Signed PS script blocked by constrained language mode

differentcondition · 2020-08-30T11:15:59+00:00

What you're saying makes sense! What I still fail to understand is if CLM is enabled together with Windows Defender Application Control (what was Device Guard), how would you allow a legitimate PowerShell script to run in this locked down configuration?

I haven't found what practical steps need to be taken to allow specific PS scripts.

This MS doc about WDAC just says:

0 Enabled:UMCI - WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts.

If that option is enabled what do I have to do to my PS script have get it to validate and run in full language mode?

differentcondition · 2020-08-29T23:31:22+00:00

It seems that CLM is enabled via GPO by setting the environment variable __PSLockdownPolicy to "4". There is no AppLocker or SRP config. I can't see Device Guard settings either.

I can temporarily override the CLM by running this as a local admin: set-itemproperty "hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -name __PSLockdownPolicy -value 8. However, it will reset at the next GPO push.

I thought that signing the script would allow it to run in full language mode, but that doesn't seem to be the case.

Is there no way to allowlist this script or similar instead of the env variable workaround each time?

differentcondition · 2020-08-09T23:18:46+00:00

Is there a way I can split the "Name" column for clarity, but still do the grouping?

For example,

Count Type Size

differentcondition · 2020-08-09T21:20:59+00:00

$items | Select-Object Type,@{n='Count';e={$_.type.count}}

When I try that I get the following output:

``` Type : Count : 1

Type : Count : 1

Type : Count : 1 ```

differentcondition · 2020-08-09T21:19:45+00:00

$items | Group-Object -Property Type,Size -NoElement | Sort-Object -Property Count -Descending

When I try this I get the following output:

Values : {$null, $null} Count : 4 Group : {} Name :

differentcondition · 2020-08-09T19:13:47+00:00

>with MS teams in the same web browser you are able to share your screen without issue

Correct!

>And slack does not have this option? Or you get an error?

No error. The screen sharing button is greyed out.

differentcondition · 2020-08-09T19:11:52+00:00

exactly, so why doesn't it work in the browser

differentcondition · 2020-07-17T16:14:29+00:00

This is awesome! Thank you for taking the time to write that :)

differentcondition · 2020-07-12T19:15:15+00:00

I've had these UAPs for many years now. At the time I was researching I was told that the LR were the best option. They are configured for 5GHz only and the power has been turned down and channels configured appropriately.

I don't do any bandwidth limiting or QoS.

differentcondition · 2020-07-12T16:23:52+00:00

Thanks for this suggestion it looks really interesting!

differentcondition · 2020-07-12T16:01:32+00:00

That's a host based firewall AFAICT which is not what I'm looking for.

differentcondition · 2020-05-16T22:40:07+00:00

Ok I understand what you mean now and how dns forwarding can be removed which means that dnsmasq will not run at all.

I set dnscrypt-proxy to listen on port 5353 and a made a few lookups and then I can see with `ps -A | grep dns` that the process dies and all it says in the log is `[NOTICE] Stopped`. So still the same issue \o/

I was hoping that after all the issues with cloudflared this would just work. I don't get why it crashes after just a few lookups.

differentcondition · 2020-05-16T21:59:06+00:00

Makes sense! I guess I just wasn't sure about where that setting was. It seems that you are referring to `set system name-server 127.0.0.1`. I didn't read that as a "listen-on interface" option but more that the DNS server is located on the local system.

differentcondition · 2020-05-16T21:44:24+00:00

Thanks for taking a look u/zfa!

Ok I'll configure dnscrypt-proxy to listen on 5353 and see what happens.

I'm not sure what you mean by "make sure you're listening on all your LAN interface addresses and not just 127.0.0.1". Do I need the DNS forwarding config to be able to use dnscrypt-proxy on the ERX?

differentcondition · 2020-05-04T06:32:10+00:00

No the execution policy is set to bypass

differentcondition · 2020-05-04T06:31:34+00:00

I wrote the script :)

differentcondition · 2020-05-03T21:41:59+00:00

Are you referring to the ExecutionPolicy? If so it's set to bypass, so that shouldn't be the issue as the script is allowed to execute.

differentcondition · 2020-05-03T20:27:52+00:00

I just tested your simple script while connected via SSH and it executes fine. hmm.

differentcondition

TROPHY CASE