New Update Advanced Windows hardening with WDAC - Windows Defender Application Control

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
Created WDAC - Windows Defender Application Control - guides and scripts on my GitHub, sharing them here.
Target users range from Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such.

There are PowerShell scripts included too that can help automate things.

Please note implementing WDAC needs high-level knowledge about it, the Wiki pages assume you already know the basics but if you don't, in the resources section I've included all the links to Microsoft learn website.
If you have any questions and need quick response, use GitHub discussion because I'm more active there.
 
Last edited:

WhiteMouse

Level 5
Verified
Well-known
Apr 19, 2017
234

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96

After I typed Common Name in step 5 and enrolled it, I got a certificate issued by and to "Common Name", the expired date is 1 year after I enrolled.

That Microsoft's article assumes you have an Enterprise CA already and configured it, so it only explains the steps that you have to take afterwards.

You need to use my guide which explains how to set up Enterprise CA role first and the configuration needed to create certificate that can have even 30 years expiry date. I used Windows Server documents to create it.


I covered everything from 0 to hero, and tried to be as detailed as possible so please follow it and if you think there is any details missing, let me know so I can update it. thanks
 
F

ForgottenSeer 97327

Firstly: @SpyNetGirl impressive work and many thanks for the detailed information and setup guides (y)(y)(y)

Secondly: why aim for the moon for home use and start with signed policies? As the use case of @WhiteMouse shows isn't this way to ambitious to get started with WDAC?
1678442922743.png


What about getting stated in AUDIT MODE and enabling the setting 'BOOT AUDIT ON FAILURE' when first turning off AUDIT MODE and running in enforced mode?
1678443105976.png


How to create exception rules when running in audit mode (maybe @SpyNetGirl could add an 'Using audit mode section' to her impressive HOW-TO WDAC tutorial)?

 
Last edited by a moderator:

Victor M

Level 7
Verified
Well-known
Oct 3, 2022
342
bricked my PC when I tried to replace the certificate.
I also bricked my laptop while playing around with WDAC. Restoring from backup disk image doesn't work. And re-installing Win 11 doesn't work ( 1st reboot fails ). I even tried sanitizing the drive and then do a re-install. No joy. Had to sell it running Ubuntu at a big di$count. (Ubuntu works) Didn't know about the WDAC Toolkit. At least if everything is menu driven then it might have been better.
 
Last edited:
F

ForgottenSeer 97327

WDAC is enforced on SYSTEM level, AppLocker on ADMIN level, SRP on SUA level, so when you mess up with WDAC you really mess up.

MT-power users WDAC with ISG really adds little protection over Defender in MAX or SAC in Windows 11, this are my three TIPS

TIP 1: On Windows11 use SAC in stead of WDAC
Add a (free) third-party security solutions to enjoy a double check. Defender's SAC and exploit protection also works when you use a third-party security solution.

TIP 2: On Windows10 when you can't enable Core Isolation, don't use WDAC,
In stead you can use Microsoft Defender on MAX instead with Hard_Configurator in recommended mode (with only tweak tp add the Microsoft recommended block rules for LolBins in the _C sponsor setting, (but @Andy Ful posted that he would update the recommended sponsors in H_C, so you might just use the enhanced sponsors setting in H_C for the time being).

TIP 3: Microsoft works well for Microsoft. Think twice when you use a lot of 3p-software.
I have a near Microsoft only setup (with image and data backup of Macrium Reflect and SyncBack and two secondary scanners Norton and Sophos) and I used the 7 step approach below to add WDAC on Windows10 Pro.

My 7 step best practice WDAC implementation, when you really want to lock your PC in Microsoft Mode (with some signers added)

1. Choose Microsoft mode and add allow rules for Windows and Program Files and Defender Platform in AppData, want to use 3p security --> SHOW STOPPER 1
2. Add allow signatures for image and data backup and secondary security scanners
3. Don't add Microsoft Recommended block rules, use H_C to block sponsors instead (for SUA only)
4. Run in Audit mode first, do you see unexpected WDAC warning related to hardware features = SHOW STOPPER 2 otherwise add the signer rules for forgotten 3p software and repeat
5. Enforce rules by disabling audit mode, but enable Boot Audit on Failure, update your policy
6. Survive three Patch Tuesday updates before disabling this fail break option (Boot Audit on Failure), having problems with updates --> SHOW STOPPER 3
7. Now you can also set Configure Defender to MAX to enforce a cloud whitelist for all stuf WDAC allows
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040

Max90,​

The author of this thread mentioned target users like:
"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."
Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.
It is worth mentioning that WDAC setup presented in this thread will not be appropriate for personal computers.
 
F

ForgottenSeer 97327

@Andy Ful and @SpyNetGirl

Completely true, but that is not the target audience of this website
MT website description said:
MalwareTips is a global community of people helping each other with their Security, Technology and Technical Support questions.

Hence my appeal to lower the ambition level, considering the stories of both @Victor M and @WhiteMouse bricking their PC
 
F

ForgottenSeer 98186

The author of this thread mentioned target users like:

"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."
There are people here who are inclined to study what @SpyNetGirl has created. For one, her GitHub explanations save initiated users from a lot of searching and deciphering of Microsoft learn pages. I know it is useful for the sysadmin or security enthusiast looking to gain knowledge through experience.

I do not doubt the veracity of peoples' experience experimenting with WDAC. In a lot of respects, the discussions about Windows security internals here assume that the user can experience any number of troubles. Working with Windows security is not free of risk.

Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.
Actually, H_C protects quite well in an enterprise environment. That statement is based upon real-world deployments in small enterprise environments.
 

