From 5afb1f99af068c9f1f8e490ccb7630ba6fea5ac7 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Thu, 28 Nov 2024 20:24:55 +0200 Subject: [PATCH 1/7] Updated docs Updated docs --- README.md | 6 +- .../AppControl Manager/Allow New Apps.md | 5 ++ .../AppControl Manager/AppControl Manager.md | 12 +++ ... Advanced Hunting With WDAC App Control.md | 83 ++++++------------- 4 files changed, 47 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index 66cfe64a0..83136ab94 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ > > ### Indicator for App Control for Business Resources App Control for Business Resources > -> ### Indicator for The WDACConfig Module for App Control for Business The WDACConfig Module for App Control for Business +> ### Indicator for The AppControl Manager app AppControl Manager application > > ### Indicator for the Rationale Behind This GitHub Repository Read the Rationale Behind This GitHub Repository @@ -1414,7 +1414,7 @@ Once you have those Firewall rules added, you can [use this method](https://gith
-Rotating pink checkmark denoting registry or cmdlet **T**o combat the threat of more sophisticated malware, a preemptive measure is taken by creating and deploying a [WDAC](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction) policy on the system. This policy blocks the execution of executables and [other potentially harmful file types](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/feature-availability) in the Downloads folder, using the [WDACConfig module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig). +Rotating pink checkmark denoting registry or cmdlet **T**o combat the threat of more sophisticated malware, a preemptive measure is taken by creating and deploying an [App Control](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction) policy on the system. This policy blocks the execution of executables and [other potentially harmful file types](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/feature-availability) in the Downloads folder. This policy defends the system from malware that can launch itself automatically after being downloaded from the Internet. The user must ensure the file's safety and explicitly transfer it to a different folder before running it. @@ -1432,7 +1432,7 @@ They are [insecure](https://textslashplain.com/2024/05/20/attack-techniques-full
-All of the policies can be easily removed using the [**Unprotect-WindowsSecurity**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module#unprotect-windowssecurity-cmdlet) or [**Remove-WDACConfig**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Remove-WDACConfig) cmdlets. +All of the policies can be easily removed using the [**Unprotect-WindowsSecurity**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module#unprotect-windowssecurity-cmdlet) or [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager).

💡 (back to categories)

diff --git a/Wiki posts/AppControl Manager/Allow New Apps.md b/Wiki posts/AppControl Manager/Allow New Apps.md index 962c8eeba..e14450bbc 100644 --- a/Wiki posts/AppControl Manager/Allow New Apps.md +++ b/Wiki posts/AppControl Manager/Allow New Apps.md @@ -12,6 +12,11 @@ While much of the process is automated, you remain in full control. With just a Rest assured, no unauthorized software or malware can make its way into your Supplemental policy. Every file and event is accompanied by highly detailed information, eliminating any guesswork and ensuring only trusted elements are included. +If something like a power outage occurs during the audit mode phase, on the next reboot, the enforced mode base policy will be automatically deployed using a scheduled task that acts as a "snapback guarantee". + +> [!NOTE]\ +> This feature can also detect and create supplemental policy for Kernel protected files, such as the executables of games installed using Xbox app. Make sure you run the game while the base policy is deployed in Audit mode so that it can capture those executables. +
## Configuration Details diff --git a/Wiki posts/AppControl Manager/AppControl Manager.md b/Wiki posts/AppControl Manager/AppControl Manager.md index 0610c1136..42a042694 100644 --- a/Wiki posts/AppControl Manager/AppControl Manager.md +++ b/Wiki posts/AppControl Manager/AppControl Manager.md @@ -89,6 +89,18 @@ AppControl Manager is engineered with a security-first approach from the ground * The AppControl Manager always uses the latest .NET and SDK versions, ensuring all the security patches released by Microsoft will be included. +* The entire codebase is thoroughly commented, allowing code reviewers to effortlessly examine and verify every aspect of AppControl Manager's source code. + +
+ +### Why Does AppControl Manager Require Administrator Privileges? + +* AppControl Manager operates exclusively within the "WDACConfig" directory located in the `Program Files` directory for all read and write operations. No data is accessed or modified outside this directory. This design ensures that non-elevated processes, unauthorized software, or unprivileged malware on the system cannot alter the policies you create, the certificates you generate, or the CIP binary files you deploy. + +* Administrator privileges are required for scanning Code Integrity and AppLocker logs. These scans are integral to several application functions, providing enhanced insights and enabling the generation of precise supplemental policies tailored to your needs. + +* Deploying, removing, modifying, or checking the status of policies also necessitates Administrator privileges to ensure secure and reliable execution of these operations. +
