Advanced Windows hardening with WDAC - Windows Defender Application Control

oldschool

Is there a source we can read to compare the features that SAC has to WDAC?
I found this Application Control for Windows
Smart App Control enforces the Microsoft Recommended Driver Block rules and the Microsoft Recommended Block Rules, with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:

  • Infdefaultinstall.exe
  • Microsoft.Build.dll
  • Microsoft.Build.Framework.dll
  • Wslhost.dll
And somewhere I read that SAC is User-Mode WDAC, whatever User mode is.

Andy Ful

The experiences home users have with default-deny is dependent upon their expectations, their digital habits and their personal temperaments. An older person who does not download stuff, and remains calm and patient when there is a problem, is easier to interact with.
I think so. Unfortunately, from the fact that WDAC is more appropriate in enterprises, it follows that it is less appropriate/optimal at home.
I had the same problem with SRP. The known configurations were also inappropriate at home because they were adjusted to the enterprise environment which is very different from the home environment. It took me 5 years to find a more appropriate setup (with much help from MT members).
Anyway, this thread is not a good place for such discussion. It would be better to make a poll (if someone is interested).

Andy Ful

I found this Application Control for Windows

And somewhere I read that SAC is User-Mode WDAC, whatever User mode is.
This can be easily misunderstood. WDAC uses several options and one of them is User Mode Code Integrity (UMCI).
It does not mean that there is something like User-Mode WDAC. If UMCI is enabled, then WDAC can validate kernel-mode drivers and additionally also user mode executables and scripts. If UMCI is disabled, then WDAC can validate only kernel mode drivers.

Andy Ful

Is there a source we can read to compare the features that SAC has to WDAC?
I doubt if there are such sources, except for some posts scattered on the MT forum.

Would you please elaborate?

WDAC ISG has got a special treatment of executables with MOTW. If SmartScreen allows the installer downloaded from the Internet, then ISG will also allow the Exe and DLL files executed by the installer (with some exceptions). Without the MOTW, the SmartScreen ignores the installer, and the installation would be broken if some of the Exe or Dll files tried to execute (while not allowed by ISG).
On the contrary, SAC mostly allows the initial installer if it is allowed by SmartScreen (SmartScreen is a part of SAC), but does not automatically allow the Exe and Dll files dropped/loaded/executed during the installation.

I often used this behavior to fool WDAC. Many applications (installed in UserSpace) blocked normally by WDAC ISG, could be still executed by using RunBySmartscreen. This cannot be done for applications installed in %ProgramFiles% because RunBySmartscreen does not add MOTW in this location.

Post corrected.

SpyNetGirl

New-ConfigWDAC (Windows Defender Application Control) Module, automates most of the tasks, even signing and deploying a signed WDAC policy, so happy with this one, takes care of repetitive stuff for me 😇

PowerShell gallery

GitHub

Disregard the previous comment about it lol, I can't edit it and it points to a different directory on the repo.

Added a note to the signing wiki post to tell people to test their policy before signing it.

SpyNetGirl

I see there are talks about ISG (Intelligent Security Graph) and Smart App Control:

One of the differences between using ISG in a WDAC policy vs using Smart App Control (which also uses ISG) is that a WDAC policy + ISG rule option passes along reputation from app installers to the binaries they write to disk, so it can over-authorize files in some cases. For example, if the installer launches the app upon completion, any files the app writes during that first run will also be allowed.

Smart App Control however doesn't do this: it will trust the installer file itself if it's trustworthy and subsequently checks the trustworthiness of any binaries the installer tries to use and write to the disk; if any of those binaries or components can't be verified or are malicious, they get blocked.

Explained more in here:

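Andy Ful's point about UMCI (without it WDAC validates only kernel-mode drivers) and SpyNetGirl's point about the ISG rule option passing installer reputation along are both visible in the policy XML. The following is an added example, not code from the thread or from any of the tools mentioned in it: it parses a constructed WDAC policy fragment and reports the enforcement scope and the options a reviewer would want flagged before deploying. The sample policy text is made up for the demonstration.

```python
import xml.etree.ElementTree as ET

# WDAC policies use this XML namespace; rule options live under <Rules>.
NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed sample policy (not a real deployed policy): UMCI, audit mode and
# ISG authorization all switched on, policy left unsigned.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:Intelligent Security Graph Authorization</Option></Rule>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
</SiPolicy>"""


def rule_options(policy_xml):
    """Return the set of <Option> strings found under <Rules> in a WDAC policy."""
    root = ET.fromstring(policy_xml)
    return {o.text.strip() for o in root.findall("si:Rules/si:Rule/si:Option", NS) if o.text}


def summarize(policy_xml):
    """Summarize enforcement scope and the options worth a second look."""
    opts = rule_options(policy_xml)
    umci = "Enabled:UMCI" in opts
    isg = "Enabled:Intelligent Security Graph Authorization" in opts
    audit = "Enabled:Audit Mode" in opts
    warnings = []
    if not umci:
        warnings.append("no UMCI: only kernel-mode drivers are validated")
    if isg:
        warnings.append("ISG: reputation of a trusted installer flows to files it writes")
    if audit:
        warnings.append("audit mode: violations are logged, not blocked")
    return {
        "scope": "kernel+user" if umci else "kernel-only",
        "audit_only": audit,
        "isg": isg,
        "signed_policy_required": "Enabled:Unsigned System Integrity Policy" not in opts,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

Run it against a policy exported from your own machine to see whether the policy is user-mode enforcing, audit-only, or relying on ISG before you sign it.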

ForgottenSeer 97327

Okay, I bookmarked @SpyNetGirl github, but so much hard work should be rewarded with a sticky in Microsoft Security forum section IMO.

To be honest, in 2019 it took me less than half an hour to set up my first WDAC. Half the time was spent on making an image backup, creating a Macrium Reflect recovery USB and testing this recovery fallback option (using this USB).

Until now I have not implemented the Microsoft Recommended blacklist in WDAC, but in SRP for SUA. I will move the ones which are blocked by SAC to WDAC (thanks @oldschool) and keep the remaining LoLBins in the SRP blacklist merged with the ones Microsoft advised for Windows S (thanks @Oerlink), and use @SpyNetGirl's script to automate the update of the driver blacklist.

I thought that I had the most restricted Windows setup on MT, but read that Andy Ful also implemented this at home, and I guess SpyNetGirl will have a tighter setup considering the stuff she posted on WDAC and Windows hardening (my Microsoft hardening also dates back to 2019).

WhiteMouse

Secondly: why aim for the moon for home use and start with signed policies? As the use case of @WhiteMouse shows, isn't this way too ambitious to get started with WDAC?
Sorry, I'm already out of the Solar System. If you have time, watch Matt Graeber's videos about extremely strict WDAC policy. I'd like to implement that one day.

ForgottenSeer 97327

WDAC. Overly complex. Convoluted. A pain to maintain. Too much work.

It is one thing to deploy WDAC to a single nice, clean Windows home user system or virtual machine. It is quite another to deploy it in enterprise.
Which admin is still installing software on individual PCs? :unsure::ROFLMAO::cool:. In the Netherlands most companies roll out pre-set images to a few different types of devices (max three to five device variances). In my company we have five device variances which are rolled out identically: a 'top end desktop' HP PC, an Intel 'office' NUC, a 'management' Surface Pro, a 'power user' 17 inch HP laptop and an 'ambulant worker' HP 15 inch laptop. We write off hardware in 5 years, each year replacing one of the five 'worker profile' devices.

In 2019 I did an internal project and met our company's sysadmin. My company wanted to assess the risk of fully working at home, to be ready for the upcoming Covid19 troubles (our worst case scenario of Covid19 became reality). I was impressed with the sysadmin's confidence in IT security. He explained a little about WDAC to me and showed me the WDAC wizard. His adage was KISS: keep it simple, stupid. Things become complex when you allow a lot of variances. When you keep things simple you don't need complex and expensive third-party management and control software.

That is how I got a strict WDAC policy (Microsoft only + Macrium Reflect + Syncback + Norton & Sophos secondary scanners allowed) up and running in less than 30 minutes (spending more than half the time on double checking my image backup and recovery procedure).

ForgottenSeer 98186

SAC works beautifully here. It's "smart" so I don't need to be.
I was not talking about SAC. SAC is partially dependent upon WDAC, but full-on WDAC is a completely different animal.

Which admin is still installing software on individual PC's? :unsure::ROFLMAO::cool:
I never said that any admin is installing software on individual.

We write off hardware in 5 years, each year replacing one of the five 'worker profile' devices.
The vast majority of companies do not do this. Many companies still use Windows 7 and Server 2008 machines. Not only that they will continue to use old hardware until it dies.

Things become complex when you allow a lot of variances.
There is huge variance built-in to environments with old hardware, old OS, all the different software, etc. Any self-respecting security professional has to account for that and make sure everything is covered.

Microsoft itself has admitted that WDAC deployments have been troublesome. So any fanboyism or defense of WDAC in terms of enterprise deployment is just plain ignorant.

When you keep things simple you don't need complex and expensive third-party management and control software.
Actually, at the enterprise level, 3rd party software is often more reliable, less complex, and much easier to use than Microsoft's solutions. Take Intune as a single example. It is a pain to use and often does not work correctly. I've received lots of complaints from the field about Intune not working correctly with Windows 11 22H2 systems. Submit a trouble ticket to Microsoft and you'll wait weeks, and sometimes months, to get the issues resolved. There are enough times where Microsoft support ends up saying "we can't help you." Meanwhile the company has spent a ton of money on Microsoft's overly expensive solutions and support.

So if productivity and profit are of primary importance, then yes, you do need 3rd party software. The relatively poor usability of Microsoft solutions is the reason why a 3rd party market thrives to the tune of 1+ trillion euro valuations.

oldschool

I was not talking about SAC. SAC is partially dependent upon WDAC, but full-on WDAC is a completely different animal.
I realize that. I meant that SAC is an easier alternative to WDAC for most users even though it's not the same animal. Even SAC and SRP together are easier.

ForgottenSeer 98186

I meant that SAC is an easier alternative to WDAC for most users even though it's not the same animal.
Microsoft has explicitly stated numerous times that SAC is intended for home users - those home users that basically use an essentially 100% Microsoft system. Oh, SAC will allow some 3rd party software due to the numerous complaints about it blocking known-good programs and components, including Microsoft's own. Now Microsoft has made it so that people can set registry keys to turn SAC OFF/ON because it finally gave in to the reality that home users are not going to abide having to do a clean install so they can use SAC. Heck, the vast majority of home users don't even know SAC is on their system.

I don't use any shady software on my personal computers. They are all very familiar names such as VMWare, Bitwarden, Authy, etc but despite this, SAC always turns itself OFF on my systems. I already know that if SAC behaves that way on my tightly controlled system, then for millions upon millions of home users SAC is going to turn itself OFF. So not sure exactly what Microsoft is intending to do because right now SAC as a protection for the masses is an epic fail.

SAC is not intended for "users who want to use stuff."

Edit: I think the concept of unmanaged free-use digital systems and allowing users to do whatever they want on their systems is dinosaur ideology.

ForgottenSeer 97327

WDAC. Overly complex. Convoluted. A pain to maintain. Too much work.

It is one thing to deploy WDAC to a single nice, clean Windows home user system or virtual machine. It is quite another to deploy it in enterprise.
Dear Oerlink, since you did not understand my first reply, I will try to explain it better.

Our company buys a limited number (in our case 5) of different types of PCs. Each device type is optimized for a specific use. For each of those types (5 variances for our 180 employees), you set them up (once) and create a standard image, which you deploy to all devices with the same hardware in your enterprise. Because we (like many companies) have moved our data and applications to the cloud, the images are very clean. Windows takes care of all hardware related software and all of our business applications are SaaS (Software As A Service) solutions; there is little application software on a PC these days. That is also the reason we use refurbished hardware (and are still on Windows 10).