Basics of deploying AppLocker using Intune

One of the great things about deploying Windows AppLocker via Microsoft Intune is that it supports both Windows 10 Enterprise and Professional. It is also quite straight forward to deploy as I hope the video conveys.

Once you have your base policies, you create a custom Windows 10 device Configuration policy with Intune and deploy it to your device fleet. Once that process is complete you’ll have the same application control you had on a single device but now across as many machines as you wish.

Remember, that Windows AppLocker is free with Windows 10 and easily deployed to machined from the cloud using Microsoft Intune.

Windows Defender Application Control (WDAC) basics

Windows Defender Application Control, like Windows AppLocker is a way to control what executes on your Windows 10 Professional and Enterprise workstation. For more information have a look at this article from Microsoft:

Windows Defender Application Control and AppLocker Overview

You can easily configure WDAC using PowerShell and Microsoft provides a number of example policies that you can use to get started. This video will demonstrate that process on a stand alone Windows 10 Enterprise workstation:

https://www.youtube.com/watch?v=Nj5vBloAWy0

Both WDAC and AppLocker can be used together but the recommendation is use WDAC as it is a more modern approach to whitelisting and has greater security controls and enforcements.

You can also deploy WDAC using Intune and Endpoint Manager which I’ll look to demonstrate in an upcoming article.

So, much like AppLocker, you can use WDAC to prevent executables on your Windows 10 environment. This is a great way to minimise the risk of ransomware and should be part of your defence in depth strategy.

Windows AppLocker basics

Windows AppLocker is an inbuilt component of Windows 10 that allows you to do applications whitelisting. This is really good way to help minimise the chances of ransomware infections.

To use it in stand alone more or or with Group policy you are going to need to use Windows 10 Enterprise. However, you can use a tool like Intune to also manage AppLocker with Windows 10 Professional. For more details see:

Requirements to use AppLocker

The video takes you through the basic setup and operation of Windows AppLocker in a stand alone environment so you can get a feel for how it is configured and works.

In an upcoming post I’ll also details how to configure AppLocker using Intune via Microsoft Endpoint Manager.

CIAOPS Secwerks 1 is now totally virtual

In the face of continued COVID uncertainty locally I have decided to move the whole Secwerks 1 event online. The event will now be conducted fully using Microsoft Teams. Registrations are still open for the event starting on August the 5th, but now spread over 4 half day sessions to lower fatigue levels. You can register now and find a link to more details at:

www.ciaops.com

The event times will be during Thursday and Friday afternoons here in east coast Australia (GMT+10) and may not suit other locations. However, every business that registers will receive a copy of the recordings as well as the training materials. Registration is also now per business not per individual.

The Secwerks event is focused on giving you actionable information around Microsoft 365 as well as best practices, automations and understandings about how to improve the security of these environments. If you manage an Office 365 or Microsoft 365 environment, this, now, virtual event is for you.

I am working hard to add some unique sessions to the agenda and will be confirming those soon. Thanks to those who have already registered for being so accommodating in the face of this unexpected pivot but I look forward to seeing you at the event from the 5th of August 2021.

Security test script walk through video – Update 1

I have made some updates to my free security test script:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

The main improvement is the inclusion of a menu that allows you to select which test you want to run.

You can use the CTRL and SHIFT key to make multiple selections here.

The video also shows the results when the test script is run on a Windows 10 environment with Trend Micro and a Chrome browser.

Don’t forget to keep checking back for further script updates and improvements.

Windows Print Spooler Remote Code Execution Vulnerability–CVE-2021-34527

Information about this from Microsoft can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

At the moment one of the work arounds is:

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

You must restart the Print Spooler service for the group policy to take effect.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

You can also make that settings change via Endpoint Manager and Intune.

You’ll need to ensure you have an Administrative template (ADMX) profile in the Device Configuration profiles. If not, then simply create one.

In that Administrative policy settings do a search for ‘spool’ or the like. You should find the above setting under \printers – Allow Print Spooler to accept client connections, which you should then set to Disable as shown.

if you then save the policy it should be pushed out to all machines. According to the CVE, you’ll also need to restart the spooler service as well. You can do this with the following PowerShell command once the policy has taken effect:

restart-service –name spooler

Perhaps a reboot is easier anyway?

You’ll need to be careful about potential disabling existing printing configurations with shared machines, so it will be best to monitor the impact just in case.

Hopefully, a patch will become available soon for this but even when it does, I think leaving the setting disabled in general is a good idea!

CIAOPS Need to Know Microsoft 365 Webinar – July

laptop-eyes-technology-computer

Last months attempt at using Microsoft Teams Webinars went well and I’ll be continuing to use this going forward. Registration for this month is here:

https://bit.ly/n2k2107

Shortly after this you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite!

This month we’ll dive into email security with Microsoft 365, particularly the best practice configurations for Exchange Online. So please join us for this and all the latest news from the Microsoft Cloud.

You can register for the regular monthly webinar here:

July Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – July 2021
Friday 30th of July 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Security test script walk through video

I’ve create this video to give you a basic walk through of the free security testing PowerShell script I’ve created. You’ll find the script here:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

In the video you’ll see how to quickly get and run the script as well the results it generates on a stand alone Windows 10 device.

Apart from Windows 10, PowerShell and Word there are no special requirements and it can be used on stand alone, domain or Azure Ad joined, etc. It doesn’t matter. It is designed to help you better evaluate your security posture.