
Introducing Windows Server 2016

Chapter 5 | Security

fun or as a common application. Now, end users will not be able to execute the potentially dangerous code.

You can configure Code Integrity policies individually on machines based on specific needs, or you can baseline a machine, capture a golden image, and use that as the base from which you deploy each additional machine. You can have only one Code Integrity policy per machine, which is stored in C:\Windows\System32\CodeIntegrity. This means that you might need to implement multiple policies depending on your application requirements. For example, you might have a policy that covers machines in the finance department, a separate one for the engineering department, and so on. The simplest method for most organizations is to create a core application policy based on your software catalog and then, where specific additions are needed, merge a policy that includes the new software into the policy for that specific machine (or group of machines).

Code Integrity policies comprise several components, two of which are of particular interest: policy rules and file rules. Policy rules can have a variety of options, as detailed in the following table:

| Rule option | Description |
|---|---|
| 0 Enabled:UMCI | Code Integrity policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Turning on this rule option validates user-mode executables and scripts. |
| 1 Enabled:Boot Menu Protection | This option is not currently supported. |
| 2 Required:WHQL | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL)-signed are allowed to run. Turning on this rule requires that every driver is WHQL-signed and removes legacy driver support. Going forward, every new Windows 10-compatible driver must be WHQL certified. |
| 3 Enabled:Audit Mode (Default) | Allows binaries to run outside of the Code Integrity policy but logs each occurrence in the CodeIntegrity event log, which you can use to update the existing policy before enforcement. To enforce a Code Integrity policy, remove this option. |
| 4 Disabled:Flight Signing | If turned on, Code Integrity policies will not trust flightroot-signed binaries. You would use this for scenarios in which organizations want to run only released binaries, not flighted builds. |
| 5 Enabled:Inherent Default Policy | This option is not currently supported. |
| 6 Enabled:Unsigned System Integrity Policy (Default) | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to make future policy modifications possible. |
| 7 Allowed:Debug Policy Augmented | This option is not currently supported. |
| 8 Required:EV Signers | In addition to requiring that drivers be WHQL-signed, this rule requires that they must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
| 9 Enabled:Advanced Boot Options Menu | The F8 prestartup menu is turned off by default for |
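The baseline-then-merge workflow described above, as an added PowerShell example (not from the book) using the ConfigCI cmdlets; the working folder, the department scan path, the policy file names and the SIPolicy.p7b binary name are assumptions you would replace with your own:

```powershell
# Added example, not the book's own code. Assumes the ConfigCI module cmdlets
# (New-CIPolicy, Merge-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy) are
# available; folder and file names below are placeholders.

$work = 'C:\CIPolicy'            # working folder (assumed)
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Baseline: scan the golden image and build the core policy. Level
#    Publisher trusts files from the same signer; Hash is the fallback for
#    files that cannot be expressed at that level. -UserPEs includes
#    user-mode binaries so option 0 (Enabled:UMCI) has something to enforce.
New-CIPolicy -FilePath "$work\CorePolicy.xml" -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs

# 2. Department-specific additions: scan only the extra software folder
#    (path assumed) and merge the result with the core policy.
New-CIPolicy -FilePath "$work\FinanceApps.xml" -Level Publisher -Fallback Hash -ScanPath 'C:\Program Files\FinanceApp' -UserPEs
Merge-CIPolicy -PolicyPaths "$work\CorePolicy.xml", "$work\FinanceApps.xml" -OutputFilePath "$work\FinancePolicy.xml"

# 3. Rule options, using the option numbers from the table above.
Set-RuleOption -FilePath "$work\FinancePolicy.xml" -Option 0   # Enabled:UMCI (user mode too)
Set-RuleOption -FilePath "$work\FinancePolicy.xml" -Option 3   # keep Enabled:Audit Mode for the pilot

# 4. Compile to the binary form Windows loads from ...\CodeIntegrity and deploy.
#    SIPolicy.p7b is the conventional binary file name (assumed here).
ConvertFrom-CIPolicy -XmlFilePath "$work\FinancePolicy.xml" -BinaryFilePath "$work\SIPolicy.p7b"
Copy-Item "$work\SIPolicy.p7b" "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# 5. During the pilot, review what audit mode logged in the CodeIntegrity
#    event log: each entry is a binary that enforcement would have blocked,
#    so the list tells you what still needs to be merged into the policy.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message

# 6. Once the policy is complete, remove option 3 to move from audit to
#    enforcement, then recompile and redeploy (a reboot applies the policy).
Set-RuleOption -FilePath "$work\FinancePolicy.xml" -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath "$work\FinancePolicy.xml" -BinaryFilePath "$work\SIPolicy.p7b"
```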