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
I got 30 years certificate and also bricked my PC when I tried to replace the certificate. Signed WDAC policy has a very good anti owner evil maid.

Everything is explained in the Microsoft documents.
I clearly mentioned the target users for this, it's not for the average home user to quickly do something.

You need to have read everything and understand what you are doing. That "brick" you are talking about is the exact same thing that prevents unauthorized people from accessing your computer and saves you.

Firstly: @SpyNetGirl impressive work and many thanks for the detailed information and setup guides (y)(y)(y)

Secondly: why aim for the moon for home use and start with signed policies? As the use case of @WhiteMouse shows isn't this way to ambitious to get started with WDAC?
View attachment 273456

What about getting stated in AUDIT MODE and enabling the setting 'BOOT AUDIT ON FAILURE' when first turning off AUDIT MODE and running in enforced mode?
View attachment 273457

Home use?
my post above says: Target users range from Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such.

Cryptographically signing the WDAC policy makes it tamper-proof. I use it at home because I've read how to disable it, update it and so on so I won't brick my computer, but I don't recommend it to home users (i.e. people looking for a quick button to secure everything), for home users my hardening script is the best one.


Also in all of my guides I always use AllowMicrosoft default policy which takes care of allowing everything Microsoft including Windows. So there is no chance of boot failure, unless your hardware has problems? You need to be specific and tell me about a specific case because I haven't seen boot failure when using AllowMicrosoft policy.

How to create exception rules when running in audit mode (maybe @SpyNetGirl could add an 'Using audit mode section' to her impressive HOW-TO WDAC tutorial)?


Thanks, do you mean after collecting the audit logs and creating the WDAC policy from them, you want to remove some of the rules?
 
F

ForgottenSeer 97327

Thanks, do you mean after collecting the audit logs and creating the WDAC policy from them,?
Yes, as posted you mentioned the target audience of this thread, but that is different from the target audience of this forum (see my reply to Andy). So when you publish stuf you always have to consider that out of bound target audience is going to use it (at least that is what UX considers best practice in the Netherlands)
 
  • Like
Reactions: simmerskool

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96

Max90,​

The author of this thread mentioned target users like:
"Enterprises, Highly-Secure Servers and Data Centers, Highly-Secure Workstations and such."
Hard_Configurator was not intended to protect computers in such environments - it is adjusted for home users.
It is worth mentioning that WDAC setup presented in this thread will not be appropriate for personal computers.

It's not 1 setup, here are the 6 ways/levels you can use WDAC:


and they are very much appropriate and highly recommended for personal computers. only those that are for fully managed devices are harder to maintain for home users that install lots of random programs. Windows 11 22H2 already uses Microsoft recommended driver block rules. Smart App Control is also WDAC, All of them for personal computers.
 
Last edited:
F

ForgottenSeer 97327

As posted @SpyNetGirl mentioned the target audience of this thread, but that is different from the target audience of this forum (see my reply to Andy). So when you publish stuf you always have to consider that out of bound target audience is going to use it (at least that is what UX considers best practice in the Netherlands). So I am not telling you are wrong, just hinting you could do better by taking the 'out of bound' user into the equation, because their negative comments (I have bricked my PC), will impact the valuation of your hard work (which I thanked and applauded explicitelye). But again this is according to Dutch best IT implementation standards.
 
  • Like
Reactions: simmerskool

SpyNetGirl

Level 3
Thread author
Jan 30, 2023
96
I've created a Mega WDAC module and put it on the GitHub here:

It automates a lot of things. I've updated a few Wiki posts so far and will update all of them soon. It organizes everything, no more long scripts in the Wiki posts and it's well formatted so easy to understand, verify and Trust.

You can use it like this:

Code:
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/WDAC-Module.ps1" -OutFile "WDAC-Module.ps1"
Import-Module .\WDAC-Module.ps1 -Force

And after that, just type "New-ConfigWDAC -" in the PowerShell console and press tab, it has tab completion to you don't have to type the parameters 🙂

Here are the parameters: (I will add these to the Wiki posts too)


Let me know if there is any more steps that can be automated.
 
Last edited:

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
There are people here who are inclined to study what @SpyNetGirl has created. For one, her GitHub explanations save initiated users from a lot of searching and deciphering of Microsoft learn pages. I know it is useful for the sysadmin or security enthusiast looking to gain knowledge through experience.
This ^^
I for one probably won't use this script but I enjoy reading and learning.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Smart App Control is also WDAC, All of them for personal computers.
Smart App Control is based on WDAC, but it has got several features that cannot be applied by your scripts and any known methods. These additional features (similar to classic SRP) make SAC appropriate for personal computers. Furthermore, SmartScreen and ISG work differently in SAC, compared to WDAC.
I do not say that WDAC cannot be used on personal computers (I use it on my 2 computers at home together with SRP). But, I am convinced that such a protection is not appropriate for almost all home users. That is a conclusion based on my two-year experience with WDAC and several years of developing security applications for home users.
Of course, I will not be angry if you think differently.
 
Last edited:
F

ForgottenSeer 98186

But, I am convinced that such a protection is not appropriate for almost all home users.
Default-deny is a niche "market" when it comes to "almost all home users." In my experience as well, users can handle default-deny - IF - you configure it for them, teach them the basics, and are available to them when they run into a situation they cannot figure out on their own.

The experiences home users have with default-deny is dependent upon their expectations, their digital habits and their personal temperaments. An older person who does not download stuff, and remains calm and patient when there is a problem, are easier to interact with.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top