## About the Installation Process diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md b/Wiki posts/Windows Defender Application Control (WDAC)/How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md index 2a75a0c3d..917eb10ec 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md @@ -4,7 +4,7 @@ App Control for Business is a highly effective security feature that empowers yo The application whitelisting approach serves as a potent defense against emerging and unknown threats. By emphasizing the identification of trusted applications, it automatically blocks any software that falls outside this trusted realm. -Microsoft Defender for Endpoint (MDE) is one of the tools that can be used by enterprises and organizations to develop the trusted applications policy and mange it at scale. MDE provides the intelligence and insights needed to create and maintain a robust application control policy through its Advanced Hunting feature. This feature uses KQL [(Kusto Query Language)](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/) to query the data collected by MDE and using the WDACConfig module, we can turn this actionable data into App Control policies. We can then use Intune to deploy these policies to our endpoints. All of these tools are built for scalability. +Microsoft Defender for Endpoint (MDE) is one of the tools that can be used by enterprises and organizations to develop the trusted applications policy and mange it at scale. MDE provides the intelligence and insights needed to create and maintain a robust application control policy through its Advanced Hunting feature. This feature uses KQL [(Kusto Query Language)](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/) to query the data collected by MDE and using the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager), we can turn this actionable data into App Control policies. We can then use Intune to deploy these policies to our endpoints. All of these tools are built for scalability.
@@ -17,27 +17,11 @@ Microsoft Defender for Endpoint (MDE) is one of the tools that can be used by en To start, we need our endpoints to be generating data and intelligence we can work with. These data points are the Code Integrity and AppLocker events. These events are generated when an application or file is blocked or audited by App Control, or when a script or MSI file is blocked or audited by AppLocker. We can trigger the data generation by deploying App Control policies to our endpoints in Audit mode. This mode will not block any applications, instead it will generate data points for any application, file, script, MSI file and so on that would have been blocked if the policy was in Enforce mode. -You can create Audit mode policies using the WDACConfig module based on different levels of trust. +You can create Audit mode policies using the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) based on different levels of trust. [Use this page](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-App-Control-Policy) to see what kind of audit events each base policy template generates when deployed in audit mode. -For instance, the following command will create an Audit mode policy that once deployed on an endpoint, starts generating Audit logs for any file that runs but is not part of the Windows by default. +For instance, once the DefaultWindows template is deployed on an endpoint, it starts generating Audit logs for any file that runs but is not part of the Windows by default. On the other hand, deploying the AllowMicrosoft base policy in Audit mode starts generating Audit logs for any file that runs but is not signed by Microsoft certificates. -```powershell -New-WDACConfig -PolicyType DefaultWindows -Audit -``` - -
- -Another option would be the following command, which will create an Audit mode policy that once deployed, starts generating Audit logs for any file that runs but is not signed by Microsoft certificates. - -```powershell -New-WDACConfig -PolicyType AllowMicrosoft -Audit -``` - -
- -Please refer to [this document](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-WDACConfig) for further info about the commands. - -You will then use Intune to deploy the generated policies to as many endpoints as you want. +After generating the policy files using the app, you will then use Intune to deploy them to as many endpoints as you want. > [!TIP]\ > [Deploy App Control policies using Mobile Device Management (MDM)](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-intune) @@ -46,7 +30,7 @@ You will then use Intune to deploy the generated policies to as many endpoints a ## Collecting the Data from MDE Advanced Hunting -Now we need to collect the data from MDE Advanced Hunting. We can customize this query to be more specific to our environment, for instance by targeting specific devices and so on, but the following query will give us a good starting point by collecting all of the Code Integrity and AppLocker events: +Now we need to collect the data from MDE Advanced Hunting. The following query will give us a good starting point by collecting all of the Code Integrity and AppLocker events: ```kql DeviceEvents @@ -57,12 +41,27 @@ DeviceEvents
+We can customize the query to be more specific to our environment, for instance by targeting an specific device among all the devices: + +```kql + +DeviceEvents +| where (ActionType startswith "AppControlCodeIntegrity" + or ActionType startswith "AppControlCIScriptBlocked" + or ActionType startswith "AppControlCIScriptAudited") + and DeviceName == "mainframe" +``` + +`mainframe` in this example is the name of our device. + +
+ > [!NOTE]\ > You can access Microsoft Defender for Endpoint's portal by navigating to: [https://security.microsoft.com](https://security.microsoft.com)
-That query generates a standard output of the data in CSV file format which is compatible with what the [WDACConfig module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig) requires in order to generate App Control policies. If you want to customize the query further, make sure the subsequent filters are applied after the initial query to ensure correct data format. +That query generates a standard output of the data in CSV file format which is compatible with what the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) requires in order to generate App Control policies. If you want to customize the query further, make sure the subsequent filters are applied after the initial query to ensure correct data format.
