Hoyland.cloud

Starting my WDAC adventure

September 29, 2025 | by Vebjørn


In Norwegian there is a saying: “Kjært barn har mange navn” (A loved child has many names). WDAC is no exception:

  • Windows Defender Application Control (WDAC)
  • Application Control
  • App Control for Business

But don’t confuse this child with the older sibling, “AppLocker”. These siblings can also co-exist on the same system, making me slightly confused… But I guess we’ll get back to that later. Personally, I’m going to stick with “WDAC” as the name. Follow me (if you want to) on this journey to figure out how to use WDAC for system hardening.

Why would you want to use WDAC?

Well, system hardening is underrated. If an attacker breaks into your system, they have a lot of tools at hand to go from a user to an administrator (or take other malicious action) just in the OS defaults. By using WDAC you can shrink the OS attack surface, block Living-off-the-Land Binaries (LOLBins) as well as some other snacks, making the attacker’s life an absolute nightmare.

It’s also a great way to maintain control over what is allowed to be installed on a system, limiting end-user malware installation. TL;DR: SOLVE SECURITY AT THE ARCHITECTURE LEVEL. I PROMISE YOU WILL NOT REGRET IT 🙂

Going forward

NOTE! My installation of WDAC will be performed with on-prem tooling, expecting non-domain joined (and some domain-joined) servers. Possibly clients, we’ll see. WDAC will be used to create workload specific hardening with maximal security with no “magic exceptions” (ISG/Managed Installer), creating and deploying policies using PowerShell. This blog will also be a place for me to reflect and (hopefully) learn from my mistakes.

Right now it feels like there are a billion things to learn, and here are some of the things I hope to clear up in my future blogs:

  • Different deployment methods and WDAC structures based on OS versions (single vs multi-policy)
  • Building WDAC policies with WDAC Wizard
  • WDAC and AppLocker in perfect harmony? Or maybe not?
  • Strategy for multi-policy setup
  • User or Kernel mode?
  • Microsoft Default Block rules?
  • Unsigned executables and all that jazz…
    • Manually self-sign every time or manually hash every update?

Stay tuned to get some answers to these burning questions!
