Windows Defender Application Control
This section describes the design decisions associated with Windows Defender Application Control on Windows 10 and 11 endpoints configured according to guidance in ASD's Blueprint for Secure Cloud.
Application control is a crucial line of defence for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model, where all applications are assumed trustworthy by default, to one where applications must earn trust in order to run. ASD frequently cites application control as one of the most effective means of addressing the threat of executable file-based malware (.exe, .dll, etc.).
Windows Defender Application Control (WDAC) helps mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also:
- Enforce Constrained Language mode for Windows PowerShell.
- Enforce the use of drivers signed by Windows Hardware Quality Labs and produced by partners who hold an Extended Verification certificate.
- Block unsigned and unapproved scripts, MSIs, Universal Windows Store Applications, and .NET applications.
To reduce management overhead, WDAC supports managed installers, such as Microsoft Endpoint Configuration Manager. When configured, items deployed via the managed installer are added to the allow list.
When deploying WDAC, it must first be deployed in audit mode and only switched to enforcement once the audit results have been reviewed.
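The audit-first step above is only useful if the audit events are actually reviewed. The following PowerShell script is an added example (it is not part of the Blueprint) that summarises what an audit-mode WDAC policy would have blocked, so that missing publisher or path rules can be added before enforcement. It assumes an audit-mode policy is already applied, that the shell is elevated so both event logs are readable, and that the `$ReportPath` location and the `File Name` EventData field name (taken from the Code Integrity event schema, with a best-effort fallback on the message text) are illustrative.

```powershell
# Added example, not part of the ASD Blueprint: summarise WDAC audit-mode events so
# policy gaps are fixed before the policy is switched to enforcement.
# Assumptions: an audit-mode policy is already applied, the shell is elevated so
# both logs are readable, and $ReportPath is just an illustrative output location.

param(
    [int]$Days = 7,
    [string]$ReportPath = "$env:TEMP\wdac-audit-summary.csv"
)

$since = (Get-Date).AddDays(-$Days)

# Code Integrity log: 3076 = would have been blocked (audit), 3077 = blocked (enforced).
# Script enforcement (AppLocker 'MSI and Script' log): 8028 = audit, 8029 = blocked.
$filters = @(
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since }
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028, 8029; StartTime = $since }
)

function Get-BlockedFile {
    # Prefer the 'File Name' EventData field from the Code Integrity event schema; fall back
    # to the first path-like token in the message (best effort, stops at the first space)
    # for events such as script enforcement that lay their data out differently.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data  = ([xml]$Event.ToXml()).Event.EventData.Data
    $field = $data | Where-Object { $_.Name -eq 'File Name' } | Select-Object -First 1
    if ($field -and $field.'#text') { return $field.'#text' }
    if ($Event.Message -match '(?:\\Device\\HarddiskVolume\d+|%[A-Z0-9]+%|[A-Za-z]:)\\\S+') {
        return $Matches[0]
    }
    return '<unparsed>'
}

$events = foreach ($f in $filters) {
    # -ErrorAction SilentlyContinue: an empty log raises a non-terminating "no events" error
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$summary = $events |
    ForEach-Object {
        [pscustomobject]@{
            Kind        = if ($_.Id -in 3076, 3077) { 'Binary' } else { 'Script/MSI' }
            Mode        = if ($_.Id -in 3076, 8028) { 'Audit' }  else { 'Enforced' }
            File        = Get-BlockedFile -Event $_
            TimeCreated = $_.TimeCreated
        }
    } |
    Group-Object Kind, Mode, File |
    ForEach-Object {
        [pscustomobject]@{
            Kind     = $_.Group[0].Kind
            Mode     = $_.Group[0].Mode
            Count    = $_.Count
            File     = $_.Group[0].File
            LastSeen = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
        }
    } |
    Sort-Object Count -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Summary of $($events.Count) events written to $ReportPath"
```

Every row with `Mode = Audit` is something enforcement would block. Legitimate entries need a publisher or path rule, or deployment through the managed installer, before the audit-mode option is removed from the policy; anything unexpected is worth investigating as a possible unauthorised binary or script.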
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
Application Whitelisting Product | WDAC | Microsoft recommended product for application control and aligns with ASD’s Essential Eight. |
User Mode Code Integrity | Enabled | Restricts both kernel-mode and user-mode binaries, aligning with ASD’s Hardening Microsoft Windows 10 version 21H1 Workstations guidance. |
Windows Hardware Quality Labs Signing | Required | Blocks the execution of legacy drivers and ensures drivers have passed Windows Hardware Certification Testing. |
Flight Signing | Disabled | Restricts the use of non-production release binaries; flightroot-signed binaries will not be trusted. |
Unsigned System Integrity Policy | Organisation Decision | The use of signed policies prevents administrative tampering and kernel-mode exploit access; however, it increases the administrative overhead of managing and updating policies. There is no current ASD guidance on the configuration of signed integrity policies. |
EV Signers | Required | Blocks the execution of drivers created by a partner without an Extended Verification (EV) certificate. |
Advanced Boot Options Menu | Disabled | Restricts access to the advanced boot options menu. |
Boot Audit on Failure | Enabled | Enables investigation when a driver fails on boot. |
Script Enforcement | Enabled | Restricts PowerShell scripts and interactive sessions to constrained language mode. This aligns with ASD’s Securing PowerShell in the Enterprise guidance. |
Enforce Store Applications | Enabled | Enforces WDAC policies on Universal Windows applications. |
Update Policy No Reboot | Enabled | Ensures new policies can be applied without reboot. |
Allow Supplemental Policies | Intune deployed: Enabled; Group Policy deployed: Disabled | Supplemental policies enable policies to be targeted to users/groups. This is not supported when policies are deployed by Group Policy. |
Dynamic Code Security | Enabled | Enforces WDAC policies on .NET applications and dynamically-loaded libraries. |
Managed Installer | Enabled | Allow lists applications deployed using a managed installer such as Microsoft Endpoint Configuration Manager. |
Hypervisor-protected code integrity | Enabled | Aligns with ASD’s Hardening Microsoft Windows 10 version 21H1 Workstations guidance. |
Application Control method | A combination of publisher certificate and path rules will be used. | Controlled via Intune for cloud-managed devices and Group Policy for hybrid devices. |
Microsoft Block Rules | Configured | Aligns with ASD’s Hardening Microsoft Windows 10 version 21H1 Workstations guidance. The latest Microsoft recommended block rules for Windows and drivers are published online by Microsoft. |
Intelligent Security Graph connection | Disabled | The Intelligent Security Graph connection allows applications to run if they are deemed good and no explicit block rule is configured. |
Blocking of browsers and email clients for administrators | Configured via AppLocker blocklist | To provide technical controls to prevent administrators from accessing internet content or emails. |
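The rule options in the table map directly onto the numeric option IDs accepted by the ConfigCI module's `Set-RuleOption` cmdlet. The PowerShell script below is an added example (not the Blueprint's own tooling) that generates a policy reflecting those decisions, starting in audit mode. The `C:\WDAC` paths, the scan of a reference machine's `C:\Program Files`, the policy name, the illustrative path rule and the location of the Microsoft recommended block rules file are placeholders; `$Deployment` selects the supplemental-policy option and `$SignPolicy` records the organisation's decision on signed policies. The AppLocker blocklist for administrators' browsers and email clients is a separate AppLocker policy and is not covered here.

```powershell
# Added example, not the Blueprint's own tooling: build a WDAC policy whose rule options
# match the design decisions in the table, starting in audit mode.
# Assumptions: paths under C:\WDAC, the scan location, the policy name, the path rule and
# the block-rules file location are placeholders for illustration.

param(
    [ValidateSet('Intune', 'GroupPolicy')] [string]$Deployment = 'Intune',
    [bool]$SignPolicy = $false,                                        # organisation decision
    [string]$PolicyXml     = 'C:\WDAC\BlueprintPolicy.xml',
    [string]$ScanPath      = 'C:\Program Files',                       # reference image to scan
    [string]$BlockRulesXml = 'C:\WDAC\MicrosoftRecommendedBlockRules.xml'  # placeholder: obtain from Microsoft
)

Import-Module ConfigCI
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Publisher-level rules from a scan of the reference image, hash fallback for unsigned
#    files, user-mode binaries included, multiple-policy format so supplemental policies attach.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -ScanPath $ScanPath `
             -UserPEs -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Blueprint Workstation Policy'

# 2. The path-rule half of "publisher certificate and path rules" (assumed example path).
$pathRules = New-CIPolicyRule -FilePathRule 'C:\Program Files\*'
Merge-CIPolicy -PolicyPaths $PolicyXml -Rules $pathRules -OutputFilePath $PolicyXml

# 3. Rule options by Set-RuleOption numeric ID, mapped from the design decisions table.
$setOptions = @(
    0,   # Enabled:UMCI                          User Mode Code Integrity: Enabled
    2,   # Required:WHQL                         WHQL Signing: Required
    3,   # Enabled:Audit Mode                    audit first; delete this option when enforcing
    4,   # Disabled:Flight Signing               Flight Signing: Disabled
    8,   # Required:EV Signers                   EV Signers: Required
    10,  # Enabled:Boot Audit On Failure         Boot Audit on Failure: Enabled
    12,  # Required:Enforce Store Applications   Enforce Store Applications: Enabled
    13,  # Enabled:Managed Installer             Managed Installer: Enabled
    16,  # Enabled:Update Policy No Reboot       Update Policy No Reboot: Enabled
    19   # Enabled:Dynamic Code Security         Dynamic Code Security: Enabled
)
$clearOptions = @(
    9,   # Enabled:Advanced Boot Options Menu    table: Disabled, so the option is removed
    11,  # Disabled:Script Enforcement           removing it enforces Constrained Language mode
    14   # Enabled:Intelligent Security Graph    ISG connection: Disabled
)
# Supplemental policies are only supported on the Intune deployment path.
if ($Deployment -eq 'Intune') { $setOptions += 17 } else { $clearOptions += 17 }
# Option 6 = Enabled:Unsigned System Integrity Policy; cleared when the policy will be signed.
if ($SignPolicy) { $clearOptions += 6 } else { $setOptions += 6 }

foreach ($o in $setOptions)   { Set-RuleOption -FilePath $PolicyXml -Option $o }
foreach ($o in $clearOptions) { Set-RuleOption -FilePath $PolicyXml -Option $o -Delete }

# 4. Hypervisor-protected code integrity: Enabled.
Set-HVCIOptions -Enabled -FilePath $PolicyXml

# 5. Microsoft recommended block rules: Configured (merge the XML published by Microsoft).
if (Test-Path $BlockRulesXml) {
    Merge-CIPolicy -PolicyPaths $PolicyXml, $BlockRulesXml -OutputFilePath $PolicyXml
} else {
    Write-Warning "Block rules file not found at $BlockRulesXml; obtain it from Microsoft and re-run."
}

# 6. Compile to the binary that Intune or Group Policy deploys. In the multiple-policy
#    format the deployed file is named after the policy GUID.
$policyId  = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
$PolicyBin = Join-Path (Split-Path $PolicyXml) "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Write-Host "Audit-mode policy compiled to $PolicyBin"
```

Once the audit events have been reviewed and any missing rules added, the same policy is moved to enforcement by removing option 3 (`Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete`) and recompiling; if the organisation chooses signed policies, the XML is signed before conversion and option 6 stays cleared so the kernel rejects unsigned replacements.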