Microsoft Azure AZ-801 — Section 3: Secure Windows Server operating system
Section 3: Secure Windows Server operating system
22. Configure and manage exploit protection
I’d now like to spend some time talking about Windows Exploit Protection. This is a feature that’s been around since about 2018. Microsoft started really pushing the defender security capabilities that Windows supports and Exploit Protection is an additional layer of protection that stacks on top of what defender offers in the Windows environment. This is both supported by the server operating systems as well as your Windows client operating systems.
So, to get to the Exploit Protection and make sure that everything is turned on and configured, you can do that by going down to the Start button. Click the settings icon here. Once that loads up, you’re going to go to Update & Security. And then from there, you take a look at the Windows Security area here. We’re going to click on that. And then from there, we’re going to go to App & browser control because the Exploit Protection is going to involve applications as far as managing and securing those. From there, you’ll see it says Exploit Protection is built into Windows 10 (protects also for Windows 11) to protect your device against attacks.
It tells you that, out of the box, your device is already set up with the protection settings that work best for most people. But point being here, we can go in and configure this if we want. So, we’re going to go to Exploit Protection settings and this is where you can turn it on. So, you can see the various features that we have, that are there to help protect us against various threats. And these are related to the operating system. Specifically, if you wanted to turn something off, you could., maybe, there was something that was conflicting with something you were trying to do., maybe, you were developing an application and you needed to disable one of these features because the operating system was preventing something from loading. You could do that. But ultimately these are features that are there to help lock things down and help secure things.
You can also go over here to where it says program settings, and you’ll see there’s already a list of executables that involve the operating system that they’ve overridden for specific things involving Exploit Protection. So, you can look at those, you click on those, and you can click Edit, you can see there is various features here that are there for locking things down as far as different exploits are concerned in the operating system. So, they’ve already overridden, like, for example, they’ve overridden a randomization for images and all of that. You know, this all gets into the fact that hackers love to do things like buffer overflows with memory, they love to inject code into images so that when you open those images, it enables or disable something. You have what’s known as a rootkit, which involves trying to do what’s called privilege escalation. So, there’s various types of threats here that hackers are attempting to perform. And, of course, the point of Exploit Protection is to lock all those things down so that you don’t have to worry about those issues. Of course, in some cases, though, your operating system has executables that it needs to run that Exploit Protection could see as a threat and calls it not to open. And so this is what these overrides are here for.
Now, if there was a program, not just a specific operating system service or something, but a specific program that you wanted to override the Exploit Protection, you could do that here. You could add that program. So, it says add program by name and then choose exact file path. So, you can go either one of those and it’ll point to a sample the file.
Now, one of the neat things about this is, of course, you can probably imagine that. Okay, fine. Well, maybe, I want to configure this for a bunch of servers, or, maybe, I want to configure this for a bunch of clients, but I don’t want to have to sit down one at a time and configure these individually. So, the way you can handle that is you can go right here to where it says export settings. Once you’ve configured the settings the way you want, you can go to export settings and you can save this XML file. So, I’ll just create a little folder here called exploit_protection, and I’m just going to save this little XML file to that folder. Now, what I can do is on my domain controller, I can go to Server Manager, I can go Tools, I can go to Group Policy Management. All right. And then from there, I can create a GPO group policy object. Right? So go here under my domain and then down here to group policy objects. And I’m just going to create a GPO called Exploit Protection. All right. And then I’m going to edit that GPO. So, I’m going to right click and click Edit. And then this is going to be under computer management. So, we’re going to go under computer management, and then we’ll go to policies. We’ll go to Administrative Templates and then Windows components. Expand that out, and then let me just move this over a little bit. Scroll down and we should have right here where it says Windows Defender Exploit Guard. So, we’re just going to click on that or expand that and then go to Exploit Protection. And you have this little policy here where it says, “Use a common set of Exploit Protection settings.” So, we’re going to double click on that. We’re going to go to enable it. And then from there, we can specify the path of the XML. So, in my case, c:/exploit_protection/settings.xml. You can double check that path if we want. All right. So, we’ll go here. So, Exploit Protection and then settings.xml, right? Of course, file extensions are hidden. I can fix that relatively easy by coming over here and just clicking view and then telling it to show the extensions. There it is. Settings on XML. So, we point to that path and there you go. All right. At that point you can have those settings imported into everybody’s machine. All right. So, we’ll click Okay, close out of that. And then we would, of course, drag and drop this over wherever we want this to, whatever we want this to affect. If we just wanted it to affect the entire domain, we could just drag and drop it over the entire domain; if we wanted it over a specific view like, maybe, we just wanted it to affect domain controllers, we could drag and drop it over just domain controllers, right? And then don’t forget, you know, policies don’t take effect immediately in the Windows world. They happen every 90 to 120 minutes. Or you can reboot a machine for them to take effect. Or you can always go and you can run the GPU update command. Right? So, I can go to here, I can say gpupdate/force, hit Enter, and that, of course, will refresh the policies. Remember, on domain controllers, though, they do get refreshed every 5 minutes, whereas everybody else, machines get refreshed every 90 to 220 minutes.
