What is Windows Defender Application Control?


If you're not familiar with Windows Defender Application Control (WDAC), let me fill you in. Not to be confused with Windows Defender Application Guard, a containerization solution for Microsoft Edge that uses Hyper-V to isolate browser sessions, WDAC is one part of Windows Device Guard. Just to add to the confusion, Microsoft uses Windows Device Guard to refer to the use of WDAC and hypervisor-protected code integrity (HVCI) together.

For more information on Windows Defender Application Guard, see Revisiting Application Guard in the Windows 10 April 2018 Update on Petri.

Windows Device Guard was introduced in Windows 10 as a new, robust application control solution designed to be more flexible than AppLocker. But Microsoft promoted Device Guard along with HVCI and many IT administrators wrongly assumed that the application control part of Device Guard couldn’t be used without HVCI, which has some hardware requirements that many older devices don’t meet.

Last year, Microsoft announced that the two technologies that make up Device Guard had been separated into Windows Defender Application Control, which deals with application whitelisting, and Windows Defender Exploit Guard, which handles protecting WDAC using HVCI if required. By separating Device Guard into two distinct technologies, Microsoft hopes that IT administrators will understand that HVCI isn't required to use WDAC.

Windows Defender Application Control

Application control first appeared in Windows XP as Software Restriction Policies (SRP), but it was not widely adopted because it was difficult to implement. AppLocker in Windows 7 was designed to solve that problem. But AppLocker isn't without its shortcomings, not least of which is that its implementation isn't very robust. For example, users with administrative privileges can disable AppLocker.

Windows Defender Application Control uses Code Integrity (CI) policies that are implemented by the Windows kernel right from early in the boot sequence before most other OS code starts running. CI policies also extend to kernel mode code, such as drivers and Windows components, unlike AppLocker that can only be used to whitelist user mode code. Administrators can be prevented from tampering with WDAC by digitally signing CI policies. To change a policy, a user would need administrator privilege and access to the organization’s digital signing process.
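The policy lifecycle described above (scan, audit, sign, deploy, review) as an added PowerShell example. This is not code from the article or from Microsoft; it uses the ConfigCI cmdlets and signtool.exe that ship with Windows 10 and the Windows SDK, and the paths, policy name and certificate name are placeholders you would replace with your own.

```powershell
# Added example (not from the article): building, auditing and signing a WDAC
# Code Integrity policy. Run elevated on a clean reference machine.
# All paths and the certificate subject name below are placeholders.

Import-Module ConfigCI

$PolicyXml       = 'C:\WDAC\BasePolicy.xml'      # placeholder: editable policy source
$PolicyBin       = 'C:\WDAC\SIPolicy.p7b'        # compiled (binary) policy
$SigningCertPath = 'C:\WDAC\PolicySigning.cer'   # placeholder: public cert of the org's policy-signing key

# 1. Scan the reference machine. Publisher-level rules trust files by their signer;
#    unsigned files fall back to a SHA-256 hash rule. -UserPEs includes user-mode
#    binaries, so the policy covers both kernel-mode and user-mode code.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Start in audit mode (rule option 3): nothing is blocked, but every file that
#    enforcement *would* block is logged, so the policy can be tuned first.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Allow only the organisation's signing certificate to update the policy, then
#    remove option 6 ("Enabled:Unsigned System Integrity Policy") so the kernel
#    rejects unsigned copies. This is what stops a local admin from swapping it out.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $SigningCertPath -Update
Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete

# 4. Compile the XML into the binary format the Code Integrity engine loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 5. Sign the binary with the private key matching $SigningCertPath. The /p7co OID
#    marks the PKCS#7 signature as a Code Integrity policy; signtool writes the
#    signed output as "<file>.p7" next to the input.
& signtool.exe sign /v /n 'Contoso WDAC Policy Signing' /p7 (Split-Path $PolicyBin) `
    /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $PolicyBin

# 6. Deploy the signed policy under the name Windows expects for a single-policy
#    install; it takes effect after a reboot.
Copy-Item -Path "$PolicyBin.p7" -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# 7. While in audit mode, review what enforcement would have blocked.
#    Event 3076 = audit-mode "would have blocked"; 3077 = blocked in enforced mode.
function Get-WdacAuditEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

Get-WdacAuditEvents -Hours 24 | Format-Table -AutoSize
```

Only after the 3076 events stop showing legitimate software should audit mode be removed (`Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete`) and the policy recompiled, re-signed and redeployed; the signing step is the part that gives WDAC the tamper resistance the paragraph above describes.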

Exploit Guard, HVCI, Memory Integrity, VBS – Take Your Pick

Additionally, the entire process can be further protected using virtualization-based security (VBS) if your devices meet the necessary hardware requirements. This is enabled using Windows Defender Exploit Guard. Sometimes this is also referred to in Microsoft's documentation as HVCI. To further muddy the waters, the feature is labeled Memory integrity under Device Security in the Windows Defender Security Center.

Enable HVCI in the Windows Defender Security Center (Image Credit: Russell Smith)

If you want to enable HVCI using Group Policy or MDM, you need to look for the Turn on Virtualization Based Security setting under Computer Configuration > Administrative Templates > System > Device Guard. For more information on enabling HVCI, see Microsoft's website here. You can find out if your devices support HVCI by downloading the Device Guard and Credential Guard Readiness Tool from Microsoft.
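As an added example (not the article's or Microsoft's code), the following PowerShell reports the VBS/HVCI state through the Win32_DeviceGuard WMI class and sets the same DeviceGuard registry values that the Turn on Virtualization Based Security policy writes. It assumes an elevated session; the function and parameter names are my own, and a reboot is needed before a change takes effect.

```powershell
# Added example (not from the article): inspect and enable HVCI ("Memory integrity")
# on a single machine. Run elevated.

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running (reboot or hardware requirement missing)' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        VbsStatus         = $vbsStatus
        # SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI
        HvciConfigured    = $dg.SecurityServicesConfigured -contains 2
        HvciRunning       = $dg.SecurityServicesRunning -contains 2
        # Code Integrity policy enforcement: 0 = off, 1 = audit, 2 = enforced
        KernelCiPolicy    = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCiPolicy  = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        # Platform features the firmware/hypervisor report as available
        AvailableProps    = ($dg.AvailableSecurityProperties -join ',')
    }
}

function Enable-Hvci {
    param(
        # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot + DMA protection
        [ValidateSet(1, 3)] [int] $PlatformSecurityLevel = 1,
        # Locked = 1 stores the setting in a UEFI variable so it cannot be turned off
        # from inside Windows; leave 0 while piloting so incompatible drivers can be backed out.
        [switch] $UefiLock
    )
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey   -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $dgKey   -Name RequirePlatformSecurityFeatures   -Type DWord -Value $PlatformSecurityLevel
    Set-ItemProperty -Path $hvciKey -Name Enabled -Type DWord -Value 1
    Set-ItemProperty -Path $hvciKey -Name Locked  -Type DWord -Value ([int]$UefiLock.IsPresent)
}

# Report first; enable only if the hardware properties look right.
Get-VbsState | Format-List
# Enable-Hvci -PlatformSecurityLevel 1   # then reboot and run Get-VbsState again
```

Running the report before and after the reboot is the quickest way to tell whether a device that was configured for HVCI actually started it: `HvciConfigured` true with `HvciRunning` false usually means a hardware or firmware requirement is missing, which is what the Readiness Tool mentioned above checks in more detail.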

Windows Defender Application Control is a robust application whitelisting technology that, when implemented, can significantly reduce the risk of being infected by Advanced Persistent Threats (APTs) and zero-day malware. But as it stands, the lack of a centralized GUI management tool is likely to limit uptake. The PowerShell configuration tools also involve a steep learning curve and require a substantial investment in testing. Some drivers might not be compatible with HVCI. Microsoft has more information on this issue here. Organizations interested in deploying WDAC might look to enabling it first on servers where the software portfolio is relatively static.

The post What is Windows Defender Application Control? appeared first on Petri.
