Application Approval/control in a managed environment. (3/3)
Intro
Had another Twitter thread last night expressing my belief that without Application Control keeping environments secure, defenders are fighting a losing battle. It's time we level the playing field. I'll follow up this 3 part series with plenty more; the next one will probably make the case for Application Control based on the InfoSec news of this summer. But first, let's finish off this series.
So far, we've talked about our vision around Open vs Closed devices and talked about some numbers around the threat landscape to help make the case for Application Approval.
This post will be about tackling the perception that Application Control is extremely hard to implement and maintain. I'd like to make the case that implementing Application Control has the potential to save, or buy, you time. There are a couple of ground rules, though, that you have to keep in mind while starting an Application Control project.
When you've identified a department or set of servers that fits those ground rules, implementing Application Control doesn't have to be all that hard. The main feature that backs up this statement is Managed Installers, Module 5 in the training we're developing around Windows Defender Application Control.
Managed installers
The Managed Installers feature of #wdac allows an admin to define a process that can install applications and make those applications trusted by Application Control in one go. Remember the first article where we defined Open and Closed devices? Windows Defender Application Control allows you to turn a Windows device into a Closed device. The problem with that setup is that the Windows Store isn't extensive enough for most organizations to consume applications from the store alone. That's where Managed Installers come in: they turn MEMCM or Intune into a second store you can use to deliver trusted applications.
There are still a couple of caveats to consider, but this feature vastly reduces the amount of effort needed for your implementation.
It's also the main reason why OSCC has been telling its customers to enable the Managed Installer functionality today, by putting Windows Defender Application Control in audit mode. Trust is only established when the Managed Installer was already defined before the systems management tool installed the software. That sentence, bold for a reason, is often forgotten when people see a demonstration of Managed Installers.
Now think for a minute about what that statement means for your environment. Installing a device from scratch and making sure its software becomes trusted is made quite a bit easier this way. Your devices that have already been deployed, however, will need other mechanisms to have their software trusted. (There's a reason our training consists of 9 other modules besides Managed Installers.) This equally means that enabling this now will minimize the number of devices you deploy with applications that can't rely on Managed Installers.
So stop building even more backlog and enable this great feature today by defining the process and building a WDAC audit policy.
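The two steps above (define the installer process, then ship a WDAC audit policy with the Managed Installer option on) look like this in PowerShell. This is an added example, not code from the article, from OSCC or from its training; it assumes the MEMCM client (CcmExec.exe) is the process you want to trust as installer, and the C:\WDAC working directory and policy file names are placeholders to adapt. Deployment of the resulting binary policy through MEMCM or Intune is left as a comment, since that depends on your tooling.

```powershell
# Added example (not the author's or OSCC's code). Assumptions: CcmExec.exe is the
# installer process to trust; C:\WDAC and the file names below are placeholders.
$WorkDir = 'C:\WDAC'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# --- Step 1: define the Managed Installer process -----------------------------
# Managed installers are declared in an AppLocker rule collection of type
# "ManagedInstaller". Only the process matched here passes installer trust on to
# the files it writes, so keep the rule narrow (publisher + binary name).
$RuleId = [guid]::NewGuid().ToString()
$MiPolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$RuleId" Name="MEMCM client as managed installer"
        Description="Assumed: CcmExec.exe delivers the applications" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="*" BinaryName="CCMEXEC.EXE">
          <BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$MiPolicyPath = Join-Path $WorkDir 'ManagedInstaller.xml'
$MiPolicyXml | Set-Content -Path $MiPolicyPath -Encoding UTF8

# Merge the managed-installer collection into the local AppLocker policy and tell
# the AppID service to start tracking managed installers only (-mionly), so no
# other AppLocker collections are enforced by this step.
Set-AppLockerPolicy -XmlPolicy $MiPolicyPath -Merge -ErrorAction SilentlyContinue
& "$env:windir\System32\appidtel.exe" start -mionly

# --- Step 2: build a WDAC policy in audit mode with Managed Installer enabled ---
# Start from the audit-mode example policy that ships with Windows, then set
# the rule options by number (3 = Enabled:Audit Mode, 13 = Enabled:Managed
# Installer, 0 = Enabled:UMCI so user-mode installs are actually evaluated).
$PolicyXml = Join-Path $WorkDir 'WdacAuditPolicy.xml'
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" $PolicyXml -Force
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 13

# Compile to the binary form Windows consumes. Deploy it with MEMCM/Intune, or
# for a quick lab test copy it to %windir%\System32\CodeIntegrity\SIPolicy.p7b
# (single-policy format) and reboot.
$PolicyBin = Join-Path $WorkDir 'SIPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null

# --- Step 3: confirm the ordering caveat in practice --------------------------
# In audit mode, files that would have been blocked log CodeIntegrity event 3076.
# Software installed by CcmExec.exe BEFORE the managed installer rule existed
# still shows up here; anything it installs afterwards should not.
function Get-WdacAuditEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-WdacAuditEvents -Hours 24 | Format-Table -AutoSize
```

Run this as an administrator, and run step 1 on every device before the systems management tool installs anything you want trusted; that ordering is the whole point of the caveat above. Review the 3076 events over a few weeks of audit mode to see which already-deployed applications will need one of the other trust mechanisms before you switch to enforcement.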
Best regards,
Kim