HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Bug]: `New-SupplementalWDACConfig -Certificates` throws XML error "The element 'AllowedSigners' in namespace 'urn:schemas-microsoft-com:sipolicy' has incomplete content" #412

Closed denisbrodbeck closed 1 day ago

denisbrodbeck commented 5 days ago

Tools category

WDACConfig Module

Please Explain The Bug

Hi @HotCakeX,

thank you very, very much for your tremendous amount of work securing the Windows OS landscape. I'm using some of your collected wisdom to protect my clients successfully. The official docs on WDAC are not very insightful and good tutorials for WDAC are scarce, so thank you😀

I'm having trouble creating supplemental policies from existing certificates.

In this example I'm using the WireGuard Authenticode Cert (extracted from the original MSI) and want to add this cert to a new supplemental policy. Happens both on Win 11 23H2 en-us (VM) and Win 11 24H2 de-de (fresh install).

New-WDACConfig -PolicyType AllowMicrosoft -EnableScriptEnforcement
New-SupplementalWDACConfig -Certificates -CertificatePaths "C:\MDM\8BC932FDFF15B892E8364C49B383210810E4709D.cer" -SuppPolicyName 'TrustedPublishers' -PolicyPath "C:\Program Files\WDACConfig\AllowMicrosoft.xml" -SigningScenario UserMode

> The file 'SupplementalPolicy TrustedPublishers.xml' has been saved in 'C:\Program Files\WDACConfig'
> The file 'SupplementalPolicy TrustedPublishers.cip' has been saved in 'C:\Program Files\WDACConfig'
> Exception: Exception calling "Set" with "5" argument(s): "Validation error in C:\Program Files\WDACConfig\StagingArea\New-SupplementalWDACConfig\SupplementalPolicy TrustedPublishers.xml: Validation error in C:\Program 
Files\WDACConfig\StagingArea\New-SupplementalWDACConfig\SupplementalPolicy TrustedPublishers.xml: The element 'AllowedSigners' in namespace 'urn:schemas-microsoft-com:sipolicy' has incomplete content. List of
possible elements expected: 'AllowedSigner' in namespace 'urn:schemas-microsoft-com:sipolicy'."

This results in an error (see attached error details field).

I did encounter similar errors before, when building my WDAC policies using only the official PowerShell commands.

Certain operations using the WDAC commands made the resulting XML invalid and further operations couldn't continue until the XML was manually fixed:

# Using a copy of latest user mode block list
$fileUserModeBlockList = 'C:\MDM\usermodeblocklist.xml'
# Remove 'allow all rules' from user mode block policy
Remove-CIPolicyRule -FilePath $fileUserModeBlockList -Id "ID_ALLOW_A_1"
Remove-CIPolicyRule -FilePath $fileUserModeBlockList -Id "ID_ALLOW_A_2"
# Fix broken XML (from previous step)
$xmlDoc = [xml](Get-Content $fileUserModeBlockList)
$xmlDoc.SiPolicy.SigningScenarios.ChildNodes | Where-Object { $_.ID -eq 'ID_SIGNINGSCENARIO_WINDOWS' } | ForEach-Object { [void]$_.ChildNodes.RemoveAll() }
$xmlDoc.Save((Resolve-Path $fileUserModeBlockList))
...
[further operations]
...

Is this issue something that you can reproduce or maybe I am using your tools wrong?

Greetings Denis

Error Details

PS C:\Users\it> Get-Error | fl *

Exception             : System.Management.Automation.MethodInvocationException: Exception calling "Set" with "5" argument(s): "Validation error in C:\Program
                        Files\WDACConfig\StagingArea\New-SupplementalWDACConfig\SupplementalPolicy Trusted Publishers.xml: Validation error in C:\Program
                        Files\WDACConfig\StagingArea\New-SupplementalWDACConfig\SupplementalPolicy Trusted Publishers.xml: The element 'AllowedSigners' in namespace 'urn:schemas-microsoft-com:sipolicy'
                        has incomplete content. List of possible elements expected: 'AllowedSigner' in namespace 'urn:schemas-microsoft-com:sipolicy'."
                         ---> System.InvalidOperationException: Validation error in C:\Program Files\WDACConfig\StagingArea\New-SupplementalWDACConfig\SupplementalPolicy Trusted Publishers.xml: Validation
                        error in C:\Program Files\WDACConfig\StagingArea\New-SupplementalWDACConfig\SupplementalPolicy Trusted Publishers.xml: The element 'AllowedSigners' in namespace
                        'urn:schemas-microsoft-com:sipolicy' has incomplete content. List of possible elements expected: 'AllowedSigner' in namespace 'urn:schemas-microsoft-com:sipolicy'.
                           at WDACConfig.CiPolicyTest.TestCiPolicy(String xmlFilePath, String cipFilePath)
                           at WDACConfig.SetCiPolicyInfo.Set(String filePath, Nullable`1 resetPolicyID, String policyName, String basePolicyID, String basePolicyToSupplementPath)
                           at CallSite.Target(Closure, CallSite, Type, FileInfo, Boolean, String, Object, Object)
                           --- End of inner exception stack trace ---
                           at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
                           at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
                           at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
                           at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
TargetObject          :
CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
FullyQualifiedErrorId : InvalidOperationException
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at New-SupplementalWDACConfig<Process>, C:\Program Files\PowerShell\Modules\WDACConfig\0.4.9\Core\New-SupplementalWDACConfig.psm1: line 336
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}
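
As an added example (not code from the issue or from the WDACConfig module), the function below loads a policy XML, removes the empty `AllowedSigners`/`DeniedSigners` containers that the validation error above complains about (an `AllowedSigners` element with no `AllowedSigner` child), and validates the result against the Windows CI policy schema before the policy is converted or deployed. The function name and the schema path `$env:SystemRoot\schemas\CodeIntegrity\cipolicy.xsd` are assumptions based on a stock Windows install.

```powershell
# Added example, not part of the issue or of WDACConfig. Drops signer containers
# that have no children (the CI schema requires at least one AllowedSigner /
# DeniedSigner inside them) and then validates the policy against the schema.
# Assumption: the CI policy XSD ships at $env:SystemRoot\schemas\CodeIntegrity.
function Repair-EmptySignerContainers {
    param(
        [Parameter(Mandatory)][string]$PolicyPath,
        [string]$SchemaPath = "$env:SystemRoot\schemas\CodeIntegrity\cipolicy.xsd"
    )
    $ns  = 'urn:schemas-microsoft-com:sipolicy'
    $xml = [System.Xml.XmlDocument]::new()
    $xml.PreserveWhitespace = $true
    $xml.Load((Resolve-Path $PolicyPath).Path)

    # The policy elements live in the sipolicy namespace, so XPath needs a prefix.
    $nsm = [System.Xml.XmlNamespaceManager]::new($xml.NameTable)
    $nsm.AddNamespace('si', $ns)

    # Containers whose mandatory child element is missing.
    $queries = @(
        '//si:AllowedSigners[not(si:AllowedSigner)]',
        '//si:DeniedSigners[not(si:DeniedSigner)]'
    )
    $removed = 0
    foreach ($q in $queries) {
        foreach ($node in @($xml.SelectNodes($q, $nsm))) {
            [void]$node.ParentNode.RemoveChild($node)
            $removed++
        }
    }

    # Schema validation: collect every error instead of stopping at the first one.
    $errors = [System.Collections.Generic.List[string]]::new()
    [void]$xml.Schemas.Add($ns, $SchemaPath)
    $xml.Validate({ param($sender, $e) $errors.Add($e.Message) })

    # Only write the file back when the cleaned policy passes validation.
    if ($errors.Count -eq 0 -and $removed -gt 0) {
        $xml.Save((Resolve-Path $PolicyPath).Path)
    }
    [pscustomobject]@{
        Path              = $PolicyPath
        RemovedContainers = $removed
        ValidationErrors  = $errors
    }
}

# Usage against the staged supplemental policy from the report above:
Repair-EmptySignerContainers -PolicyPath 'C:\Program Files\WDACConfig\StagingArea\New-SupplementalWDACConfig\SupplementalPolicy TrustedPublishers.xml'
```

Removing an empty `AllowedSigners` container does not change what the policy allows, since it contained no signer; any remaining `ValidationErrors` point at other schema problems that still need fixing before `ConvertFrom-CIPolicy` or deployment.
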

HotCakeX commented 5 days ago

Hi, thank you very much, very glad to know I was helpful ^^

The New-SupplementalWDACConfig function uses the built-in cmdlets from the Windows PowerShell ConfigCI module. As you mentioned, those cmdlets can generate bad policies with missing elements (happened to me too), policies that aren't valid based on the code integrity schema, so you are not using the tool wrong.

As you've probably noticed, I've been moving the WDACConfig to the new AppControl Manager. This process started less than 2 months ago. The new app uses its own modernized logic for policy creation, file scan and so on.

Here is the landing page for the AppControl Manager: https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager

It has many features implemented so far but does not have the same exact features that the New-SupplementalWDACConfig function offers.

Since you reported that you're experiencing an issue, I'm going to prioritize implementing supplemental policy creation just like the New-SupplementalWDACConfig offers and you can expect it to arrive in AppControl Manager in about 2 to 3 days. Hope that's okay.

HotCakeX commented 1 day ago

Hi, the feature is now added to the AppControl Manager: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/AppControlManager.v.1.5.0.0