diff --git a/Rationale.md b/Rationale.md index 5b3f3ad6b..791696d17 100644 --- a/Rationale.md +++ b/Rationale.md @@ -161,6 +161,8 @@ Make sure to use Surface products that support [Device Firmware Configuration In * Pluton security chip is included in [Qualcomm Snapdragon ARM CPUs](https://www.qualcomm.com/products/mobile/snapdragon/pcs-and-tablets/snapdragon-x-elite), [AMD](https://blogs.windows.com/windowsexperience/2024/04/16/amds-commercial-ai-pc-portfolio-integrates-microsoft-pluton-includes-microsoft-copilot/) and [Intel CPUs](https://www.theverge.com/2024/6/3/24169115/intel-lunar-lake-architecture-platform-feature-reveal). +* [Copilot+](https://www.microsoft.com/en-us/windows/copilot-plus-pcs) PCs are among [the most secure consumer grade devices](https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/). They are secured-core and incorporate the Pluton security chip. +
> [!IMPORTANT]\ diff --git a/Wiki posts/App Control for Business/How To Create an App Control Supplemental Policy.md b/Wiki posts/App Control for Business/How To Create an App Control Supplemental Policy.md index 45ef387b7..7acb7c4b5 100644 --- a/Wiki posts/App Control for Business/How To Create an App Control Supplemental Policy.md +++ b/Wiki posts/App Control for Business/How To Create an App Control Supplemental Policy.md @@ -44,7 +44,57 @@ You can customize the XML file further using different pages and features of the
-### FAQs +## Create a Supplemental Policy for Packaged Apps + +Packaged apps are modern, they use MSIX packages and are easy to manage and authorize in App Control policies because all of the files in a packaged app share the same signing certificate and Package Family Name. + +Use the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to create supplemental policies for packaged apps. The policy that you create will not need any changes when the apps are updated since the authorization is based on the `PackageFamilyName` aka `PFN`. + +In the [**Create Supplemental Policy Page**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Supplemental-App-Control-Policy), navigate to the **Package Family Name** section. + +
+ +Package Family Name section + +
+ +
+ +Select the installed apps from the list. The list is automatically populated when you first expand the **Package Family Name** section. If you installed or removed apps, you can use the **Refresh** button to update the list of apps. Use the search bar to easily find the app(s) you are looking for. + +Next enter a name for the supplemental policy and browse for the base policy that this supplemental policy will be associated with. + +
+ +PFN select base policy and packaged apps from the list + +
+ +
+ +Finally press the `Create Supplemental Policy` button to create the supplemental policy. If you toggle the **Deploy after Creation** button the policy will also be deployed on the system and you will be able to view it in the [System Information page](https://github.com/HotCakeX/Harden-Windows-Security/wiki/System-Information). + +
+ +## Create a Supplemental Policy That Allows an Entire Folder + +You can create a supplemental policy that will allow everything inside of a folder to be authorized to run. It is based on wildcard file path. This type of supplemental policy is less secure than ones that are based on file signature, publisher or hash so use it with caution. + +Navigate to the [**Create Supplemental Policy Page**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Supplemental-App-Control-Policy) page in the AppControl Manager and select the **Files and Folders** section. + +
+ +Creating wildcard based folder path supplemental policy + +
+ +
+ +Enter an appropriate policy name. Set the Scan Level to **WildCard Folder Path**, you will notice that the **Browse for Files** section is deactivated in this mode. Use the **Browse for Folders** button to select the folder you want to allow and finally press the **Create Supplemental Policy** button to create the policy. If you toggle the **Deploy after Creation** button, the policy will also be deployed on the system and you will be able to view it in the [System Information page](https://github.com/HotCakeX/Harden-Windows-Security/wiki/System-Information). + +
+ +## FAQs Q: What happens if you create a supplemental policy with the same name as an existing one? diff --git a/Wiki posts/App Control for Business/How to Create an App Control Deny Policy.md b/Wiki posts/App Control for Business/How to Create an App Control Deny Policy.md new file mode 100644 index 000000000..6a397e7f1 --- /dev/null +++ b/Wiki posts/App Control for Business/How to Create an App Control Deny Policy.md @@ -0,0 +1,87 @@ +# How to Create an App Control Deny Policy + +Application Control is based on whitelisting strategy, that means everything that is not allowed in the policy is automatically denied. However, there are times when you might need to only prevent a certain app or file from running, while allowing everything else. This is where the App Control Deny Policy comes in. + +Use the [Create Deny Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Deny-App-Control-Policy) page in the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to create a new App Control Deny Policy based on different criteria. + +
