Closed ckuever closed 7 months ago
Hi, check if you can download these files successfully from the affected device by running this command. It will create a folder named "DownloadTestTemp" in the root of the C drive and the downloaded files will be saved in there.
$Directory = New-Item -Path 'C:\' -Name 'DownloadTestTemp' -ItemType 'Directory' -Force
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Windows%2011%20v23H2%20Security%20Baseline.zip',
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Microsoft%20365%20Apps%20for%20Enterprise%202306.zip',
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Security-Baselines-X.zip',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Registry.csv',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/ProcessMitigations.csv',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/EventViewerCustomViews.zip' | ForEach-Object -Begin { $i = 0 } -Process {
[System.Net.WebClient]$WC = New-Object -TypeName System.Net.WebClient
$WC.DownloadFile($_, (Join-Path -Path $Directory -ChildPath "$i.zip"))
$i++
}
Yes, that is working fully fine.
Seems to be an issue with Constrained Language mode in the Start-FileDownload function within Protect-WindowsSecurity.psm1, if I see that correctly?
Maybe any suggestion to fix that?
I have some suggestions and ideas, but try this first, please.
$Directory = New-Item -Path 'C:\' -Name 'DownloadTestTemp' -ItemType 'Directory' -Force
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Windows%2011%20v23H2%20Security%20Baseline.zip',
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Microsoft%20365%20Apps%20for%20Enterprise%202306.zip',
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Security-Baselines-X.zip',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Registry.csv',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/ProcessMitigations.csv',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/EventViewerCustomViews.zip' | ForEach-Object -Begin { $i = 0 } -Process {
Invoke-RestMethod -Uri $_ -OutFile (Join-Path -Path $Directory -ChildPath "$i.zip")
$i++
}
I think that .NET type I use is not available in Constrained Language mode.
Never mind, the method you tried is already working.
Well, in Constrained Language mode enforced by WDAC, scripts and modules need to be signed and the root certificate must be installed on the device, according to this doc: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement#script-enforcement-overview
So my suggestion is to sign the Harden Windows Security module's files with a self-signed certificate and then run it.
My WDACConfig module creates a code signing certificate in 2 seconds, using this cmdlet.
And WDACConfig module itself is signed, but it won't run in your environment unless:
1) you install the root certificate I used to sign the WDACConfig files, which can be found here
2) create a supplemental policy that allows that certificate
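The signing and trust steps described in this comment (self-signed code signing certificate, root certificate installed on the device, supplemental policy that allows that signer), as an added PowerShell walkthrough that is not part of the Harden-Windows-Security or WDACConfig projects. The module path, certificate subject, scratch folder and base policy GUID are assumed placeholders; the cmdlets are the built-in PKI and ConfigCI ones, and the final verification step only reports the session's language mode and which files fail Authenticode validation.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Harden-Windows-Security project.
# Creates a self-signed code signing certificate, signs every PowerShell file
# under a module folder, verifies the signatures, and builds a supplemental
# WDAC policy that trusts that signer. All values below are assumptions.

$ModulePath   = 'C:\Path\To\Harden-Windows-Security Module'   # assumption: local copy of the module
$CertSubject  = 'CN=Example Org Internal Code Signing'          # assumption: any subject you choose
$PolicyDir    = 'C:\DownloadTestTemp\WDAC'                      # assumption: scratch folder for policy files
$BasePolicyId = '{00000000-0000-0000-0000-000000000000}'        # PLACEHOLDER: ID of your deployed base policy
$Extensions   = '*.ps1', '*.psm1', '*.psd1', '*.ps1xml'

# 1) Create a self-signed code signing certificate in the current user's store.
$Cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $CertSubject `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -KeyUsage DigitalSignature `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(3)

# 2) Export the public certificate and install it as a trusted root and trusted
#    publisher so that Authenticode validation on this device chains to it.
New-Item -Path $PolicyDir -ItemType Directory -Force | Out-Null
$CerPath = Join-Path -Path $PolicyDir -ChildPath 'CodeSigning.cer'
Export-Certificate -Cert $Cert -FilePath $CerPath | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 3) Sign every PowerShell file in the module folder.
$Files = @(Get-ChildItem -Path $ModulePath -Recurse -Include $Extensions)
foreach ($File in $Files) {
    $Result = Set-AuthenticodeSignature -FilePath $File.FullName -Certificate $Cert -HashAlgorithm SHA256
    if ($Result.Status -ne 'Valid') {
        Write-Warning "Signing failed for $($File.FullName): $($Result.StatusMessage)"
    }
}

# 4) Verify: list any file whose signature does not validate. Under script
#    enforcement such a file is what keeps the module from running in Full Language mode.
$Bad = @(Get-ChildItem -Path $ModulePath -Recurse -Include $Extensions |
    Get-AuthenticodeSignature | Where-Object { $_.Status -ne 'Valid' })
if ($Bad.Count -gt 0) {
    $Bad | Select-Object Path, Status, StatusMessage | Format-Table -AutoSize
} else {
    Write-Host "All $($Files.Count) module files carry a valid signature."
}

# 5) Build a supplemental policy (multiple-policy format) attached to the base
#    policy, add an explicit user-mode signer rule for the certificate, and compile it.
$SuppXml = Join-Path -Path $PolicyDir -ChildPath 'HardenModule_Supplemental.xml'
New-CIPolicy -FilePath $SuppXml -ScanPath $ModulePath -Level Publisher -UserPEs -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $SuppXml -SupplementsBasePolicyID $BasePolicyId -PolicyName 'Harden Module Supplemental'
Add-SignerRule -FilePath $SuppXml -CertificatePath $CerPath -User
$PolicyId = ([xml](Get-Content -Path $SuppXml -Raw)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $SuppXml -BinaryFilePath (Join-Path -Path $PolicyDir -ChildPath "$PolicyId.cip")

# 6) Deploy the .cip alongside the base policy, then check from a fresh session:
#    the interactive session stays Constrained, while a signed and allowed module
#    is loaded with full trust.
Write-Host "Session language mode: $($ExecutionContext.SessionState.LanguageMode)"
```

The supplemental policy is compiled under its own PolicyID so it can be deployed next to the base policy without replacing it; if a module file still shows a non-Valid status in step 4, fix that file before deploying, because script enforcement evaluates each file individually.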
Yes, exactly that we also decided to do, meaning sign the module.
Sounds good, let me know how it goes. I'm planning on publishing an article about this topic soon, I will make sure to ping you once it's posted. I'll go ahead and close this issue :)
@ckuever As promised, here is my article on script enforcement and constrained language mode https://github.com/HotCakeX/Harden-Windows-Security/wiki/Script-Enforcement-and-PowerShell-Constrained-Language-Mode-in-WDAC-App-Control-Policies
Hi,
Done exactly that way; all files are signed with our code signing cert. I see no WDAC errors, modules are imported correctly, however no commands are available.
Have you ever tried your nice modules with script enforcement and in Constrained Language mode? Or will this simply not work?
Thank you.
Hi,
Maybe you can reopen, as I added a comment and question.
THX,
Christian
(Quoted in the reply: From: Violet, Sent: Tuesday, April 23, 2024 12:05 PM, To: HotCakeX/Harden-Windows-Security, Subject: Re: [HotCakeX/Harden-Windows-Security] Encountered Error: The required files could not be downloaded, Make sure you have Internet connection. (Issue #243). The quoted body repeats the download test command given earlier in this thread.)
Hello,
Anyone else have this problem:
VERBOSE: Running Protect-WindowsSecurity function as part of the Harden-Windows-Security module
VERBOSE: Importing the required sub-modules
VERBOSE: Checking for updates...
VERBOSE: Creating the working directory
VERBOSE: Getting the current configurations and preferences of the Microsoft Defender...
VERBOSE: Backing up the current Controlled Folder Access allowed apps list in order to restore them at the end
VERBOSE: Temporarily adding the currently running PowerShell executables to the Controlled Folder Access allowed apps list
VERBOSE: Checking if the OS is Windows Home edition...
VERBOSE: Checking if the OS build is equal or greater than the required build...
VERBOSE: Checking if Secure Boot is enabled...
VERBOSE: Checking if TPM is available and enabled...
VERBOSE: Downloading the required files
VERBOSE: Skipping downloading the Security-Baselines-X because of local mode.
VERBOSE: Skipping downloading the Registry because of local mode.
VERBOSE: Skipping downloading the ProcessMitigations because of local mode.
VERBOSE: Skipping downloading the EventViewerCustomViews because of local mode.
VERBOSE: Finally block is running
VERBOSE: Reverting the PowerShell executables and powercfg.exe allow listings in Controlled folder access
VERBOSE: Removing the working directory
VERBOSE: Disabling progress bars
VERBOSE: Restoring the title of the PowerShell back to what it was prior to running the script/module
VERBOSE: Setting the execution policy back to what it was prior to running the script/module
Encountered Error: The required files could not be downloaded, Make sure you have Internet connection.
As it runs on a secured workstation, we enforce PowerShell in Constrained Language; is Constrained Language mode tested?
We do not see any other issues than this error, which is (at least from the verbose output) somehow in these lines?
Write-Verbose -Message 'Setting the execution policy back to what it was prior to running the script/module'
Set-ExecutionPolicy -ExecutionPolicy "$CurrentExecutionPolicy" -Scope 'Process' -Force
Maybe any suggestions?
thanks.