1
Deploying and Managing Windows Defender Application Control in the Real World
Nazmus Sakib
12/4/ :37 PM
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
“There are two kinds of companies, those who’ve been hacked, and those who don’t know they’ve been hacked.” - James Comey, Former FBI Director
- Median number of days attackers are present on a victim's network before detection: 200+
- Days after detection to full recovery: 80
- Impact of lost productivity and growth: $3 Trillion
- Average cost of a data breach (15% YoY increase): $3.5 Million
3
“Application Whitelisting is the most effective strategy” - Australian Signals Directorate
4
Whitelisting is Hard… IT codesigning is not pervasive (Microsoft Ignite 2015)
- Code signing is the best option for strong app identity and integrity validation, but:
- Decentralized LOB app development
- Lack of code signing expertise
- Enterprises don’t want to (and shouldn’t) blindly trust all software from an ISV, even if signed
- Too darned many existing LOB apps
5
Windows Defender Application Control: (Re-)Introducing Whitelisting in Windows 10
- Enterprise-grade application and software whitelist capabilities leveraging Windows code integrity
- Sets a single, machine-wide policy for the enterprise
- Continue to use AppLocker for user/role-specific policies and for managing .bat/.cmd, Windows Script Host and MSIs
- PowerShell operates in constrained language mode
- Formerly “configurable code integrity”
6
Device Guard Overview: A Combination of Security Technologies in Windows 10
Device Guard primarily consists of two security technologies:
- Application control: application whitelisting with an enterprise-defined policy
- Virtualization-based security for the Windows kernel: enforce code integrity protections even if a vulnerability allows unauthorized kernel-mode memory access
Each of the above can be deployed independently.
7
Windows 10 Whitelisting: The Road So Far…
Threshold (Initial Release)
- New: Virtualization-based security; PowerShell-based policy authoring; PackageInspector; DG signing service (TH2); GP native management; support for MDM
- Challenges: confused messaging; high manageability cost + lack of management tool support
- Scenario focus: tightly managed/restricted devices (e.g. ATMs, medical devices, PoS, secure admin workstations)
Anniversary Update (RS1): Reduce/Remove Deployment Blockers
- New: DG/CG HW Readiness Tool; HVCI compatibility now required for all RS certified drivers; Managed Installer preview feature w/ SCCM
- Scenario focus: same as Threshold
Creators Update (RS2): Simplified Whitelist Management
- New: Managed Installer official feature release; SCCM 1706 native management for config CI; per-app allow/deny rules (aka EMET ASR-style rules); Windows 10 S
- Scenario focus: managed environments
Fall Creators Update (RS3): Cloud-driven Application Execution Control
- New: new config CI option enables automatic authorization powered by ISG; WDATP Shields-up
- Scenario focus: lightly-managed enterprise
8
Simplified Whitelisting: Cloud-powered whitelists (coming in Fall Creators Update!)
- Allow “known good” code as identified by the Microsoft Intelligent Security Graph
- Automatically authorize app executables based on positive reputation
- Complements explicit allow/deny rules in the policy and managed installer
- Automatically re-validate reputation on reboots
- Ideal for SMB, “lightly-managed” environments, or environments with less mature codesigning/IT app control processes
- Intune/SCCM integration coming soon
9
Simplified Whitelisting in Intune
10
Simplified Whitelisting in Intune
11
Cloud-Powered Whitelisting
Nazmus Sakib
12
Auto-authorize “Managed” apps: Managed Installer (available in Creators Update, 1703)
- Automatically allow software installed by your IT app deployment solution (e.g. SCCM)
- “Windows Works” starter policy included in Windows
- Implemented as a managed installer AppLocker rule + a configurable CI policy option
- Ideal for SMB and Enterprise “fully-managed” environments with mature IT app lifecycle management
- SCCM integration available since the 1706 release
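The two cloud/managed authorization paths above (ISG reputation and Managed Installer) are both switched on as rule options in the WDAC policy XML, and Managed Installer additionally needs an AppLocker rule collection naming the deployment agent. The following is an added example, not code from the deck or from Microsoft; the policy path, the publisher string and the binary name are placeholders, and the ConfigCI cmdlets and the `ManagedInstaller` rule-collection type are the ones Microsoft documents for this feature.

```powershell
# Added example (not from the presentation): enable Managed Installer and ISG
# authorization in an existing WDAC policy and author the AppLocker rule that
# designates the deployment agent as a managed installer.
# Assumptions (placeholders): $PolicyXml already exists; the publisher and
# binary name below do not refer to a real product.
$PolicyXml           = 'C:\WDAC\CorpPolicy.xml'
$PolicyBin           = 'C:\WDAC\SIPolicy.p7b'
$ManagedInstallerXml = 'C:\WDAC\ManagedInstaller.xml'

# Rule options by number (ConfigCI): 13 = Enabled:Managed Installer,
# 14 = Enabled:Intelligent Security Graph Authorization,
# 15 = Enabled:Invalidate EAs on Reboot (re-validates reputation on reboot, as the slide describes).
foreach ($opt in 13, 14, 15) {
    Set-RuleOption -FilePath $PolicyXml -Option $opt
}

# Verify the options landed: the policy XML lists them under SiPolicy/Rules/Rule/Option.
function Get-WdacRuleOptions([string]$Path) {
    ([xml](Get-Content -Path $Path -Raw)).SiPolicy.Rules.Rule.Option
}
$expected = 'Enabled:Managed Installer', 'Enabled:Intelligent Security Graph Authorization', 'Enabled:Invalidate EAs on Reboot'
$missing  = $expected | Where-Object { (Get-WdacRuleOptions $PolicyXml) -notcontains $_ }
if ($missing) { throw "Policy is missing rule options: $($missing -join ', ')" }

# Compile the policy to the binary form that SCCM or Group Policy deploys.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# AppLocker rule collection of type ManagedInstaller. Keep it narrow: one
# publisher, one binary name, and a version floor. Anything this process writes
# to disk becomes allowed, so the agent itself must be trustworthy.
$ManagedInstallerPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deployment agent as managed installer"
                       Description="Placeholder rule for the IT deployment agent" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=EXAMPLECITY, S=WASHINGTON, C=US"
                                ProductName="*" BinaryName="DEPLOYAGENT.EXE">
          <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$ManagedInstallerPolicy | Set-Content -Path $ManagedInstallerXml -Encoding UTF8

# Apply locally for testing. Set-AppLockerPolicy warns about the unfamiliar
# collection type but merges it; appidtel then restarts the Application Identity
# service with the managed-installer collection (assumption: both behave as in
# Microsoft's managed installer documentation; confirm against current docs).
Set-AppLockerPolicy -XmlPolicy $ManagedInstallerXml -Merge -ErrorAction SilentlyContinue
& "$env:SystemRoot\System32\appidtel.exe" start -mionly
```

The `Get-WdacRuleOptions` check is worth keeping in any deployment script: a policy that was meant to rely on the managed installer but silently lacks option 13 will block every SCCM-deployed application once enforcement is switched on.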
13
SCCM as a Managed Installer
Nazmus Sakib
14
Explicit Policy (Most Secure Approach): Adopting Code Signing
- Integrate codesigning with LOB app development, or with app deployment workflows
- Create catalogs for “legacy” and ISV apps with Windows 10’s Package Inspector tool
- No need to repackage/rebuild apps
- Easily deployed with SCCM
- Device Guard signing in the Windows Store for Business
- Download the default Device Guard configurable CI policy
- Catalog signing with enterprise-specific, unique keys
15
Managing Custom App Control Policies
- PowerShell cmdlets simplify policy creation
- Windows example policies: c:\Windows\schemas\CodeIntegrity\ExamplePolicies
- Recommended block list
- Deploy via SCCM or GP
- Signed policy to protect against admin tampering
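The explicit-policy workflow from the previous two slides (scan a reference machine, merge with a Windows example policy, catalog a legacy app with Package Inspector, trust the catalog-signing certificate, start in audit mode, compile) runs end to end with the ConfigCI cmdlets. This is an added example, not the deck's or Microsoft's own script; the working directory, certificate names and catalog names are placeholders, and the example policy file name assumes `DefaultWindows_Audit.xml` is present in the ExamplePolicies folder the slide names.

```powershell
# Added example (not from the presentation): build, sign-enable and compile an
# explicit WDAC policy, plus a check for audit-mode blocks before enforcing.
# Placeholders: C:\WDAC, the .cer files and the catalog names.
$Work      = 'C:\WDAC'
$Scanned   = "$Work\ReferencePolicy.xml"
$Merged    = "$Work\CorpPolicy.xml"
$Binary    = "$Work\SIPolicy.p7b"
$Example   = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'  # assumed present
$CatalogCer = "$Work\CatalogSigning.cer"   # placeholder: exported catalog-signing cert
$PolicyCer  = "$Work\PolicySigning.cer"    # placeholder: exported policy-signing cert
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Scan the reference image. Publisher-level rules with a hash fallback keep
#    the rule count small; -UserPEs covers user-mode binaries, not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $Scanned

# 2. Merge the scan with the Windows example policy so OS components stay allowed.
Merge-CIPolicy -PolicyPaths $Scanned, $Example -OutputFilePath $Merged

# 3. Catalog a legacy/ISV app: Package Inspector records every file the installer
#    writes between Start and Stop, so only the installer should run in between.
function New-AppCatalog([string]$Name, [scriptblock]$Install) {
    $cat = "$Work\$Name.cat"; $cdf = "$Work\$Name.cdf"
    & PackageInspector.exe Start C:
    & $Install
    & PackageInspector.exe Stop C: -Name $cat -cdfpath $cdf
    # Sign with the enterprise catalog cert (unique to this enterprise, per the slide).
    & signtool.exe sign /n 'Contoso Catalog Signing' /fd sha256 /v $cat
    return $cat
}
# Usage (installer path is a placeholder):
# New-AppCatalog -Name 'LegacyApp' -Install { Start-Process "$Work\LegacyAppSetup.exe" -Wait }

# 4. Trust the catalog-signing cert for user-mode code, and register the
#    policy-signing cert as an Update signer so a signed policy can still be
#    replaced later without a recovery boot.
Add-SignerRule -FilePath $Merged -CertificatePath $CatalogCer -User
Add-SignerRule -FilePath $Merged -CertificatePath $PolicyCer  -Update

# 5. Audit first (option 3). Option 6 (Unsigned System Integrity Policy) is
#    removed only when the compiled binary will actually be signed.
Set-RuleOption -FilePath $Merged -Option 3
# Set-RuleOption -FilePath $Merged -Option 6 -Delete   # when moving to a signed policy

# 6. Compile; deploy SIPolicy.p7b via SCCM or GP. To sign the binary, Microsoft's
#    deployment guide uses signtool with the CI policy content OID, e.g.:
#    signtool sign -v /n "Contoso Policy Signing" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $Binary
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary

# 7. Before flipping to enforcement, review what audit mode would have blocked:
#    event 3076 = audit-mode block, 3077 = enforced block (CodeIntegrity/Operational).
function Get-WdacAuditBlocks([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message } }
}
Get-WdacAuditBlocks -Hours 168 | Group-Object Message | Sort-Object Count -Descending | Select-Object Count, Name
```

Keep a policy in audit mode until `Get-WdacAuditBlocks` returns nothing you still need; every 3076 event is a file that becomes a 3077 block, and a user-visible failure, the moment option 3 is removed.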
16
Where is WDAC Applicable
There are different types of device workloads in an enterprise. Workloads vary on:
- Security stance: what security requirements need to be met given how the device is used?
- Manageability: how much time/expertise can be spent on managing a device?
- Application variability: how much churn is there in the set of applications that need to run on a device?
Depending on how these three constraints need to be balanced, different combinations of the WDAC policy capabilities can be used.
17
Where is WDAC Applicable
Fixed workloads (security stance / manageability / application variability):
- Tightly managed
- Very well-defined software and hardware configurations
- Low churn
- No user, or standard user only
[Slide shows OFF/ON toggles for: Explicit rules, Managed Installer, ISG integration, Signed policy]
18
Where is WDAC Applicable
Corporate fully managed (security stance / manageability / application variability):
- Tightly managed
- Well-defined hardware configurations
- Managed software only
- Ideally standard user only
[Slide shows OFF/ON toggles for: Explicit rules, Managed Installer, ISG integration, Signed policy]
19
Where is WDAC Applicable
Corporate lightly managed (security stance / manageability / application variability):
- Multiple and varied hardware configurations
- User can install “unmanaged” software
- Standard or admin users
[Slide shows OFF/ON toggles for: Explicit rules, Managed Installer, ISG integration, Signed policy]
20
Where is WDAC Applicable
BYOD (security stance / manageability / application variability):
- Personally owned devices
- Highly variable hardware and software
- Consider “Audit” mode deployment
[Slide shows OFF/ON toggles for: Explicit rules, Managed Installer, ISG integration, Signed policy]
21
Windows 10 S
- Compositionally identical to Windows 10 Pro; enables a seamless “Switch to Pro” experience
- Code integrity enforces the SKU “lockdown” policy: identical to “Windows Works” plus additional explicit blocks on:
  - Components that interpret/execute arbitrary code or otherwise enable bypass of the code integrity policy
  - Components that enable automation/weaponization of bypasses and are not required for MDM management
- Store app recommendations and a curated driver store help deliver safer, more reliable user experiences
22
Where is WDAC Applicable
(Security stance / manageability / application variability):
- Tightly managed
- Well-defined software and hardware configurations
- Low churn, with only Store app support
[Slide shows OFF/ON toggles for: Explicit rules, Managed Installer, ISG integration, Signed policy]
23
Links & Resources
- Microsoft Virtual Academy session on Device Guard: hammer-on-malware-with-windows-10-device-guard-16926
- Managing Device Guard with SCCM blog: windows-10-device-guard-with-configuration-manager/
- SCCM as a Managed Installer blog: managed-installer-with-win10/
- Device Guard Discussion
- Device Guard deployment guide
- Device Guard and Credential Guard Readiness Tool
- Device Guard signing in Business Store Portal
- Ignite 2016 Device Guard session
- Windows 10 Device Guard Overview en Français: Windows-10-Device-Guard
24