@@ -85,28 +84,20 @@ That query generates a standard output of the data in CSV file format which is c ## Generating the App Control Policies -After exporting the data from MDE Advanced Hunting, we can use the [**WDACConfig module**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig) to generate App Control policies. We need to feed the CSV file(s) we collected MDE Advanced Hunting data into the module like so: - -```powershell -ConvertTo-WDACPolicy -Source MDEAdvancedHunting -MDEAHLogs -BasePolicyGUID -``` - -It is only one example of how you can utilize the WDACConfig for policy generation based on MDE AH data, for more information about the cmdlet please refer to its [**documentations available here**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/ConvertTo-WDACPolicy). - -The command we used above will process the CSV file(s) and open a GUI window where you can filter the logs based on many criteria, and then either select all or only select some of the logs to be included in the App Control policy. - -Note that the generated policy will be a Supplemental policy. +After exporting the data from MDE Advanced Hunting, we can use the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Policy-From-MDE-Advanced-Hunting) to generate App Control policies. We need to feed the exported CSV file(s) we collected to the application by simply browsing for them. The app will quickly scan them and display them with full details. It provides controls that allow you to filter or sort the logs based on different properties. You can search through the scan results, remove unwanted logs and once you're happy with the results, you can generate the supplemental App Control policy.
-### WDACConfig Features For MDE Advanced Hunting +### AppControl Manager Features For MDE Advanced Hunting * Systematic approach for converting the MDE AH data to App Control policy with high precision and performance * Uses parallel processing to speed up the policy generation process * Provides a GUI for filtering the logs based on various criteria * Never includes duplicate rules in the policy, regardless of the number of the duplicate logs you give it -### The Module Can Create 3 Types of Rules for Files: +### The App Can Create 3 Types of Rules for Files: + +You can choose the level based on which the logs will be scanned. By default, the following rules apply to the scan: * If a file is unsigned then a hash rule will be created for it. * If a file is signed then there are multiple possibilities: @@ -117,29 +108,9 @@ These levels are selected based on their security. You can read more about the l
-### Video Demonstration - -The following video demonstrates the process of collecting the data from MDE Advanced Hunting and generating App Control policies using the WDACConfig module - -MDE AH Demo - -
- ## Deploying the App Control Policies -After generating the Supplemental policies based off of the MDE Advanced Hunting data, you need to remove the Audit mode policies you deployed to your endpoints initially and replace them with Enforced mode policies. - -#### [Generate Allow Microsoft Base Policy (Enforced Mode)](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-WDACConfig#new-wdacconfig--policytype) - -```powershell -New-WDACConfig -PolicyType AllowMicrosoft -``` - -#### [Generate Default Windows Base Policy (Enforced Mode)](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-WDACConfig#new-wdacconfig--policytype) - -```powershell -New-WDACConfig -PolicyType DefaultWindows -``` +After generating the Supplemental policies based off of the MDE Advanced Hunting data, you need to remove the Audit mode policies you deployed to your endpoints initially and replace them with Enforced mode policies. [AppControl Manager offers an easy way to do so.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/System-Information)
From 8e0332cda9462b951cfaba3a3968fbc172ef3d6c Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Fri, 29 Nov 2024 17:23:54 +0200 Subject: [PATCH 2/7] Update Build New Certificate.md --- Wiki posts/AppControl Manager/Build New Certificate.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Wiki posts/AppControl Manager/Build New Certificate.md b/Wiki posts/AppControl Manager/Build New Certificate.md index 9a3cf7da9..612c71c85 100644 --- a/Wiki posts/AppControl Manager/Build New Certificate.md +++ b/Wiki posts/AppControl Manager/Build New Certificate.md @@ -1,6 +1,6 @@ # Build New Certificate -Use this page in [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to build a new Code Signing certificate that is suitable for signing App Control policies according to the [Microsoft's requirements](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering). This page offers multiple options to configure the generated certificate according to your needs and requirements. They keys use `SHA2-512` hashing algorithm. +Use this page in [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to build a new Code Signing certificate that is suitable for signing App Control policies according to the [Microsoft's requirements](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/use-signed-policies-to-protect-appcontrol-against-tampering). This page offers multiple options to configure the generated certificate according to your needs and requirements. The keys use `SHA2-512` hashing algorithm. You will see a prompt asking for password during certificate building process. This is the password that will be used to protect the certificate's private key on your system. You can uncheck the box for passwords and only use confirmation prompts. The password or confirmation prompt will be displayed to you every time the private key of the certificate is going to be used to sign a file. @@ -22,7 +22,7 @@ You will see a prompt asking for password during certificate building process. T
