-
Notifications
You must be signed in to change notification settings - Fork 161
Rethinking Trust: Advanced Security Measures for High‐Stakes Systems
A file or program bearing a valid digital signature should never be considered inherently secure. While it would be ideal if verifying a signature could conclusively indicate safety, the reality is far more nuanced and complex. A digital signature is an excellent preventive measure, but when it comes to exploiting or infiltrating high-value targets, numerous techniques exist to circumvent this layer of defense. Also, the security of a digital signature is only as strong as the integrity and vigilance of the individual responsible for safeguarding it.
In recent years, many certificate authorities have implemented stricter policies requiring individuals requesting a code-signing certificate to store it within a Hardware Security Module (HSM). This specialized device provides an added layer of physical security for cryptographic keys. However, like any piece of hardware, an HSM can still be stolen, making the physical security of the device—where it is stored, whether it's kept in a high-grade safe, and the security of the person's residence—critical factors in preventing unauthorized access.
Equally important is the security of the code-signing process itself. Does the certificate holder use a dedicated, isolated environment exclusively for signing? Is it meticulously maintained to be free from malware and potential compromises? Or do they insert the HSM into a system that also serves daily, multipurpose functions? In the latter scenario, where the same device is used for browsing the internet or downloading software, the risk of infection rises dramatically. A malware infection on this system could allow malicious software to access private keys from the HSM during the signing process, effectively bypassing the HSM's intended protection. From the outside, as users, we have no practical way to verify or scrutinize these practices. We are fundamentally in the dark about whether an organization or individual has taken rigorous precautions or if they are following minimal security protocols. This lack of transparency introduces an additional layer of risk; users are left trusting in a process they cannot observe or evaluate.
Another vital aspect to consider is the trustworthiness of the individual applying for the certificate. If the applicant is a malicious actor, the signature itself becomes a tool for potential harm. Unfortunately, most certificate authorities issuing code-signing or Extended Validation (EV) certificates do not conduct extensive vetting of applicants. Factors such as an applicant's criminal history, associations, travel history, or broader trustworthiness are seldom, if ever, scrutinized. This lack of rigorous background checks leaves the door open for bad actors to obtain certificates under the guise of legitimacy, turning a critical security feature into a potential vulnerability.
This article was created by me to address these vulnerabilities directly. Windows Defender Application Control (WDAC) or Application Control for Business exists precisely for this reason—it transforms the security paradigm for both attackers and defenders by embracing a real zero-trust approach. Zero trust removes assumptions from the equation, requiring that every executable be explicitly validated before being allowed to run.
In environments with highly sensitive devices or workspaces, relying solely on certificate authorities to secure your systems can be dangerously misguided. Trusting that a certificate authority has conducted rigorous due diligence when issuing code-signing certificates is a risky assumption. App Control provides a critical alternative: it enables you to define your own standards of trust, rather than leaving the responsibility in the hands of external entities who may have different criteria for assessing reliability.
Application Control is empowering. It places the control squarely in your hands, allowing you to determine precisely which files, applications, or processes are authorized to execute on your device. By leveraging this approach, you gain comprehensive oversight and a new level of security confidence, knowing that only files meeting your strict criteria are permitted to run. In an era where threats are increasingly sophisticated, this individualized control over your digital environment is not only prudent but essential.
Exercise extreme caution with programs granted administrator privileges on your system. The User Account Control (UAC) prompt that appears, requesting permission, is more than a minor screen—it serves as a critical security checkpoint. If you inadvertently grant a malicious program administrator access, reversing the damage can be extraordinarily challenging.
When administrator privileges are granted, the program gains more than a one-time permission; it can establish persistent access by embedding itself deeply into the system. Malicious programs can create "hooks", allowing them to access your device and resources on demand. They might configure scheduled tasks to ensure persistence, execute commands with SYSTEM-level privileges, modify registry keys to enable startup scripts, or establish Windows services to maintain their foothold.