If you want to verify that a GPU has actually taken effect, you can always run the gpresults /h c:/report.html. All right. And that’ll just generate a little report that you can view through your web browser. Go here to the C drive and we can open up this little report. And this would allow us to verify that the GPO has actually taken effect. Right. So, we’ll go here. Show all. Scroll down. And we can see if our GPO has taken effect. There it is. Exploit Protection is enabled. So, it did take effect. All right.
And that is how you configured Exploit Protection on a large scale as well as if you wanted to configure it on a single computer basis. All right. And there are PowerShell commands that you can also use for Exploit Protection as well. So, if you wanted to try to script it out, you can use there are PowerShell commands that you can look at that will actually do that for you.
23. Configure and manage Windows Defender Application Control
I’d like to go over the concept now of WDAC, also known as Windows Defender Application Control. Now, application control is not really a new concept and for many-many years we have needed that capability of controlling what applications a user can open on their machine and servers are no different.
So, you want to think about this from a client standpoint, but in this case we also want to think about it from a server standpoint. We have different admins that are working with our servers, and admins make mistakes too. In some cases, they’ll run stuff that we shouldn’t be running on a server. I had a client even installed a finance piece of software on a server that really shouldn’t have been installed and it ended up opening up a back door and hackers were able to connect in and do ransomware. That’s a good example of what I’m saying here. So, we do need to be able to police what can be installed on a server.
I want to show you a couple of things here. First off we’re on NYC-DC1 on my example here, and if I open up my web browser and just go to Google and just search for the keywords, let’s see, configure Microsoft Defender Application Control. If you search any of those keywords, you should be able to locate… Actually, let me change the keywords. Let’s do WDAC versus AppLocker. That’s actually better keyword. So, let’s search those keywords. There is a nice little article right here – WDAC and AppLocker overview.
So, we’re going to click on that. And again, my goal here is to show you how you can find these same types of documents in the real world. When you’re looking for stuff this comes in handy to look at the official documentation because one of the things that people get confused on is the difference between Windows Defender Application Control versus AppLocker. AppLocker has been around for years, ever since Windows 7 came out. And so, there is a little confusion when should we use one or the other. Actually, the two can work together. All right. But if you look here it tells you Windows Defender Application Control, the rules that you can define with it will control things like the attributes of codesigning certificates used to sign an app and binaries. So, you can choose to allow something to be ran if it’s digitally signed. You have you can even have rules that can be applied based on the reputation of an app. Microsoft has what’s called the NTLMligence Security Graph, and they can make decisions on whether or not an app is trustworthy and that can go into a database. Of course, they can link to all this. You then have certain paths where files are located on whether or not they can be ran based on where they’re located at. And then also the process that launches the app or the binary program that’s being ran here. So, those are some of the things to think about.
Of course, the confusing thing here is when do you use one or the other? Again, we’ve had AppLocker since Windows 7 came out. And, of course, the Windows Defender Application Control guard scenario is a little bit newer, right? So, if you look here with AppLocker, you can still use AppLocker. This is still available. We can tell that you can create rules based on codesigning certificates. Then, you can choose specific binary files themselves, executables, whatever they are, and then also the paths that can be allowed. All right.
But if you go down here, there’s a great piece of information. Choose when to use WDAC or AppLocker. So, they tell you here, in some cases, AppLocker may be more appropriate technology for your organization. AppLocker is best when… Well, first off, the rule of thumb is this. WDAC is great for sending out an overall blanket of policies of things, maybe, you definitely don’t want to allow or you definitely do want to allow. And then AppLocker is more fine grained. All right. So, in other words, when you want to be a little bit more specific that’s when it’s good to use AppLocker and to kind of mix AppLocker with the serve.