> [!NOTE]\ -> HSM (Hardware Security Module) +> HSM (Hardware Security Module) > > The most secure method of storing code signing certificates is to use a hardware security module (HSM) or a similar device. Furthermore, obtaining certificates from a regulated or publicly trusted certificate authority (CA) requires the use of an HSM. The HSMs must also comply with the Federal Information Processing Standards (FIPS). From e49c033165ed73701b5630e660bd728475d4f79c Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Fri, 29 Nov 2024 18:23:32 +0200 Subject: [PATCH 3/7] Update How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md --- ...ender for Endpoint Advanced Hunting With WDAC App Control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md b/Wiki posts/Windows Defender Application Control (WDAC)/How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md index 917eb10ec..96c04bc25 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/How to Use Microsoft Defender for Endpoint Advanced Hunting With WDAC App Control.md @@ -4,7 +4,7 @@ App Control for Business is a highly effective security feature that empowers yo The application whitelisting approach serves as a potent defense against emerging and unknown threats. By emphasizing the identification of trusted applications, it automatically blocks any software that falls outside this trusted realm. -Microsoft Defender for Endpoint (MDE) is one of the tools that can be used by enterprises and organizations to develop the trusted applications policy and mange it at scale. MDE provides the intelligence and insights needed to create and maintain a robust application control policy through its Advanced Hunting feature. This feature uses KQL [(Kusto Query Language)](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/) to query the data collected by MDE and using the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager), we can turn this actionable data into App Control policies. We can then use Intune to deploy these policies to our endpoints. All of these tools are built for scalability. +Microsoft Defender for Endpoint (MDE) is one of the tools that can be used by enterprises and organizations to develop a trusted application policy and manage it at scale. MDE provides the intelligence and insights needed to create and maintain a robust application control policy through its Advanced Hunting feature. This feature uses KQL [(Kusto Query Language)](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/) to query the data collected by MDE and using the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager), we can turn this actionable data into App Control policies. We can then use Intune to deploy these policies to our endpoints. All of these tools are built for scalability.
From 05db75dcd6ff2b6ce720bd102206fe4684894652 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Sun, 1 Dec 2024 09:28:01 +0200 Subject: [PATCH 4/7] Update AppControl Manager.md --- Wiki posts/AppControl Manager/AppControl Manager.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Wiki posts/AppControl Manager/AppControl Manager.md b/Wiki posts/AppControl Manager/AppControl Manager.md index 42a042694..9f0342885 100644 --- a/Wiki posts/AppControl Manager/AppControl Manager.md +++ b/Wiki posts/AppControl Manager/AppControl Manager.md @@ -32,7 +32,11 @@ Please feel free to open a discussion if you have any questions about the build ## Preview of the App -AppControl Manager preview + AppControl Manager YouTube Video demo thumbnail + +
+ + AppControl Manager preview
From da15881f0e47afbc5a27c1f7111cbc91845487c1 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Sun, 1 Dec 2024 09:29:33 +0200 Subject: [PATCH 5/7] docs update docs update --- .../AppControl Manager/AppControl Manager.md | 8 +++-- .../WDACConfig Module Main/WDACConfig.md | 8 +++++ ...ol WDAC Frequently Asked Questions FAQs.md | 10 ------- ...DAC, App Control for Business, Policies.md | 4 +-- ... Create and Deploy a Signed WDAC Policy.md | 30 +++++-------------- .../Introduction.md | 6 ++-- ...guage Mode in WDAC App Control Policies.md | 28 +++++++---------- .../WDAC Notes.md | 4 +-- .../WDAC Rule Levels Comparison and Guide.md | 2 +- 9 files changed, 40 insertions(+), 60 deletions(-) diff --git a/Wiki posts/AppControl Manager/AppControl Manager.md b/Wiki posts/AppControl Manager/AppControl Manager.md index 9f0342885..f9cfd0d38 100644 --- a/Wiki posts/AppControl Manager/AppControl Manager.md +++ b/Wiki posts/AppControl Manager/AppControl Manager.md @@ -32,11 +32,15 @@ Please feel free to open a discussion if you have any questions about the build ## Preview of the App - AppControl Manager YouTube Video demo thumbnail +
+ + AppControl Manager preview
- AppControl Manager preview + AppControl Manager YouTube Video demo thumbnail + +

diff --git a/Wiki posts/WDACConfig Module Main/WDACConfig.md b/Wiki posts/WDACConfig Module Main/WDACConfig.md index b04e1e9f0..cef5e412d 100644 --- a/Wiki posts/WDACConfig Module Main/WDACConfig.md +++ b/Wiki posts/WDACConfig Module Main/WDACConfig.md @@ -1,5 +1,13 @@ # WDACConfig (Windows Defender Application Control) Module +> [!IMPORTANT]\ +> This module is being deprecated. Use the new AppControl Manager application -> https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager +> +> YouTube demo: +> https://www.youtube.com/watch?v=SzMs13n7elE + +
