A few settings in Windows and Office 365 can prevent users from installing applications that put their devices, and your network, at risk. They are free and quick to turn on, and they do a great deal of good.
Attackers study how we manage and monitor our systems more closely than we do when they look for the best way into our networks. They keep getting smarter, and one way they now deploy malware is a process called sideloading: hiding malicious code inside an application that appears to come from a trusted source such as the Microsoft Store. Sophos recently published a post on its blog about an attack that first tried to trick a publisher's staff with a targeted email and then used sideloading to install a custom app hosted on the Microsoft Store (since removed). The app is reported to have installed malware and ransomware on the network. We have also seen attackers use third-party Office 365 apps to gain access to a network and steal key information. So what options do you have to block and defend against sideloading attacks?
First, training end users is critical to keeping your network secure. A suitably paranoid employee will often stop and think before clicking on something, and forward the offending email to support for review. It is also a good idea to run phishing simulations to see whether employees can recognize phishing.
Block sideloading attacks using Intune
You can block sideloading with Group Policy, with registry settings, or with Intune. In Intune, you create a Windows 10 device restriction policy as follows:
– In the Microsoft Endpoint Manager admin center, select "Devices", then "Configuration profiles", then "Create profile";
– Under "Platform", choose "Windows 10 and later";
– Under "Profile", select "Device restrictions" (or select "Templates" and then "Device restrictions");
– Select "Create";
– Under "Basics", enter a descriptive name and a description for the policy so that you can keep track of the setting, then select "Next";
– Under "Configuration settings", open the "App Store" settings and set "Trusted app installation" to "Block". This prevents the installation of apps that do not come from the Microsoft Store on Windows 10 and 11. The setting has three values:
  Not configured (default): Intune does not change or update this setting;
  Block: prevents sideloading; apps from outside the Microsoft Store cannot be installed;
  Allow: allows sideloading; apps from outside the Microsoft Store can be installed.
– Select "Next";
– Set scope tags if you use them to identify which platform you manage and to track where the policy applies, then select "Next";
– Under "Assignments", choose the users or groups who will receive this policy, then select "Next";
– Select "Review + create".
Block sideloading attacks using Group Policy
You can also block sideloading with Group Policy. Open, in order, "Computer Configuration", "Administrative Templates", "Windows Components" and "App Package Deployment". Then set these two settings to Disabled:
– Allow development of Windows Store apps and installing them from an integrated development environment (IDE);
– Allow all trusted apps to install.
Disabling both settings ensures that no sideloaded package, malicious or otherwise, can be deployed on the machine; apps installed from the Microsoft Store itself are not affected. Two caveats: these settings govern packaged apps (Appx/MSIX) only, so they do nothing against a classic Win32 installer and complement rather than replace application control; and legitimate apps from outside the Store, such as internal line-of-business packages or developer builds, cannot be installed either, so you may need to switch the setting off and back on as needed.
Block sideloading attacks using a registry key
To block sideloading through the registry, open HKEY_LOCAL_MACHINE and navigate to Software, Policies, Microsoft, Windows, Appx. Set the AllowAllTrustedApps value to a DWORD of 0 to block sideloading:
Registry hive: HKEY_LOCAL_MACHINE
Registry path: Software\Policies\Microsoft\Windows\Appx
Value name: AllowAllTrustedApps
Value type: REG_DWORD
Enabled value: 1 (sideloading allowed)
Disabled value: 0 (sideloading blocked)
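The following PowerShell is added here as an example; it is not code from the article or from Microsoft. It enforces and audits the setting for both the Group Policy section and the registry procedure above, using AllowDevelopmentWithoutDevLicense as the registry counterpart of the IDE policy setting. It assumes an elevated session, and the package path in the functional check is a hypothetical placeholder you replace with any signed package that did not come from the Store.

```powershell
# Added example (not from the original article or from Microsoft): enforce and
# audit the sideloading policy locally. Run from an elevated PowerShell session.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

# Desired state: 0 blocks sideloading of packaged (Appx/MSIX) apps and blocks
# installs from an IDE. Microsoft Store installs are not affected.
$Desired = [ordered]@{
    AllowAllTrustedApps               = 0   # "Allow all trusted apps to install"
    AllowDevelopmentWithoutDevLicense = 0   # "Allow development of Windows Store apps ... (IDE)"
}

function Set-SideloadingBlocked {
    # Create the policy key if no GPO has ever written it, then write both values.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
    }
}

function Get-SideloadingState {
    # One row per value: current data ('not set' if absent) and whether it
    # matches the blocking value. Absent means the OS default applies, and
    # current Windows 10/11 builds allow sideloading by default.
    foreach ($name in $Desired.Keys) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.$name } else { 'not set' }
        [pscustomobject]@{
            Value     = $name
            Current   = $current
            Compliant = ($current -eq $Desired[$name])
        }
    }
}

function Test-SideloadingBlocked {
    # Functional check: try to deploy a non-Store package and expect the
    # deployment to be refused. $PackagePath is a hypothetical placeholder;
    # point it at any signed .msix/.appx that did not come from the Store.
    param([string]$PackagePath = 'C:\Packages\LobApp.msix')
    try {
        Add-AppxPackage -Path $PackagePath -ErrorAction Stop
        return $false   # the install went through: the policy is not blocking
    } catch {
        # Refused by policy: the error says a developer licence or a
        # sideloading-enabled system is needed (HRESULT 0x80073CFF).
        if ($_.Exception.Message -match '0x80073CFF') { return $true }
        throw   # anything else (missing file, bad signature) says nothing about the policy
    }
}

function Get-RecentAppxDeploymentFailures {
    # For the SOC: failed package deployments are logged by the AppX deployment
    # server; a burst of them on one workstation is worth a look.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppXDeployment-Server/Operational'
        Level     = 2                              # Error
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-SideloadingBlocked
Get-SideloadingState | Format-Table -AutoSize
```

Get-SideloadingState is the useful part on a machine you did not configure yourself: a value that is "not set" is not the same as blocked, since recent Windows builds allow sideloading unless told otherwise. Test-SideloadingBlocked deliberately rethrows any error other than the policy refusal, so a missing or badly signed test package is not mistaken for a working control.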
Preventing sideloading attacks in Office 365
We have also seen reports of third-party Office 365 applications being used to gain additional rights on a network or to steal information from it. I highly recommend reviewing the "Manage user consent to apps in Microsoft 365" setting and configuring an administrator approval flow, so that any user who requests access to an app, or who inadvertently grants a third-party application access, has to go through an approval process.
In the Microsoft 365 admin center, select "Settings", then "Org settings", the "Services" tab, then "User consent to apps", and turn user consent on or off. You may want to delegate the approval of such requests to specific users. Although approval can come from a global administrator, that may not be practical in a larger organization; approvals can also be handled by a Cloud Application Administrator or an Application Administrator.
To configure approval rights, follow these steps:
– Sign in to the Azure portal as a global administrator.
– Select "All services" at the top of the left navigation menu and type "Azure Active Directory" in the filter box.
– Select "Azure Active Directory". In the navigation menu, select "Enterprise applications", then under "Manage" select "User settings". Under "Admin consent requests", set "Users can request admin consent to apps they are unable to consent to" to "Yes".
– Select the users who will review admin consent requests. Reviewers must hold the Global Administrator, Cloud Application Administrator, or Application Administrator role, and you must designate at least one reviewer before you can enable the workflow. Selecting a user here does not grant a role: a user who does not already hold one of those roles cannot act as a reviewer.
The selected reviewers receive an email notification for each request; enable or disable these notifications as you prefer. They can also receive reminders when a request is about to expire; enable or disable those as well. Finally, set the number of days after which a pending consent request expires. Train whoever holds the reviewer role to respond to these approvals within a reasonable time.
Attackers know that users install applications without much thought. Make sure your settings protect your network from these entry points, then "patch" your humans and train them to recognize these attack techniques.
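As an added example, not taken from the article and not Microsoft's own code, the same two consent controls can be set with the Microsoft Graph PowerShell SDK instead of clicking through both portals, which makes the configuration repeatable and auditable. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the Policy.ReadWrite.Authorization, Policy.ReadWrite.ConsentRequest and User.Read.All scopes, and that the reviewer address is a hypothetical placeholder for an account that already holds one of the required roles.

```powershell
# Added example (not from the original article or from Microsoft): set the
# consent controls through Microsoft Graph and read them back.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest', 'User.Read.All'

$graph = 'https://graph.microsoft.com/v1.0'

# 1. Turn user consent off. An empty list of permission-grant policies means
#    no user can consent to a third-party app on their own; every request has
#    to reach an administrator. (To allow low-risk consent instead, assign
#    'ManagePermissionGrantsForSelf.microsoft-user-default-low'.)
$authBody = @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/authorizationPolicy" -Body $authBody

# 2. Turn the admin consent request workflow on with named reviewers.
#    The address is a hypothetical placeholder; each account must already hold
#    the Global, Cloud Application or Application Administrator role, because
#    listing it here grants no role.
$reviewerUpns = @('appadmin@contoso.example')
$reviewers = foreach ($upn in $reviewerUpns) {
    $user = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/${upn}?`$select=id"
    @{ query = "/users/$($user.id)"; queryType = 'MicrosoftGraph'; queryRoot = $null }
}
$consentBody = @{
    isEnabled             = $true
    notifyReviewers       = $true   # mail reviewers on every new request
    remindersEnabled      = $true   # remind them before a request expires
    requestDurationInDays = 30      # pending requests expire after this many days
    reviewers             = @($reviewers)
}
Invoke-MgGraphRequest -Method PUT -Uri "$graph/policies/adminConsentRequestPolicy" -Body $consentBody

# 3. Read both policies back. Run this function on its own later as a drift check.
function Test-ConsentHardening {
    $auth = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authorizationPolicy"
    $req  = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/adminConsentRequestPolicy"
    [pscustomobject]@{
        UserConsentDisabled  = (@($auth.defaultUserRolePermissions.permissionGrantPoliciesAssigned).Count -eq 0)
        WorkflowEnabled      = [bool]$req.isEnabled
        ReviewerCount        = @($req.reviewers).Count
        RequestExpiresInDays = $req.requestDurationInDays
    }
}
Test-ConsentHardening
```

The empty permissionGrantPoliciesAssigned list is what the "user consent off" switch in the admin center writes; the adminConsentRequestPolicy object carries the reviewer list, the notification and reminder flags and the expiry period described above, so the drift check reports every knob the procedure touches in one object.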