For example, I might create a policy, a GPO group policy object that deploys the Windows Defender Application Control policy out that says, “Hey, allow this or don’t allow this for everyone, for the entire domain, or, maybe, just for all of my servers, or, maybe, just all of my clients.” And then with AppLocker, I’ll deploy an AppLocker policy that denies specific things. For example, there might be the sales department. And I want to deny or I want to allow specific applications just for the sales department, and that’s when AppLocker is going to be really-really good. All right.
So, they tell you here, you know, you could use AppLocker best when you have a mixed Windows operating system environment, need to apply the same policy controls to Windows 10 earlier operating systems. You need to apply different policies for different users or groups. So, that’s where I was going with that. And then you don’t want to enforce application files such as DLLs or drivers. All right. So, best practice. You should enforce WDAC at the most restrictive level possible for your organization and then use AppLocker to fine-tune the restrictions. And that’s what you want to remember. All right. That’s sort of the key, that’s the general key on using both. All right.
So, let’s jump in now and take a look at how we can implement this. Okay. So, now what I’m going to do is I’m going to jump over to my Windows 11 virtual machine because I’m going to be installing a thing called the WDAC Pro File Policy Wizard. And you can’t install that on server directly. So, we need our client operating system for this.
So, I’m going to open up my web browser on my Windows 11 box here. We’ll just do a quick search for WDASiPolicy Wizard and we’re going to look for this link right here. It says webapp-wdac-wizard-azurewebsites.net. I’m going to go ahead and click on that now. And then from there we’re going to click to Download the Installer. So, it’s going to go ahead and download that. And then, of course, once that’s done download, we’re going to go ahead and open up the file. All right. And then from there… All right, publisher, there it is. Launch when ready. That’s fine. We can do update. It needs to be updated. So, go ahead and let that run through real quick. Once that’s done updating, I’m going to go to Policy Creator here. And then it asks me if I’m creating a multiple policy format, create a base or a supplemental policy for Windows 10, version 1903 and above up to 32 bit. Keep in mind this tool is ever changing. So, depending upon when you’re watching this video, it may look a little different, but it’s an ongoing battle with me updating my videos because I can update them week after week, but they still change things week after week. But anyway, you’ll see that right here. And then you’ve also got single policy format, create a policy to be deployed on any Windows 11 device, including server 2016 and 2019. And if you do a multiple policy, they got the base policy. We’ll just do a single policy format. And so we’ll go there. We’ll click Next. And then it says, “You are doing the Default Windows Mode?” Default Windows Mode authorizes Windows Operating System components, Store applications, Office 365, OneDrive, Teams. Then you’ve got “Allow Microsoft Mode”. It authorizes Windows Operating System, Store, Office 365, OneDrive, the WHQL signed kernel drivers, All Microsoft signed applications. Or, you can do “Signed and Reputable Mode” authorizations, which is Windows Operating Systems, Store applications, Office 365, OneDrive, Teams, signed kernel drivers, all that fun stuff. All right.
So, I’m going to go with this first one right here. And it says, “Okay.” So, it’s going to create me a policy based on that using this policy template. All right. I’m just going to call this MyTemplateDemo. All right. That’ll be the policy name and then the file name which is asking me where do I want to store this file. And by default, you’ll see it’s going to want to store it right there in the Documents folder. But I’m actually going to just go down here to the C drive and I’m just going to create a folder called wdac and I’m going to call this MyPolicyDemo. XML. So, we’ll hit Save, and we’re going to go ahead and click Next. All right.
So, from there we have the ability to turn on and off these various things. All right. So, Advanced Boot Options, Allow Supplemental Policies, and you can always click Learn more and if there’s any individual ones here you want to look at specifically. But if I want to turn certain things on or off, I can do that. Then it says, “Do you want to run this policy in audit mode? Turning on audit mode will not enforce the policy. We recommend first running Audit for prior enforcement.” This is just going to log it. And I’m actually going to turn audit mode off here. Okay.
So, then we’ll click Next. And so. All right, here is the list of signing rules that’s going to go ahead and put in there. So, all of these different things here are going to be allowed currently. And I’m going to click Next. All right. And then I’m just waiting on that to finish loading. There it goes. Building your WDASiPolicy. All right. Now, obviously, you can get really-really customizable and all that but we don’t have to get that deep here. That’s not what you really need to know here. You need to know what this is, and you know what the policy is, and all that but we don’t have to get so deep into building customization into it. So, from there it’s generated an output file and there is my output file right there, this SiPolicy.p7b.