+ [**WDACConfig**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig) is an advanced PowerShell module designed with the aim of automating [Application and File whitelisting in Windows](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol) using App Control for Business. [You can always find its source code on GitHub](https://github.com/HotCakeX/Harden-Windows-Security/tree/main/WDACConfig) and Install it from [**PowerShell Gallery**](https://www.powershellgallery.com/packages/WDACConfig/). This page is also available [on my website.](https://spynetgirl.github.io/WDACConfig%20Module/WDACConfig/) diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/Application Control WDAC Frequently Asked Questions FAQs.md b/Wiki posts/Windows Defender Application Control (WDAC)/Application Control WDAC Frequently Asked Questions FAQs.md index 2a4a4383d..141ace3a4 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/Application Control WDAC Frequently Asked Questions FAQs.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/Application Control WDAC Frequently Asked Questions FAQs.md @@ -70,16 +70,6 @@ There is no limit on how many App Control policies you can deploy on a system.
-## What Are The Tools I Need To Get Started With App Control Policies? - -What Are The Tools I Need To Get Started With App Control Policies - -
- -[WDACConfig PowerShell module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig) and [WDAC Wizard](https://webapp-wdac-wizard.azurewebsites.net/) are all you need to begin your Application Control journey and create a robust security policy for your environment. They provide many advanced features that you can explore further when you're ready. - -
- ## What Is ISG And How Can I Use It In An App Control Policy? What Is ISG And How Can I Use It In An App Control Policy diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/EKUs in WDAC, App Control for Business, Policies.md b/Wiki posts/Windows Defender Application Control (WDAC)/EKUs in WDAC, App Control for Business, Policies.md index 548c27a62..6be49b67b 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/EKUs in WDAC, App Control for Business, Policies.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/EKUs in WDAC, App Control for Business, Policies.md @@ -1,4 +1,4 @@ -# EKUs in WDAC, App Control for Business, Policies +# EKUs in App Control for Business Policies

AI generated cat girl on the root in a rainy cloudy day @@ -355,9 +355,9 @@ In every Signer, the `CertEKU` node should only be placed directly after `CertRo ## Continue Reading +* [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) * [App Control Policy for BYOVD Kernel Mode Only Protection](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) * [WDAC Notes](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes) -* [WDACConfig Module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig)

Thank You Gif diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/How to Create and Deploy a Signed WDAC Policy.md b/Wiki posts/Windows Defender Application Control (WDAC)/How to Create and Deploy a Signed WDAC Policy.md index 256dcc734..3073e2cc6 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/How to Create and Deploy a Signed WDAC Policy.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/How to Create and Deploy a Signed WDAC Policy.md @@ -1,7 +1,7 @@ # Create and Deploy Signed Application Control (WDAC) Policies > [!IMPORTANT]\ -> [WDACConfig module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Build-WDACCertificate) can easily and quickly generate a Code Signing certificate to be used for signing App Control policies. +> [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) can easily and quickly generate a Code Signing certificate to be used for signing App Control policies. > > This guide is only for those who want to learn how to setup a Windows Server with Active Directory and Certification Authority roles and create their own CA. @@ -14,7 +14,7 @@ * [Refer to Microsoft's website](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-design-guide) or [my other wiki posts](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction) If you want to learn about App Control itself and how to create a customized App Control policy for your own environment. * Always test and deploy your App Control policy in Audit mode first to make sure it works correctly, before deploying the Signed version of it. - - The [WDACConfig](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig) module has an optional parameter called `-TestMode` that will deploy the policies with ***Boot Audit on Failure*** and ***Advanced Boot Options Menu*** policy rule options. + - The [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) has a ***Test Mode*** feature that will deploy the policies with ***Boot Audit on Failure*** and ***Advanced Boot Options Menu*** policy rule options. * Keep the xml file(s) of the deployed base policy(s) in a safe place, they are needed if you decide to disable or modify the signed deployed App Control policy later on. @@ -288,30 +288,14 @@ The [Personal Information Exchange (.pfx)](https://learn.microsoft.com/en-us/win
