Windows Defender Application Control: The enterprise alternative to S-Mode

Microsoft's Windows management tools can lock PCs down to only use trusted software.


The problem with computers is software. Not the software you trust, that you use every day to do your work. No, the problem is code you don't know, that comes with a download. It might be malware stealing and damaging data or it might be badly written, consuming resources that are needed for more important tasks.

We can use antivirus and firewalls to protect PCs from known threats, but with an ever-growing amount of malicious code that can only be a rearguard action. So how can we protect our fleets of PCs, while still giving users access to the files and applications they need?

Microsoft's S-Mode in Windows 10 is one approach: it restricts installation so that only vetted, signed code from the Windows Store can be installed, and the Store's code signing lets you be sure you're getting the correct, unaltered version of an application. But apps delivered through the Store need to be either UWP or wrapped using the Desktop Bridge, and while you can run a private Store through Intune, it's not always economical to take old existing apps and either rewrite or convert them.

Introducing WDAC

That's where Windows Defender Application Control, WDAC, comes in. Instead of allowing everything to run, with all code trusted no matter where it originates, WDAC takes a more deliberate approach to application security, ensuring that only code the policy trusts runs on managed PCs. It's not just a tool for checking digital signatures. Because it is enforced by the kernel's code-integrity layer rather than by a user-mode agent, it covers kernel-mode drivers as well as user-mode executables and DLLs; it restricts scripting hosts such as PowerShell, which drops into Constrained Language Mode for scripts the policy doesn't authorise; and it blocks scripts and installers that the policy doesn't allow, whether trust is granted by signer or by file hash. You can think of it as an enterprise version of Windows 10 in S Mode -- one that doesn't lock your users out of your own internal apps or from legacy Win32 code.

Previously the "configurable code integrity" component of Windows Defender Device Guard, WDAC is supported on Windows 10 Enterprise and on Windows Server 2016 or later. It's managed by Group Policy or via MDM, so you can use tools like Intune to deliver policies to your devices, even when they're outside your firewall.

One of the more useful WDAC features is the ability to control more than whole applications, adding a way to work with the plug-ins, add-ins and modules that extend them. These rules work at the level of the DLLs a specific host process is allowed to load, so you can, for example, ensure that Outlook or Excel will only load trusted add-ins. Browser extensions are a different kind of code (scripts inside the browser's own sandbox), and are controlled through the browsers' own policies rather than WDAC.

Defining WDAC policies

Microsoft provides a series of guidelines to help you define the policies you want to use. Options include controlling all applications or only specific ones, and covering classic Win32 desktop apps, UWP apps, or both. You then decide how to scope a policy, by user group or by device, bearing in mind that, unlike AppLocker, a WDAC policy applies to the whole device rather than to individual user accounts on it. Usefully, WDAC offers an audit mode: anything the policy would have blocked is allowed to run but logged to the Microsoft-Windows-CodeIntegrity/Operational event log, so you can run a draft policy across your fleet and see what your users actually use. The results of a WDAC audit can then be turned into rules and merged into the policy, producing a set of policies that fits how your users work.
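The audit-first workflow described above, written out as an added example; this is not code from the original article or from Microsoft's documentation. It uses the real ConfigCI cmdlets (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy, Merge-CIPolicy), but the working folder C:\WDAC, the policy names and the choice of rule levels are assumptions, and it assumes an elevated PowerShell session on a reference machine that already has the line-of-business software installed.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes: an elevated PowerShell session on a reference Windows 10 (1903+)
# machine with the ConfigCI module, the line-of-business software already
# installed, and C:\WDAC as a working folder (placeholder path).

$PolicyDir = 'C:\WDAC'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
$PolicyXml = Join-Path $PolicyDir 'LOB-Audit.xml'

# 1. Scan the reference machine. -Level Publisher trusts any file signed under
#    the same publisher certificate as a scanned file; -Fallback Hash gives
#    unsigned files a per-file hash rule. -UserPEs includes user-mode binaries,
#    not just drivers. -MultiplePolicyFormat is the 1903 format that allows
#    base + supplemental policies later.
New-CIPolicy -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs `
             -MultiplePolicyFormat -FilePath $PolicyXml

# 2. Rule options: 0  = Enabled:UMCI (cover user-mode code, not only drivers),
#                  3  = Enabled:Audit Mode (log instead of block),
#                  16 = Enabled:Update Policy No Reboot (later updates apply live).
0, 3, 16 | ForEach-Object { Set-RuleOption -FilePath $PolicyXml -Option $_ }

# 3. Convert to the binary form the kernel's code-integrity component loads.
#    In multiple-policy format the file must be named {PolicyID}.cip.
$PolicyId  = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
$PolicyBin = Join-Path $PolicyDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Activate locally (or push the .cip with Intune / Group Policy instead),
#    then reboot, or run Microsoft's downloadable RefreshPolicy tool.
Copy-Item $PolicyBin "$env:windir\System32\CodeIntegrity\CiPolicies\Active\"

# 5. Once users have worked under audit for a while, see what enforcement
#    would have blocked. Event 3076 = audit-mode "would have blocked";
#    3077 is the enforced-mode block you will see after switching over.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 6. Turn those audit events into rules and merge them into the policy.
#    Review the merged XML (PolicyID and rule options) before converting it
#    as in step 3.
$AuditXml  = Join-Path $PolicyDir 'LOB-FromAudit.xml'
$MergedXml = Join-Path $PolicyDir 'LOB-Merged.xml'
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs `
             -MultiplePolicyFormat -FilePath $AuditXml
Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $MergedXml

# 7. When the audit log has gone quiet, drop option 3 to move to enforcement.
Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
```

The Publisher level is a deliberate middle ground: a hash-only policy breaks on every application update, while a looser level such as PcaCertificate trusts every product signed under the same intermediate CA. Whichever level you choose, keep the 3076 events flowing to your SIEM during the audit phase; a policy that never produces them has either covered everything or isn't being applied at all, and you want to know which.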


WDAC is a powerful technology and can quickly lock down a network. It's perhaps best used where your users are task-oriented and don't need access to a lot of applications, especially where they don't have administration rights. That makes it ideal for a call centre or for public internet terminals. It's also useful where users do have some admin rights but are working with sensitive information. Using WDAC you can limit execution to a specific set of applications, plus trusted apps from the Microsoft Store, reducing the risk of users installing malware.

Making WDAC more flexible

The 1903 release of Windows 10 added more features to WDAC, making it more flexible by widening the kinds of rule it supports and adding management features. Policies can be pushed over MDM tools, and with the corresponding rule option set (Enabled:Update Policy No Reboot) a policy update no longer requires a reboot.

One new option is support for file path rules. If you've used the older AppLocker, you'll find this approach familiar: a rule names a folder or file path and executables under it are allowed to run. Path rules are only as strong as the permissions on the path, so WDAC will only honour one for a location that standard users cannot write to; it checks the file's and directory's access control lists at run time (unless that check is explicitly disabled with a policy option), which stops a lower-privilege process from dropping its own code into an allowed folder. Path rules apply to user-mode code only; kernel drivers still need signer or hash rules. Path rules sit alongside the other rule types in a single policy, so you can, for example, allow a legacy line-of-business app by its install path while the rest of the estate is covered by publisher rules for signed code.

It's important to realise that one size does not fit all, and your business is unlikely to be served by a single policy. Different groups and individual users may need separate policies, and the latest releases of WDAC support this by letting you define a base policy for your organisation that can be extended by supplemental policies. Combining base policies with supplemental policies means smaller, group-level supplemental policies can be managed separately, expanding the base rules. It's important to note that a smaller base policy is better than a larger one, because supplemental policies can only add to a base policy; they can't reduce the scope of its rules.
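Putting the two 1903 features together, here is an added example (not from the original article or Microsoft's documentation) of a supplemental policy that allows one department's line-of-business application by file path. The cmdlets (New-CIPolicyRule, New-CIPolicy, Set-CIPolicyIdInfo, ConvertFrom-CIPolicy) are real; the base policy at C:\WDAC\Base.xml, the application folder C:\Program Files\FinanceApp and the policy name are placeholders, and the Test-StandardUserWritable function is my own rough pre-flight approximation of the writability check WDAC performs itself at run time.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes an existing multiple-policy-format base policy at C:\WDAC\Base.xml,
# a line-of-business app installed under C:\Program Files\FinanceApp, and the
# ConfigCI module in an elevated session. All paths are placeholders.

$BaseXml = 'C:\WDAC\Base.xml'
$SuppXml = 'C:\WDAC\Finance-Supp.xml'
$AppDir  = 'C:\Program Files\FinanceApp'

# Rough pre-flight approximation of WDAC's runtime check: a path rule is only
# honoured for locations standard users cannot write to. WDAC's own evaluation
# is authoritative; this just catches an obviously wrong folder before deploy.
function Test-StandardUserWritable {
    param([string]$Path)
    $lowPriv = @('BUILTIN\Users', 'Everyone',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, CreateDirectories'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

if (Test-StandardUserWritable $AppDir) {
    throw "$AppDir is writable by standard users; WDAC will not honour a path rule for it."
}

# The base must opt in to supplemental policies (option 17, Enabled:Allow
# Supplemental Policies), otherwise the supplemental policy is ignored.
$baseOptions = ([xml](Get-Content $BaseXml)).SiPolicy.Rules.Rule.Option
if ($baseOptions -notcontains 'Enabled:Allow Supplemental Policies') {
    throw "Base policy lacks option 17. Fix with: Set-RuleOption -FilePath $BaseXml -Option 17"
}

# 1. One path rule covering the app folder; the trailing \* covers subfolders.
$rules = New-CIPolicyRule -FilePathRule "$AppDir\*"

# 2. Build a policy from those rules alone (no scan) and link it to the base.
#    -ResetPolicyID gives it a fresh PolicyID; BasePolicyID is copied from Base.xml.
New-CIPolicy -Rules $rules -FilePath $SuppXml -UserPEs -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $SuppXml -BasePolicyToSupplementPath $BaseXml `
                   -PolicyName 'Finance supplemental' -ResetPolicyID

# 3. Convert. Both .cip files live in the Active folder (or are pushed by MDM).
#    Do NOT set option 18 (Disabled:Runtime FilePath Rule Protection) here:
#    it switches off the writability check that makes path rules safe.
$SuppId = ([xml](Get-Content $SuppXml)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $SuppXml -BinaryFilePath "C:\WDAC\$SuppId.cip"
```

Because the supplemental policy can only widen what the base allows, keep the base to the operating system and the software everyone needs, and put each department's extras in its own supplemental policy; that way removing a department's policy narrows trust again without touching the base.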


Windows 10 in S-Mode is a useful first step towards application control, locking systems down to Store apps only, with the option of using policy to prevent users from switching out of S-Mode. It's perhaps best thought of as an option for education, for small businesses and for home users, as it requires very little management.

Where you need more control, and have the management resources, it's far better to switch to tools like WDAC. While WDAC requires a lot more work to run successfully, it's a powerful way to ensure that only trusted software runs on your network. With 96% of malware unsigned, locking down your PC fleet so that only whitelisted code runs is a sensible way to protect your network and your data wherever you want to limit the applications users can run. If bad code can't run on your PCs and your data is safe, the time spent building a WDAC configuration is time well spent.