Take, for example, the legitimate use case of the Steam game client. Upon installation and initial launch, Steam requests administrator privileges to set up a necessary service that has very high privileges. Although it doesn't ask for elevated permissions again with subsequent launches, this is because it has created that service during the initial setup that allows it to run with elevated privileges even after restarts or shutdowns. While Steam's case is benign, malware can exploit the same mechanisms and others for far more harmful purposes, achieving ongoing control over your device.
In conclusion, Digital signatures are a strong security standard for most use cases, but in high-risk, high-value environments, they are merely not enough. In those situations where the stakes are highest, Application Control is the most effective way to ensure that only trusted, authorized executables are allowed to run. By defining your own standards of trust, you can protect your systems from the most sophisticated threats. Also, exercise caution when granting administrator privileges to programs, as this can lead to persistent access and it's not a one-time permission.
- Create AppControl Policy
- Create Supplemental Policy
- System Information
- Configure Policy Rule Options
- Simulation
- Allow New Apps
- Build New Certificate
- Create Policy From Event Logs
- Create Policy From MDE Advanced Hunting
- Merge App Control Policies
- Deploy App Control Policy
- Get Code Integrity Hashes
- Get Secure Policy Settings
- Update
- Introduction
- App Control for Lightly Managed Devices
- App Control for Fully managed device - Variant 1
- App Control for Fully managed device - Variant 2
- App Control for Fully managed device - Variant 3
- App Control for Fully managed device - Variant 4
- App Control Notes
- How to Create and Deploy a Signed App Control Policy
- Fast and Automatic Microsoft Recommended Driver Block Rules updates
- App Control policy for BYOVD Kernel mode only protection
- EKUs in App Control for Business Policies
- App Control Rule Levels Comparison and Guide
- Script Enforcement and PowerShell Constrained Language Mode in App Control Policies
- How to Use Microsoft Defender for Endpoint Advanced Hunting With App Control
- App Control Frequently Asked Questions (FAQs)
- New-WDACConfig
- New-SupplementalWDACConfig
- Remove-WDACConfig
- Edit-WDACConfig
- Edit-SignedWDACConfig
- Deploy-SignedWDACConfig
- Confirm-WDACConfig
- New-DenyWDACConfig
- Set-CommonWDACConfig
- New-KernelModeWDACConfig
- Get-CommonWDACConfig
- Remove-CommonWDACConfig
- Assert-WDACConfigIntegrity
- Test-CiPolicy
- Get-CiFileHashes
- Get-CIPolicySetting
- Create Bootable USB flash drive with no 3rd party tools
- Event Viewer
- Group Policy
- How to compact your OS and free up extra space
- Hyper V
- Overrides for Microsoft Security Baseline
- Git GitHub Desktop and Mandatory ASLR
- Signed and Verified commits with GitHub desktop
- About TLS, DNS, Encryption and OPSEC concepts
- Things to do when clean installing Windows
- Comparison of security benchmarks
- BitLocker, TPM and Pluton | What Are They and How Do They Work
- How to Detect Changes in User and Local Machine Certificate Stores in Real Time Using PowerShell
- Cloning Personal and Enterprise Repositories Using GitHub Desktop
- Only a Small Portion of The Windows OS Security Apparatus
- Rethinking Trust: Advanced Security Measures for High‐Stakes Systems
- Clean Source principle, Azure and Privileged Access Workstations
- How to Securely Connect to Azure VMs and Use RDP
- Basic PowerShell tricks and notes
- Basic PowerShell tricks and notes Part 2
- Basic PowerShell tricks and notes Part 3
- Basic PowerShell tricks and notes Part 4
- Basic PowerShell tricks and notes Part 5
- How To Access All Stream Outputs From Thread Jobs In PowerShell In Real Time
- PowerShell Best Practices To Follow When Coding
- How To Asynchronously Access All Stream Outputs From Background Jobs In PowerShell
- Powershell Dynamic Parameters and How to Add Them to the Get‐Help Syntax
- RunSpaces In PowerShell
- How To Use Reflection And Prevent Using Internal & Private C# Methods in PowerShell