Jump to content
Microsoft Windows Bulletin Board

New enterprise-grade security controls for the Windows Subsystem for Linux


Recommended Posts

Guest Craig Loewen
Posted

The Windows Subsystem for Linux (WSL) has added new enterprise-oriented features that will help you deploy, monitor, and configure WSL safely within your organization’s setting. Virtual Machine-based environments, like WSL, can be difficult to manage security for in enterprise business settings. We’ve listened to your feedback and have developed new features to enhance this specific scenario, enabling any Enterprise to use WSL securely and reliably.

 

WSL has these new capabilities which you can learn more about below:

 

  • Monitor WSL Distros with Microsoft Defender for Endpoint (MDE)
  • Manage WSL and its key security settings via Intune
  • Advanced networking controls for improved configurability and compatibility
  • Windows applications can now integrate with WSL with a WSL plugin

 

 

[HEADING=1]See and monitor all WSL distributions with Microsoft Defender for Endpoint[/HEADING]

 

While WSL helps streamline productivity and boost performance for developers, the containerized environment became a blind spot for security teams – expanding the attack surface and increasing risk. To minimize this risk, security teams need to be able to see and monitor what is running inside of WSL. To achieve this, we are excited to announce the public preview of a new Microsoft Defender for Endpoint plug-in for WSL. This plug-in allows security teams to see and continuously monitor for security events in all running WSL distributions with Defender for Endpoint while minimally impacting performance on developer workloads.

 

[ATTACH=full]42423[/ATTACH] The WSL plug-in for Microsoft Defender for Endpoint gives security teams visibility into all running WSL distributions directly from the Defender portal.

 

Learn more about getting started with WSL support for Defender for Endpoint at the MDE plugin doc page.

 

[HEADING=1]Manage WSL and its key security settings via Intune[/HEADING]

 

Additionally, we’ve added new settings for WSL to Intune that will help you configure access to three key areas: general access to WSL, WSL commands, and WSL settings. These settings are group policy object (GPO) friendly and so can be used by other management tools as well.

 

[ATTACH=full]42424[/ATTACH]

 

By configuring these you will be confident that the right users can access WSL, and that they are using it in a secure manner. Please navigate to the WSL Intune docs to learn more about creating a policy to manage these settings.

 

[HEADING=1]Advanced networking controls for improved configurability and compatibility[/HEADING]

 

These networking features are available on Win11 22H2 and higher.

 

For network admins, we’ve added the “Hyper-V firewall” feature, and turned it on by default on the latest WSL releases. The most important thing that this feature does is ensure that any firewall rules that you have set on Windows now automatically apply to WSL, giving you the same network security story both on Windows and in Linux. Additionally, you can also customize specific firewall settings and rules and have them apply only to WSL. To learn more about this feature and how to get started with it please see the Hyper-V firewall docs page.

 

And for users of WSL, we’ve added new networking features to help improve connectivity inside of an Enterprise environment which often have complicated networking setups consisting of VPNs, proxies, advanced firewall configurations and more. We made these initially available as experimental features in September but have now put them as regular features. Currently only Hyper-V firewall is turned on by default, and the rest you will need to enable manually. Please see the networking docs page to learn more about using mirrored mode networking, DNS tunneling, autoProxy and more!

 

[HEADING=1]WSL plugins[/HEADING]

 

The integration with MDE and WSL was made possible using a new feature: WSL plugins. Windows applications can now integrate with WSL, can specify Linux agents to run in WSL, and the Linux processes can communicate information back to the Windows application. Windows apps can now have a presence inside of WSL, adding use cases for applications like monitoring WSL usage, and more.

 

You can learn more about WSL plugins, and how to get started creating them on the WSL plugins doc page.

 

[HEADING=1]How to get started[/HEADING]

 

We’ve revamped our Enterprise docs page to have a full guide on how you can get started with these new features. Please keep in mind that the new networking features are available on Windows 11 only, while the MDE and Intune support are available on both Windows 10 and Windows 11. Lastly, the MDE plugin is released as a preview, while the networking features and Intune management are generally available.

 

[HEADING=1]Send us your feedback[/HEADING]

 

We hope that these features allow you to fully deploy WSL to your company. We also know that there are likely more capabilities that you would still like to have, and we plan to keep building on this enterprise story for WSL with more integrations with Intune and Azure Active Directory (AAD) in the future. If you have any technical issues or feature requests please file them at the WSL GitHub repository. Happy coding!

 

The post New enterprise-grade security controls for the Windows Subsystem for Linux appeared first on Windows Command Line.

 

Continue reading...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...