Now, let’s see how we can apply this little policy here. So, we’re going to go right click the Start button and go Windows terminal as an admin. All right. And I’m just going to open up the integrated scripting environment for PowerShell, just to kind of show you what the script would be if you just wanted to apply this to this machine right out of the gates here. So, here we are. And I’m going to type this command ConvertFrom-CIPolicy -xmlFilePath. And then the path will be the c:\wdac\MyPolicyDemo.xml. So, that’s our XML file. All right. And then we’ll say -BinaryFilePath and that’ll be c:\wdac\SiPolicy.p7b. So, that is going to apply that. So, we’re going to go ahead and just run that. All right. And it says it’s been applied now. That’s how we would just apply that to this one machine if we wanted to.
Now, what I’m going to do is I’m going to copy the policy over to a domain controller and show you how we could apply this to our servers and our domain and all of that. All right. So, I can go over here to my File Explorer and we’ll go to the C drive and WDAC. And there is our file right there, this SiPolicy. So, we’re just going to copy that. All right. So, make a copy of it, right? And then I’m going to go \\nyc-dc1\c$. All right. And so from there, I’m just going to create a folder on the C drive called wdac, and I’m going to paste it on our domain controller, okay? So, we’ll just paste that over. And then we’ll just verify that it’s there. There it is, right there. And now we’re going to jump over to our domain controller. Okay, so here we are on our domain Controller NYC-DC1. We’ll go to File Explorer, go to our C drive, and there’s that folder right there. There’s the SiPolicy. It’s going to right click that and go to Properties and I’m going to go to Sharing and Advanced Sharing. We’ll say Share this Folder. All right. Permissions, everyone has read, okay. From there, we’re going to go to Server Manager, we’re going to go to the Tools menu and we’re going to open up the Group Policy Object Editor, our Group Policy Management, which is going to be good. It’s going to let us get into group Policy Object Editor All right. I already have a GPO that I have created earlier. I’m going to get rid of that though, and create a new one for this video. So, we’ll just call this WDAC Deployment. Of course, you could name it anything you want. And then we’re going to go ahead and right click and edit that.
Now, we’ll go right here under Computer Configuration, expand out Policies, Administrative Templates, and then go to System. And you will see Device Guard right there. And then there is a policy called Deploy Windows Defender Application Control. So, we’re going to double click on that. We’re going to click Enable. And this is where we put the path in, which is going to be the \\nyc-dc1\wdac\. And if you look, let’s go back to the file. Verify the name of it. SiPolicy.p7b. Right. So, let’s just copy that name. All right. And we will paste that in. So, there it is. All right. Now, we’ll click. Okay. All right. And at that point, we have attached that to the domain. So, the only thing that has to really happen now is any computer that’s going to receive the policy, they just have to refresh their policies, which of course can take up to 90 to 220 minutes, which you can also run gpupdate /force and all of that. And it’ll obviously happen a lot quicker. Of course, domain controllers do refresh their policies every 5 minutes. So, domain controllers get their policies refreshed quicker. But other machines, it’s 90 to 220 minutes. All right. And so that is how we can apply these Application Control Policies out to the domain.
Now, just as a side note, extra credit, if you will, if we edit this and we go under Policies and we go under a Windows Settings and then go Security Settings. Scroll down a little bit and we have Application Control Policies. This is where AppLocker lives. I’m not getting into this thoroughly in this video, but this is where you could create AppLocker rules, if you wanted to, executable rules, Windows Install rules. So, you can be a little bit more fine grained about what you’re applying there. But hopefully now that helps you understand the idea of creating a custom WDAC policy and how we can apply it not just to one computer, but to all the computers in our domain, including our servers.
One last thing I want to mention on this, it’s fine if you want to try it out and then try downloading some software and running it like some EXE files or something on the machine. But I do recommend that you remove it because some of the activities that we may be doing during the course, you could end up stopping yourself from being able to install certain things. So, I would actually recommend just getting rid of this after you play around. If you want to play around with it, fine. If you don’t, that’s fine too. But if you do want to play around with it after you’ve done playing around with downloading files and running them and stuff like that, after the policies have refreshed and seeing if you can run them, then I would delete it if I were you. So, that’s my recommendation.