Forum Discussion
2 factor for allowing unsigned apps to be installed?
Hi everyone,
I'm just looking for your ideas on dealing with unsigned applications.
We can't trust EDR/AV to do everything and yet there are times we want to allow users to install unsigned applications.
I believe the middle ground in some cases is to allow the application to be installed but only if an authenticator method is used.
Although this won't eliminate all malicious activity, it would prevent a specific category of attacks from happening.
It would also be so much easier to track malicious activity by flagging that device as high risk and tracking post-behavior for x hours.
**So my question is:** Can anyone recommend a clear method/procedure for allowing unsigned apps to be installed but only with an authenticator app method?
Or can WDAC be configured to allow apps to be installed with an authenticator?
Thanks.
- Perhaps use the consent settings instead?
https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings
- SocInABox (Iron Contributor)
That's a neat idea, thanks Christian,
I assume that when a user self-authorizes installation of an unsigned app, it will be logged somewhere, so I'll look into that. I also recently read that if a kernel-level driver is loaded it will do such with a specific local admin account (SID 1-5-18 - local admin), so if that's true then I can also track unauthorized SIDs loading drivers.
https://synzack.github.io/Blinding-EDR-On-Windows/
Thanks!