+ +## Create an App Control Deny Policy by Scanning Files and Folders + +In the [Create Deny Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Deny-App-Control-Policy) page, select the **Files and Folders** section to expand it. + +
+ +Deny policy Files and Folders section + +
+ +
+ +* Browse for files and/or folders that you want to be scanned and included in the Deny policy. + +* Select an appropriate name for the Deny policy that will help you recognize it after deployment. + +* The scalability is set to ***2*** by default but you can increase it if the number of files/folders are too many. The higher this number, the faster the scan will be completed and the more system resources will be consumed during the scan phase. + +
+ +Files and Folders deny policy section + +
+ +
+ +Having selected all of the required details, you can now press the **Create Deny Policy button** and wait for the scan to finish. + +All of the files and folders that you selected will be recursively scanned and any App Control compatible files that are found in them will be added to **View detected file details** page at the bottom of the section to show you the exact files that will be included in the deny policy. + +
+ +Files and Folders deny policy section scan results + +
+ +
+ +If you toggle the **Deploy after Creation** button the Deny policy will also be deployed on the system after creation. + +
+ +Files and folders section Deploy button focus + +
+ +
+ +## Create a Deny Policy for Packaged Apps + +Packaged apps are modern, they use MSIX packages and are easy to manage and block/deny in App Control policies because all of the files in a packaged app share the same signing certificate and Package Family Name. + +Use the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to create deny policies for packaged apps. The policy that you create will not need any changes when the apps are updated since the denial is based on the `PackageFamilyName` aka `PFN`. + +In order to create this type of deny policy, navigate to the [Create Deny Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Deny-App-Control-Policy) page in the AppControl Manager and expand the **Package Family Name** section. + +
+ +PFN section selecting apps after search + +
+ +
+ +The apps list will be automatically preloaded for you upon expanding the section. You can use the search bar to search for one or more app(s) and then select them. + +Next, enter a suitable name for the Deny policy and finally press the **Create Deny Policy** button. + +The deny policy will be created and if you toggled the **Deploy after Creation** button, it will also be deployed on the system. + +In the screenshots above, we searched for the Photos app, selected it and after deploying that policy, the Photos app will no longer be able to run on the system when we try to launch it. + +
+ +PFN blocked Photos app notice in Windows + +
+ +
diff --git a/Wiki posts/App Control for Business/Introduction.md b/Wiki posts/App Control for Business/Introduction.md index 4a96fcc74..68cf8b9a6 100644 --- a/Wiki posts/App Control for Business/Introduction.md +++ b/Wiki posts/App Control for Business/Introduction.md @@ -129,6 +129,8 @@ If a policy is not deployed in audit mode, it is considered to be in enforced mo * [How To Create and Maintain Strict Kernel‐Mode App Control Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Create-and-Maintain-Strict-Kernel%E2%80%90Mode-App-Control-Policy) +* [How to Create an App Control Deny Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-an-App-Control-Deny-Policy) + * [Fast and Automatic Microsoft Recommended Driver Block Rules updates](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Fast-and-Automatic-Microsoft-Recommended-Driver-Block-Rules-updates) * [App Control Notes](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-Notes) diff --git a/Wiki posts/AppControl Manager/Create Deny Policy.md b/Wiki posts/AppControl Manager/Create Deny Policy.md index ff0b4b287..2ef63b674 100644 --- a/Wiki posts/AppControl Manager/Create Deny Policy.md +++ b/Wiki posts/AppControl Manager/Create Deny Policy.md @@ -18,6 +18,11 @@ All Deny policies have 2 allow all rules so that anything not denied by them wil
+> [!IMPORTANT]\ +> [How to Create an App Control Deny Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-an-App-Control-Deny-Policy) + +
+ ## Create a Deny Policy by Files or Folders Scan With AppControl Manager, you can easily create a Deny base policy by scanning files or folders. @@ -38,3 +43,19 @@ With AppControl Manager, you can easily create a Deny base policy by scanning fi > Use the ***View Detected File Details*** section to view highly detailed results of the files and folder scans.
