1
00:00:01,040 --> 00:00:03,870
In this demonstration, we'll use Group Policy.

2
00:00:03,870 --> 00:00:07,460
I'm going to review how to set security settings for Windows Server

3
00:00:07,460 --> 00:00:10,720
historically, and then we'll layer in some of those cloud services

4
00:00:10,720 --> 00:00:14,210
that we learned about earlier in the module. You're looking at one of

5
00:00:14,210 --> 00:00:16,810
my Windows Server 2022 desktops.

6
00:00:16,810 --> 00:00:18,200
This is a domain controller.

7
00:00:18,200 --> 00:00:22,710
Let me bring up my Group Policy Management MMC console.

8
00:00:22,710 --> 00:00:25,940
Hopefully you're already familiar with Group Policy.

9
00:00:25,940 --> 00:00:29,500
My friend and colleague, Darren Mar‑Elia, has done some really

10
00:00:29,500 --> 00:00:33,180
nice Group Policy courses at Pluralsight, so if you're looking

11
00:00:33,180 --> 00:00:37,230
for remedial action in that regard, I would check out Darren.

12
00:00:37,230 --> 00:00:38,320
But, anyway,

13
00:00:38,320 --> 00:00:42,620
you can see that my domain is called timw.info, and we're looking at the

14
00:00:42,620 --> 00:00:46,730
default domain policy just as a representative example. Security

15
00:00:46,730 --> 00:00:50,130
Filtering is set at the default, which is Authenticated Users, and

16
00:00:50,130 --> 00:00:53,940
that's going to involve users, groups, and computer accounts that

17
00:00:53,940 --> 00:00:56,040
are authenticated to the domain.

18
00:00:56,040 --> 00:00:59,130
We can right‑click and go to Edit. I already have the Edit

19
00:00:59,130 --> 00:01:03,120
screen up here, and if we follow down the path under

20
00:01:03,120 --> 00:01:06,330
Computer Configuration, Policies, Windows Settings,

21
00:01:06,330 --> 00:01:11,140
Security Settings, Account Policies, we have Password Policy.
22
00:01:11,140 --> 00:01:15,680
So this is the traditional control surface, where we've got password

23
00:01:15,680 --> 00:01:22,200
history; maximum password age, 42 days; and we can either override

24
00:01:22,200 --> 00:01:27,480
or not define the setting simply by unselecting it, as the case may

25
00:01:27,480 --> 00:01:30,190
be; minimum password length.

26
00:01:30,190 --> 00:01:33,700
So this is the historical set of controls that

27
00:01:33,700 --> 00:01:36,080
surfaced natively in Group Policy.

28
00:01:36,080 --> 00:01:38,740
Now let's start to layer in, as I said,

29
00:01:38,740 --> 00:01:41,930
some of these more advanced services and functions.

30
00:01:41,930 --> 00:01:46,890
How about Exploit Guard? Remember that? We can find our Exploit Guard

31
00:01:46,890 --> 00:01:51,640
under Administrative Templates, Windows Components, and then I was going

32
00:01:51,640 --> 00:01:56,190
to look for Windows Defender Exploit Guard, and then I remembered it's

33
00:01:56,190 --> 00:01:59,640
Microsoft Defender Exploit Guard.

34
00:01:59,640 --> 00:02:03,180
And there's really just one policy here called Use a common set

35
00:02:03,180 --> 00:02:07,980
of exploit protections so you can keep your configuration

36
00:02:07,980 --> 00:02:11,650
centrally on a UNC path on your network.

37
00:02:11,650 --> 00:02:16,010
It uses, unfortunately, the Extensible Markup Language, and

38
00:02:16,010 --> 00:02:18,720
that's a way to centrally control Exploit Guard.

39
00:02:18,720 --> 00:02:23,440
If we open up the Windows Security settings panel here,

40
00:02:23,440 --> 00:02:28,140
we've got the client side that's available in Windows Client and Windows Server.
41
00:02:28,140 --> 00:02:30,310
If we look at App & browser control,

42
00:02:30,310 --> 00:02:34,660
let me turn that on, and then we can come into App & browser

43
00:02:34,660 --> 00:02:39,110
control; the reputation‑based protection is SmartScreen, and then we

44
00:02:39,110 --> 00:02:42,240
have our Exploit protection. And as I said,

45
00:02:42,240 --> 00:02:47,100
the System settings here are all predefined by Microsoft. They're

46
00:02:47,100 --> 00:02:51,620
common hardware‑based vulnerabilities. And then we've got our

47
00:02:51,620 --> 00:02:54,820
Program settings, where we can do overrides,

48
00:02:54,820 --> 00:02:59,020
we can add additional programs to handle that in, so there is some

49
00:02:59,020 --> 00:03:03,640
extensibility to the Exploit Guard functionality.

