Netherlands: Software

Introductie Windows Server 2016


CHAPTER 5 | Security

validate anything above the presented signature by going online or checking local root stores.

RootCertificate: Currently unsupported.

WHQL: Trusts binaries if they have been validated and signed by WHQL. This is primarily for kernel binaries.

WHQLPublisher: This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries.

WHQLFilePublisher: Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries.

Building a golden image

Now, let's look at an example of building a golden image policy from a reference machine. It is important to note that you need to ensure that this is a freshly built machine, free of malware and viruses.

From an elevated Windows PowerShell prompt, type the following information to begin preparing for the initial scan:

    # The trailing backslash keeps the output files inside C:\Temp
    $CIPolicyPath = "C:\Temp\"
    $InitialCIPolicy = $CIPolicyPath + "InitialScan.xml"
    $CIPolicyBin = $CIPolicyPath + "DeviceGuardPolicy.bin"

These commands set up the paths that store the output of the scan we start in this next code example:

    # 3> redirects the warning stream to a log file
    New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt

The UserPEs option automatically turns on User Mode Code Integrity; the command scans the machine at the PcaCertificate level. New-CIPolicy has various other parameters, which you can find at

The next step is to convert this into a binary format for later use. The following code performs this step:

    ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin

If you check the temp folder that we specified, you will see the .bin file and the .xml file from the scan. Save these to a secure location for later use.
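The scan above writes the policy as XML before it is converted to binary, so the XML can be reviewed first. As an added example (not from the book), this PowerShell function reports whether the UMCI option that UserPEs turns on is present, whether audit mode is set, and how many signers each signing scenario allows. The function name Get-CIPolicySummary and the embedded sample policy are constructed for illustration.

```powershell
# Constructed, minimal stand-in for InitialScan.xml (names, IDs and values are made up).
$SamplePolicy = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="Constructed Kernel PCA"><CertRoot Type="TBS" Value="AA11" /></Signer>
    <Signer ID="ID_SIGNER_S_2" Name="Constructed User PCA"><CertRoot Type="TBS" Value="BB22" /></Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1">
      <ProductSigners><AllowedSigners><AllowedSigner SignerId="ID_SIGNER_S_1" /></AllowedSigners></ProductSigners>
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS">
      <ProductSigners><AllowedSigners><AllowedSigner SignerId="ID_SIGNER_S_2" /></AllowedSigners></ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
'@

function Get-CIPolicySummary {   # hypothetical helper, not a ConfigCI cmdlet
    param([Parameter(Mandatory)][xml]$Policy)
    # Policy XML elements live in the sipolicy namespace, so XPath needs a prefix.
    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')
    $options = @($Policy.SelectNodes('//si:Rules/si:Rule/si:Option', $ns) |
                 ForEach-Object { $_.InnerText })
    # Count allowed signers per signing scenario (131 = kernel mode, 12 = user mode).
    $count = {
        param($scenario)
        $Policy.SelectNodes("//si:SigningScenario[@Value='$scenario']//si:AllowedSigner", $ns).Count
    }
    [pscustomobject]@{
        Options         = $options
        UmciEnabled     = $options -contains 'Enabled:UMCI'
        AuditMode       = $options -contains 'Enabled:Audit Mode'
        KernelSigners   = & $count 131
        UserModeSigners = & $count 12
    }
}

# For a real scan: Get-CIPolicySummary -Policy (Get-Content $InitialCIPolicy -Raw)
$summary = Get-CIPolicySummary -Policy $SamplePolicy
$summary | Format-List
if (-not $summary.UmciEnabled) { Write-Warning 'UMCI option missing: user-mode binaries are not covered.' }
if (-not $summary.AuditMode)   { Write-Warning 'Audit mode option missing: the policy is enforced when deployed.' }
```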
More info: For some basic information on how to get started with Code Integrity policies as well as further information about creating an audit policy and deploying it via Group Policy, go to

Credential Guard

Credential Guard isolates secrets using virtualization-based technologies so that only privileged systems can access them. Credential Guard offers the following features:

Hardware security: This increases the security of derived domain credentials by taking advantage of platform security features, including Secure Boot and virtualization.

Virtualization-based security: Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system.
