Device Guard and Code Integrity Policies

Windows 10 Enterprise, Education, and Windows Server 2016 include Device Guard.  Device Guard is kind of like AppLocker, but is a more advanced form of whitelisting.  You create a Code Integrity policy that tells the OS what software and device drivers are allowed to run.  All of the software that you allow must be either digitally signed, or you can create a FileCatalog with PowerShell that tells the OS exactly what files are allowed to run, and if any software attempts to execute that is not listed in the Code Integrity Policy, it will be blocked.  That is basically how it works, but i am going to now go through what it takes to enable device guard, and to create policies, and also how to audit first to make sure you aren’t going to block yourself from running any essential applications or services.  Device Guard is a pretty complicated subject, and if you are not sure how to implement it in an enterprise or corporate environment, you should hire a security consultant to help you out.

Here’s some code to get you started with a simple Code Integrity policy
# To create a Base Code Integrity Policy from a Golden Computer:
# First we set up the variables CIPolicyPath, InitialCIPolicy and CIPolicyBin

$CIPolicyPath=$env:userprofile+’\Desktop\’

$InitialCIPolicy=$CIPolicyPath+’InitialScan.xml’

$CIPolicyBin=$CIPolicyPath+’DeviceGuardPolicy.bin’
# Now we will create a New CodeIntegrity Policy
New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt

<# Notes: When you specify the -UserPEs parameter (to include user mode executables in the scan), rule option 0 Enabled:UMCI is automatically added to the code integrity policy. In contrast, if you do not specify -UserPEs, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option 0 Enabled:UMCI, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. You can add the -Fallback parameter to catch any applications not discovered using the primary file rule level specified by the -Level parameter. For more information about file rule level options, see Code integrity file rule levels in “Deploy code integrity policies: policy rules and file rules.” To specify that the code integrity policy scan only a specific drive, include the -ScanPath parameter followed by a path. Without this parameter, the entire system is scanned. The preceding example includes 3> CIPolicylog.txt, which redirects warning messages to a text file, CIPolicylog.txt.
#>
# Use ConvertFrom-CIPolicy to convert the XML to binary format!
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin

# After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security.

# NOTE: Note We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see Merge code integrity policies.

After the computer is scanned, there should be a deviceguard.bin file created on your desktop. In order to deploy this policy, you need to move this file to the C:\Windows\system32\CodeIntegrity directory, and renamed to SIPolicy.p7b.
You then need to restart the computer to enter Device Guard Audit mode. Deploy your code integrity policy

Restart the reference system for the code integrity policy to take effect.

Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed code integrity policy will be logged in the Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational event log.
:

Paypal donate button can be used to get technical help as well.

First, you need to click on the $0.00 and change it to the amount you want to donate. Then, once you fill in the dollar amount, you can then choose to donate with paypal, or with a credit card. Thank you for your help. Once you donate, I may contact you to thank you and offer my services, if you choose to leave a contact method, but this is not required. I am available for both hardware and software services, please inquire for more info.





We are currently creating docker containers, and nodejs applications, but just inquire with your needs, we do it all. Thanks Again.

Sincerely, James

Windows 10 Creators Update 1703 includes a new tool to convert MBR disks to GPT disks

So I am working on converting a Windows 10 1703 installation that is installed on a MBR disk, and have been looking for the best way to convert it to a GPT disk, so that secure boot, credential guard, and device guard can be enabled. As you may or may not already know, if Windows 10 is installed on an MBR (Master Boot Record) disk, you can not take advantage of all the latest advances in security. Thankfully, Microsoft has included a tool called MBR2GPT.exe in the Windows\system32 directory. Although this tool is really supposed to be used from a PreInstallation Environment like WinPE, it can be used from inside a Windows 10 1703 Build 15063 installation if you use the command line switch /AllowFullOS.

However, it is not as easy to convert as one may think, especially if your first hard disk already has multiple partitions. This is a problem that I am working on fixing. I learned that running the command
MBR2GPT /validate /disk:0 /allowfullos
errors out for me and when I find the setuperr.log in the Windows directory, it says that the disk has too many partitions to convert to GPT. The log said this:
2017-04-02 17:29:34, Error ValidateLayout: Too many MBR partitions found, no room to create EFI system partition.
2017-04-02 17:29:34, Error Disk layout validation failed for disk 0
ValidateLayout: Too many MBR partitions found, no room to create EFI system partition.
Error Disk layout validation failed for disk 0

Therefore, I am going to have to blow away some partitions before converting this disk. This disk is an SSD with four partitions, but I have tried this from WinPE environment with a Disk that has only 2 partitions and it works. The problem with my SSD drive is that it has an MSR partition in the front, then the Windows C volume, then a Recovery partition, and then an HP Tools partition that I installed from an HP update for the BIOS.

Update: I went back and forth with the reader that commented below, via email and wanted to document how he fixed his problem so it could help someone else in the future. His first comment was :

I am getting an error when trying to do the validation:
ValidateLayout: Wrong boot partition count, expected 1 but found 0.

He then emailed me back and said that his OS Drive was on the first Physical Disk, but his boot partition aka system partition was on the second disk.

