WDACConfig v0.4.6 - new milestone #345
Status: Draft (+14,800 −4,313 lines)
Introduction of the Modern GUI for WDACConfig
This update marks the release of the initial version of the graphical user interface (GUI) for the WDACConfig module. The application operates as a standalone tool, independent of PowerShell, offering the following key features:
Here is a very early and incomplete preview of the GUI, showcasing its design and layout:
As demonstrated in the preview, several features have already been implemented. The application leverages WebView2, which comes pre-installed with Windows, to facilitate web rendering. I've included two convenient menu items that provide direct access to both WDAC (Windows Defender Application Control) resources from this repository and official Microsoft documentation, ensuring guidance and support are always just two clicks or taps away.
My goal is to implement at least 20% of all of the features in the GUI in version 0.4.6 (current pull request), and more in the future versions.
Let's Talk Security and Threat Model
At this stage, security should be top of mind. Let’s delve into how the recent developments, particularly the introduction of compiled binaries for the GUI, impact the overall security and threat model.
First and foremost, the PowerShell module will always remain available in its uncompiled form. This ensures flexibility for users who prefer or require it.
Additionally, the source code for the new MSIX-packaged WDACConfig application is fully accessible in this repository. Anyone can review the code and explore the complete Visual Studio solution provided, allowing you to easily create the MSIX package on your own.
Tip
Does this alter the threat model? Absolutely not. Here's why: When using the WDACConfig PowerShell module, you inherently grant it Administrator privileges. By doing so, you're already placing a level of trust in the module—demonstrated by running PowerShell as an Administrator and executing one of its cmdlets or commands in the terminal.
The same level of privilege applies to the new WDACConfig application packaged in MSIX format. It will still require Administrator privileges for its operations, as it performs the same functions as the PowerShell version. In fact, 90% of the codebase remains unchanged.
Is using the MSIX package mandatory? Absolutely not. You can continue using the WDACConfig PowerShell module exactly as before—nothing has changed in that regard. The GUI for WDACConfig is simply a part of the development roadmap, and as promised, I'm actively working on it. Personally, I expect this interface to make managing application control on my systems, and those I manage, much more streamlined and easier.
Important
If you are an enterprise or business, you can have your security team code review the WDACConfig application, and after fully verifying it, code sign it and use it in your environment.
Note
Question: Is the MSIX package pre-signed?
Answer: No.
Question: Can I (as a user) code sign it using my own certificate?
Answer: It's up to you.
If users choose to install it, the process involves generating a self-signed certificate on their device, which is then used to sign the MSIX package before installation.
This approach ensures a high level of security, as the certificate is unique to each device, and no one else has access to it. Furthermore, the certificate contains no private keys, meaning it cannot be used to sign anything else, adding an additional layer of protection.
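As an added illustration of the per-device flow described above (this is example code written for this page, not the PR's own Invoke-TacticalMSIXDeployment implementation), here is the sequence in PowerShell: generate a self-signed code-signing certificate, trust only its public part, sign the MSIX with it, verify the signature, and install. The package path, certificate subject and SignTool location are assumed placeholders.

```powershell
# Added example, not the repository's code. Assumed paths and names below are placeholders.
$Msix     = 'C:\Downloads\WDACConfig.msix'          # assumed package path
$Subject  = 'CN=WDACConfig Self-Signed'             # must equal Publisher in AppxManifest.xml
$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'

# 1. Generate a code-signing certificate (EKU 1.3.6.1.5.5.7.3.3) in the user's store.
#    Basic constraints are set to non-CA so the cert cannot issue further certificates.
$Cert = New-SelfSignedCertificate -Type Custom -Subject $Subject `
    -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# 2. Export only the public certificate (.cer, no private key) and add it to the
#    machine's trusted root store. The private key never leaves the user's key store.
$Cer = Join-Path $env:TEMP 'WDACConfig-public.cer'
Export-Certificate -Cert $Cert -FilePath $Cer | Out-Null
Import-Certificate -FilePath $Cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Sign the package. /sha1 selects the certificate by thumbprint from the store,
#    so no PFX file containing the private key is ever written to disk.
& $SignTool sign /fd SHA256 /sha1 $Cert.Thumbprint /s My $Msix
if ($LASTEXITCODE -ne 0) { throw "SignTool failed with exit code $LASTEXITCODE" }

# 4. Verify the signature is valid and was made with this device's certificate
#    before trusting the package enough to install it.
$Sig = Get-AuthenticodeSignature -FilePath $Msix
if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Thumbprint -ne $Cert.Thumbprint) {
    throw "Unexpected signature state: $($Sig.Status)"
}

# 5. Install, then delete the private key so the certificate cannot sign anything else.
Add-AppxPackage -Path $Msix
Remove-Item -Path "Cert:\CurrentUser\My\$($Cert.Thumbprint)" -DeleteKey
```

Steps 2 and 5 require an elevated session, which matches the Administrator requirement the PR already states for the application itself.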
Here is a quick technical rundown of the Invoke-TacticalMSIXDeployment function that performs all of the required tasks automatically in a matter of seconds. No manual work is needed from the user.
Summary
This is a new milestone in the development of the WDACConfig module. I'm personally learning a lot by doing it, and the application I'm making is very useful for my needs and for others I work with. By sharing it with the community, I'm hoping it will be useful for you too.
As I've thoroughly explained, the security model remains intact; the decisions being made are based on logic and research with security in mind.
If you have any feedback or questions, feel free to share them. I'm always open to suggestions and improvements.