-## Use [WDACConfig module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-SignedWDACConfig) to sign and deploy App Control policies +## Use [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to sign and deploy App Control policies -
- -WDACConfig module with the `Deploy-SignedWDACConfig` [cmdlet](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-SignedWDACConfig) can automate the entire process of signing and deploying a signed App Control policy. - -```powershell -Deploy-SignedWDACConfig -CertPath -PolicyPaths -CertCN -``` - -**[Cmdlet Info](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-SignedWDACConfig)** - -
- -> [!NOTE]\ -> The `Deploy-SignedWDACConfig` cmdlet will offer to automatically download the `SignTool.exe` from the Microsoft server if it cannot find it on your system. - -If you want to manually download it, here are the steps: - -* [Download the latest Windows stable SDK **installer**](https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/) -* [Download the latest Windows Insider SDK **ISO**](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewSDK) +It supports creating certificates and signing, deploying and removing signed policies. -Run it and only select `Windows SDK Signing Tools for Desktop Apps` to install. After that `signtool.exe` will be placed at `C:\Program Files (x86)\Windows Kits\10\bin` and the WDACConfig module will automatically detect and use it for signing. You can even copy the executable to another location for later usage on another system where SDK is not installed and then use the optional `-SignToolPath ` parameter of WDACConfig module to browse for executable. +You don't need to manually download SignTool.exe but here are some of the sources that it can be retrieved from: +* [Windows stable SDK **installer**](https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/) +* [Windows Insider SDK **ISO**](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewSDK) * *SignTool is also included in the [Windows ADK](https://learn.microsoft.com/en-us/windows-hardware/get-started/adk-install) but the one in SDK is the newest and recommended place to get it.*
diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/Introduction.md b/Wiki posts/Windows Defender Application Control (WDAC)/Introduction.md index 37475834d..94d7b5912 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/Introduction.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/Introduction.md @@ -1,7 +1,7 @@ # What is Application Control for Business?

-App Control for Business introduction and WDACConfig Module +App Control for Business introduction

@@ -32,9 +32,9 @@ There are many ways you can utilize Application Control features and here they a - [The built-in driver blocklist is updated with each new major release of Windows, typically 1-2 times per year.](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules) 2. Update Microsoft recommended driver block rules outside of the twice a year schedule. - - The drivers block list itself [is updated more frequently](https://github.com/MicrosoftDocs/windows-itpro-docs/commits/public/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md) than twice a year schedule, [use the WDACConfig Module to setup a scheduled task that keeps the list up-to-date.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Fast-and-Automatic-Microsoft-Recommended-Driver-Block-Rules-updates) + - The drivers block list itself [is updated more frequently](https://github.com/MicrosoftDocs/windows-itpro-docs/commits/public/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md) than twice a year schedule, [use the AppControl Manager to setup a scheduled task that keeps the list up-to-date.](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Fast-and-Automatic-Microsoft-Recommended-Driver-Block-Rules-updates) 3. Use Microsoft recommended block rules + Recommended driver block rules - - Use the [WDACConfig Module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-WDACConfig#new-wdacconfig--getblockrules) to easily deploy the User-Mode Microsoft recommended block rules on your system. + - Use the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to easily deploy the User-Mode Microsoft recommended block rules on your system. 4. Create WDAC policy for **Lightly managed devices** - [Microsoft's guide: Create a WDAC policy for lightly managed devices](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/create-appcontrol-policy-for-lightly-managed-devices) - [My guide: WDAC for Lightly Managed Devices](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-for-Lightly-Managed-Devices) diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/Script Enforcement and PowerShell Constrained Language Mode in WDAC App Control Policies.md b/Wiki posts/Windows Defender Application Control (WDAC)/Script Enforcement and PowerShell Constrained Language Mode in WDAC App Control Policies.md index 893fe3ba5..23e524337 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/Script Enforcement and PowerShell Constrained Language Mode in WDAC App Control Policies.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/Script Enforcement and PowerShell Constrained Language Mode in WDAC App Control Policies.md @@ -1,4 +1,4 @@ -# Script Enforcement and PowerShell Constrained Language Mode in WDAC App Control Policies +# Script Enforcement and PowerShell Constrained Language Mode in App Control Policies ## Introduction @@ -102,23 +102,22 @@ As you can see, we need the TBS Hash value of the root certificate.
