Is there a source we can read to compare the features that SAC has to WDAC?
Would you please elaborate?
Advanced Windows hardening with WDAC - Windows Defender Application Control
- Thread starter SpyNetGirl
- Start date
- Mar 29, 2018
- 7,698
I found this Application Control for Windows
And somewhere I read that SAC is User-Mode WDAC, whatever User mode is.
- Apr 19, 2017
- 249
I finally made it works, but I can only put some of supplemental policies into EFI, too many files will trigger automatic repair loop 
- Dec 23, 2014
- 8,592
I think so. Unfortunately, from the fact that WDAC is more appropriate in enterprises, it follows that it is less appropriate/optimal at home.
I had the same problem with SRP. The known configurations were also inappropriate at home because they were adjusted to the enterprise environment which is very different from the home environment. It took me 5 years to find a more appropriate setup (with much help from MT members).
Anyway, this thread is not a good place for such discussion. It would be better to make a poll (if someone is interested).
- Dec 23, 2014
- 8,592
This can be easily misunderstood. WDAC uses several options and one of them is User Mode Code Integrity (UMCI).
It does not mean that there is something like User-Mode WDAC. If UMCI is enabled, then WDAC can validate kernel-mode drivers and additionally also user mode executables and scripts. If UMCI is disabled, then WDAC can validate only kernel mode drivers.
- Dec 23, 2014
- 8,592
I doubt if there are such sources, except for some posts scattered on the MT forum.
WDAC ISG has got a special treatment of executables with MOTW. If SmartScreen allows the installer downloaded from the Internet, then ISG will also allow the Exe and DLL files executed by the installer (with some exceptions). Without the MOTW, the SmartScreen ignores the installer, and the installation would be broken if some of the Exe or Dll files tried to execute (while not allowed by ISG).
On the contrary, SAC mostly allows the initial installer if it is allowed by SmartScreen (SmartScreen is a part of SAC), but does not automatically allow the Exe and Dll files dropped/loaded/executed during the installation.
I often used this behavior to fool WDAC. Many applications (installed in UserSpace) blocked normally by WDAC ISG, could be still executed by using RunBySmartscreen. This cannot be done for applications installed in %ProgramFiles% because RunBySmartscreen does not add MOTW in this location.
Post corrected.
Last edited:
- Jan 30, 2023
- 113
New-ConfigWDAC (Windows Defender Application Control) Module, automates most of the tasks, even signing and deploying a signed WDAC policy, so happy with this one, takes care of repetitive stuff for me 
PowerShell gallery
GitHub
disregard the previous comment about it lol I can't edit it and it points to a different directory on the repo.
Added a note to the signing wiki post to tell people to test their policy before signing it.
PowerShell gallery
GitHub
disregard the previous comment about it lol I can't edit it and it points to a different directory on the repo.
Added a note to the signing wiki post to tell people to test their policy before signing it.
- Jan 30, 2023
- 113
I see there are talks about ISG (Intelligent Security Graph) and Smart App Control:
One of the differences between using ISG in a WDAC policy vs using Smart App Control (which also use ISG) is that WDAC policy + ISG rule option passes along reputation from app installers to the binaries they write to disk, it can over-authorize files in some cases. For example, if the installer launches the app upon completion, any files the app writes during that first run will also be allowed.
Smart App Control however doesn't do this, it will trust the installer file itself if it's trustworthy and subsequently checks the trustworthiness of any binaries the installer tries to use and write to the disk, if any of those binaries or components can't be verified or are malicious, they get blocked.
Explained more in here:
github.com
One of the differences between using ISG in a WDAC policy vs using Smart App Control (which also use ISG) is that WDAC policy + ISG rule option passes along reputation from app installers to the binaries they write to disk, it can over-authorize files in some cases. For example, if the installer launches the app upon completion, any files the app writes during that first run will also be allowed.
Smart App Control however doesn't do this, it will trust the installer file itself if it's trustworthy and subsequently checks the trustworthiness of any binaries the installer tries to use and write to the disk, if any of those binaries or components can't be verified or are malicious, they get blocked.
Explained more in here:
WDAC for Lightly Managed Devices
Harden Windows 11 safely, securely using Official Supported methods with proper explanation | Always up-to-date and works with the latest build of Windows - HotCakeX/Harden-Windows-Security
github.com
Okay, I bookmarked @SpyNetGirl github, but so much hard work should be rewarded with a sticky in Microsoft Security forum section IMO.
To be honest in 2019, it took me less than an half an hour to setup my first WDAC. Half the time spend on making an image backup and creating a Macrium reflect recovery USB and testing this recovery fallback option (using this USB).
Until now I have not implemented the Microsoft Recommended blacklist in WDAC, but in SRP for SUA. I will move the ones which are blocked by SAC to WDAC (thanks @oldschool) and keep the remaining LoLBins in SRP blacklist merged with the ones Microsoft adviced for Windows-S (thanks @Oerlink) and use @SpyNetGirl script to automate the update of the driver blacklist.
I thought that I had the most restricted Windows setup of MT, but read that Andy Full also implemented this at home a d guess SpyNetGirl will have a more tighter setup considering the stuff she posted on WDAC and Windos hardening (my Microsof hardening also dates back to 2019)
To be honest in 2019, it took me less than an half an hour to setup my first WDAC. Half the time spend on making an image backup and creating a Macrium reflect recovery USB and testing this recovery fallback option (using this USB).
