<?xml version="1.0"?>
<!--
  WDAC (Windows Defender Application Control) code-integrity policy.
  PolicyID and BasePolicyID carry the same GUID, so this is a base policy
  rather than a supplemental one. The Rules block enables UMCI and contains no
  "Enabled:Audit Mode" option, so once deployed the policy blocks rather than
  merely logs. Deploy in audit mode first if the deny list below has not yet
  been validated against the target fleet.
-->
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <!-- Policy-wide options. Any option not listed here is off. -->
  <Rules>
    <Rule>
      <!-- User Mode Code Integrity: user-mode executables, not only kernel drivers, are governed by this policy. -->
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>
      <!-- Kernel drivers must carry a WHQL signature; see the WHQL signers in the driver scenario below. -->
      <Option>Required:WHQL</Option>
    </Rule>
    <Rule>
      <!-- Extends UMCI checks to dynamically generated code (for example .NET loading assemblies from memory). -->
      <Option>Enabled:Dynamic Code Security</Option>
    </Rule>
    <Rule>
      <!-- Leaves the pre-boot options menu (F8) reachable. This is a usability trade-off: the menu exposes
           boot options that a lockdown build may prefer to hide. Review whether it is needed on these devices. -->
      <Option>Enabled:Advanced Boot Options Menu</Option>
    </Rule>
    <Rule>
      <!-- NOTE(review): Microsoft documents this option as reserved / having no effect; confirm before relying on it. -->
      <Option>Enabled:Inherit Default Policy</Option>
    </Rule>
    <Rule>
      <!-- Packaged (Store / UWP) applications are also subject to the policy instead of being implicitly trusted. -->
      <Option>Required:Enforce Store Applications</Option>
    </Rule>
    <Rule>
      <!-- Policy updates take effect without a reboot. -->
      <Option>Enabled:Update Policy No Reboot</Option>
    </Rule>
    <Rule>
      <!-- Flight-signed (Insider / pre-release) binaries are not trusted. -->
      <Option>Disabled:Flight Signing</Option>
    </Rule>
    <Rule>
      <!-- The policy binary is accepted without a signature. Combined with the empty UpdatePolicySigners
           element below, this means any local administrator can replace or remove the policy. For a
           production lockdown, sign the policy and list the signing certificate under UpdatePolicySigners,
           then drop this option. Do this only after the signing chain is verified: a signed policy
           with an unusable UpdatePolicySigners entry cannot be updated in place. -->
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
  </Rules>
  <!-- Extended Key Usage OIDs referenced by the Signer definitions below. Value is the DER-encoded OID. -->
  <EKUs>
    <EKU ID="ID_EKU_WINDOWS" Value="010A2B0601040182370A0306" FriendlyName="Windows System Component Verification" />
    <EKU ID="ID_EKU_WHQL" Value="010A2B0601040182370A0305" FriendlyName="Windows Hardware Driver Verification" />
    <EKU ID="ID_EKU_ELAM" Value="010A2B0601040182373D0401" FriendlyName="Early Launch Antimalware Driver" />
    <EKU ID="ID_EKU_HAL_EXT" Value="010A2B0601040182373D0501" FriendlyName="HAL Extension" />
    <EKU ID="ID_EKU_RT_EXT" Value="010A2B0601040182370A0315" FriendlyName="Windows RT Verification" />
    <EKU ID="ID_EKU_STORE" Value="010A2B0601040182374C0301" FriendlyName="Windows Store" />
    <EKU ID="ID_EKU_DCODEGEN" Value="010A2B0601040182374C0501" FriendlyName="Dynamic Code Generator" />
    <EKU ID="ID_EKU_AM" Value="010A2B0601040182374C0B01" FriendlyName="AntiMalware EKU -1.3.6.1.4.1.311.76.11.1" />
  </EKUs>
  <!--
    Deny rules. Because the user-mode scenario below trusts everything signed under Microsoft's Windows
    production root, these entries are what stop Microsoft-signed script hosts, debuggers, WSL components,
    registry tools and .NET build tooling from running under this policy. They are only effective when
    referenced from a SigningScenario (see FileRulesRef in the user-mode scenario).
    NOTE(review): WDAC FileName rules are understood to match the OriginalFileName field of the PE version
    resource rather than the name on disk; confirm against current Microsoft documentation, and keep the
    list in sync with Microsoft's published recommended block rules, which change between releases.