50
00:03:03,640 --> 00:03:05,220
What about App Control,

51
00:03:05,220 --> 00:03:08,180
Defender App Control? Let's see if I can find that in here.

52
00:03:08,180 --> 00:03:12,100
So, again, we've got Computer Configuration, Administrative

53
00:03:12,100 --> 00:03:17,190
Templates, and then we go under System, Device Guard.

54
00:03:17,190 --> 00:03:19,910
And, again, we have that naming theme that I keep

55
00:03:19,910 --> 00:03:23,380
mentioning, the product naming. Device Guard is what this

56
00:03:23,380 --> 00:03:25,880
capability was originally called.

57
00:03:25,880 --> 00:03:31,970
And we've got Deploy Windows Defender Application Control right here, and in

58
00:03:31,970 --> 00:03:37,380
order to put this into effect, we'll need to have a policy file.
Then,

59
00:03:37,380 --> 00:03:41,840
creating these assets, the XML for exploit protection,

60
00:03:41,840 --> 00:03:46,680
the Code Integrity Policy file for Application Control, that level of

61
00:03:46,680 --> 00:03:51,470
granularity is outside the scope of the exam, but as usual,

62
00:03:51,470 --> 00:03:54,140
you'll want to set up the Microsoft docs,

63
00:03:54,140 --> 00:03:54,550
in other words,

64
00:03:54,550 --> 00:03:59,330
you want to query the Microsoft docs to set yourself up with those step‑by‑step

65
00:03:59,330 --> 00:04:04,140
instructions to use this in the real world. For the purpose of AZ‑801, it's

66
00:04:04,140 --> 00:04:10,320
sufficient that you understand what Defender Application Control does and where

67
00:04:10,320 --> 00:04:13,370
the basic controls are, and as you can see,

68
00:04:13,370 --> 00:04:17,040
it's natively in Windows Server Group Policy.

69
00:04:17,040 --> 00:04:19,840
And then as far as Credential Guard,

70
00:04:19,840 --> 00:04:24,030
the one that requires the virtualization‑based security,

71
00:04:24,030 --> 00:04:27,810
it's actually in the same Group Policy path that's under Device

72
00:04:27,810 --> 00:04:32,240
Guard, Turn On Virtualization Based Security.

73
00:04:32,240 --> 00:04:33,000
And, again,

74
00:04:33,000 --> 00:04:36,520
this is going to require that you've got platform or

75
00:04:36,520 --> 00:04:41,740
motherboard‑based support in hardware for things like Secure Boot,

76
00:04:41,740 --> 00:04:46,480
virtualization extensions on your processors,

77
00:04:46,480 --> 00:04:48,940
UEFI firmware, and so on.

78
00:04:48,940 --> 00:04:53,240
So this is where you can start the path of configuring Credential

79
00:04:53,240 --> 00:04:58:470
Guard protection on your machine, okay? So that is a bit of the old

80
00:04:58,470 --> 00:05:02,720
and the new school just with typical Group Policy‑based management

81
00:05:02,720 --> 00:05:06,340
controls in Windows Server 2022.
82
00:05:06,340 --> 00:05:10,370
Now, let's take a look in more detail at the SmartScreen filter,

83
00:05:10,370 --> 00:05:12,250
which is on by default.

84
00:05:12,250 --> 00:05:16,610
You saw that we can get to its controls within the Windows

85
00:05:16,610 --> 00:05:20,130
Security app, but how does it actually manifest itself by

86
00:05:20,130 --> 00:05:23,440
default from an end user's point of view?

87
00:05:23,440 --> 00:05:29,640
Well, the end user will find as they're using a browser like Edge, in particular,

88
00:05:29,640 --> 00:05:32,980
I'm going to do a search for eicar test file.

89
00:05:32,980 --> 00:05:37,590
This is a really nice way to test that your anti‑malware and your

90
00:05:37,590 --> 00:05:41,840
vulnerability clients are actually working the way they should.

91
00:05:41,840 --> 00:05:46,580
And I'm just going to attempt to bring down a .com file here. And you can see

92
00:05:46,580 --> 00:05:52,190
that SmartScreen has launched into action here and reported reputationally

93
00:05:52,190 --> 00:05:57,160
that that file is unsafe. And you can continue to the site, so that would be

94
00:05:57,160 --> 00:05:59,030
an override that the user could do.

95
00:05:59,030 --> 00:06:02,460
This involves a lot of user and administrator training, it seems

96
00:06:02,460 --> 00:06:05,540
to me. And if a user attempts to download,

97
00:06:05,540 --> 00:06:08,860
say, a ZIP file that contains a malicious file,

98
00:06:08,860 --> 00:06:16,000
you can see that by default Edge marks that ZIP as unsafe and refuses to download it, alright?