my personal blog about systemcenter

Building a secure workstation one step at a time, Part 1

I have been trying to spend more time on device security and have been using Device Guard to lock down an admin workstation and servers.

I am following the examples from Matt's post on merging a baseline policy with new policies:

http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html

If you don't already follow @mattifestation (Matt Graeber), start now; his published work on Device Guard is gold.


Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\explorer.exe) attempted to load \Device\HarddiskVolume4\Source\PUTTY.EXE that did not meet the Enterprise signing level requirements.

So I wanted to add PuTTY to my base policy:

# Scan C:\Source for user-mode PEs (PuTTY.exe) and build a standalone hash-level policy for them
$Putty = Get-SystemDriver -ScanPath 'C:\Source' -UserPEs

New-CIPolicy -FilePath Putty.xml -DriverFiles $Putty -Level Hash -UserPEs

# The existing baseline policy that the PuTTY rules get merged into
$MasterRuleXml = 'FinalPolicy.xml'

# -Level Hash: PuTTY is added by file hash only (Matt's example uses -Level Publisher)
$PuttyRules = New-CIPolicyRule -DriverFiles $Putty -Level Hash

Merge-CIPolicy -OutputFilePath FinalPolicy_Merged.xml -PolicyPaths $MasterRuleXml -Rules $PuttyRules

# Compile the merged XML into the binary policy that is deployed
ConvertFrom-CIPolicy -XmlFilePath .\FinalPolicy_Merged.xml -BinaryFilePath SIPolicy.p7b

Following the example on Matt's blog post, I wanted to try adding PuTTY at the file hash level only. This locks the policy down to this exact version, which adds overhead whenever a new release comes out, but since PuTTY isn't updated that often I will continue with file hash.

It seems that going forward Config Manager can help with this; it is going to be exciting to see.

This ends up with the following XML, which will be merged into our policy file and applied at the next reboot:

<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
   <VersionEx>10.0.0.0</VersionEx>
   <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
   <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
   <Rules>
     <Rule>
       <Option>Enabled:Unsigned System Integrity Policy</Option>
     </Rule>
     <Rule>
       <Option>Enabled:Audit Mode</Option>
     </Rule>
     <Rule>
       <Option>Enabled:Advanced Boot Options Menu</Option>
     </Rule>
     <Rule>
       <Option>Required:Enforce Store Applications</Option>
     </Rule>
     <Rule>
       <Option>Enabled:UMCI</Option>
     </Rule>
   </Rules>
   <!--EKUS-->
   <EKUs />
   <!--File Rules-->
   <FileRules>
     <Allow ID="ID_ALLOW_A_1" FriendlyName="C:\Source\PUTTY.EXE Hash Sha1" Hash="AB51FE77E5DB6A1979EEB6DFA6957613945F5562" />
     <Allow ID="ID_ALLOW_A_2" FriendlyName="C:\Source\PUTTY.EXE Hash Sha256" Hash="03EE66107D104F8ACA6E376D8B274ADF0D671A4D44F0549B6D83B775C0B21AAB" />
     <Allow ID="ID_ALLOW_A_3" FriendlyName="C:\Source\PUTTY.EXE Hash Page Sha1" Hash="736A707BFBB80DFE3EE4259DF8BCD078B505BB4A" />
     <Allow ID="ID_ALLOW_A_4" FriendlyName="C:\Source\PUTTY.EXE Hash Page Sha256" Hash="0843BA10DA94FC68065EA9B1FD53857106194E458FBF203948628A0EB3C539E3" />
   </FileRules>
   <!--Signers-->
   <Signers />
   <!--Driver Signing Scenarios-->
   <SigningScenarios>
     <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 05-07-2017">
       <ProductSigners />
     </SigningScenario>
     <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 05-07-2017">
       <ProductSigners>
         <FileRulesRef>
           <FileRuleRef RuleID="ID_ALLOW_A_1" />
           <FileRuleRef RuleID="ID_ALLOW_A_2" />
           <FileRuleRef RuleID="ID_ALLOW_A_3" />
           <FileRuleRef RuleID="ID_ALLOW_A_4" />
         </FileRulesRef>
       </ProductSigners>
     </SigningScenario>
   </SigningScenarios>
   <UpdatePolicySigners />
   <CiSigners />
   <HvciOptions>0</HvciOptions>
</SiPolicy>
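An added example in PowerShell (not from the post or from Microsoft's module) for checking a generated or merged policy before it is deployed: it parses the SiPolicy XML above, reports whether the policy is still in audit mode and which hash rules it carries, and compares the hash rules of a freshly generated Putty.xml against the merged policy so that a PuTTY update that would break the hash-level rule is spotted before the next reboot. File paths in the usage lines are placeholders.

```powershell
function Get-CIPolicySummary {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # The policy uses a default namespace, so XPath needs a prefix bound to it.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')
    $options = @($doc.SelectNodes('/si:SiPolicy/si:Rules/si:Rule/si:Option', $ns) |
        ForEach-Object InnerText)
    $hashes = @($doc.SelectNodes('/si:SiPolicy/si:FileRules/si:Allow[@Hash]', $ns) |
        ForEach-Object {
            [pscustomobject]@{ Id = $_.ID; Name = $_.FriendlyName; Hash = $_.Hash.ToUpperInvariant() }
        })
    [pscustomobject]@{
        Path      = $Path
        AuditMode = $options -contains 'Enabled:Audit Mode'  # violations are logged, nothing is blocked
        UMCI      = $options -contains 'Enabled:UMCI'        # user-mode rules are what cover PuTTY
        Options   = $options
        HashRules = $hashes
    }
}

function Compare-CIPolicyHashes {
    param([Parameter(Mandatory)][string]$ReferencePath,
          [Parameter(Mandatory)][string]$CandidatePath)
    $ref = Get-CIPolicySummary -Path $ReferencePath
    $new = Get-CIPolicySummary -Path $CandidatePath
    # Merge-CIPolicy can renumber rule IDs, but FriendlyName ("C:\Source\PUTTY.EXE Hash Sha256")
    # survives, so a rebuilt binary shows up as the same name with a different Hash value.
    foreach ($rule in $new.HashRules) {
        $match = $ref.HashRules | Where-Object Name -eq $rule.Name
        $status = if (-not $match) { 'NEW' }
                  elseif ($match.Hash -eq $rule.Hash) { 'UNCHANGED' }
                  else { 'CHANGED - rebuild and re-merge the policy' }
        [pscustomobject]@{ Rule = $rule.Name; Status = $status; Hash = $rule.Hash }
    }
}

# Usage (paths are placeholders): scan the updated binary the way the post does, then compare.
# $Putty = Get-SystemDriver -ScanPath 'C:\Source' -UserPEs
# New-CIPolicy -FilePath .\Putty_new.xml -DriverFiles $Putty -Level Hash -UserPEs
# Compare-CIPolicyHashes -ReferencePath .\FinalPolicy_Merged.xml -CandidatePath .\Putty_new.xml | Format-Table
# (Get-CIPolicySummary -Path .\FinalPolicy_Merged.xml).AuditMode   # $true: policy is still audit-only
```

The AuditMode flag matters because the generated Putty.xml above carries Enabled:Audit Mode; if that option survives the merge, a non-matching binary is only logged, not blocked.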

So after a reboot with the policy applied, we now have a working PuTTY.

But since the author's certificate wasn't whitelisted, we can't run his other tools. This was meant as an example of file hash versus certificate rules, not due to any lack of trust in Simon Tatham.