Advanced Plus Security WhiteMouse's Security Config 2023

Last updated: Jan 1, 2023
Use case: Private use
Desktop OS: Windows 11
Device encryption: BitLocker (Windows)
Login unlock:
    • Passwordless (PIN or Biometrics)
OS updates: Automatic updates
User Access Control: Always notify
Smart App Control: Off by Microsoft (cannot be re-enabled)
WiFi network security:
    Router firewall: ON
    Firmware: up-to-date
Malware protection: Microsoft Defender
Firewall protection: Microsoft Defender Firewall for Windows 11 / 10
Custom security info:
  • Security Baseline for Windows 11 22H2, Microsoft Edge and Microsoft Office.
  • Custom WDAC policy: Default Windows + Microsoft recommended block rules + Whitelist all files in Program Files by digital signature or hash + HVCI strict mode.
  • Microsoft Edge: Super Duper Secure mode on for all sites.
Periodic scanners: None
Malware samples: I do not participate in malware testing.
Default browser / extensions: Microsoft Edge: Adblock Plus, Bitwarden
VPN: Mullvad VPN
Password manager: Bitwarden
Maintenance tools: Storage Sense
Personal backup: OneDrive
Backup frequency: Automatic
Recovery backup: Macrium Reflect
Recovery plan integrity: Many successful results with my recovery plan
Risk factors:
    • Browsing the Internet without an ad-blocker
    • Browsing to unknown / untrusted / shady sites
    • Working from home
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Gaming
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Notable changes:
    2023/1/1: Replace IVPN with Mullvad VPN
    2022/12/31: Added Bitwarden extension
    2022/12/21: Added Adblock Plus extension
Feedback response: Not looking for any specific feedback, but suggestions welcomed.

WhiteMouse

Level 4
Thread author
Verified
Well-known
Apr 19, 2017
171
  1. First, go to "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\"; you'll see a file called "DefaultWindows_Enforced.xml". Copy that file to the Downloads folder.

  2. Go to "Microsoft recommended block rules - Windows security", scroll down until you see a purple note, click "Expand this section to see the WDAC policy XML" and then click on the Copy button at the top right.
    [screenshot attachment]

    Create a new text file, paste into it, and save the file as "MicrosoftRecommendedBlockRules.xml".

  3. Open Terminal (Administrator), change directory to Downloads using "cd .\Downloads\" and create a new policy for Program Files and Program Files (x86) using New-CIPolicy:
    New-CIPolicy -ScanPath 'C:\Program Files' -UserPEs -FilePath ".\ProgramFiles.xml" -Level Publisher -Fallback Hash
    New-CIPolicy -ScanPath 'C:\Program Files (x86)' -UserPEs -FilePath ".\ProgramFilesx86.xml" -Level Publisher -Fallback Hash

  4. Then merge all of those .xml files into one .xml file:
    Merge-CIPolicy -PolicyPaths '.\DefaultWindows_Enforced.xml','.\MicrosoftRecommendedBlockRules.xml' -OutputFilePath '.\MergedPolicy.xml'
    Merge-CIPolicy -PolicyPaths '.\MergedPolicy.xml','.\ProgramFiles.xml' -OutputFilePath '.\MergedPolicy2.xml'
    Merge-CIPolicy -PolicyPaths '.\MergedPolicy2.xml','.\ProgramFilesx86.xml' -OutputFilePath '.\MergedPolicy3.xml'

  5. Go to "Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) - Windows security"; there's a list of policy rules (from 0 to 20) that you can add to your .xml file. Use these commands to add or remove a policy rule:
    Set-RuleOption -FilePath <Path to policy XML> -Option <number>
    Set-RuleOption -FilePath <Path to policy XML> -Option <number> -Delete

    I use number 0, 2, 4, 6, 12, 19, 20 and remove everything else. You can use Notepad to open .xml file to see what policy rule is already there and what is missing.

  6. Set HVCI to either enabled mode or strict mode:
    Set-HVCIOptions -Enabled -FilePath <Path to policy XML>
    Set-HVCIOptions -Strict -FilePath <Path to policy XML>

  7. Convert policy into binary file:
    ConvertFrom-CIPolicy -XmlFilePath <Path to policy XML> -BinaryFilePath "<Policy name>.cip"
    Open the .xml file and scroll to the end; you'll see this line: <PolicyID>{A6D7FBBF-9F6B-4072-BF37-693741E1D745}</PolicyID> (the ID here is just an example; yours will be different).
    Rename your .cip file to "{Insert your policy ID here}.cip" with {} bracket.

  8. Finally, copy your .cip file to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" and reboot your computer.
Note: There's a chance that after you have done all of the things above, some files still get blocked by WDAC. Here is what could happen and the solution:
  • Some files have a digital signature but it got revoked (rarely happens): copy all those files into one folder and use New-CIPolicy to scan that folder with -Level Hash (no need for -Fallback). After that, open the .xml with Notepad, use Ctrl + F to find those files and replace the path of the temp folder where you scanned them with the path of the original folder where the files are located.
  • Drivers get blocked because they are not WHQL signed: Set-RuleOption -FilePath <Path to policy XML> -Option 2 -Delete
  • Files get blocked because they are not in Program Files or Program Files (x86): this shouldn't happen (at least on my computer it doesn't), but if it does, copy those files to one folder and use New-CIPolicy to scan that folder with -Level Publisher -Fallback Hash
 
Last edited by a moderator:
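To tie the eight steps above together, here is an added PowerShell script (written for this page, not the thread author's own commands) that runs the single-merged-policy build the post describes and checks the result before anything is copied to the Active folder. It assumes an elevated session on Windows 11 with the ConfigCI cmdlets the post uses, that the block-rules XML from step 2 has already been saved in Downloads, and the names $Work, $KeepOptions and Get-PolicyOptions are this example's own. It merges the four XML files in one Merge-CIPolicy call instead of three pairwise calls, and it reads the rule options and PolicyID out of the XML instead of opening it in Notepad.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread author's script. Assumes an elevated Windows 11 session
# with the ConfigCI module (New-CIPolicy, Merge-CIPolicy, Set-RuleOption, Set-HVCIOptions,
# ConvertFrom-CIPolicy) and MicrosoftRecommendedBlockRules.xml already saved to $Work (step 2).

$Work       = Join-Path $env:USERPROFILE 'Downloads'
$Base       = Join-Path $Work 'DefaultWindows_Enforced.xml'
$BlockRules = Join-Path $Work 'MicrosoftRecommendedBlockRules.xml'
$Merged     = Join-Path $Work 'MergedPolicy.xml'
$Active     = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active'

# Rule options the post keeps: 0 Enabled:UMCI, 2 Required:WHQL, 4 Disabled:Flight Signing,
# 6 Enabled:Unsigned System Integrity Policy, 12 Required:Enforce Store Applications,
# 19 Enabled:Dynamic Code Security, 20 Enabled:Revoked Expired As Unsigned.
$KeepOptions = 0, 2, 4, 6, 12, 19, 20

# Return the <Option> strings under <Rules> in a policy XML (what the post suggests checking in Notepad).
function Get-PolicyOptions([string]$Path) {
    $xml = [xml](Get-Content -Path $Path -Raw)
    @($xml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
}

# Step 1: copy the example policy. Step 2 (block rules) is a manual copy/paste in the post.
Copy-Item 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml' $Base -Force
if (-not (Test-Path $BlockRules)) { throw "Save the Microsoft recommended block rules to $BlockRules first (step 2)." }

# Step 3: scan both Program Files trees; Publisher level, hash fallback for unsigned files.
$Scans = @()
foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)') {
    $out = Join-Path $Work (($dir -replace '[^A-Za-z0-9]', '') + '.xml')   # CProgramFiles.xml, CProgramFilesx86.xml
    New-CIPolicy -ScanPath $dir -UserPEs -FilePath $out -Level Publisher -Fallback Hash
    $Scans += $out
}

# Step 4: merge everything into one policy in a single call.
Merge-CIPolicy -PolicyPaths (@($Base, $BlockRules) + $Scans) -OutputFilePath $Merged | Out-Null

# Step 5: drop every rule option 0..20 first, then add back only the kept set.
0..20        | ForEach-Object { Set-RuleOption -FilePath $Merged -Option $_ -Delete }
$KeepOptions | ForEach-Object { Set-RuleOption -FilePath $Merged -Option $_ }

# Step 6: HVCI strict mode, matching the config summary at the top of the thread.
Set-HVCIOptions -Strict -FilePath $Merged

# Sanity checks before the policy gets anywhere near the Active folder.
$opts = Get-PolicyOptions $Merged
if ($opts -contains 'Enabled:Audit Mode') { throw 'Audit mode is still set; the policy would log instead of block.' }
if ($opts -notcontains 'Enabled:UMCI')    { throw 'User-mode code integrity is not enabled; option 0 is missing.' }

# Step 7: the binary must be named after the PolicyID GUID, braces included.
$policyId = ([xml](Get-Content -Path $Merged -Raw)).SiPolicy.PolicyID
$cip = Join-Path $Work "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $cip | Out-Null

Write-Host "Policy $policyId ready at $cip with options: $($opts -join ', ')"
# Step 8: deploy and reboot (left commented out so the script can be dry-run first).
# Copy-Item $cip $Active; Restart-Computer
```

The option listing printed at the end is the check that the later posts in this thread turn on: a policy that still carries Enabled:Audit Mode only logs, and an installer downloaded from the browser will run exactly as Victor M describes.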

Victor M

Level 2
Oct 3, 2022
72
So WhiteMouse, I followed your instructions re WDAC and rebooted. Then I downloaded Firefox to my Downloads folder and the installer runs! I suppose this is due to some existing rule having Option 14 Enabled:Intelligent Security Graph Authorization specified, allowing programs with 'good reputation' to run. What if someone breaks into my desktop using scripts to install a signed RAT? I would be screwed. There are several existing policies inside the policy folder, and I don't know what they are allowing, and I can't remove them because one of them must be designed to allow MS Windows System32 programs to run.

EDIT: So I created a cip for the Windows folder. Moved all the existing cips to another folder. And copied in my cip to the Active folder. So now I only have the 2 cips I created. And the Firefox installer still runs!
 
Last edited:

WhiteMouse

Level 4
Thread author
Verified
Well-known
Apr 19, 2017
171
So WhiteMouse, I followed your instructions re WDAC and rebooted. Then I downloaded Firefox to my Downloads folder and the installer runs! I suppose this is due to some existing rule having Option 14 Enabled:Intelligent Security Graph Authorization specified, allowing programs with 'good reputation' to run. What if someone breaks into my desktop using scripts to install a signed RAT? I would be screwed. There are several existing policies inside the policy folder, and I don't know what they are allowing, and I can't remove them because one of them must be designed to allow MS Windows System32 programs to run.

EDIT: So I created a cip for the Windows folder. Moved all the existing cips to another folder. And copied in my cip to the Active folder. So now I only have the 2 cips I created. And the Firefox installer still runs!

I did mention above I only use 0, 2, 4, 6, 12, 19, 20; everything else must be REMOVED. There's no need to scan "\Windows\System32\"; DefaultWindows_Enforced has already covered that folder by default. That guide I made is for a single WDAC policy; it doesn't work for multiple WDAC policies.

And btw, I stopped using the guide I made above because it's too much work to maintain it when an application updates to a new version. I'll post the new guide I'm currently using if you're interested in that.

Also, this is the result I got from running Firefox installer on my computer

[screenshot attachment]
 

Victor M

Level 2
Oct 3, 2022
72
Do you think my WDAC not working can be due to my Win 11 machine being over 10 yrs old and installed using a workaround for not having a TPM? Or maybe because my old CPU does not support virtualization protection (VBS)?
 

WhiteMouse

Level 4
Thread author
Verified
Well-known
Apr 19, 2017
171
Do you think my WDAC not working can be due to my Win 11 machine being over 10 yrs old and installed using a workaround for not having a TPM? Or maybe because my old CPU does not support virtualization protection (VBS)?
My computer doesn't meet the requirements for Windows 11 and I don't have a TPM.
 

Victor M

Level 2
Oct 3, 2022
72
I found out what I did wrong. You posted only your chosen options: 0, 2, 4, 6, 12, 19, 20 but did not mention I have to specifically Delete option 3, which, as the MS site says, is a default.

Also I am working on a newer 2yr old machine now, and VBS is fully supported.
 
Last edited:

WhiteMouse

Level 4
Thread author
Verified
Well-known
Apr 19, 2017
171
Update:
  1. First, go to "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\", copy "DefaultWindows_Enforced.xml" to Downloads folder.

  2. Go to "Microsoft recommended block rules - Windows security", scroll down until you see a purple note, click "Expand this section to see the WDAC policy XML" and then click on the Copy button at the top right.
    [screenshot attachment]

    Create a new text file, paste into it, and save the file as "MicrosoftRecommendedBlockRules.xml".

  3. Open Terminal (Administrator), change directory to Downloads using "cd .\Downloads\" and create a new policy for each software you INSTALLED in Program Files and Program Files (x86) using New-CIPolicy:
    New-CIPolicy -ScanPath 'C:\Program Files\(name of software)' -UserPEs -FilePath ".\(name of software).xml" -Level FilePublisher -Fallback Hash
    New-CIPolicy -ScanPath 'C:\Program Files (x86)\(name of software)' -UserPEs -FilePath ".\(name of software).xml" -Level FilePublisher -Fallback Hash

  4. Go to "Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) - Windows security"; there's a list of policy rules (from 0 to 20) that you can add to your DefaultWindows_Enforced.xml file. Use these commands to add or remove a policy rule:
    Set-RuleOption -FilePath ".\DefaultWindows_Enforced.xml" -Option <number>
    Set-RuleOption -FilePath ".\DefaultWindows_Enforced.xml" -Option <number> -Delete

    I use number 0, 2, 4, 6, 12, 19, 20 and remove everything else. You can use Notepad to open .xml file to see what policy rule is already there and what is missing.
    For "MicrosoftRecommendedBlockRules.xml" and each "(name of software).xml", run this command:
    Set-RuleOption -FilePath <Path to policy XML> -Option 3 -Delete

  5. Set HVCI to either enabled mode or strict mode (Optional):
    Set-HVCIOptions -Enabled -FilePath ".\DefaultWindows_Enforced.xml"
    Set-HVCIOptions -Strict -FilePath ".\DefaultWindows_Enforced.xml"

  6. Open "DefaultWindows_Enforced.xml" with Notepad and scroll down to the end; you'll see something like this: <PolicyID>{A6D7FBBF-9F6B-4072-BF37-693741E1D745}</PolicyID>. Copy what is inside the brackets to the end of this command, and do it for each policy file except "DefaultWindows_Enforced.xml":
    Set-CIPolicyIdInfo -FilePath <Path to policy XML> -SupplementsBasePolicyID (policy ID)
    without () bracket.

  7. Convert every policy into binary file:
    ConvertFrom-CIPolicy -XmlFilePath <Path to policy XML> -BinaryFilePath "(Policy ID).cip"

    Use the guide in 6 to find Policy ID but this time copy it with {} bracket.

  8. Finally, copy all of your .cip files to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" and reboot your computer, or you can use this tool to refresh the policy: "Download Refresh CI Policy from Official Microsoft Download Center" (download the amd64 version).
Q/A:
  • What is the difference between this guide and the one above?
    This is much more secure, since you only whitelist specific software from a company. For example, Iobit has many programs (Driver Booster, Smart Defrag, Advanced SystemCare) and you only want to use Advanced SystemCare; this guide only allows Advanced SystemCare to run and blocks the others, while the guide above allows everything to run since they are all signed by Iobit.

  • How do I update the policy when there's a new software update?
    This config is very strict, so you won't be able to update software while the policies are active (except for Windows Update, Microsoft Store and Office). First, you need to temporarily turn off the protection: copy "DefaultWindows_Enforced.xml" to Downloads or any folder you like, add audit mode to that file with "Set-RuleOption -FilePath ".\DefaultWindows_Enforced.xml" -Option 3", convert it to binary and move it to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active", then run RefreshCIPolicy(AMD64).exe. After that you can freely update software without issues (but be careful, this is the only way you can get infected using this config). Then use steps 3, 4, 6, 7, 8 from the guide above to update your policy file.
Done, this is too long. I should give myself a cookie for this.
 
Last edited:
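As an added example covering both the updated guide and the Q/A that follows it (written for this page, not the thread author's script), the PowerShell below builds the base policy, one supplemental policy per installed product, and the temporary audit-mode "update window". It assumes an elevated Windows 11 session with the ConfigCI cmdlets, the block-rules XML from step 2 already saved in Downloads, and a constructed $Apps list of product folders; $Work, Get-PolicyId, Get-PolicyOptions, Export-Cip, Update-ActivePolicies, Enter-AuditWindow and Exit-AuditWindow are this example's own names. Two choices differ from the post and are stated as such: the block rules are merged into the base (as the earlier guide did) rather than attached as a supplemental policy, and the base keeps options 17 and 16 on top of the post's list, because Microsoft's documentation requires option 17 (Enabled:Allow Supplemental Policies) for a base to accept supplementals and option 16 (Enabled:Update Policy No Reboot) for a refresh to apply without a reboot. It uses CiTool, which ships with Windows 11 22H2 and later, and warns to use the RefreshPolicy download from the post if CiTool is absent.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread author's script: base + supplemental WDAC layout from the
# updated guide, plus the audit-mode update window from the Q/A. Assumes an elevated
# Windows 11 session with the ConfigCI module and the block-rules XML saved to $Work.

$Work   = Join-Path $env:USERPROFILE 'Downloads'
$Block  = Join-Path $Work 'MicrosoftRecommendedBlockRules.xml'
$Base   = Join-Path $Work 'BasePolicy.xml'          # enforced base written by this script
$Active = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active'
$KeepOptions = 0, 2, 4, 6, 12, 19, 20                # the post's option list
# Constructed paths: one supplemental policy per installed product, not per vendor.
$Apps = 'C:\Program Files\ExampleVendor\ExampleApp', 'C:\Program Files (x86)\AnotherApp'

function Get-PolicyId([string]$Path)      { ([xml](Get-Content -Path $Path -Raw)).SiPolicy.PolicyID }
function Get-PolicyOptions([string]$Path) { @(([xml](Get-Content -Path $Path -Raw)).SiPolicy.Rules.Rule | ForEach-Object { $_.Option }) }

# Convert a policy XML to the {PolicyID}.cip file name the loader expects; return that path.
function Export-Cip([string]$Path) {
    $cip = Join-Path $Work ((Get-PolicyId $Path) + '.cip')
    ConvertFrom-CIPolicy -XmlFilePath $Path -BinaryFilePath $cip | Out-Null
    $cip
}

# Copy .cip files into the Active folder and ask code integrity to reload them.
function Update-ActivePolicies([string[]]$CipFiles) {
    foreach ($f in $CipFiles) { Copy-Item $f $Active -Force }
    if (Get-Command citool.exe -ErrorAction SilentlyContinue) { citool.exe --refresh }
    else { Write-Warning 'CiTool not found: run RefreshPolicy(AMD64).exe from the Microsoft download, or reboot.' }
}

# --- Base policy: example policy merged with the block rules, pruned options, HVCI strict ---
$example = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
if (-not (Test-Path $Block)) { throw "Save the Microsoft recommended block rules to $Block first (step 2)." }
# Design choice: the deny rules live in the base (as in the earlier guide), not in a supplemental policy.
Merge-CIPolicy -PolicyPaths $example, $Block -OutputFilePath $Base | Out-Null
0..20        | ForEach-Object { Set-RuleOption -FilePath $Base -Option $_ -Delete }
$KeepOptions | ForEach-Object { Set-RuleOption -FilePath $Base -Option $_ }
Set-RuleOption -FilePath $Base -Option 17   # Enabled:Allow Supplemental Policies (needed for the supplementals below)
Set-RuleOption -FilePath $Base -Option 16   # Enabled:Update Policy No Reboot (needed for --refresh without a reboot)
Set-HVCIOptions -Strict -FilePath $Base
$baseOpts = Get-PolicyOptions $Base
if ($baseOpts -contains 'Enabled:Audit Mode') { throw 'Base policy is still in audit mode.' }
if ($baseOpts -notcontains 'Enabled:Allow Supplemental Policies') { throw 'Base policy would reject supplemental policies.' }
$BaseId = (Get-PolicyId $Base).Trim('{}')   # the post passes the GUID without braces

# --- One supplemental policy per installed product: FilePublisher level, hash fallback ---
$Cips = @(Export-Cip $Base)
foreach ($app in $Apps) {
    if (-not (Test-Path $app)) { Write-Warning "Skipping missing folder $app"; continue }
    $xml = Join-Path $Work ((Split-Path $app -Leaf) + '.xml')
    New-CIPolicy -ScanPath $app -UserPEs -FilePath $xml -Level FilePublisher -Fallback Hash
    Set-RuleOption -FilePath $xml -Option 3 -Delete      # New-CIPolicy output starts in audit mode
    Set-CIPolicyIdInfo -FilePath $xml -SupplementsBasePolicyID $BaseId
    if ((Get-PolicyOptions $xml) -contains 'Enabled:Audit Mode') { throw "$xml is still in audit mode" }
    $Cips += Export-Cip $xml
}
Update-ActivePolicies $Cips

# --- Q/A update window: an audit-mode copy with the same PolicyID replaces the enforced base ---
function Enter-AuditWindow {
    $audit = Join-Path $Work 'BasePolicy_Audit.xml'
    Copy-Item $Base $audit -Force
    Set-RuleOption -FilePath $audit -Option 3             # log instead of block while software updates
    Update-ActivePolicies @(Export-Cip $audit)
}
function Exit-AuditWindow { Update-ActivePolicies @(Export-Cip $Base) }   # re-enforce the base
```

Exit-AuditWindow only restores the enforced base; after an application update the product folder has to be rescanned (the foreach loop above) so the new binaries' FilePublisher rules replace the old ones, which is the "use 3, 4, 6, 7, 8" step in the Q/A. Because every policy file is named after its own PolicyID, copying a rebuilt .cip over the Active folder replaces exactly one policy and leaves the others untouched.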
