HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License
1.87k stars 148 forks source link

Encountered Error: The required files could not be downloaded, Make sure you have Internet connection. #243

Closed ckuever closed 7 months ago

ckuever commented 7 months ago

Hello,

anyone else have this problem:

VERBOSE: Running Protect-WindowsSecurity function as part of the Harden-Windows-Security module VERBOSE: Importing the required sub-modules VERBOSE: Checking for updates... VERBOSE: Creating the working directory VERBOSE: Getting the current configurations and preferences of the Microsoft Defender... VERBOSE: Backing up the current Controlled Folder Access allowed apps list in order to restore them at the end VERBOSE: Temporarily adding the currently running PowerShell executables to the Controlled Folder Access allowed apps list VERBOSE: Checking if the OS is Windows Home edition... VERBOSE: Checking if the OS build is equal or greater than the required build... VERBOSE: Checking if Secure Boot is enabled... VERBOSE: Checking if TPM is available and enabled... VERBOSE: Downloading the required files VERBOSE: Skipping downloading the Security-Baselines-X because of local mode. VERBOSE: Skipping downloading the Registry because of local mode. VERBOSE: Skipping downloading the ProcessMitigations because of local mode. VERBOSE: Skipping downloading the EventViewerCustomViews because of local mode. VERBOSE: Finally block is running VERBOSE: Reverting the PowerShell executables and powercfg.exe allow listings in Controlled folder access VERBOSE: Removing the working directory VERBOSE: Disabling progress bars VERBOSE: Restoring the title of the PowerShell back to what it was prior to running the script/module VERBOSE: Setting the execution policy back to what it was prior to running the script/module Encountered Error: The required files could not be downloaded, Make sure you have Internet connection.

as it runs on a secured workstation we enforce powershell in constrained language, is constrainedlanguage mode tested?

We do not see any other issues then this error which is (at least from verbose output)somehow in this lines?

Write-Verbose -Message 'Setting the execution policy back to what it was prior to running the script/module' Set-ExecutionPolicy -ExecutionPolicy "$CurrentExecutionPolicy" -Scope 'Process' -Force

manybe any suggestions?

thanks.

HotCakeX commented 7 months ago

Hi, check if you can download these files successfully from the affected device by running this command. It will create a folder named "DownloadTestTemp" in the root of the C drive and the downloaded files will be saved in there.

$Directory = New-Item -Path 'C:\' -Name 'DownloadTestTemp' -ItemType 'Directory' -Force

'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Windows%2011%20v23H2%20Security%20Baseline.zip',
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Microsoft%20365%20Apps%20for%20Enterprise%202306.zip',
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Security-Baselines-X.zip',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Registry.csv',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/ProcessMitigations.csv',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/EventViewerCustomViews.zip' | ForEach-Object -Begin { $i = 0 } -Process {

    [System.Net.WebClient]$WC = New-Object -TypeName System.Net.WebClient
    $WC.DownloadFile($_, (Join-Path -Path $Directory -ChildPath "$i.zip"))
    $i++
}
ckuever commented 7 months ago

yes that is working fully fine

seems to be an issue with constrainedlanguage mode in the Start-FileDownload function within Protect-WindowsSecurity.psm1, if i see that correctly?

maybe any suggestion to fix that?

HotCakeX commented 7 months ago

I have some suggestions and ideas, but try this first please

$Directory = New-Item -Path 'C:\' -Name 'DownloadTestTemp' -ItemType 'Directory' -Force

'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Windows%2011%20v23H2%20Security%20Baseline.zip',
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Microsoft%20365%20Apps%20for%20Enterprise%202306.zip',
'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Security-Baselines-X.zip',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Registry.csv',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/ProcessMitigations.csv',
'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/EventViewerCustomViews.zip' | ForEach-Object -Begin { $i = 0 } -Process {

    Invoke-RestMethod -Uri $_ -OutFile (Join-Path -Path $Directory -ChildPath "$i.zip")
    $i++
}

I think that .NET type i use is not available in constrained language mode

HotCakeX commented 7 months ago

Nevermind, the method you tried is already working,

Well in constrained language mode enforced by WDAC, scripts and modules need to be signed and the root certificate must be installed on the device according to this doc: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement#script-enforcement-overview

So my suggestion is to sign the Harden Windows Security module's files with a self-signed certificate and then run it.

My WDACConfig module creates code signing certificate in 2 seconds, using this cmdlet.

And WDACConfig module itself is signed, but it won't run in your environment unless:

1) you install the root certificate I used to sign the WDACConfig files, which can be found here 2) create a supplemental policy that allows that certificate

ckuever commented 7 months ago

yes exactly that we also decided to do, meaning sign the module

HotCakeX commented 7 months ago

yes exactly that we also decided to do, meaning sign the module

Sounds good, let me know how it goes. I'm planning on publishing an article about this topic soon, i will make sure to ping you once it's posted. I'll go ahead and close this issue :)

HotCakeX commented 7 months ago

@ckuever As promised, here is my article on script enforcement and constrained language mode https://github.com/HotCakeX/Harden-Windows-Security/wiki/Script-Enforcement-and-PowerShell-Constrained-Language-Mode-in-WDAC-App-Control-Policies

ckuever commented 5 months ago

Hi,

done exactly that way, all files are signed with our code signing cert. I see no WDAC errors, modules are important correctly however no commands are available

image

have you ever tried your nice modules with script enforcement and in constrained language mode? Or will this simply not work?

Thank you.

ckuever commented 5 months ago

Hi,

mabe you can reopen as is added a comment and question

THX,

Christian


From: Violet @.> Sent: Tuesday, April 23, 2024 12:05 PM To: HotCakeX/Harden-Windows-Security @.> Cc: Christian Kuever @.>; Author @.> Subject: Re: [HotCakeX/Harden-Windows-Security] Encountered Error: The required files could not be downloaded, Make sure you have Internet connection. (Issue #243)

Hi, check if you can download these files successfully from the affected device by running this command. It will create a folder named "DownloadTestTemp" in the root of the C drive and the downloaded files will be saved in there.

$Directory = New-Item -Path 'C:\' -Name 'DownloadTestTemp' -ItemType 'Directory' -Force

'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Windows%2011%20v23H2%20Security%20Baseline.zip', 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Microsoft%20365%20Apps%20for%20Enterprise%202306.zip', 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip', 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Security-Baselines-X.zip', 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/Registry.csv', 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/ProcessMitigations.csv', 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security%20Module/Main%20files/Resources/EventViewerCustomViews.zip' | ForEach-Object -Begin { $i = 0 } -Process {

[System.Net.WebClient]$WC = New-Object -TypeName System.Net.WebClient
$WC.DownloadFile($_, (Join-Path -Path $Directory -ChildPath "$i.zip"))
$i++

}

— Reply to this email directly, view it on GitHubhttps://github.com/HotCakeX/Harden-Windows-Security/issues/243#issuecomment-2071915496, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AIARAJKAVZRHUSCZWZPTIEDY6YW7VAVCNFSM6AAAAABGURH6W6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANZRHEYTKNBZGY. You are receiving this because you authored the thread.Message ID: @.***>