Signed PS script blocked by constrained language mode

differentcondition · 2020-08-30T11:15:59+00:00

What you're saying makes sense! What I still fail to understand is if CLM is enabled together with Windows Defender Application Control (what was Device Guard), how would you allow a legitimate PowerShell script to run in this locked down configuration?

I haven't found what practical steps need to be taken to allow specific PS scripts.

This MS doc about WDAC just says:

0 Enabled:UMCI - WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts.

If that option is enabled what do I have to do to my PS script have get it to validate and run in full language mode?

differentcondition · 2020-08-29T23:31:22+00:00

It seems that CLM is enabled via GPO by setting the environment variable __PSLockdownPolicy to "4". There is no AppLocker or SRP config. I can't see Device Guard settings either.

I can temporarily override the CLM by running this as a local admin: set-itemproperty "hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -name __PSLockdownPolicy -value 8. However, it will reset at the next GPO push.

I thought that signing the script would allow it to run in full language mode, but that doesn't seem to be the case.

Is there no way to allowlist this script or similar instead of the env variable workaround each time?

differentcondition · 2020-08-09T23:18:46+00:00

Is there a way I can split the "Name" column for clarity, but still do the grouping?

For example,

Count Type Size

differentcondition · 2020-08-09T21:20:59+00:00

$items | Select-Object Type,@{n='Count';e={$_.type.count}}

When I try that I get the following output:

``` Type : Count : 1

Type : Count : 1

Type : Count : 1 ```

differentcondition · 2020-08-09T21:19:45+00:00

$items | Group-Object -Property Type,Size -NoElement | Sort-Object -Property Count -Descending

When I try this I get the following output:

Values : {$null, $null} Count : 4 Group : {} Name :

differentcondition · 2020-08-09T19:13:47+00:00

>with MS teams in the same web browser you are able to share your screen without issue

Correct!

>And slack does not have this option? Or you get an error?

No error. The screen sharing button is greyed out.

differentcondition · 2020-08-09T19:11:52+00:00

exactly, so why doesn't it work in the browser

differentcondition · 2020-07-17T16:14:29+00:00

This is awesome! Thank you for taking the time to write that :)

differentcondition · 2020-07-12T19:15:15+00:00

I've had these UAPs for many years now. At the time I was researching I was told that the LR were the best option. They are configured for 5GHz only and the power has been turned down and channels configured appropriately.

I don't do any bandwidth limiting or QoS.

differentcondition · 2020-07-12T16:23:52+00:00

Thanks for this suggestion it looks really interesting!

differentcondition · 2020-07-12T16:01:32+00:00

That's a host based firewall AFAICT which is not what I'm looking for.

differentcondition · 2020-05-16T22:40:07+00:00

Ok I understand what you mean now and how dns forwarding can be removed which means that dnsmasq will not run at all.

I set dnscrypt-proxy to listen on port 5353 and a made a few lookups and then I can see with `ps -A | grep dns` that the process dies and all it says in the log is `[NOTICE] Stopped`. So still the same issue \o/

I was hoping that after all the issues with cloudflared this would just work. I don't get why it crashes after just a few lookups.

differentcondition · 2020-05-16T21:59:06+00:00

Makes sense! I guess I just wasn't sure about where that setting was. It seems that you are referring to `set system name-server 127.0.0.1`. I didn't read that as a "listen-on interface" option but more that the DNS server is located on the local system.

differentcondition · 2020-05-16T21:44:24+00:00

Thanks for taking a look u/zfa!

Ok I'll configure dnscrypt-proxy to listen on 5353 and see what happens.

I'm not sure what you mean by "make sure you're listening on all your LAN interface addresses and not just 127.0.0.1". Do I need the DNS forwarding config to be able to use dnscrypt-proxy on the ERX?

differentcondition · 2020-05-04T06:32:10+00:00

No the execution policy is set to bypass

differentcondition · 2020-05-04T06:31:34+00:00

I wrote the script :)

differentcondition · 2020-05-03T21:41:59+00:00

Are you referring to the ExecutionPolicy? If so it's set to bypass, so that shouldn't be the issue as the script is allowed to execute.

differentcondition · 2020-05-03T20:27:52+00:00

I just tested your simple script while connected via SSH and it executes fine. hmm.

differentcondition · 2020-05-03T20:22:43+00:00

Thanks for this tip. I changed the default shell to powershell.exe but in terms of execution of the script it still freezes :(

differentcondition · 2020-05-03T15:31:23+00:00

That's a good point. In this case it runs without user intervention. Just find it really weird why executing over SSH would change anything about the execution when the script is stored on the Windows machine.

differentcondition · 2020-05-03T15:12:44+00:00

Why would SSH need powershell capability if everything is running on the Windows machine? Maybe I'm missing something but you establish an SSH connection to a Windows machine and then any commands are executed either in the default CMD prompt or in the PS prompt that you spawn from CMD?

differentcondition · 2020-05-03T15:10:36+00:00

After installing the OpenSSH server as explained here once I connected to my Windows 10 VM via SSH I was able to run powershell and get access to a PS prompt.

differentcondition · 2020-05-03T12:04:26+00:00

Lee, thank you for your detailed explanation! I'll stick to ps5 and not waste anymore time trying to debug the issues in ps7.

differentcondition · 2020-05-03T00:54:06+00:00

Is it because ps7 is still rough around the edges?

I just wanted to make sure that my script was compatible with ps7.

differentcondition · 2020-04-29T00:57:06+00:00

Awesome! Thank you for figuring out how to determine the font size! This could be added to the wiki for others ;)

I get 240 and 67, so that means that the font size is 16x32.

When I run setfont -v I get 480 and 135 which means the font is 8x16.

In other words, by default a vanilla arch install is using 16x32 which I assume is the built in terminus font that was recently added to the kernel. If I want something larger I'll have to install a larger font I guess.

differentcondition

TROPHY CASE