-### Use the WDACConfig Module to Automatically Allow Certificates +### Use the AppControl Manager to Automatically Allow Certificates -You can use the WDACConfig module to create a supplemental policy that allows the certificates you select to be allowed by App Control. To do that, you can use the following command: +You can use the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to create a supplemental policy that allows the certificates you select to be allowed by App Control. -```powershell -New-SupplementalWDACConfig -Certificates -CertificatePaths "certificate.cer" -SuppPolicyName '' -PolicyPath "" -``` - -[**More info regarding the cmdlet is available here**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/New-SupplementalWDACConfig#new-supplementalwdacconfig--certificates) +***[Refer to this page for more information](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Supplemental-App-Control-Policy#create-a-supplemental-policy-from-certificate-files)***
-A manual way to get the TBS Hash value of a certificate is using the following command, which also works for signed files and will show the details of the certificates in the chain as well. -```powershell -certutil.exe –v -``` +> [!TIP]\ +> A manual way to get the TBS Hash value of a certificate is using the following command, which also works for signed files and will show the details of the certificates in the chain as well. +> +> ```powershell +> certutil.exe –v +> ``` +> TBS Hash value using certutil.exe -v @@ -133,8 +132,3 @@ When an App Control policy with script enforcement is deployed and you try to im * The module you're trying to load is signed but at least one of its files is tampered with and has a hash mismatch. Even adding a single space on an empty line causes hash mismatch, **which is expected**.
- -> [!IMPORTANT]\ -> WDACConfig module is currently not compatible with constrained language mode due to using advanced PowerShell features that are not allowed in that mode. - -
diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/WDAC Notes.md b/Wiki posts/Windows Defender Application Control (WDAC)/WDAC Notes.md index 98f76e2ec..bd2b55725 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/WDAC Notes.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/WDAC Notes.md @@ -1,4 +1,4 @@ -# Important Notes and Tips about WDAC policies +# Important Notes and Tips about App Control policies * App Control for Business was formerly known as WDAC (Windows Defender Application Control) * It's used for Application and File whitelisting in Windows. @@ -466,7 +466,7 @@ In order to automatically remove unnecessary things from a policy file, such as Merge-CIPolicy .\Policy.xml -OutputFilePath .\Policy1.xml ``` -It essentially merges a policy with itself, adding `_0` to each ID and SignerID of the xml nodes which is easily removable using WDACConfig module, **although it's not necessary to remove them at all, they are perfectly fine.** +It essentially merges a policy with itself, adding `_0` to each ID and SignerID of the xml nodes.
diff --git a/Wiki posts/Windows Defender Application Control (WDAC)/WDAC Rule Levels Comparison and Guide.md b/Wiki posts/Windows Defender Application Control (WDAC)/WDAC Rule Levels Comparison and Guide.md index c8dd2c58f..9c1fb353f 100644 --- a/Wiki posts/Windows Defender Application Control (WDAC)/WDAC Rule Levels Comparison and Guide.md +++ b/Wiki posts/Windows Defender Application Control (WDAC)/WDAC Rule Levels Comparison and Guide.md @@ -1,4 +1,4 @@ -# WDAC Rule Levels Comparison and Guide +# App Control Rule Levels Comparison and Guide This document lists all of the levels of App Control rules. **From Top to bottom, from the most secure to the least secure**, the levels are: From 456bcf1499b2a5ea8a57fc51bdcb621c0d8638f2 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Sun, 1 Dec 2024 11:57:38 +0200 Subject: [PATCH 6/7] Update README.md --- README.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/README.md b/README.md index 83136ab94..46c42d70a 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,30 @@ Unprotect-WindowsSecurity Harden Windows Security App Demo + + +
+ +horizontal super thin rainbow RGB line + +
+ +### GitHub logo pink SVG [Install the AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) + +* [**YouTube demo**](https://www.youtube.com/watch?v=SzMs13n7elE) +* [**Documentation**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) + +```powershell +(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex +``` + +
+ +
+ +AppControl Manager app + +

From ef829002caab97e411cc28bba3776c7869216252 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Sun, 1 Dec 2024 12:03:52 +0200 Subject: [PATCH 7/7] Update Rationale.md --- Rationale.md | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/Rationale.md b/Rationale.md index e4e784065..376d892ca 100644 --- a/Rationale.md +++ b/Rationale.md @@ -42,11 +42,11 @@ It uses the same security features built into your device and Windows operating [App Control for Business resources](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction) are suitable for both personal users as well as enterprises, businesses and highly secure workstations. -When a proper WDAC policy is deployed on your device, it will be secure against 99.999% of the threats [^1], either from the Internet or physical. It's true that there is no absolute security, but then again there is nothing absolute in the universe either. Everything, even the most fundamental physical laws, are and have been subject to change and conditions. +When a proper App Control policy is deployed on your device, it will be secure