  -->
  <FileRules>
    <Deny ID="ID_DENY_D_0001" FileName="bash.exe" />
    <Deny ID="ID_DENY_D_0002" FileName="CDB.Exe" />
    <Deny ID="ID_DENY_D_0003" FileName="cmd.Exe" />
    <Deny ID="ID_DENY_D_0004" FileName="cscript.exe" />
    <Deny ID="ID_DENY_D_0005" FileName="csi.Exe" />
    <Deny ID="ID_DENY_D_0006" FileName="dnx.Exe" />
    <Deny ID="ID_DENY_D_0007" FileName="fsi.exe" />
    <Deny ID="ID_DENY_D_0008" FileName="hh.exe" />
    <Deny ID="ID_DENY_D_0009" FileName="infdefaultinstall.exe" />
    <Deny ID="ID_DENY_D_000A" FileName="kd.Exe" />
    <Deny ID="ID_DENY_D_000B" FileName="lxrun.exe" />
    <Deny ID="ID_DENY_D_000C" FileName="lxssmanager.dll" />
    <Deny ID="ID_DENY_D_000D" FileName="lxssmanager.exe" />
    <Deny ID="ID_DENY_D_000E" FileName="Microsoft.Workflow.Compiler.exe" />
    <Deny ID="ID_DENY_D_000F" FileName="MSBuild.Exe" />
    <Deny ID="ID_DENY_D_0010" FileName="mshta.exe" />
    <Deny ID="ID_DENY_D_0011" FileName="ntsd.Exe" />
    <Deny ID="ID_DENY_D_0012" FileName="powershellcustomhost.exe" />
    <Deny ID="ID_DENY_D_0013" FileName="rcsi.Exe" />
    <Deny ID="ID_DENY_D_0014" FileName="reg.exe" />
    <Deny ID="ID_DENY_D_0015" FileName="regedit.exe" />
    <Deny ID="ID_DENY_D_0016" FileName="regedt32.exe" />
    <Deny ID="ID_DENY_D_0017" FileName="regini.exe" />
    <Deny ID="ID_DENY_D_0018" FileName="runscripthelper.exe" />
    <Deny ID="ID_DENY_D_0019" FileName="samlock.exe" />
    <Deny ID="ID_DENY_D_001A" FileName="wbemtest.exe" />
    <Deny ID="ID_DENY_D_001B" FileName="windbg.Exe" />
    <Deny ID="ID_DENY_D_001C" FileName="wmic.exe" />
    <Deny ID="ID_DENY_D_001D" FileName="wscript.exe" />
    <Deny ID="ID_DENY_D_001E" FileName="wsl.exe" />
    <Deny ID="ID_DENY_D_001F" FileName="wslconfig.exe" />
    <Deny ID="ID_DENY_D_0020" FileName="wslhost.exe" />
    <Deny ID="ID_DENY_D_0021" FileName="MSBuild.dll" />
    <Deny ID="ID_DENY_D_0022" FileName="dotnet.exe" />
    <Deny ID="ID_DENY_D_0023" FileName="Microsoft.Build.dll" />
    <Deny ID="ID_DENY_D_0024" FileName="Microsoft.Build.Framework.dll" />
    <!-- Win 10 1909 - Will require periodic updating -->
    <!-- To block all previous versions, take the current version and subtract by one -->
    <!-- NOTE(review): the two comments above encode the author's understanding of how MinimumFileVersion
         behaves on a Deny rule. Verify the exact comparison (at-or-below vs. strictly below) against
         Microsoft's documentation for Deny rules before each version bump, and remember that the pinned
         build numbers go stale with every Windows update: a newer, still-vulnerable DLL will not be
         blocked until these values are raised. -->
    <Deny ID="ID_DENY_D_0025" FileName="msxml3.dll" MinimumFileVersion ="8.110.18362.238"/>
    <Deny ID="ID_DENY_D_0026" FileName="msxml6.dll" MinimumFileVersion ="6.30.18362.417"/>
    <Deny ID="ID_DENY_D_0027" FileName="jscript9.dll" MinimumFileVersion ="11.00.18362.0"/>
  </FileRules>
  <!--
    Trusted signers. CertRoot Type="Wellknown" refers to one of Microsoft's built-in well-known roots by
    index; Type="TBS" pins the hash of a specific certificate's to-be-signed portion. A CertEKU child
    narrows the signer to certificates that also carry that EKU.
