Advanced Plus Security WhiteMouse's Security Config 2022

Last updated
Sep 21, 2022
Use case
For personal use
Shared with
No one
Desktop OS
Windows 11
Windows OS SKU
Education
Login Unlock
  • Passwordless PIN or Biometrics
Sign-in with
Microsoft account
Primary user
Standard rights - Restricted permissions that prevent harmful changes
OS updates
Automatic updates
Windows UAC
Always notify
Network firewall
Router with network security
Always-on protection
Microsoft Defender
Firewall
Microsoft Defender Firewall (Windows 11 & 10)
Custom RT/Firewall security
  • Security Baseline for Windows 11 22H2, Microsoft Edge and Microsoft Office.
  • Custom WDAC policy: Default Windows + Microsoft recommended block rules + Whitelist all files in Program Files by digital signature or hash + HVCI strict mode.
  • Microsoft Edge: Super Duper Secure mode on for all sites.
Malware testing
No malware samples
Periodic scanning
None
VPN
IVPN
Password manager
Bitwarden
Browsers and Extensions
Microsoft Edge
Utilities for Maintenance
Storage Sense
Files & Photos backup
Onedrive
Files & Photos backup routine
Automatic
Emergency recovery plan
Macrium Reflect
Integrity of recovery plan
Extensively tested on more than one occasion, with many successful results.
Tasks performed
    • Browsing the Internet without an Ad-blocker
    • Browsing to unknown sites
    • Working from home
    • Receiving, sending and opening email attachments
    • Buying goods from online stores, entering card details and addresses
    • Logging into personal banking to check statements and payments
    • Downloading software from reputable sites
    • PC games, mods and cloud-based gaming
    • Watching movies and TV series via subscriptions
    • Streaming audio and videos from sites
Feedback response

I am mostly satisfied. Minimal feedback is appreciated, for minor changes to patch any missed security / privacy issues.

WhiteMouse

  1. First, go to "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\", where you'll see a file called "DefaultWindows_Enforced.xml"; copy that file to the Downloads folder.

  2. Go to "Microsoft recommended block rules - Windows security", scroll down until you see a purple note, click "Expand this section to see the WDAC policy XML" and then click on the Copy button at the top right.

    Create a new text file, paste into it, and save the file as "MicrosoftRecommendedBlockRules.xml".

  3. Open Terminal (Administrator), change directory to Downloads using "cd .\Downloads\" and create a new policy for Program Files and Program Files (x86) using New-CIPolicy:
    New-CIPolicy -ScanPath 'C:\Program Files' -UserPEs -FilePath ".\ProgramFiles.xml" -Level Publisher -Fallback Hash
    New-CIPolicy -ScanPath 'C:\Program Files (x86)' -UserPEs -FilePath ".\ProgramFilesx86.xml" -Level Publisher -Fallback Hash

  4. Then merge all of those .xml into 1 .xml file:
    Merge-CIPolicy -PolicyPaths '.\DefaultWindows_Enforced.xml','.\MicrosoftRecommendedBlockRules.xml' -OutputFilePath '.\MergedPolicy.xml'
    Merge-CIPolicy -PolicyPaths '.\MergedPolicy.xml','.\ProgramFiles.xml' -OutputFilePath '.\MergedPolicy2.xml'
    Merge-CIPolicy -PolicyPaths '.\MergedPolicy2.xml','.\ProgramFilesx86.xml' -OutputFilePath '.\MergedPolicy3.xml'

  5. Go to "Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) - Windows security"; there's a list of policy rules (from 0 to 20) that you can add to your .xml file. Use these commands to add or remove a policy rule:
    Set-RuleOption -FilePath <Path to policy XML> -Option <number>
    Set-RuleOption -FilePath <Path to policy XML> -Option <number> -Delete

    I use numbers 0, 2, 4, 6, 12, 19 and 20 and remove everything else. You can use Notepad to open the .xml file to see which policy rules are already there and which are missing.

  6. Set HVCI to either enabled mode or strict mode:
    Set-HVCIOptions -Enabled -FilePath <Path to policy XML>
    Set-HVCIOptions -Strict -FilePath <Path to policy XML>

  7. Convert policy into binary file:
    ConvertFrom-CIPolicy -XmlFilePath <Path to policy XML> -BinaryFilePath "<Policy name>.cip"
    Open the .xml file and scroll to the end; you'll see this line: <PolicyID>{A6D7FBBF-9F6B-4072-BF37-693741E1D745}</PolicyID> (the ID here is just an example, yours will be different).
    Rename your .cip file to "{Insert your policy ID here}.cip" with {} bracket.

  8. Finally, copy your .cip file to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" and reboot your computer.
Note: There's a chance that after you've done all of the above, some files still get blocked by WDAC. Here are the things that could happen and their solutions:
  • Some files have a digital signature that got revoked (rarely happens): copy all those files into one folder, use New-CIPolicy to scan that folder with -Level Hash (no need for -Fallback), then open the .xml with Notepad, use Ctrl + F to find those files and replace the path of the temp folder where you scanned them with the path of the original folder where the files are located.
  • Drivers get blocked because they're not WHQL signed: Set-RuleOption -FilePath <Path to policy XML> -Option 2 -Delete
  • Files get blocked because they're not in Program Files or Program Files (x86): this shouldn't happen (at least on my computer it doesn't), but if it does, copy those files to one folder and use New-CIPolicy to scan that folder with -Level Publisher -Fallback Hash
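Steps 3 to 8 above chained into one elevated PowerShell script (added example, not the thread author's own script). It assumes the built-in ConfigCI cmdlets, that DefaultWindows_Enforced.xml and MicrosoftRecommendedBlockRules.xml already sit in Downloads as prepared in steps 1 and 2, and it reads the PolicyID out of the XML instead of renaming the .cip by hand.

```powershell
#Requires -RunAsAdministrator
# Added example: automates the WDAC policy build described in the post.
# Assumes the ConfigCI module (ships with Windows) and the two source XML
# files from steps 1 and 2 already in the Downloads folder.
$ErrorActionPreference = 'Stop'
Set-Location "$env:USERPROFILE\Downloads"

# Step 3: scan both Program Files trees; publisher rules, hash as fallback.
New-CIPolicy -ScanPath 'C:\Program Files' -UserPEs -FilePath '.\ProgramFiles.xml' -Level Publisher -Fallback Hash
New-CIPolicy -ScanPath 'C:\Program Files (x86)' -UserPEs -FilePath '.\ProgramFilesx86.xml' -Level Publisher -Fallback Hash

# Step 4: Merge-CIPolicy takes a list, so the three merges collapse into one call.
$merged = '.\MergedPolicy.xml'
Merge-CIPolicy -PolicyPaths '.\DefaultWindows_Enforced.xml', '.\MicrosoftRecommendedBlockRules.xml',
                            '.\ProgramFiles.xml', '.\ProgramFilesx86.xml' -OutputFilePath $merged

# Step 5: keep exactly the rule options the author uses, delete every other one (0-20).
$keep = 0, 2, 4, 6, 12, 19, 20
foreach ($opt in 0..20) {
    if ($keep -contains $opt) { Set-RuleOption -FilePath $merged -Option $opt }
    else                      { Set-RuleOption -FilePath $merged -Option $opt -Delete }
}

# Step 6: HVCI strict mode, as in the author's config.
Set-HVCIOptions -Strict -FilePath $merged

# Step 7: the PolicyID already carries its braces, so it is the .cip file name as-is.
$policyId = ([xml](Get-Content -Raw $merged)).SiPolicy.PolicyID
$cip = ".\$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $cip

# Step 8: stage the binary policy; it is enforced after the next reboot.
Copy-Item $cip -Destination 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\'
Write-Host "Staged $cip - reboot to activate."
```

Run it once with option 3 (Audit Mode) left in $keep to check the event log for blocks before enforcing; removing 3 afterwards, as the author does, switches the policy to enforced.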