Andy Ful

Level 36
Content Creator
Trusted
Verified
Is it possible to use WD Application Control (WDAC) on Windows 10 Home, with disabled WD? The answer is somewhat surprising. Why?

WDAC is a Windows 10 security feature, which was introduced for the Windows Enterprise editions. It can be used only on computers with UEFI. A working WDAC (WD Application Control) code integrity policy cannot be created on Windows Home and Windows Pro via registry tweaks, PowerShell, or GPO.
But a WDAC code integrity policy can be applied on any Windows 10 edition if the user has the SIPolicy.p7b file that was created on a machine with Windows Enterprise.

So, yes - WDAC can be used on Windows 10 Home and Pro. But for the standard home user, applying it in the usual way (blocking applications) would be impractical.

Yet, WDAC can be used as a very practical diagnostic tool to monitor the execution of processes which are not whitelisted by WDAC.
The below events are logged in the Windows Event Log:
  1. All user-mode code not built-in to the OS or originating from the Microsoft Store.
  2. All kernel drivers except Windows, HAL, and ELAM-signed drivers.
The events are logged under Applications and Services Logs >> Microsoft >> Windows >> CodeIntegrity >> Operational, Event ID 3076. It is recommended to make a custom filter only for that event.

Applying it is very easy. Download a pre-built version of SIPolicy.p7b, copy it to C:\Windows\System32\CodeIntegrity (admin rights are required), and reboot. The details are available in Matt Graeber's article:
Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode
 
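The deployment and the event filter described in the post, as an added PowerShell example (not code from the post or from Matt Graeber's article). It assumes the downloaded SIPolicy.p7b was built in audit mode and sits next to the script (the $PolicySource parameter); the Win32_DeviceGuard status check is added so you can confirm after the reboot that the policy is auditing (1) rather than enforcing (2):

```powershell
#Requires -RunAsAdministrator
# Added example. Step 1: run without -Report to copy the policy, then reboot.
# Step 2: run with -Report to check the policy state and summarise event 3076.
param(
    [string]$PolicySource = (Join-Path $PSScriptRoot 'SIPolicy.p7b'),  # assumed location
    [switch]$Report
)

$ciDir  = Join-Path $env:windir 'System32\CodeIntegrity'
$target = Join-Path $ciDir 'SIPolicy.p7b'

function Install-CIPolicy {
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path -Path $Source)) { throw "Policy file not found: $Source" }
    # Keep whatever is already there so the change can be reversed by putting it back.
    if (Test-Path -Path $Destination) {
        Copy-Item -Path $Destination -Destination "$Destination.bak" -Force
    }
    Copy-Item -Path $Source -Destination $Destination -Force
    Write-Host "Copied to $Destination. The kernel reads it at boot, so reboot now."
}

function Get-CIPolicyStatus {
    # 0 = no policy, 1 = audit, 2 = enforced. If this reports 2 after the reboot,
    # the file you deployed was an enforcing policy, not an audit one.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        UserModeEnforcement = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        KernelEnforcement   = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-CIAuditEvents {
    # The same data as the custom filter the post recommends, but as objects you can group.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Field names as they appear in the EventData payload of event 3076.
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            File    = $data['FileNameBuffer']     # the image that would have been blocked
            Process = $data['ProcessNameBuffer']  # the process that tried to load it
        }
    }
}

if ($Report) {
    Get-CIPolicyStatus
    Get-CIAuditEvents -Hours 24 |
        Group-Object -Property File |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
} else {
    Install-CIPolicy -Source $PolicySource -Destination $target
}
```

In audit mode nothing is blocked, so the only effect of a bad policy is noise in the log; the backup copy and the status check are there because an enforcing SIPolicy.p7b dropped into that folder by mistake will start blocking on the next boot, and then the file has to be removed or restored (from the recovery environment if needed) to get the system back.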

Andy Ful

Advanced users could (with a little effort) use WDAC for protecting their computers with Windows Home. It would be necessary to make a VM with a Windows Enterprise trial and manage the main system via a SIPolicy.p7b that has been created in the VM. Yet, this could be done in practice only for a really locked-down system.
 

Andy Ful

The below was posted by me on another thread, but I think that it should also be posted here, for further discussion.

Windows Defender Application Control (WDAC) is very different from HIPS.

"Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode."
Windows Defender Application Control (WDAC) (Windows 10)

So, WDAC is rather a kind of software and driver policy. It is very strong because it can also block .NET DLLs. I have been playing with it for some time, but it cannot be configured via GPO, PowerShell, or reg tweaks on Windows Home and Pro. WDAC can be deployed on any Windows 10 edition via the SIPolicy.p7b file, or on Windows Pro (and higher editions) via GPO if the user has access to the custom policy .bin file. Both SIPolicy.p7b and the custom policy .bin file can be made from the .XML policy file using the PowerShell cmdlets on the Windows Enterprise edition. On Windows Home and Pro the required cmdlets are not available; you get the error "ConvertFrom-CIPolicy : Device Guard is not available in this edition of Windows."

WDAC can also optionally be managed via Mobile Device Management (MDM), such as Microsoft Intune, but I did not try this.
I installed Windows 10 Enterprise, and there WDAC can be configured via PowerShell cmdlets.
I made the SIPolicy.p7b file, which can be copied to C:\Windows\System32\CodeIntegrity, and then WDAC can work on Windows 10 Home and Pro.

In practice, WDAC restrictions can be applied on Windows Home and Pro via SIPolicy.p7b as a default-allow setup with a blacklist for vulnerable applications (script interpreters, etc.) and DLLs; one can use the Bouncer blacklist for that.

Advanced users can apply WDAC restrictions as a default-deny setup for drivers and software, but it is not an easy solution, and can be dangerous to system stability on Windows Home.
 

Andy Ful

Q&A - What built-in HIPS functionality exists in Windows 10 ?
Very Interesting!!
So once you generated a SIP file on Enterprise, you can use it and manage it on Win10 Home and Pro?
What specifically would a home user want to do with WDAC that he can't already do with H_C?
You can manage it via Mobile Device Management (MDM), such as Microsoft Intune, but Intune requires subscription (not free).
There is no advantage for home users in using WDAC instead of the H_C default-deny setup. But it can be used as the blacklist for Interpreters and Sponsors in a default-allow setup. WDAC can protect against many Sponsors (Interpreters and vulnerable system tools) and is stronger than SysHardener in this area.
 

shmu26

Level 72
Content Creator
Trusted
Verified
Q&A - What built-in HIPS functionality exists in Windows 10 ?

You can manage it via Mobile Device Management (MDM), such as Microsoft Intune, but Intune requires subscription (not free).
There is no advantage for home users in using WDAC instead of the H_C default-deny setup. But it can be used as the blacklist for Interpreters and Sponsors in a default-allow setup. WDAC can protect against many Sponsors (Interpreters and vulnerable system tools) and is stronger than SysHardener in this area.
I see. So I guess if you have an Enterprise VM, you could manage it that way, too, although it doesn't sound very convenient. Or you could just convert your Windows 10 Home/Pro to Enterprise with a $5 eBay license, if your conscience allows.

Question about blocking sponsors etc with WDAC: can you set a certain integrity level, or can you go according to User? I mean, can you block process X, but still allow it to be run by SYSTEM?
Another question: can you block process X, but make exceptions for it, according to parent and/or command line?
 

Andy Ful

I see. So I guess if you have an Enterprise VM, you could manage it that way, too, although it doesn't sound very convenient. Or you could just convert your Windows 10 Home/Pro to Enterprise with a $5 eBay license, if your conscience allows.

Question about blocking sponsors etc with WDAC: can you set a certain integrity level, or can you go according to User? I mean, can you block process X, but still allow it to be run by SYSTEM?
Another question: can you block process X, but make exceptions for it, according to parent and/or command line?
It allows a kind of very simple parent checking, but not an advanced one as in Excubits Bouncer.
Furthermore, you cannot allow/block anything by path. For example:
Code:
    <Deny ID="ID_DENY_D_1_1" FriendlyName="scrobj.dll FileRule" FileName="scrobj.dll" MinimumFileVersion="65535.65535.65535.65535" AppIDs="REGSVR32.EXE" />
    <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
The first rule will block scrobj.dll when loaded by REGSVR32.EXE.
The second will block execution of wmic.exe.
The rules apply to all local users and can recognize the file name from the file properties (hardcoded during compilation). So, if you rename the file a.exe to b.exe then both files will be blocked.
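The build step the earlier post describes (PowerShell cmdlets on Windows Enterprise, then copy the resulting SIPolicy.p7b to Home/Pro) together with the two deny rules quoted above, as one added PowerShell example that is not code from the posts. It starts from the AllowAll.xml template that ships under C:\Windows\schemas\CodeIntegrity\ExamplePolicies (a default-allow policy, matching the "default-allow plus blacklist" setup the posts recommend), appends the two rules, leaves the policy in audit mode, and compiles it. The output folder and the rule IDs are assumptions; the FileName/MinimumFileVersion/AppIDs attributes are exactly those from the rules above:

```powershell
# Added example. Run on Windows 10 Enterprise; on Home/Pro ConvertFrom-CIPolicy
# fails with "Device Guard is not available in this edition of Windows".
$ns       = 'urn:schemas-microsoft-com:sipolicy'
$template = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml'
$outDir   = Join-Path $env:USERPROFILE 'Desktop\WDAC'   # assumed working folder
$xmlPath  = Join-Path $outDir 'Blocklist.xml'
$binPath  = Join-Path $outDir 'SIPolicy.p7b'

# The rules from the post. FileName is matched against the OriginalFilename in the
# PE version resource (so renaming the file on disk does not escape the rule), and
# MinimumFileVersion 65535.65535.65535.65535 means "every version". AppIDs restricts
# the scrobj.dll rule to loads by regsvr32.exe, which is the simple parent check.
$denyRules = @(
    @{ ID = 'ID_DENY_D_1_1'; FriendlyName = 'scrobj.dll FileRule'; FileName = 'scrobj.dll'; AppIDs = 'REGSVR32.EXE' },
    @{ ID = 'ID_DENY_WMIC';  FriendlyName = 'wmic.exe';            FileName = 'wmic.exe' }
)

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Copy-Item -Path $template -Destination $xmlPath -Force

[xml]$policy = Get-Content -Path $xmlPath -Raw
$nsm = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$nsm.AddNamespace('si', $ns)

$fileRules = $policy.SelectSingleNode('/si:SiPolicy/si:FileRules', $nsm)
# SigningScenario Value 12 is user-mode code; 131 is kernel-mode drivers.
$umSigners = $policy.SelectSingleNode(
    "/si:SiPolicy/si:SigningScenarios/si:SigningScenario[@Value='12']/si:ProductSigners", $nsm)
if (-not $fileRules -or -not $umSigners) { throw "Template layout not recognised: $template" }
$umRefs = $umSigners.SelectSingleNode('si:FileRulesRef', $nsm)
if (-not $umRefs) { $umRefs = $umSigners.AppendChild($policy.CreateElement('FileRulesRef', $ns)) }

foreach ($rule in $denyRules) {
    $deny = $policy.CreateElement('Deny', $ns)
    $deny.SetAttribute('ID', $rule.ID)
    $deny.SetAttribute('FriendlyName', $rule.FriendlyName)
    $deny.SetAttribute('FileName', $rule.FileName)
    $deny.SetAttribute('MinimumFileVersion', '65535.65535.65535.65535')
    if ($rule.AppIDs) { $deny.SetAttribute('AppIDs', $rule.AppIDs) }
    [void]$fileRules.AppendChild($deny)

    # A file rule only takes effect once the user-mode scenario references it.
    $ref = $policy.CreateElement('FileRuleRef', $ns)
    $ref.SetAttribute('RuleID', $rule.ID)
    [void]$umRefs.AppendChild($ref)
}
$policy.Save($xmlPath)

# Rule options: 3 = Enabled:Audit Mode (log event 3076 instead of blocking),
# 9 = Enabled:Advanced Boot Options Menu (keeps the boot menu for recovery),
# 6 = Enabled:Unsigned System Integrity Policy (the policy is not being signed).
Set-RuleOption -FilePath $xmlPath -Option 3
Set-RuleOption -FilePath $xmlPath -Option 9
Set-RuleOption -FilePath $xmlPath -Option 6

# Compile the XML into the binary that the kernel reads at boot.
ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath
Write-Host "Built $binPath. Copy it to $env:windir\System32\CodeIntegrity on the Home/Pro machine and reboot."

# To switch from audit to enforce later, drop option 3 and rebuild:
#   Set-RuleOption -FilePath $xmlPath -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath
```

Keep the policy in audit mode until the 3076 events on the target machine show only the files you expect; only then remove option 3. Since the template is default-allow, the enforcing version only ever blocks what the Deny rules name, which is the blacklist-of-sponsors use the posts describe rather than a full default-deny.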
 

shmu26

It allows a kind of very simple parent checking, but not an advanced one as in Excubits Bouncer.
Furthermore, you cannot allow/block anything by path. For example:
Code:
    <Deny ID="ID_DENY_D_1_1" FriendlyName="scrobj.dll FileRule" FileName="scrobj.dll" MinimumFileVersion="65535.65535.65535.65535" AppIDs="REGSVR32.EXE" />
    <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
The first rule will block scrobj.dll when loaded by REGSVR32.EXE.
The second will block execution of wmic.exe.
The rules apply to all local users and can recognize the file name from the file properties (hardcoded during compilation). So, if you rename the file a.exe to b.exe then both files will be blocked.
Fascinating. So this can actually complement H_C in the places where you need more flexibility, for instance, if you have a program that depends on a certain sponsor, you can make an exception for it.
 

Andy Ful

But you can't make exceptions like I was talking about?
Not in the usual sense, but you can mix several kinds of allow and deny rules by the file name/hash, publisher, publisher rule combined with a version number, file publisher, and several kinds of certificate types.
As I said, the cons of WDAC are the lack of path rules and no wildcard support.
 

shmu26

Not in the usual sense, but you can mix several kinds of allow and deny rules by the file name/hash, publisher, publisher rule combined with a version number, file publisher, and several kinds of certificate types.
As I said, the cons of WDAC are the lack of path rules and no wildcard support.
Still, it sounds very cool. Forgive my chutzpah and my ignorance, but I would be happy if you could educate us about which dlls are dangerous, and why, and how to block them without borking the system.