Table of Contents

Harden Windows with Windows Defender Application Control WDAC

Notes:

  • Windows Server 2016/2019 or anything before version 1903 only support a single legacy policy at a time.
  • Windows Server Core edition supports WDAC but some components that depend on AppLocker won’t work
  • Please read the Recommended Reading before implementing or even testing.

A list of scripts and tools this collection utilizes:

Additional configurations were considered from:

Explanation:

XML vs. BIN:

  • Simply put, the “XML” policies are for applying to a machine locally and the “BIN” files are for enforcing them with either Group Policy or Microsoft Intune . While you can use XML, BIN, or CIP policies in a local deployment, generally speaking you should stick to XML where possible and especially so while auditing or troubleshooting.

Policy Descriptions:

  • Default Policies:
    • The “Default” policies use only the default features available in the WDAC-Toolkit.
  • Recommended Policies:
    • The “Recommended” policies use the default features as well as Microsoft’s recommended blocks and driver block rules.
  • Audit Policies:
    • The “Audit” policies, just log exceptions to the rules. This is for testing in your environment, so that you may modify the policies, at will, to fit your environments needs.
  • Enforced Policies:
    • The “Enforced” policies will not allow any exceptions to the rules, applications, drivers, dlls, etc. will be blocked if they do not comply.

Available Policies:

  • XML:
    • Audit Only:
      • WDAC_V1_Default_Audit_{version}.xml
      • WDAC_V1_Recommended_Audit_{version}.xml
    • Enforced:
      • WDAC_V1_Default_Enforced_{version}.xml
      • WDAC_V1_Recommended_Enforced_{version}.xml
  • BIN:
    • Audit Only:
      • WDAC_V1_Default_Audit_{version}.bin
      • WDAC_V1_Recommended_Audit_{version}.bin
    • Enforced:
      • WDAC_V1_Default_Enforced_{version}.bin
      • WDAC_V1_Recommended_Enforced_{version}.bin
  • CIP:
    • Audit Only:
      • WDAC_V1_Default_Audit\{uid}.cip
      • WDAC_V1_Recommended_Audit\{uid}.cip
    • Enforced:
      • WDAC_V1_Default_Enforced\{uid}.cip
      • WDAC_V1_Recommended_Enforced\{uid}.cip

Update the following line in the script to use the policy that you desire locally:

$PolicyPath = "C:\temp\Windows Defender\CIP\WDAC_V1_Recommended_Enforced\*.cip"
#https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script
ForEach ($Policy in (Get-ChildItem -Recurse $PolicyPath).Fullname) {
  $PolicyBinary = "$Policy"
  $DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
  $RefreshPolicyTool = "./Files/EXECUTABLES/RefreshPolicy(AMD64).exe"
  Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
  & $RefreshPolicyTool
}

Alternatively, you may use Group Policy or Microsoft Intune to enforce the WDAC policies.

Auditing:

You can view the WDAC event logs in event viewer under:

Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational

How to run the script:

Manual Install:

If manually downloaded, the script must be launched from an administrative powershell in the directory containing all the files from the GitHub Repository

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Recurse *.ps1 | Unblock-File
.\sos-wdachardening.ps1