Advanced Windows hardening with WDAC - Windows Defender Application Control
Quoting ForgottenSeer 97327 (post 1029476):

WDAC is enforced on SYSTEM level, AppLocker on ADMIN level, SRP on SUA level, so when you mess up with WDAC you really mess up.

For MT power users, WDAC with ISG really adds little protection over Defender in MAX or SAC in Windows 11. These are my three TIPS:

TIP 1: On Windows 11 use SAC instead of WDAC.
Add a (free) third-party security solution to enjoy a double check. Defender's SAC and exploit protection also work when you use a third-party security solution.

TIP 2: On Windows 10, when you can't enable Core Isolation, don't use WDAC.
Instead you can use Microsoft Defender on MAX with Hard_Configurator in recommended mode (with the only tweak being to add the Microsoft recommended block rules for LolBins in the H_C sponsor setting; but @Andy Ful posted that he would update the recommended sponsors in H_C, so you might just use the enhanced sponsors setting in H_C for the time being).

TIP 3: Microsoft works well for Microsoft. Think twice when you use a lot of 3p-software.
I have a near Microsoft-only setup (with image and data backup by Macrium Reflect and SyncBack and two secondary scanners, Norton and Sophos) and I used the 7-step approach below to add WDAC on Windows 10 Pro.

My 7-step best-practice WDAC implementation, when you really want to lock your PC in Microsoft Mode (with some signers added):

1. Choose Microsoft mode and add allow rules for Windows and Program Files and Defender Platform in AppData; want to use 3p security --> SHOW STOPPER 1
2. Add allow signatures for image and data backup and secondary security scanners
3. Don't add Microsoft Recommended block rules, use H_C to block sponsors instead (for SUA only)
4. Run in Audit mode first; do you see unexpected WDAC warnings related to hardware features = SHOW STOPPER 2, otherwise add the signer rules for forgotten 3p software and repeat
5. Enforce rules by disabling audit mode, but enable Boot Audit on Failure, update your policy
6. Survive three Patch Tuesday updates before disabling this fail-break option (Boot Audit on Failure); having problems with updates --> SHOW STOPPER 3
7. Now you can also set Configure Defender to MAX to enforce a cloud whitelist for all stuff WDAC allows
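The audit-first roll-out in steps 1 to 6 of the quoted post, scripted as an added example with the ConfigCI cmdlets built into Windows (this is not the poster's own code; the C:\WDAC working folder, the policy name and the publisher .cer file names are assumptions you replace with your own):

```powershell
# Added example, not code from the forum post: the post's audit-first WDAC
# roll-out scripted with the ConfigCI cmdlets that ship with Windows 10/11.
# Run from an elevated PowerShell. $Work, the policy name and the .cer paths
# are assumptions; export your own publisher certificates first.
$Work   = 'C:\WDAC'
$Policy = Join-Path $Work 'HomeLockdown.xml'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 1 ("Microsoft mode"): start from the AllowMicrosoft example policy that
# ships with Windows; it allows Microsoft-signed Windows, Program Files and
# Defender platform binaries without per-path rules to maintain.
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml" $Policy
Set-CIPolicyIdInfo -FilePath $Policy -PolicyName 'HomeLockdown' -ResetPolicyID | Out-Null

# Step 2: allow the publishers of the backup tool and the secondary scanners
# by certificate (placeholder file names; one .cer per signed vendor).
foreach ($Cer in "$Work\backup-publisher.cer", "$Work\scanner-publisher.cer") {
    Add-SignerRule -FilePath $Policy -CertificatePath $Cer -User
}

# Step 3: the Microsoft Recommended Block Rules are deliberately NOT merged in.

# Step 4: audit only. Option 3 (Audit Mode) logs what WOULD be blocked as
# event 3076 instead of blocking; option 0 enables user-mode code integrity;
# option 10 (Boot Audit on Failure) keeps the machine bootable if a
# boot-critical driver would be blocked, the safety net the post keeps in step 5.
0, 3, 10 | ForEach-Object { Set-RuleOption -FilePath $Policy -Option $_ }

function Deploy-Policy([string]$Xml) {
    # Compile the XML to the binary Code Integrity loads from the Active
    # folder (multiple-policy format, {PolicyID}.cip); a reboot activates it.
    $Id  = ([xml](Get-Content $Xml)).SiPolicy.PolicyID
    $Bin = "$env:windir\System32\CodeIntegrity\CiPolicies\Active\$Id.cip"
    ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $Bin | Out-Null
}

function Get-WouldBeBlocked {
    # Distinct files the audit policy would have blocked (FileNameBuffer field of
    # event 3076): each needs a signer rule, or is show-stopper 2 if it is hardware.
    Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
        -FilterXPath '*[System[EventID=3076]]' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[1].Value } | Sort-Object -Unique
}

Deploy-Policy $Policy      # reboot, use the PC for a while, then run Get-WouldBeBlocked
# Step 5: enforce (drop option 3) but keep option 10, redeploy and reboot.
# Step 6: only after three Patch Tuesdays without trouble, drop option 10 too.
# Set-RuleOption -FilePath $Policy -Option 3  -Delete; Deploy-Policy $Policy
# Set-RuleOption -FilePath $Policy -Option 10 -Delete; Deploy-Policy $Policy
```

Anything Get-WouldBeBlocked lists after a few days of normal use is exactly the "forgotten 3p software" the post tells you to add signer rules for before flipping to enforcement.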