Deploy configurable code Integrity policy



Date: 27.03.2022
9780735697744 Introducing Windows Server 2016 pdf

Historically, most malware has been unsigned. Simply by deploying code integrity policies, 
organizations can get immediate protection against unsigned malware, which is estimated to be 
responsible for the vast majority of current attacks. By using code integrity policies, an enterprise can 
also select exactly which binaries are allowed to run in both User mode and Kernel mode. When a
policy is completely enforced, the server loads only specific applications or software with specific
signatures. This feature alone fundamentally changes security in an enterprise.
You can run configurable code integrity independently of HVCI, which makes it available to devices
that don’t meet the HVCI hardware requirements.
Configurable code integrity policy offers a wide range of options that let administrators define the
level of control over what software to trust on a server, ranging from allowing software signed by
reputable publishers (e.g., Microsoft) to matching a specific file hash.
It is recommended that you always first deploy code integrity policies in audit mode, which makes it
possible for you to review the binaries that would fail to load under the policy. You can then adjust
the policy before changing the code integrity policy to enforcement mode.
In this document, we illustrate two common types of code integrity policies: one for general server
usage, and another one for locked-down servers:

General server usage: Servers that run a variety of workloads, are expected to have new software
installed from time to time, and are flexible in what they are used for.

Locked-down servers: Servers that run a specific workload and are critical in their reliability, such
as Hyper-V hosts or domain controllers.
Create code Integrity policy for general server usage 
To create the code integrity policy, you can begin by building a reference server on your standard
hardware, and then install all of the software that your servers are known to run. Then, run the
following cmdlet:
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -FilePath C:\CI\Publisher.xml 
More info: For details of the -Level parameter, go to
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules#code-integrity-file-rule-levels

This cmdlet creates the policy by scanning the files on the server, extracting the publisher
information from the files, and adding it to the policy. The policy is created in audit mode. Under
audit mode, files that are not covered by the CI policy are still able to load; however, they are
logged in the Microsoft\Windows\CodeIntegrity event log channel. Administrators can audit the logs
to detect any security attacks.


CHAPTER 4 | Security and identity 
As part of normal operations, these servers will receive software updates or perhaps have software
added from the same software providers. Because the "Publisher" remains the same on those updates
and software, there is no need to update the code integrity policy.
You can deploy the same code integrity policy to servers in the same category that run on the same
hardware.
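The audit-then-enforce sequence recommended above, written out with the ConfigCI cmdlets as an added example that is not from the book. Only C:\CI\Publisher.xml comes from the text; the other file names are placeholders, and the use of event ID 3076 as the audit-mode record is an assumption based on Windows documentation rather than on this page.

```powershell
# Added example. Assumed: C:\CI\Publisher.xml was created by the New-CIPolicy
# command above and has been running in audit mode on the reference server.
$Base      = 'C:\CI\Publisher.xml'
$AuditAdds = 'C:\CI\AuditAdditions.xml'   # placeholder name
$Merged    = 'C:\CI\Merged.xml'           # placeholder name
$Binary    = 'C:\CI\SIPolicy.p7b'         # placeholder name

# 1. Review what the audit-mode policy would have blocked.
#    Event ID 3076 (assumption, see lead-in) is written when a binary that the
#    policy does not cover is allowed to load only because of audit mode.
$auditEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
}
$auditEvents |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Message |
    Format-List

if ($auditEvents) {
    # 2. Build candidate rules from the audit log, using the same rule levels
    #    as the base policy. Inspect this XML by hand before going further:
    #    every binary logged in audit mode, wanted or not, ends up in it.
    New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath $AuditAdds

    # 3. Merge the reviewed additions into the base policy.
    Merge-CIPolicy -PolicyPaths $Base, $AuditAdds -OutputFilePath $Merged
}
else {
    # Nothing was logged, so the base policy already covers the workload.
    Copy-Item -Path $Base -Destination $Merged
}

# 4. Switch from audit to enforcement by deleting rule option 3
#    ("Enabled:Audit Mode") from the merged policy.
Set-RuleOption -FilePath $Merged -Option 3 -Delete

# 5. Convert the XML policy to the binary form that is deployed to servers.
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
```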
