WDACConfig v0.4.6 - new milestone

[HotCakeX]

Introduction of the Modern GUI for WDACConfig

This update marks the release of the initial version of the graphical user interface (GUI) for the WDACConfig module. The application operates as a standalone tool, independent of PowerShell. It is called AppControl Manager and it offers the following key features:

• Built using WinUI3 / XAML / C#.
• Built using the latest .NET.
• Powered by the WinAppSDK (formerly Project Reunion).
• Packaged with the modern MSIX format.
• Incorporates the Mica material design for backgrounds.
• Adopts the Windows 11 Fluent design system.
• Fast execution and startup time.
• 0 required dependency.
• 0 Third-party library or file used.
• 0 Telemetry or data collection.
• 0 Windows Registry changes.
• 100% clean uninstallation.
• 100% open-source and free to use.

How To Install the AppControl Manager app

Use the following PowerShell command for Automated Installation

A familiar installation method, just like the Harden Windows Security module. Nothing else is needed to be done.

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

Here is a preview of it

As demonstrated in the preview, several features have already been implemented. The application leverages WebView2, which comes pre-installed with Windows, to facilitate web rendering. I've included two convenient menu items that provide direct access to both App Control resources from this repository and official Microsoft documentation, ensuring guidance and support are always just two clicks or taps away.

Features Implemented So Far

• Creating, configuring and deploying AllowMicrosoft policy
• Creating, configuring and deploying SignedAndReputable policy (based on ISG)
• Creating and deploying Microsoft recommended driver block rules
• Creating and deploying Microsoft recommended user-mode block rules
• Checking for secure policy settings on the system
• Getting the Code Integrity hashes of the files (Authenticode hash and Page hash)
• Adding/Changing/Removing User Configurations
• Configure policy rule options
• View deployed policies on the system (with filtering search)
• Remove unsigned policies from the system
• Quick access to App Control resources and documentations right within the app

More features will come very quickly in the near future.

Let's Talk Security and Threat Model

At this stage, security should be top of mind. Let's delve into how the recent developments, particularly the introduction of compiled binaries for the GUI, impact the overall security and threat model.

First and foremost, the PowerShell module will always remain available in its uncompiled form. This ensures flexibility for users who prefer or require it.

Additionally, the source code for the new MSIX-packaged AppControl Manager is fully accessible in this repository. Anyone can review the code and explore the complete Visual Studio solution provided, allowing you to easily create the MSIX package on your own.

Tip

Does this alter the threat model? Absolutely not. Here's why: When using the WDACConfig PowerShell module, you inherently grant it Administrator privileges. By doing so, you're already placing a level of trust in the module—demonstrated by running PowerShell as an Administrator and executing one of its cmdlets or commands in the terminal.

The same level of privilege applies to the new AppControl Manager application packaged in MSIX format. It will still require Administrator privileges for its operations, as it performs the same functions as the PowerShell version. In fact, 90% of the codebase remains unchanged.

Is using the MSIX package mandatory? Absolutely not. You can continue using the WDACConfig PowerShell module exactly as before—nothing has changed in that regard. The AppControl Manager application is simply a part of the development roadmap, and as promised, I'm actively working on it. Personally, this interface will make managing application controls on my systems, and those I manage, much more streamlined and easier.

Important

If you are an enterprise or business, you can have your security team code review the AppControl Manager application, and after fully verifying it, code sign it and use it in your environment.

Note

Question: Is the MSIX package pre-signed?
Answer: No.

Question: Can I (as a user) code sign it using my own certificate?
Answer: It's up to you.

If users choose to install it, the process involves generating a self-signed certificate on their device, which is then used to sign the MSIX package before installation.

This approach ensures a high level of security, as the certificate is unique to each device, and no one else has access to it. Furthermore, the certificate contains no private keys, meaning it cannot be used to sign anything else, adding an additional layer of protection.

Here is a quick technical rundown of the AppControl function that performs all of the required tasks automatically in a matter of seconds. No manual work is needed for the user to perform.

The script installs the AppControl Manager MSIX package on the system.

It does so by securely generating a unique self-signed certificate on the user's system and then using it to sign the MSIX package.

Everything happens locally and no certificate comes from outside of the device.

The certificate is added to the Local Machine's Trust Root Certification Authorities Store with only public keys, ensuring no private key exists to be used to sign anything else.

Its existence with public key is needed so that you can use the AppControl Manager app; without it the app will not launch as it will be considered untrusted by the system.

The 2 files, AppControlManager.dll and AppControlManager.exe inside of the MSIX app installation folder will be added to the Attack Surface Reduction rules exclusion list if they don't already exist in there, so the app will work properly.

The script creates a new directory in the TEMP directory for its operations and it will be deleted at the end of the script.

The script checks for the existence of any previous self-signed certificates generated by it and will remove them if it detects any, guaranteeing no unnecessary leftover remains on the user's system.

Summary

This is a new milestone in the development of the WDACConfig module. I'm personally learning a lot by doing it and the application I'm making is very useful for my needs and others I work with, by sharing it with the community, I'm hoping it will be useful for you too.

As I've thoroughly explained, the security model remains intact, decisions being made are based on logic and research with security in mind.

If you have any feedback or questions, feel free to share it. I'm always open to suggestions and improvements.

---

Other Changes

• Changed the wording in all of the documents and codes to replace "Windows Defender Application Control" with "App Control" or "App Control for Business". This aligns the documentations with the Microsoft's as they also made the same changes to their documentations.

• Updated the URLs for the Microsoft recommended block rules to point to the correct ones.

• The Set-CiRuleOptions cmdlet has been removed. You can fully configure a policy in real-time using the new AppControl Manager. I received lots of feedbacks from users that the module and its cmdlets are too advanced or the learning curve is high, that's why the AppControl Manager, which has a full featured GUI, makes everything easier to use and there is essentially no learning curve for that.

• Systematic reduction of PowerShell code and transitioning to modern C# code for improved interoperability and robustness which also unlocks many new possibilities.

• Improved startup speed of the WDACConfig module and all its cmdlets.

• WDAC Simulation has become significantly faster.

• The WDACConfig module now automatically creates log files and stores them in the secure location inside of the WDACConfig folder in Program files. The size of that folder never gets bigger than 100MB due to the checks implemented, if it does, the folder is automatically emptied. You will be able to modify this limit in the settings in a future update.