  -->
  <Signers>
    <Signer Name="MincryptKnownRootMicrosoftDMDRoot2005" ID="ID_SIGNER_DRM">
      <CertRoot Type="Wellknown" Value="0C" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftProductRoot2010" ID="ID_SIGNER_DCODEGEN">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_DCODEGEN" />
    </Signer>
    <Signer Name="MincryptKnownRootMicrosoftStandardRoot2011" ID="ID_SIGNER_AM">
      <CertRoot Type="Wellknown" Value="07" />
      <CertEKU ID="ID_EKU_AM" />
    </Signer>
    <!-- Broadest user-mode trust anchor in this policy: any binary signed under the Windows production
         root with the Windows System Component EKU. The FileRules deny list exists to carve out the
         Microsoft-signed tools that would otherwise be allowed by this signer. -->
    <Signer Name="Microsoft Product Root 2010 Windows EKU" ID="ID_SIGNER_WINDOWS_PRODUCTION">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WINDOWS" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 ELAM EKU" ID="ID_SIGNER_ELAM_PRODUCTION">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_ELAM" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 HAL EKU" ID="ID_SIGNER_HAL_PRODUCTION">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_HAL_EXT" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 WHQL EKU" ID="ID_SIGNER_WHQL_SHA2">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <!-- The SHA1 and MD5 WHQL roots below are legacy anchors kept for compatibility with older signed
         drivers. If the fleet needs none of them, removing these two signers shrinks the trust surface. -->
    <Signer Name="Microsoft Product Root WHQL EKU SHA1" ID="ID_SIGNER_WHQL_SHA1">
      <CertRoot Type="Wellknown" Value="05" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <Signer Name="Microsoft Product Root WHQL EKU MD5" ID="ID_SIGNER_WHQL_MD5">
      <CertRoot Type="Wellknown" Value="04" />
      <CertEKU ID="ID_EKU_WHQL" />
    </Signer>
    <!-- Store signer, pinned by TBS hash rather than a well-known root index. -->
    <Signer Name="Signer 16" ID="ID_SIGNER_STORE">
      <CertRoot Type="TBS" Value="FC9EDE3DCCA09186B2D3BF9B738A2050CB1A554DA2DCADB55F3F72EE17721378" />
      <CertEKU ID="ID_EKU_STORE" />
    </Signer>
    <Signer Name="Microsoft Product Root 2010 RT EKU" ID="ID_SIGNER_RT_PRODUCTION">
      <CertRoot Type="Wellknown" Value="06" />
      <CertEKU ID="ID_EKU_RT_EXT" />
    </Signer>
    <Signer Name="Microsoft Standard Root 2001 RT EKU" ID="ID_SIGNER_RT_STANDARD">
      <CertRoot Type="Wellknown" Value="07" />
      <CertEKU ID="ID_EKU_RT_EXT" />
    </Signer>
    <Signer Name="Microsoft Windows PCA 2010" ID="ID_SIGNER_MSFT_PCA_2010_AM">
      <CertRoot Type="TBS" Value="90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212" />
      <CertEKU ID="ID_EKU_AM" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <!-- Value="131": kernel-mode (driver) scenario. Only Microsoft production / WHQL / ELAM / HAL signers,
         and no FileRulesRef, so the deny list above does not apply to drivers. -->
    <SigningScenario ID="ID_SIGNINGSCENARIO_DRIVERS_1" Value="131">
      <ProductSigners>
        <AllowedSigners>
          <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5" />
          <AllowedSigner SignerId="ID_SIGNER_MSFT_PCA_2010_AM" />
        </AllowedSigners>
      </ProductSigners>
      <TestSigners />
      <TestSigningSigners />
    </SigningScenario>
    <!-- Value="12": user-mode (Windows) scenario. Every Deny rule defined above is referenced here; a
         Deny that is added to FileRules but not to this FileRulesRef list has no effect. -->
    <SigningScenario ID="ID_SIGNINGSCENARIO_WINDOWS" Value="12">
      <ProductSigners>
        <AllowedSigners>
          <AllowedSigner SignerId="ID_SIGNER_WINDOWS_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_ELAM_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_HAL_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA2" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_SHA1" />
          <AllowedSigner SignerId="ID_SIGNER_WHQL_MD5" />
          <AllowedSigner SignerId="ID_SIGNER_STORE" />
          <AllowedSigner SignerId="ID_SIGNER_RT_PRODUCTION" />
          <AllowedSigner SignerId="ID_SIGNER_DRM" />
          <AllowedSigner SignerId="ID_SIGNER_DCODEGEN" />
          <AllowedSigner SignerId="ID_SIGNER_AM" />
          <AllowedSigner SignerId="ID_SIGNER_RT_STANDARD" />
          <AllowedSigner SignerId="ID_SIGNER_MSFT_PCA_2010_AM" />
        </AllowedSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_DENY_D_0001" />