Until now I have not implemented the Microsoft Recommended blacklist in WDAC, but in SRP for SUA. I will move the ones which are blocked by SAC to WDAC (thanks @oldschool) and keep the remaining LoLBins in SRP blacklist merged with the ones Microsoft adviced for Windows-S (thanks @Oerlink) and use @SpyNetGirl script to automate the update of the driver blacklist.
I thought that I had the most restricted Windows setup of MT, but read that Andy Full also implemented this at home a d guess SpyNetGirl will have a more tighter setup considering the stuff she posted on WDAC and Windos hardening (my Microsof hardening also dates back to 2019)
Last edited by a moderator:
- Apr 19, 2017
- 249
Sorry, I've already out of the Solar system. If you have time, watch Matt Graeber's videos about extremely strict WDAC policy. I'd like to implement that one day.
- Apr 19, 2017
- 249
- Dec 23, 2014
- 8,592
WDAC. Overly complex. Convoluted. A pain to maintain. Too much work.
It is one thing to deploy WDAC to a single nice, clean Windows home user system or virtual machine. It is quite another to deploy it in enterprise.
Which admin is still installing software on individual PC's?
. In the Netherlands most companies roll out pre-set images to a few different types of devices (max three to five device variances). In my company we have five device variances which are rolled out identically: a 'top end desktop' HP PC, an Intel 'office' NUC , a 'management' Surface Pro and a 'power user' 17 inch HP laptop and 'ambulant worker' HP 15 inch laptop. We write off hardware in 5 years, each year replacing one of the five 'worker profile' devices.In 2019 I did an internal project and met our company's sysadmin. My company wanted to assess the risk of fully working at home, to be ready for the upcoming Covid19 troubles (our worst case scenario of Covid19 became reality). I was impressed with the sysadmin's confidence on IT-security. He explained me a little on WDAC, showed me the WDAC wizzard. His adagium was KISS keep it simple stupid. Things become complex when you allow a lot of variances. When you keep things simple you don't need complex and expensive third-party management and control software.
That is how I managed a strict WDAC policy (Microsof only + Macrium Reflect + Syncback + Norton & Sophos secondary scanners allowed) up and running in less than 30 minutes (spending more than half the time on double checking my image backup and recovery procedure).
Last edited by a moderator:
- Mar 29, 2018
- 7,698
SAC works beautifully here. It's "smart" so I don't need to be.
You had a unique opportunity, but most users aren't like you.
I was not talking about SAC. SAC is partially dependent upon WDAC, but full-on WDAC is a completely different animal.
I never said that any admin is installing software on individual.Which admin is still installing software on individual PC's?
The vast majority of companies do not do this. Many companies still use Windows 7 and Server 2008 machines. Not only that they will continue to use old hardware until it dies.
There is huge variance built-in to environments with old hardware, old OS, all the different software, etc. Any self-respecting security professional has to account for that and make sure everything is covered.
Microsoft itself has admitted that WDAC deployments have been troublesome. So any fanboism or defense of WDAC in terms of enterprise deployment is just plain ignorant.
Actually, at the enterprise level, 3rd party software are often more reliable, less complex, and much easier to use than Microsoft's solutions. Take InTune as a single example. It is a pain to use and often does not work correctly. I've received lots of complaints from the field about InTune not working correctly with Windows 11 22H2 systems. Submit a trouble ticket to Microsoft and you'll wait weeks, and sometimes months, to get the issues resolved. There are enough times where Microsoft support ends up saying "we can't help you." Meanwhile the company has spent a ton of money on Microsoft's overly expensive solutions and support.
So if productivity and profit are of primary importance, then yes, you do need 3rd party software. The relatively poor usability of Microsoft solutions is the reason why a 3rd party market thrives to the tune of 1+ trillion euro valuations.
Last edited by a moderator:
- Mar 29, 2018
- 7,698
I realize that. I meant that SAC is an easier alternative to WDAC for most users even though it's not the same animal. Even SAC and SRP together are easier.
Microsoft explicitly has stated numerous times that SAC is intended for home users - those home users that basically use an essentially 100% Microsoft system. Oh, SAC will allow some 3rd party software due to the numerous complaints about it blocking known-good programs and components, including Microsoft's own. Now Microsoft has made it so that people can set registry keys to turn SAC OFF\ON because it finally gave into the reality that home users are not going to abide having to do a clean install so they can use SAC. Heck, the vast majority of home users don't even know SAC is on their system.
I don't use any shady software on my personal computers. They are all very familiar names such as VMWare, Bitwarden, Authy, etc but despite this, SAC always turns itself OFF on my systems. I already know that if SAC behaves that way on my tightly controlled system, then for millions upon millions of home users SAC is going to turn itself OFF. So not sure exactly what Microsoft is intending to do because right now SAC as a protection for the masses is an epic fail.
SAC is not intended for "users who want to use stuff."
Edit: I think the concept of unmanaged free-use digital systems and allowing users to do whatever they want on their systems is dinosaur ideology.
Last edited by a moderator:
Dear Oerlink, since you did not understand my first reply, I will try to explain it better
Our company buys a limited (in our case 5) different types of PC's. Each device type is optimized for a specific use. For each of those types (5 variances for our 180 employees), you set them up (once) and create a standard image, which you deploy to all devices with the same hardware in your enterprise. Because we (like many companies) have moved our data and applications to the cloud, the images are very clean. Windows takes care of all hardware related software and all of our business applications are SAAS (Software As A Service) solutions, there is little application software on a PC these days. That is also the reason we use refurbished hardware (and are still on Windows10).
Last edited by a moderator:
Similar threads