+ +## Create a Deny Policy Based on Package Family Names + +You can create Deny policies for the installed packaged apps. This is useful for only blocking specific apps that are installed on the system. + +### Configuration Details + +* **Policy Name**: Enter a name for the Deny policy. + +* **Package Family Names**: In this section, you can view the list of all installed apps. Use the search bar to looking for a specific app and after finding them, click/tap on them to select them. + + * Use the "Select All" and "Remove Selections" buttons to select/deselect all apps currently available in the list. + + * Use the Refresh button to refresh the list of installed apps in case you removed/installed any apps after the list was loaded. + +
diff --git a/Wiki posts/AppControl Manager/Create Supplemental Policy.md b/Wiki posts/AppControl Manager/Create Supplemental Policy.md index 3c398aede..907ebd120 100644 --- a/Wiki posts/AppControl Manager/Create Supplemental Policy.md +++ b/Wiki posts/AppControl Manager/Create Supplemental Policy.md @@ -14,6 +14,11 @@ Use [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wik
+> [!IMPORTANT]\ +> [How To Create an App Control Supplemental Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Create-an-App-Control-Supplemental-Policy) + +
+ ## Create a Supplemental Policy by Files or Folders Scan With AppControl Manager, you can easily create a supplemental policy by scanning files or folders. If an application or file is being blocked by Application Control, use this feature to scan its files or installation directory. This process enables you to generate a supplemental policy that ensures the application or file can run seamlessly on your system. @@ -82,3 +87,21 @@ This supplemental policy can be created only for Kernel-mode files/drivers, typi * **Base Policy File**: Browse for the path to the base policy XML file that this Supplemental policy will be expanding.
+ +## Create a Supplemental Policy Based on Package Family Names + +You can create Supplemental policies for the installed packaged apps. These are modern apps packaged in MSIX files, such as the AppControl Manager itself, or many of the apps installed from the Microsoft Store. + +### Configuration Details + +* **Policy Name**: Enter a name for the Supplemental policy. + +* **Base Policy File**: Browse for the path to the base policy XML file that this Supplemental policy will be expanding. + +* **Package Family Names**: In this section, you can view the list of all installed apps. Use the search bar to looking for a specific app and after finding them, click/tap on them to select them. + + * Use the "Select All" and "Remove Selections" buttons to select/deselect all apps currently available in the list. + + * Use the Refresh button to refresh the list of installed apps in case you removed/installed any apps after the list was loaded. + +
diff --git a/Wiki posts/Home Index.md b/Wiki posts/Home Index.md index 70287c633..ac040f420 100644 --- a/Wiki posts/Home Index.md +++ b/Wiki posts/Home Index.md @@ -38,6 +38,7 @@ - [Introduction](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction) - [How To Generate Audit Logs via App Control Policies](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Generate-Audit-Logs-via-App-Control-Policies) - [How To Create an App Control Supplemental Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Create-an-App-Control-Supplemental-Policy) +- [How to Create an App Control Deny Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-an-App-Control-Deny-Policy) - [The Strength of Signed App Control Policies](https://github.com/HotCakeX/Harden-Windows-Security/wiki/The-Strength-of-Signed-App-Control-Policies) - [How To Upload App Control Policies To Intune Using AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Upload-App-Control-Policies-To-Intune-Using-AppControl-Manager) - [How To Create and Maintain Strict Kernel‐Mode App Control Policy](https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Create-and-Maintain-Strict-Kernel%E2%80%90Mode-App-Control-Policy)