
That is correct, large and heavy organizations tend to move more slowly. In the US there are just over 1000 companies with 10.000+ employees while there are nearly 5 million companies with less than 10. In the US companies with over 500 employees are considered large enterprise and in the EU over 250 employees. Still in the US the 10.000+ companies only represent 5% (in numbers) of this "large enterprise" market. Since you talked about THE enterprise market in your initial response, I thought it would help to enlighten you with this factual data.
I deal only with companies and organizations with 10,000+ employees and endpoints. The largest deployment I have been involved in was 350,000 endpoints. All the discussions of "how easy it is" to do blah, blah, blah does not apply to deployments at scales above a few thousand endpoints.
Being a contract and service manager working in IT-related services for governments and (very) large companies (that is why I often work abroad), I recognize the communicating style and tone of voice I sometimes encounter in IT-management and support departments, therefore I am wondering in what capacity you were working for those 10.000+ employee companies?

Andy Ful

The term enterprise can have two or more meanings:
  1. Any business organization.
  2. Very big business organization.
I am not sure which one is used by @SpyNetGirl.

From Wikipedia (Australia, United States, Canada, Europe):

[Image: table of business size definitions (by number of employees), not reproduced here]

https://en.wikipedia.org/wiki/Small_business

From OECD (the answer from Bing AI):
Enterprises can be classified in different categories according to their size; for this purpose, different criteria may be used, but the most common is number of people employed. Small and medium-sized enterprises (SMEs) employ fewer than 250 people. SMEs are further subdivided into micro enterprises (fewer than 10 employees), small enterprises (10 to 49 employees), and medium-sized enterprises (50 to 249 employees). Large enterprises employ 250 or more people.


Additional info:
https://www.cubeler.com/en-ca/blog/...or Small-to,the different types of companies.
https://en.wikipedia.org/wiki/Small_and_medium-sized_enterprises

SpyNetGirl

Thread author
Updated the repository and website with clarifying info about some of the subjects talked about in this thread, especially about alternative hardening tools/scripts etc. They are actually important pieces of info that I never thought were necessary to mention.

WDAC (Windows Defender Application Control) is easier to implement and maintain in enterprises and organizations where there is a clear guideline and a select set of software that is allowed to run. The module I made, which is just a wrapper for the actual cmdlets, automates everything and makes it so much easier.

All enterprises and orgs etc. need to do is take the AllowMicrosoft or WindowsOnly default policies and either create a supplemental policy or merge a policy that allows all the other 3rd party software that they need to run. Let's say a company has selected 50 programs to be allowed to be installed/run/updated on all systems; it's easy, and there is more than one way to create trust for those programs. WDAC provides many granular controls over the workflow. You don't need to keep any Windows images, backups etc. You don't need to create modified Windows images to deploy WDAC. A WDAC policy doesn't care which Windows image you use; it does its job regardless, with only 1 or 2 files depending on whether it's signed or unsigned.

Each department in a huge enterprise might share the same 50 programs that are common among all employees, but might also need special program packages. No problem: make a supplemental WDAC policy to allow those programs and then deploy the policy only to those workstations.

This cuts down on expenses, as there is no need for security solutions from outside since all of the features are built into Windows.

Enterprises and big organizations aren't only limited to WDAC though, but this thread is only about it. Microsoft has a huge variety of security solutions for them.

For home users, depending on the level of WDAC you consider using, it can be either very easy or very hard to maintain. If you are a home user with a very dynamic workflow, who installs, updates and uninstalls many new programs constantly, then consider using WDAC for lightly managed devices if you just want to add some extra protection. It uses ISG and takes care of allowing all the good programs to run; it will also let you add some programs to the allow list manually if they get blocked as malicious. If not that, then there is Smart App Control, which is stronger and doesn't currently let you allow specific programs manually.

If you are a home user that only installs and updates a few programs every now and then and for the most part has a constant list of programs necessary for your daily usage, then you can implement WDAC for fully managed devices.

But honestly, WDAC for fully managed devices, for a well-informed user, is overkill. Use the hardening script and that's all you need. There is no need for a fully managed WDAC policy if you aren't going to intentionally compromise yourself and let malware in. I say intentionally, meaning you yourself turn off the security features of Windows, the ones the hardening script enables and enforces, and literally download malware containing zero-days (which is hard to come by).

One thing is for sure though: there is no need for any 3rd party security solution in Windows. They are all marketing, making you think you need other AV solutions, otherwise you are in danger. The same tactics are used by VPN providers, the usual scare tactic. Some people might not like hearing it, but it's the fact. All of the advanced security features are already built deep inside the core of Windows, available to you for free. All you need to do is turn them on and enjoy the safe experience.

Security shouldn't be hard and time-consuming; that's one reason why I made the script to automate things and spend my time on more important things. 😊
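The base-plus-supplemental workflow described in the post above, written out as an added example with Windows' own ConfigCI cmdlets and CiTool.exe; this is not code from the WDACConfig module or from the thread author. The working folder, the department application folder, the policy names and the Windows 11 / elevated PowerShell environment are assumptions. The base policy starts in audit mode, so a rule that is scoped too narrowly shows up as Code Integrity event 3076 in the event log instead of as a blocked application, and enforcement is switched on only after that log is clean.

```powershell
# Added example (not the WDACConfig module's code): AllowMicrosoft base policy
# plus one supplemental policy for a department's extra software.
# Assumptions: Windows 11 with CiTool.exe, elevated PowerShell, and the
# department's software installed under $AppDir.
$Work   = "C:\WDAC"                     # assumed working directory
$AppDir = "C:\Program Files\DeptApps"   # assumed folder holding the department's software
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Base policy: start from the AllowMicrosoft template that ships with Windows.
$BaseXml = Join-Path $Work "Base_AllowMicrosoft.xml"
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml" $BaseXml
# -ResetPolicyID gives the policy a fresh GUID and puts it in multiple-policy format.
Set-CIPolicyIdInfo -FilePath $BaseXml -PolicyName "Base-AllowMicrosoft" -ResetPolicyID | Out-Null
Set-RuleOption -FilePath $BaseXml -Option 3    # Enabled:Audit Mode (log instead of block, for the rollout)
Set-RuleOption -FilePath $BaseXml -Option 17   # Enabled:Allow Supplemental Policies
Set-RuleOption -FilePath $BaseXml -Option 16   # Enabled:Update Policy No Reboot
$BaseId = ([xml](Get-Content $BaseXml)).SiPolicy.PolicyID

# 2. Supplemental policy: scan the department folder, trust by publisher where
#    files are signed and fall back to a file hash where they are not.
$SuppXml = Join-Path $Work "Supp_DeptApps.xml"
New-CIPolicy -FilePath $SuppXml -ScanPath $AppDir -Level Publisher -Fallback Hash `
             -UserPEs -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $SuppXml -PolicyName "Supp-DeptApps" `
                   -SupplementsBasePolicyID $BaseId
$SuppId = ([xml](Get-Content $SuppXml)).SiPolicy.PolicyID

# 3. Compile both policies to binary; naming the file after the policy GUID keeps
#    it matching what CiTool lists later.
$BaseBin = Join-Path $Work "$BaseId.cip"
$SuppBin = Join-Path $Work "$SuppId.cip"
ConvertFrom-CIPolicy -XmlFilePath $BaseXml -BinaryFilePath $BaseBin | Out-Null
ConvertFrom-CIPolicy -XmlFilePath $SuppXml -BinaryFilePath $SuppBin | Out-Null

# 4. Deploy the base first, then the supplement, and confirm both are active.
& "$env:windir\System32\CiTool.exe" --update-policy $BaseBin -json
& "$env:windir\System32\CiTool.exe" --update-policy $SuppBin -json
& "$env:windir\System32\CiTool.exe" --list-policies -json

# 5. Review audit events before enforcing. Event ID 3076 is written for every
#    binary that would have been blocked; once it stays quiet, drop option 3
#    from the base policy and repeat steps 3 and 4 for it.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
# Set-RuleOption -FilePath $BaseXml -Option 3 -Delete   # enforcement, after the audit log is clean
```

The supplement is the only part that changes per department, so the same base policy can be deployed everywhere and a different `.cip` supplement goes to each group of workstations. For the lightly managed case mentioned later in the post, the folder scan would be replaced by setting option 14 (Enabled:Intelligent Security Graph Authorization) on the base policy.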

ForgottenSeer 97327

You don't need to keep any Windows images, backups etc. Don't need to create modified Windows images to deploy WDAC.
My point about the images was that our company only has 5 different types of PCs and 5 different types of software configurations. These 5 are standardized configs and were only mentioned to explain that implementing WDAC is not really a hassle. In the Netherlands it is common to use standard hardware with prepackaged images corresponding to the job role someone has (so when you hire a new recruit you just order a PC, throw away the existing software with which that PC came, and load a standard image).

ForgottenSeer 98186

implementing WDAC is not really a hassle
Yeah. It is. In large enterprises with lots of different departments, hundreds of different software packages, diverse IT admin systems and procedures across all those departments, all editions and versions of Windows, VDI, obsolete hardware, no network maps, etc., there are ALWAYS problems deploying WDAC. I've seen WDAC cause problems or conflicts with Active Directory, Group Policy, Just Enough Administration, PowerShell SSH, and others.

Like I said, when a company has a nice, tidy deployment of endpoints, sure, WDAC is not really a hassle. That's not how it works in very large organizations. It is a tedious, convoluted process. You can argue that those problems have nothing to do with the WDAC technology itself, but otherwise WDAC does contribute to problems.

ForgottenSeer 97327

Yeah. It is. In large enterprises with lots of different departments, hundreds of different software packages, diverse IT admin systems and procedures across all those departments, all editions and versions of Windows, VDI, obsolete hardware, no network maps, etc.
Organizations which make such a mess of their infrastructure have other (and probably bigger) problems than WDAC.

In what capacity did you work for those 10.000+ endpoint organizations?

ForgottenSeer 98186

In what capacity did you work for those 10.000+ endpoint organizations?
Field Engineering and Compliance

Organizations which make such a mess of their infrastructure have other (and probably bigger) problems than WDAC.
This is how most companies operate. Any environment greater than a couple hundred endpoints in size starts to get messy. Then the older the company, the more likely it will have old hardware and many back-end messes. For example, most banks still use COBOL on ancient hardware. Governments are even worse.

I do not know why but lots of people think the average enterprise has a nice, well-organized, well-staffed, well-funded IT department with nice, tidy hardware, accurate network maps, all software and users accounted for, all old user accounts purged, GPOs and AD correctly configured, etc.

lol, No. Just no.

ForgottenSeer 97327

When old 3Gen is wrapped in, for instance, WebSphere service layers, it is no problem that it is old, because the back-end process of a bank transaction from 1983 is the same as in 2023. The front end and (network) access have changed.

COBOL running on mainframes has nothing to do with WDAC on endpoints :ROFLMAO:

ForgottenSeer 98186

When old 3Gen is wrapped in, for instance, WebSphere service layers, it is no problem that it is old, because the back-end process of a bank transaction from 1983 is the same as in 2023. The front end and (network) access have changed.

COBOL running on mainframes has nothing to do with WDAC on endpoints :ROFLMAO:
You work for a tiny employer that has a nice, tidy infrastructure. That is easy to deploy and maintain. Your experience is not the experience of the vast majority of IT sysadmins.

Of course COBOL has nothing to do with WDAC. How would you ever think that I was saying that it did? You missed the point in that companies and organizations are resistant to change, do not want to spend the money to upgrade, and these environments are difficult to manage.

It is a hoot watching people talk here about "enterprise" deployments on 183 endpoints and talking as if their experience applies to 10,000+ endpoints. Two different worlds. The first one has very little to do with the second one.

SpyNetGirl

Thread author
I made some YouTube videos for this:

  • Creating WDAC policy Code Signing Certificate in Windows Server vNext in 2023 and deploying it
  • How to Configure, Use and Setup Signed WDAC (Windows Defender Application Control) Policy
  • How to Configure, Use and Setup WDAC (Windows Defender Application Control) Automatically WDACConfig