against 99.999% of the threats [^1], either from the Internet or physical. It's true that there is no absolute security, but then again there is nothing absolute in the universe either. Everything, even the most fundamental physical laws, are and have been subject to change and conditions. -I've created a PowerShell module called [**WDACConfig**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig), designed with the aim of automating Application and File whitelisting in Windows using App Control for Business feature. It's an alternative to [WDAC Wizard](https://webapp-wdac-wizard.azurewebsites.net/) which only has a fraction of the features that WDACConfig module offers. +I've created an application called [**AppControl Manager**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager), designed with the aim of automating Application and File whitelisting in Windows using App Control for Business feature. -Full details, guides and videos available [here on GitHub](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig) and on [my website.](https://spynetgirl.github.io/WDACConfig%20Module/WDACConfig/) +Full details, guides and [videos](https://www.youtube.com/watch?v=SzMs13n7elE) available [here on GitHub](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) and on [my website.](https://spynetgirl.github.io/AppControl%20Manager/AppControl%20Manager/)
@@ -56,9 +56,9 @@ First use the Harden Windows Security Module to apply the hardening measures des ### If you want even more security and control, you have at least 2 more options: -1. you can either use **[Smart App Control](https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/overview)**, which deploys an automatic and AI based WDAC policy that uses [Intelligent Security Graph](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-with-intelligent-security-graph) to authorize safe and reputable applications and files and blocks unknown and malicious files. +1. you can either use **[Smart App Control](https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/overview)**, which deploys an automatic and AI based App Control policy that uses [Intelligent Security Graph](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-with-intelligent-security-graph) to authorize safe and reputable applications and files and blocks unknown and malicious files. -2. Use [WDACConfig module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig) to deploy an App Control for Business policy and have even more control over the operation of the Windows Application Control. +2. Use [AppControl Manager](https://spynetgirl.github.io/AppControl%20Manager/AppControl%20Manager/) to deploy an App Control for Business policy and have even more control over the operation of the Windows Application Control. These methods will create multiple layers of security; also known as defense in depth. Additionally, you can create [**Kernel-level Zero-Trust strategy**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) for your system. @@ -171,19 +171,7 @@ Make sure to use Surface products that support [Device Firmware Configuration In * Secured core PCs provide the hardware that is capable of protecting against BYOVD attacks. It is your responsibility to turn the features on, those include App Control for Business, ASR (Attack Surface Reduction) rules, Dynamic/static root of trust and [firmware](https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) that is extensible for revoking drivers. They are specially useful for drivers not explicitly mentioned in the [Microsoft Recommended Driver Block List](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), which are the more dynamic side of things. -* Use [Strict Kernel-mode WDAC policy for complete BYOVD protection](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) - -
- -

-YOUTUBE VIDEO: How to easily protect against BYOVD attack scenarios with WDAC policy in Windows

- - YOUTUBE VIDEO: How to easily protect against BYOVD attack scenarios with WDAC policy in Windows - Windows Defender - -

- -
+* Use [Strict Kernel-mode App Control policy for complete BYOVD protection](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection)
@@ -220,7 +208,7 @@ How to properly perform a pentest and benchmark a system hardened by this reposi 1. Use a physical machine if possible, it should have Windows 11 certified hardware, [Standard user account](https://learn.microsoft.com/en-us/windows-server/remote/multipoint-services/create-a-standard-user-account). * If you can't use a physical machine, use Hyper-V hypervisor. Your host (aka physical machine) must have Windows 11 certified hardware and meet all the hardware and UEFI security requirements explained in the Readme. VMs however are prone to side channel attacks, so don't use that attack vector in pentests if you want more realistic results. -2. First apply the [Harden Windows Security module](https://github.com/HotCakeX/Harden-Windows-Security) *(All categories of it)* and then use the [WDACConfig module](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig) to deploy a suitable [Signed](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-and-Deploy-a-Signed-WDAC-Policy-Windows-Defender-Application-Control#system-behavior) WDAC policy. +2. First apply the [Harden Windows Security module](https://github.com/HotCakeX/Harden-Windows-Security) *(All categories of it)* and then use the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to deploy a suitable [Signed](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-and-Deploy-a-Signed-WDAC-Policy-Windows-Defender-Application-Control#system-behavior) App Control policy.