Happy WDAC Wednesday! Application control solutions are very powerful: they act as a gatekeeper, determining which installed applications are allowed to run. Applying tighter controls on endpoints using application control requires careful planning to minimise disruption. To support a smoother transition, policies are first deployed in a non-impactful audit mode, allowing organisations to assess the potential impact. Enforcement only begins once it’s clear the impact on business operations will be minimal.
The audit mode advantage
Using audit mode provides a repeatable mechanism for deploying, reviewing, refining and re-deploying your application control policy without unexpectedly blocking applications and impacting business operations. While in audit mode, all scripts and software being executed are evaluated and flagged if they would be blocked by the policy in enforcement mode. This logging is available locally on Windows devices and within Defender for Endpoint, and can optionally be ingested into Sentinel for deeper analysis.
This iterative review process allows impacted applications to be identified and reviewed, and decisions to be made on whether they should be allowed to run on endpoints. It can be a time-consuming process, especially in environments where implementing application control significantly tightens software installation and execution. Without application control, users may have been installing applications that made them more productive but pose risks to the organisation – such as non-sanctioned cloud file storage solutions from a data loss prevention (DLP) perspective. Other users may have installed non-business-related applications, like music streaming services or other unrelated software.
Moving to enforcement
Depending on the complexity and maturity of your organisation, the iterative audit mode process is something that could take many weeks or even months. It’s critical to only transition to enforcement mode once the policy is sufficiently complete to minimise disruption to business operations, and once IT support teams are sufficiently prepared to support the new normal.
Slow and steady wins the race – IT departments are well versed in releasing user-impacting configuration using staged release rings. However, there are scenarios where the transition from audit to enforcement mode may need to occur in smaller, tightly controlled release groups. Striking the right balance is essential: enforcing new security controls, minimising operational impact and ensuring IT support teams aren’t overwhelmed with support requests due to a rushed rollout.
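As an added example that is not part of the original post, the PowerShell below sketches one turn of the loop described above: pull the local audit-mode events, generate candidate allow rules from them for review, and only flip the policy to enforcement once the audit log has gone quiet. It assumes the ConfigCI module, an elevated session on a device that already has the audit-mode policy applied, and placeholder paths under C:\WDAC\. The event IDs (3076, 8028), the Defender for Endpoint ActionType and rule option 3 (Enabled:Audit Mode) are Windows' own; the function names are mine.

```powershell
# Added example, not from the original post. Requires the ConfigCI module and an
# elevated PowerShell session on a device that already has the audit-mode policy applied.
# Paths under C:\WDAC\ are placeholders. Event IDs and rule option numbers are Windows' own:
#   3076 (Microsoft-Windows-CodeIntegrity/Operational) = binary would have been blocked (audit mode)
#   8028 (Microsoft-Windows-AppLocker/MSI and Script)  = script or MSI would have been blocked (audit mode)
#   rule option 3 = "Enabled:Audit Mode"; deleting it from the policy XML makes the policy enforce
# In Defender for Endpoint the 3076 events surface in the DeviceEvents table with
# ActionType AppControlCodeIntegrityPolicyAudited, which is what you would query from Sentinel.

function Get-WdacAuditSummary {
    # Returns one row per distinct file the policy *would* have blocked, most frequent first.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = 8028; StartTime = $since }
    )
    $events = foreach ($f in $filters) {
        # SilentlyContinue: Get-WinEvent raises an error (not an empty result) when nothing matches
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    $rows = foreach ($e in $events) {
        # Flatten the <Data Name="..."> elements of the event XML into a hashtable
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            # FileNameBuffer/ProcessNameBuffer are the CodeIntegrity (3076) field names;
            # 8028 events use different fields, so fall back to the rendered message for those
            File    = if ($data.ContainsKey('FileNameBuffer')) { $data['FileNameBuffer'] } else { $e.Message }
            Process = $data['ProcessNameBuffer']
        }
    }
    $rows | Group-Object File | Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'File';     Expression = { $_.Name } },
            @{ Name = 'LastSeen'; Expression = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
}

function Set-WdacPolicyEnforced {
    # Flips an audit-mode policy XML to enforced and compiles it, but only once the audit log
    # is quiet: every file still being flagged is a decision nobody has made yet.
    param(
        [Parameter(Mandatory)][string]$PolicyXml,    # policy XML, modified in place (keep a copy)
        [Parameter(Mandatory)][string]$BinaryPath,   # compiled .cip to hand to Intune/MECM
        [int]$Days = 7,
        [int]$MaxUntriagedFiles = 0
    )
    $open = @(Get-WdacAuditSummary -Days $Days)
    if ($open.Count -gt $MaxUntriagedFiles) {
        Write-Warning "$($open.Count) file(s) still flagged in the last $Days days; not enforcing."
        $open | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    # Remove "Enabled:Audit Mode" so the policy enforces, then compile the XML to its binary form
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $BinaryPath | Out-Null
    return $true
}

# Usage, one review cycle (paths are placeholders):
# Get-WdacAuditSummary -Days 14 | Format-Table -AutoSize
# New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath 'C:\WDAC\Candidates.xml'
#   # Candidates.xml now holds an allow rule for *everything* in the audit log. Delete the rules
#   # for software that should stay blocked before merging, otherwise the review step is skipped.
# Merge-CIPolicy -OutputFilePath 'C:\WDAC\Merged.xml' -PolicyPaths 'C:\WDAC\Base.xml','C:\WDAC\Candidates.xml'
# Set-WdacPolicyEnforced -PolicyXml 'C:\WDAC\Merged.xml' -BinaryPath 'C:\WDAC\Merged.cip'
```

Two design points: `New-CIPolicy -Audit` deliberately produces rules for every flagged file, so the human decision the post describes (sanctioned or not) happens by pruning that candidate XML, not by merging it blindly; and `Set-WdacPolicyEnforced` refuses to flip while the audit log is still reporting would-be blocks, which is the evidence that the "impact will be minimal" condition has actually been met on that ring. The resulting `.cip` is what you push through your staged release rings via Intune or MECM rather than applying it by hand on every device.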
Deploying application control policies
Diving too deep into the technical details is beyond the scope of this article. However, Application Control for Business policies can be deployed natively using Microsoft Intune, or scripted in other solutions such as Microsoft Endpoint Configuration Manager (MECM, formerly SCCM).
What’s next
If you’re familiar with AppLocker and are wondering why you should use Application Control for Business instead, then the next #WDACWednesday is for you.