          <FileRuleRef RuleID="ID_DENY_D_0002" />
          <FileRuleRef RuleID="ID_DENY_D_0003" />
          <FileRuleRef RuleID="ID_DENY_D_0004" />
          <FileRuleRef RuleID="ID_DENY_D_0005" />
          <FileRuleRef RuleID="ID_DENY_D_0006" />
          <FileRuleRef RuleID="ID_DENY_D_0007" />
          <FileRuleRef RuleID="ID_DENY_D_0008" />
          <FileRuleRef RuleID="ID_DENY_D_0009" />
          <FileRuleRef RuleID="ID_DENY_D_000A" />
          <FileRuleRef RuleID="ID_DENY_D_000B" />
          <FileRuleRef RuleID="ID_DENY_D_000C" />
          <FileRuleRef RuleID="ID_DENY_D_000D" />
          <FileRuleRef RuleID="ID_DENY_D_000E" />
          <FileRuleRef RuleID="ID_DENY_D_000F" />
          <FileRuleRef RuleID="ID_DENY_D_0010" />
          <FileRuleRef RuleID="ID_DENY_D_0011" />
          <FileRuleRef RuleID="ID_DENY_D_0012" />
          <FileRuleRef RuleID="ID_DENY_D_0013" />
          <FileRuleRef RuleID="ID_DENY_D_0014" />
          <FileRuleRef RuleID="ID_DENY_D_0015" />
          <FileRuleRef RuleID="ID_DENY_D_0016" />
          <FileRuleRef RuleID="ID_DENY_D_0017" />
          <FileRuleRef RuleID="ID_DENY_D_0018" />
          <FileRuleRef RuleID="ID_DENY_D_0019" />
          <FileRuleRef RuleID="ID_DENY_D_001A" />
          <FileRuleRef RuleID="ID_DENY_D_001B" />
          <FileRuleRef RuleID="ID_DENY_D_001C" />
          <FileRuleRef RuleID="ID_DENY_D_001D" />
          <FileRuleRef RuleID="ID_DENY_D_001E" />
          <FileRuleRef RuleID="ID_DENY_D_001F" />
          <FileRuleRef RuleID="ID_DENY_D_0020" />
          <FileRuleRef RuleID="ID_DENY_D_0021" />
          <FileRuleRef RuleID="ID_DENY_D_0022" />
          <FileRuleRef RuleID="ID_DENY_D_0023" />
          <FileRuleRef RuleID="ID_DENY_D_0024" />
          <FileRuleRef RuleID="ID_DENY_D_0025" />
          <FileRuleRef RuleID="ID_DENY_D_0026" />
          <FileRuleRef RuleID="ID_DENY_D_0027" />
        </FileRulesRef>
      </ProductSigners>
      <TestSigners />
      <TestSigningSigners />
    </SigningScenario>
  </SigningScenarios>
  <!-- Empty: no certificate is authorised to sign policy updates. This is consistent with the
       "Enabled:Unsigned System Integrity Policy" option above and must be populated before that
       option is removed. -->
  <UpdatePolicySigners />
  <!-- NOTE(review): the role of CiSigners is not derivable from this file alone; it mirrors the Store
       signer here. Confirm against the SiPolicy schema documentation before changing it. -->
  <CiSigners>
    <CiSigner SignerId="ID_SIGNER_STORE" />
  </CiSigners>
  <!-- Human-readable policy name and an identifier string; both surface in CodeIntegrity event logs,
       which is how enforcement and audit events from this policy can be attributed. -->
  <Settings>
    <Setting Provider="PolicyInfo" Key="Information" ValueName="Name">
      <Value>
        <String>Surface_Lockdown_Policy</String>
      </Value>
    </Setting>
    <Setting Provider="PolicyInfo" Key="Information" ValueName="Id">
      <Value>
        <String>12_24_2019</String>
      </Value>
    </Setting>
  </Settings>
</SiPolicy>
Hello, @mianubaid. WDAC doesn't work with .bat files by design. AppLocker can be used to audit/block .bat execution, however. Just note that .bat blocking is a weak mitigation and easy to bypass. You would at least benefit from execution attempts being logged.
Thanks, @mattifestation. I have already deployed WDAC plus an AppLocker Script rule collection to cover blocking of cmd/bat files. I was just checking whether there is a way to rely on WDAC alone to achieve this.
From Microsoft: "WDAC doesn't directly control code run via the Windows Command Processor (cmd.exe), including .bat/.cmd script files. However, anything that such a batch script tries to run is subject to WDAC control. If you don't need to run cmd.exe, it's recommended to block it outright or allow it only by exception based on the calling process." The last sentence, which says to allow it only by exception based on the calling process, makes me think that we can limit this, but I am not sure how.
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement
Thanks again for your reply.
Hi @mattifestation, could you please provide your advice on blocking batch files? In my experience of working with WDAC, I cannot see an option to block .bat files. We can block cmd completely, but that is not what we want. The idea is to at least block batch files within the standard user profile.
Any ideas on how to implement the above would be much appreciated.