This is a short piece on the question of whether to use AppLocker or Windows Defender Application Control (WDAC) for application control on a Windows desktop. As technicians, we can sometimes get too interested in what technology is best, or what is newest. But the more important matter is what best meets the requirement. WDAC is the newer technology, and a significant advance on AppLocker. You can read about the differences here: Overview. So, in a Microsoft environment (Windows 10/11 desktop, 365 Apps, Intune, SharePoint etc.) we should assume we would use WDAC unless there are reasons not to. What could those reasons be?

Cyber security is important, of course. But it needs to be a part of a productive work environment. The most secure desktop is one that cannot be used. And it needs to be part of a holistic approach. For example, if we do not allow a user to have local administrator privileges on a device, the exposure to malware is much lower than if we do. If we require MFA to log on to a device, the risk of a malicious user is much lower than if we do not. In my view, application control should be transparent to the user. Software that is legitimate should just run. Software that is illegitimate should not run, with a message about the reason.

If a new piece of software is introduced, it should either just run, or not run. There should not be a long delay while IT staff rejig the rules to allow it to run. An example would be a piece of finance software. Let's say we are coming up for year-end, and the finance team have an update to one of the applications they use. They should be able to install it, and it should run. It should not take a month to develop and test application control rules.

AppLocker is much easier and less risky to update than WDAC. AppLocker XML files are simple text files that you can edit manually. WDAC XML files are also text files, but it is not practical to edit them manually. AppLocker uses the Subject Name of a certificate to identify a signed file. It is the same subject name regardless of the certificate used to sign. The same name might be used in multiple different certificates with different thumbprints. A mistake in an AppLocker policy might cause some processes not to run. A mistake in a WDAC policy might cause Windows not to boot. If it cannot boot, the only solution is to re-image the device. Imagine doing that for 30 or 50,000 devices!

I think the right approach is to use WDAC, but with a process in place to make it relatively quick and safe to update:

- Use file path rules so that most administratively installed applications are allowed anyway.
- Use "snippets" to extend the existing policies (snippets are policies created from a single application, and merged with the main policy).
- Use Supplemental policies for discrete areas of the business, e.g. finance or Assistive Technology applications.
- Use the WDAC Wizard for creating the base policy and applying updates.
- Maintain a strict workflow for testing and deploying a policy update.

Let's say you have a new application and it is blocked by the current WDAC policy. There are several ways you could update the policy:

- Scan the whole device and create a new policy. But this creates a significant risk of introducing new faults.
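The "snippet" approach from the list above, written out as an added example (not code from the original post) using the built-in ConfigCI cmdlets; the paths in $BasePolicy, $AppPath and $WorkDir are assumed placeholders, and the audit-mode stage is the testing step of the workflow before the enforced build goes out.

```powershell
# Added example: extend a WDAC base policy with one newly installed application
# by building a snippet policy from that application and merging it into the base,
# instead of rescanning the whole device.
$BasePolicy = 'C:\WDAC\BasePolicy.xml'        # assumed: existing base policy (XML)
$AppPath    = 'C:\Program Files\FinanceApp'   # assumed: folder of the new application
$WorkDir    = 'C:\WDAC\Updates'               # assumed: working folder for this update
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Snippet: a policy built from just the one application. Publisher-level rules
#    (falling back to hash only for unsigned files) so a vendor-signed update still runs.
$Snippet = Join-Path $WorkDir 'FinanceApp-snippet.xml'
New-CIPolicy -ScanPath $AppPath -Level Publisher -Fallback Hash -UserPEs -FilePath $Snippet

# 2. Merge the snippet into the base policy; the base keeps its PolicyID.
$Merged = Join-Path $WorkDir 'BasePolicy-merged.xml'
Merge-CIPolicy -PolicyPaths $BasePolicy, $Snippet -OutputFilePath $Merged

# 3. Test stage: Audit Mode (option 3) so a bad rule is logged rather than blocked,
#    Boot Audit on Failure (option 10) so a boot-critical mistake falls back to audit
#    instead of an unbootable device, and Update Policy No Reboot (option 16).
Set-RuleOption -FilePath $Merged -Option 3
Set-RuleOption -FilePath $Merged -Option 10
Set-RuleOption -FilePath $Merged -Option 16

# 4. Compile to the binary WDAC actually loads. In multiple-policy format the file
#    name must be the policy's PolicyID, so read it from the XML.
$PolicyId = ([xml](Get-Content $Merged)).SiPolicy.PolicyID
$Binary   = Join-Path $WorkDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary

# 5. Deploy the audit build to a pilot group. Only when the pilot shows no unexpected
#    "would have been blocked" events (Event ID 3076 in the
#    Microsoft-Windows-CodeIntegrity/Operational log) remove audit mode and recompile
#    the enforced build:
#    Set-RuleOption -FilePath $Merged -Option 3 -Delete
#    ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
```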