After Windows Defender Application Control (WDAC, formerly known as Code Integrity) was released in Windows Server 2016, I wrote a blog post on it. It was a very effective way to do application whitelisting and get secure! When engaging with customers to get their feedback and help deploy WDAC, the consistent feedback has been “it’s great, but it’s too hard to deploy it.” We listened and created a few default policies, which balance security and operational management effort. Those policies are stored under “C:\Windows\schemas\CodeIntegrity\ExamplePolicies” on any Windows OS post 1709 release. I recommend two policies for Windows Server: AllowMicrosoft: