So I just bought a Surface Laptop. I'm doing a fresh Win 10 Ent install. I will deploy a default-deny all DG policy in audit mode and then build a policy using only FilePublisher (for user mode) and WHQLFilePublisher (for kernel) rules. It should just work, right?
WHQLFilePublisher kernel rules _should_ work on pure MS hardware and considering their requirement for WHQL-signed drivers starting with 1607. https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/
To clarify this experiment, I use Device Guard all the time but I allow anything Windows or Store-signed to run and blacklist abusable binaries as needed. This experiment will involve strictly whitelisting the set of files needed to run the OS and run a few apps.
First update: I started by only whitelisting drivers. Laptop won’t boot now in enforcement mode and there is no event log entry to indicate what was prevented from loading.
I’m going to diff the list of loaded drivers not in enforcement mode against the list of drivers in my code integrity policy...
33 drivers loaded that weren’t logged in the event log while in audit mode with my deny-all CI policy. New-CIPolicy doesn’t parse event entries w/ “\Device\HarddiskVolume” in the path. DG event log integration for auditing pretty much sucks.
Individually whitelisted the 33 drivers as well. Still won’t boot. Put back in audit mode, no audit events. I suspect it won’t boot due to a HAL extension or ELAM driver not loading. This is crap that I need to figure this out blind.
I was hopeful when I used NtQuerySystemInformation w/ SystemModuleInformation to capture a few extra kernel modules to whitelist. Still won’t boot. Next on my list: early boot logging with an ETW AutoLogger.
I need an adult like @zacbrown or @MSwannMSFT. I set up an autologger session using the kernel provider but I’m getting no ETL file trace after reboot. Either of you have experience with early boot tracing?
Alright. I set “Enable Boot Logging” in the Advanced Start Menu and got the list of all drivers from ntbtlog.txt. I whitelist all of them with WHQLFilePublisher and FilePublisher as a fallback. Still not booting and no CodeIntegrity logs. Help @j3ffr3y1974!
This is amazing. I whitelisted some additional files from the "Automatic Repair" logs (SrtTrail.txt). I no longer automatically enter "Automatic Repair" at boot but now I'm in this purgatory where I'm permanently stuck on the Microsoft boot logo.
Woah. WTF. My laptop boots now. Let me figure out exactly what I did to stop the bleeding. I'm running Device Guard in driver (no user mode rules yet) enforcement mode where I whitelist each file individually.
My Device Guard driver enforcement policy that finally allows my Surface Laptop to boot - https://gist.github.com/mattifestation/72fe5c0eb36598186b995c5781d4198b. I'll begin writing up all the details then will blog about my experience. User mode rules next! Now pardon me while I go cry in a pillow.
The Microsoft-Windows-Kernel-Boot event log will log failed kernel module loads when CodeIntegrity doesn't catch them. Presumably, this will happen prior to CI loading? pic.twitter.com/yx5q59yQHr
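As an added example (not the author's gist and not code from the thread), the procedure the thread walks through, in the PowerShell a practitioner would actually type: take the loaded-driver list from ntbtlog.txt, diff it against what the CodeIntegrity audit log (event ID 3076, "would have been blocked") recorded after normalizing the \Device\HarddiskVolumeN paths that New-CIPolicy -Audit does not handle, and build a driver-only policy at WHQLFilePublisher level with FilePublisher as fallback that stays in audit mode until a reboot produces no new 3076 events. The sample ntbtlog.txt lines, the volume-to-drive-letter map, the C:\CI output directory and the staging-directory approach (copying the unlogged drivers somewhere New-CIPolicy -ScanPath can scan them) are assumptions made for this example.

```powershell
# Added example, not from the thread. Assumes Windows 10 with the ConfigCI module,
# an elevated prompt, and boot logging already enabled so ntbtlog.txt exists.

# --- 1. Drivers the loader actually pulled in, from ntbtlog.txt ---
# Constructed sample lines in ntbtlog.txt format; replace with the real file.
$BootLogLines = @(
    'BOOTLOG_LOADED \SystemRoot\System32\ntoskrnl.exe',
    'BOOTLOG_LOADED \SystemRoot\System32\drivers\acpiex.sys',
    'BOOTLOG_LOADED \SystemRoot\System32\drivers\WdBoot.sys',
    'BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\tcpipreg.sys'
)
# $BootLogLines = Get-Content "$env:SystemRoot\ntbtlog.txt"

function Get-BootLoggedDriver {
    param([string[]] $Lines)
    foreach ($Line in $Lines) {
        # Only modules that really loaded belong in a boot-critical allow list.
        if ($Line -match '^BOOTLOG_LOADED\s+(.+)$') {
            # \SystemRoot is the NT-namespace alias for the Windows directory.
            $Matches[1] -replace '^\\SystemRoot', $env:SystemRoot
        }
    }
}

# --- 2. What audit mode recorded (3076 = CI would have blocked this load) ---
function Get-CIAuditedFile {
    # $VolumeMap is an assumption: build it yourself from mountvol / Get-Volume output.
    param([hashtable] $VolumeMap)
    $Filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match '(\\Device\\HarddiskVolume\d+)(\\\S+)') {
            $Volume, $Rest = $Matches[1], $Matches[2]
            if ($VolumeMap.ContainsKey($Volume)) { $VolumeMap[$Volume] + $Rest }
            else { $Volume + $Rest }   # unmapped volume: leave the NT path visible
        }
    } | Sort-Object -Unique
}

# --- 3. Diff: loaded at boot but never audited, so they must be whitelisted blind ---
$VolumeMap = @{ '\Device\HarddiskVolume3' = 'C:' }   # assumption for this example
$Loaded    = Get-BootLoggedDriver -Lines $BootLogLines | Sort-Object -Unique
$Audited   = Get-CIAuditedFile -VolumeMap $VolumeMap
$Missing   = $Loaded | Where-Object { $Audited -notcontains $_ -and (Test-Path $_) }
$Missing | ForEach-Object { "Not in audit log: $_" }

# --- 4. Policy: WHQLFilePublisher, FilePublisher fallback, audit mode kept on ---
$Stage = Join-Path $env:TEMP 'ci-stage'
New-Item -ItemType Directory -Force -Path $Stage, 'C:\CI' | Out-Null
$Missing | Copy-Item -Destination $Stage     # FilePublisher rules do not depend on path

$AuditXml = 'C:\CI\from-audit.xml'
$BootXml  = 'C:\CI\from-bootlog.xml'
$Merged   = 'C:\CI\driver-policy.xml'
New-CIPolicy -FilePath $AuditXml -Level WHQLFilePublisher -Fallback FilePublisher -Audit
New-CIPolicy -FilePath $BootXml  -Level WHQLFilePublisher -Fallback FilePublisher -ScanPath $Stage -NoScript
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $AuditXml, $BootXml

# Option 3 = Enabled:Audit Mode. Leave it set until a reboot logs no new 3076 events,
# then rerun with -Delete to enforce; a driver-only policy that misses a boot-start
# driver fails exactly the way the thread describes, with nothing in the CI log.
Set-RuleOption -FilePath $Merged -Option 3
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
```

The check that matters is step 3: anything the boot log shows as loaded that never produced a 3076 event is exactly the set the thread had to discover by hand, so keep that list and re-diff after every policy change before removing option 3.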
End of conversation

New conversation
I'm looking forward to culling your process and doing it myself. Thanks for blazing the trail.
Great! I can't say this process was fun but I'm learning constantly. To be clear, this is the least trusting and most difficult methodology to apply that, in theory, still allows the OS to update.
At what point do you just install Linux? The experiment isn't lost on me but... :)
Point me to your blog post or someone else’s that you’ve applied that allows me to apply the same methodology on Linux and I will totally try it. It would be awesome for such a methodology to be successful on Linux, OS X, or Windows IMO.
There’s Tomoyo Linux which lets you run in “learning mode” then turn it into security constraints. But I don’t know of a from-scratch way. I’ll look more tomorrow. https://en.wikipedia.org/wiki/Tomoyo_Linux
Cool! Keep me updated as you find others.
So there's the standard Linux MAC wikipedia page, but I think besides learning SELinux from scratch you could play with Intel's Clear Linux containers which might be easier than a whole system: https://clearlinux.org/blogs/announcing-intel%C2%AE-clear-containers-30
Thanks for the pointer!
End of conversation