Device Guard and Code Integrity Policies

Windows 10 Enterprise, Education, and Windows Server 2016 include Device Guard. Device Guard is similar to AppLocker, but is a more advanced form of whitelisting. You create a Code Integrity policy that tells the OS which software and device drivers are allowed to run. All of the software that you allow must either be digitally signed, or you can create a file catalog with PowerShell that tells the OS exactly which files are allowed to run; if any software attempts to execute that is not covered by the Code Integrity policy, it will be blocked. That is basically how it works, but I am now going to go through what it takes to enable Device Guard, how to create policies, and how to audit first to make sure you aren't going to block yourself from running any essential applications or services. Device Guard is a pretty complicated subject, and if you are not sure how to implement it in an enterprise or corporate environment, you should hire a security consultant to help you out.

Here's some code to get you started with a simple Code Integrity policy (run it from an elevated PowerShell session):
# To create a Base Code Integrity Policy from a Golden Computer:
# First we set up the variables CIPolicyPath, InitialCIPolicy and CIPolicyBin
# (the files are written to the desktop, as the notes below describe)
$CIPolicyPath = $env:USERPROFILE + "\Desktop\"
$InitialCIPolicy = $CIPolicyPath + "InitialScan.xml"
$CIPolicyBin = $CIPolicyPath + "DeviceGuardPolicy.bin"

# Now we will create a new Code Integrity policy (warnings go to CIPolicyLog.txt)
New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt

<# Notes: When you specify the -UserPEs parameter (to include user mode executables in the scan), rule option 0 Enabled:UMCI is automatically added to the code integrity policy. In contrast, if you do not specify -UserPEs, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers; in other words, the whitelist will not include applications. If you create such a policy and later add rule option 0 Enabled:UMCI, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. You can add the -Fallback parameter to catch any applications not discovered using the primary file rule level specified by the -Level parameter. For more information about file rule level options, see Code integrity file rule levels in "Deploy code integrity policies: policy rules and file rules." To specify that the code integrity policy scan only a specific drive, include the -ScanPath parameter followed by a path. Without this parameter, the entire system is scanned. The preceding example includes 3> CIPolicyLog.txt, which redirects warning messages to a text file, CIPolicyLog.txt. #>

# Use ConvertFrom-CIPolicy to convert the XML to binary format
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin

# After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security.

# NOTE: We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Otherwise you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see Merge code integrity policies.

After the computer is scanned, the DeviceGuardPolicy.bin file will be on your desktop. To deploy this policy, copy the file to the C:\Windows\System32\CodeIntegrity directory and rename it to SIPolicy.p7b.

Then restart the reference system for the code integrity policy to take effect. A policy created this way starts out in Device Guard audit mode.

Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed code integrity policy will be logged in the Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational event log.
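As an added example, not code from the original post, here is the deploy-then-audit loop in PowerShell: copy the binary policy into place, and after the reboot summarise the audit events (ID 3076, the audit-mode "would have been blocked" event) so you can fold anything legitimate into the policy before leaving audit mode. The Desktop paths and file names are assumptions carried over from the snippet above, and the regex over the event message is an assumption about the 3076 message wording.

```powershell
# Added example (not from the original post). Assumes the policy files
# were written to the Desktop under the names used above.
$CIPolicyPath    = "$env:USERPROFILE\Desktop\"
$InitialCIPolicy = $CIPolicyPath + "InitialScan.xml"
$CIPolicyBin     = $CIPolicyPath + "DeviceGuardPolicy.bin"
$Deployed        = "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# 1. Deploy: the binary must live at exactly this path and name.
#    Run from an elevated session, then reboot for it to take effect.
Copy-Item -Path $CIPolicyBin -Destination $Deployed -Force

# 2. After the reboot and some normal use, pull the audit events.
#    3076 = audit mode, image was allowed but would have been blocked.
#    (3077 is the enforced-mode block event.)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -ErrorAction SilentlyContinue

# Summarise which images were flagged and how often. The regex matches
# the "attempted to load <path> that did not meet" phrase in the message
# (assumed wording); unmatched messages are kept whole so nothing is lost.
$events |
    ForEach-Object {
        if ($_.Message -match 'attempted to load (.+?) that did not meet') {
            $Matches[1]
        } else {
            $_.Message
        }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap

# 3. Turn the audit findings into a policy and merge it with the base
#    policy (this is why the original XML is worth keeping).
$AuditPolicy  = $CIPolicyPath + "AuditScan.xml"
$MergedPolicy = $CIPolicyPath + "MergedPolicy.xml"
New-CIPolicy -Audit -Level PcaCertificate -Fallback Hash `
    -FilePath $AuditPolicy -UserPEs 3> ($CIPolicyPath + "AuditLog.txt")
Merge-CIPolicy -PolicyPaths $InitialCIPolicy, $AuditPolicy -OutputFilePath $MergedPolicy

# 4. Only when the audit summary shows nothing essential: remove rule option 3
#    (Enabled:Audit Mode), convert, redeploy and reboot. Left commented on purpose.
# Set-RuleOption -FilePath $MergedPolicy -Option 3 -Delete
# ConvertFrom-CIPolicy $MergedPolicy $CIPolicyBin
```

Re-run step 2 after each merge until the summary comes back empty for the applications you care about; that empty result is the signal that enforced mode is safe to try.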

Now you can mine bitcoin in your browser by just entering your bitcoin address

It is easier than ever to mine bitcoin, as the new site allows you to simply enter your bitcoin address and leave the tab open, and it will mine about .0006 bitcoin per day for you, which may not seem like much but will add up. Do it now and check it out using my link in the last sentence.

Obvious tip for web site admins…

Don't use admin as the username to log in to your website. Reason: bots are constantly scanning the internet, and 95% of the time they will automatically attempt to log in to your website using admin as the username. If you block any login using admin, you block these attempts against your web server.

Disabling the windows firewall will block inbound Remote Desktop connections

If you disable the Windows Firewall service, you will no longer be able to remote desktop into the machine, you will not see the machine on your network, and you will really not be able to do anything with it. From a management perspective, disabling the Windows Firewall does no good. Try it and see: disable the Windows Firewall and then try to connect to that host with Remote Desktop (mstsc.exe). It will not work; it will even show the error that says Remote Desktop is not enabled, even though it is. As soon as you start the Windows Firewall service with an exception for port 3389, the RDP session will connect. You won't be able to ping the server either. The point is, do not disable the Windows Firewall unless you feel like troubleshooting network connections for a while. Just leave the firewall enabled and configure the rules. I never disable the Windows Firewall, no matter what.

Always install SQL Server Logs on separate hard drive, Not on C drive.

When installing Configuration Manager, the most important tip I could give would be to make sure you put the SQL Server logs on a different drive than the database files. You really should put the SQL Server database data files on the D drive, the logs on the E drive, and the SQL backups on the F drive. If this is not done, several problems may occur in Configuration Manager. For example, a common error is "Management Point is not responding to HTTP requests." This error will manifest itself all the time if your SQL Server data and logs are on the same drive. Another problem that I have seen on servers with SQL Server data files and logs on the same drive is that the Application Catalog will not function correctly. If you install SQL Server correctly and do not put database files, SQL logs, or SQL backups on the C (system) drive, there is a good chance that Configuration Manager will run successfully in the green for months. This tip is from personal experience.