My next message to him was:

“Do you have any room to make another partition on the first drive?
I would try to shrink the OS Drive by like 500 mb, then create a new partition on the first drive, using FAT32 of 500mb, there is a way to label it MSR with diskpart, then try to copy the system files directly to that drive, but leave the system from the second disk in tact, so it will still boot, not sure if you can copy the boot files, but you can always try an in-place upgrade so you don’t lose any files. You want the MBR2GPT tool to think that the boot drive is on the first partition. You want the first drive to have two or three partitions, the FAT32 one where you copy the system and boot files over, the OS, and the Recovery drive if you need it. I don’t think I ever had the boot drive on another physical disk, but I have had to recreate the boot drive on my OS disk, and I used the macrium reflect rescue CD to rebuild the boot (System Drive for me). It makes it very easy, so I think it is possible. Let me know if you have any more questions.
Good luck
James

So he then tried this and came back and said :
That did the trick!
I created a new 500 mb partition using NTFS, copied the files from the old system partition. Ran mbr2gpt and everything works 🙂

Thank you so much !

Now I am not sure if secure boot will work now, because secure boot can be a little tricky to get going, but he was able to convert the first drive to GPT by shrinking the OS making a new partition on the OS Drive and copying the boot system partition from drive 2 to drive one. If anyone else has this problem in the future, try this… As far as getting secure boot enabled, that may just work, or it may require some more configuration. Hit me up if you need help with this.

Creating Dockerfiles to be built with Docker for Windows Community Edition.

Creating a Dockerfile is remarkably easy. A Dockerfile is basically a text file, that is used with Docker to build a container from a Docker image.  You usually start by creating a text file named Dockerfile in a new directory. You don’t want to put a Dockerfile in the root of the C drive for example, because every file and folder below the Dockerfile will get packaged into the built container.

First line of a Dockerfile usually is just a comment starting with a pound # sign.

Then you tell Docker what image to use when creating the container like this:

FROM ubuntu:15.04

Next you add a MAINTAINER which is your name and/or email address

MAINTAINER Name name@email.com

Now we start the next line with a RUN command, that tells the container the first command to run. For example,

RUN apt-get update && /bin/bash

After the RUN command, you can then use EXPOSE 80,443 to open firewall ports 80 and 443,

there are a few different commands we can use here, but the last command will be CMD

This CMD line tells the container what process to run as its main process, and since most containers are supposed to run only one process, (although they can run more than one, best-practice is to only run one process in each container)

CMD commands should be written inside of [] brackets…

CMD [“apache2ctl”, “-D”, “FOREGROUND”]
Final Dockerfile should look like this:

 

# Apache Web Server Dockerfile with apache2-utils and vim
FROM ubuntu:15.04
RUN apt-get update && apt-get install -y \
        apache2 \
        apache2-utils \
        vim \
        && apt-get clean \
        && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
EXPOSE 80
CMD [“apache2ctl”, “-D”, “FOREGROUND”]

Now you can mine bitcoin in your browser by just entering your bitcoin address

It is easier than ever to mine bitcoin, as the new site bitminer.io allow you to simply enter your bitcoin address and just leave the tab open and it will mine bitcoin for you about .0006 per day which may not seem like much but it will add up. Do it now and check it out using my link in the last sentence.

Setting up Docker on windows server 2016

docker logo

Although Docker is available in Windows Server 2016, it is not immediately obvious how to set it up and start running containers on a Windows Server 2016 server. The first step is to enable the Windows Feature Containers with the PowerShell command Install-WindowsFeature -Name Containers -Verbose . After enabling the Containers feature, installing Docker requires executing the following PowerShell commands:

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module -Name DockerMsftProvider -Force
Install-Package -Name docker -ProviderName DockerMsftProvider -Force
Restart-Computer
# Open firewall port 2375
netsh advfirewall firewall add rule name="docker engine" dir=in action=allow protocol=TCP localport=2375

# Configure Docker daemon to listen on both pipe and TCP (replaces docker --register-service invocation above)
Stop-Service docker
dockerd --unregister-service
dockerd -H npipe:// -H 0.0.0.0:2375 --register-service
Start-Service docker

Optionally you can also install the PowerShell Docker Dev module with the following commands:


Register-PSRepository -Name DockerPS-Dev -SourceLocation https://ci.appveyor.com/nuget/docker-powershell-dev

Install-Module Docker -Repository DockerPS-Dev -Scope CurrentUser

To be sure that Docker is installed run the following commands in PowerShell or Command Prompt:
docker version
docker info

Now you can download the microsoft windowsservercore or nanoserver images and begin creating containers.

docker pull microsoft/windowsservercore
docker pull microsoft/nanoserver

Microsoft Policy Analyzer 3.0 Update available

WARNING: THIS link will download Policy Analyzer 3.0 and samples in a safe zip file from Microsoft:

Microsoft Policy Analyzer 3.0 is now available  and according to Aaron Margosis: “Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs).”  There is a pdf file that is included with the download that explains how to use the application. The new updated 3.0 version also includes several PolicyRules files that can be imported into the Policy Analyzer application and used to compare to the computer’s policies or any imported GPO backup files.

The best use of this software in my opinion is to use it in a domain to analyze your organization’s Group Policy Objects and to look for conflicts with Local Policies or within all the GPOs. You can point it to the SYSVOL folder and import the group policy objects that are being used in the domain. Then by comparing them, you will be alerted to any conflicts and you can export the results to an Excel spreadsheet. It is an excellent tool that will take some time to get used to, but it is extremely important for any security professional to do an analysis of an organization’s policies.



Shop Amazon Gift Cards. Any Occasion. No Expiration.