my personal blog about systemcenter

Building a secure workstation one step at a time, Part 1

I've been trying to spend more time on device security, and have been using Device Guard to lock down an admin workstation and some servers.

I'm following the examples from Matt's post on merging a baseline with new policies.

If you don't follow @mattifestation (Matt Graeber), start now; his published work on Device Guard is gold.


Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\explorer.exe) attempted to load \Device\HarddiskVolume4\Source\PUTTY.EXE that did not meet the Enterprise signing level requirements.

So I wanted to add PuTTY to my base policy.

# Scan the folder holding PuTTY; -UserPEs includes user-mode executables, not only drivers
$Putty = Get-SystemDriver -ScanPath 'C:\Source' -UserPEs

# Stand-alone hash-level policy for PuTTY (this is the XML shown further down)
New-CIPolicy -FilePath Putty.xml -DriverFiles $Putty -Level Hash -UserPEs

# Rules to merge into the base policy. Hash level pins this exact build of PuTTY;
# -Level Publisher would instead trust anything signed by the same publisher certificate
$PuttyRules = New-CIPolicyRule -DriverFiles $Putty -Level Hash

# Merge the new rules into the existing base policy
$MasterRuleXml = 'FinalPolicy.xml'
Merge-CIPolicy -OutputFilePath FinalPolicy_Merged.xml -PolicyPaths $MasterRuleXml -Rules $PuttyRules

# Compile to the binary form that Code Integrity loads at boot
ConvertFrom-CIPolicy -XmlFilePath .\FinalPolicy_Merged.xml -BinaryFilePath SIPolicy.p7b

Following the example in Matt's blog post, I wanted to try adding PuTTY at file-hash level only. This locks the policy to this exact build, which adds overhead whenever a new release comes out: the new binary's hashes have to be generated and merged into the policy before it will run. Since PuTTY isn't updated that often, I'll stick with file hash.
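As an added example (not code from the original post or from Matt's write-up), the following PowerShell checks whether a newly downloaded PuTTY build is already covered by the hash rules in the merged policy, which is exactly the maintenance cost described above. It assumes the ConfigCI module is available, that the new build sits in C:\Source\New, and that the merged policy is .\FinalPolicy_Merged.xml; all three names are assumptions.

```powershell
# Added example: is this build of PuTTY already allowed by the merged policy?
# Assumptions (not from the post): ConfigCI module present, new build in C:\Source\New,
# merged policy at .\FinalPolicy_Merged.xml.
$NewBuildPath = 'C:\Source\New'
$PolicyPath   = '.\FinalPolicy_Merged.xml'

# Let ConfigCI compute the hashes the same way it did for the policy.
# The "Hash Sha256" value in a policy is the Authenticode (PE image) hash, so
# Get-FileHash on the raw file does NOT produce a comparable value; generating a
# throwaway hash policy for the new build is the reliable way to get matching hashes.
$TempPolicy = Join-Path $env:TEMP 'NewPutty_Hash.xml'
$NewFiles   = Get-SystemDriver -ScanPath $NewBuildPath -UserPEs
New-CIPolicy -FilePath $TempPolicy -DriverFiles $NewFiles -Level Hash -UserPEs

# Collect every <Allow Hash="..."> element from a policy document
$ns = @{ si = 'urn:schemas-microsoft-com:sipolicy' }
function Get-AllowHashes([string]$Path) {
    $xml = [xml](Get-Content -Raw -Path $Path)
    Select-Xml -Xml $xml -Namespace $ns -XPath '//si:FileRules/si:Allow[@Hash]' |
        ForEach-Object { $_.Node }
}
$Deployed = Get-AllowHashes $PolicyPath | ForEach-Object { $_.Hash.ToUpperInvariant() }
$Needed   = Get-AllowHashes $TempPolicy

# Any rule for the new build whose hash is absent from the deployed policy means
# the new binary would be blocked (or audited) until the policy is refreshed.
$Missing = foreach ($rule in $Needed) {
    if ($Deployed -notcontains $rule.Hash.ToUpperInvariant()) {
        [pscustomobject]@{ File = $rule.FriendlyName; Hash = $rule.Hash }
    }
}

if ($Missing) {
    Write-Warning "This build is NOT covered by $PolicyPath; $(@($Missing).Count) hash rule(s) would need to be merged in:"
    $Missing | Format-Table -AutoSize
} else {
    Write-Host "Every hash rule for $NewBuildPath is already present in $PolicyPath"
}
Remove-Item $TempPolicy -ErrorAction SilentlyContinue
```

Run it before rolling out a PuTTY update; if it reports missing rules, the same Get-SystemDriver / New-CIPolicyRule / Merge-CIPolicy sequence shown above produces the refreshed policy.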

It seems that going forward Configuration Manager can help with this; it will be exciting to see.

This ends up with the following XML. Because the merge above passes rule objects via -Rules, only the Allow entries and their FileRuleRefs are carried into FinalPolicy_Merged.xml; the Option lines (audit mode, unsigned policy) belong to this stand-alone file, and the base policy's own options continue to apply once the merged policy is installed and takes effect at the next reboot.

<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Audit Mode</Option>
    </Rule>
    <Rule>
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
  </Rules>
  <EKUs />
  <!--File Rules-->
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="C:\Source\PUTTY.EXE Hash Sha1" Hash="AB51FE77E5DB6A1979EEB6DFA6957613945F5562" />
    <Allow ID="ID_ALLOW_A_2" FriendlyName="C:\Source\PUTTY.EXE Hash Sha256" Hash="03EE66107D104F8ACA6E376D8B274ADF0D671A4D44F0549B6D83B775C0B21AAB" />
    <Allow ID="ID_ALLOW_A_3" FriendlyName="C:\Source\PUTTY.EXE Hash Page Sha1" Hash="736A707BFBB80DFE3EE4259DF8BCD078B505BB4A" />
    <Allow ID="ID_ALLOW_A_4" FriendlyName="C:\Source\PUTTY.EXE Hash Page Sha256" Hash="0843BA10DA94FC68065EA9B1FD53857106194E458FBF203948628A0EB3C539E3" />
  </FileRules>
  <Signers />
  <!--Driver Signing Scenarios-->
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 05-07-2017">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 05-07-2017">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_ALLOW_A_1" />
          <FileRuleRef RuleID="ID_ALLOW_A_2" />
          <FileRuleRef RuleID="ID_ALLOW_A_3" />
          <FileRuleRef RuleID="ID_ALLOW_A_4" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
</SiPolicy>

So after a reboot with the policy applied:


We now have a working PuTTY.


But since the author's certificate wasn't whitelisted, we can't run his other tools; a Publisher rule on his signing certificate would have covered the rest of the PuTTY suite, at the cost of trusting every binary signed with it. This was meant as an example of file hash versus certificate rules, not a sign of any lack of trust in Simon Tatham.
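To see which other tools are being stopped, this added PowerShell (not from the original post) lists the Code Integrity events that record a blocked load: event 3077 is a block under an enforced policy, 3076 the "would have been blocked" record written in audit mode. It reads the EventData fields FileNameBuffer, ProcessNameBuffer and SHA256Hash from the event XML; those are the field names carried by the 3076/3077 events, and any other names below are local variables of this example.

```powershell
# Added example: which binaries has Code Integrity blocked (3077) or flagged in audit mode (3076)?
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -ErrorAction SilentlyContinue

function Get-CiEventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    # Read a named <Data> element from the event XML instead of relying on positional Properties
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$Blocked = foreach ($e in $Events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 3077) { 'Blocked' } else { 'Audit' }
        File    = Get-CiEventField $e 'FileNameBuffer'
        Process = Get-CiEventField $e 'ProcessNameBuffer'
        # Authenticode SHA256 of the image, i.e. the value a "Hash Sha256" Allow rule needs
        Sha256  = Get-CiEventField $e 'SHA256Hash'
    }
}

# One row per distinct file, so each blocked tool shows up once rather than per attempt
$Blocked | Sort-Object File -Unique | Format-Table Time, Mode, File, Process, Sha256 -AutoSize

# File paths are NT device paths (\Device\HarddiskVolumeN\...), like the event quoted at the
# top of this post; map them to drive letters before feeding the folders to Get-SystemDriver.
```

Running this right after the reboot shows every PuTTY companion (pscp, plink, and so on) that the hash-only policy rejects, together with the hash you would add if you chose to allow it individually rather than by publisher.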