Kim Oppalfens
Kim Oppalfens 08.03.2019 10:47 (GMT+2) PowerShell 5.0 and Applocker. When security doesn’t mean security (part 2)

Why do you want to screen .PS1 files yet have the interactive prompt fully open?

There's a multitude of ways to execute PowerShell code that don't rely on a PS1 file. If the interactive prompt is open, your system is open. PowerShell -command is not the only way to use the interactive prompt. I could just as easily send keyboard commands to a machine.

Kim Oppalfens
Kim Oppalfens 07.03.2019 16:12 (GMT+2) PowerShell 5.0 and Applocker. When security doesn’t mean security

The main issue seems to be interactive shells for the people that develop scripts. So why don't you give those a path rule that allows them to run in full language mode? If they are supposed to be able to run anything in interactive mode anyway, there's no protecting them.

You can argue ad nauseam that this isn't a security feature because it can be bypassed. But by that standard, nothing is a security feature or boundary, as just about anything has flaws that allow bypasses. The simple reality is that this stops a ton of automated attacks by attackers that didn't go the extra mile to include an AWL bypass. Your policy building skills can stop some of those bypasses as well.

Enable AWL & Constrained language mode for everyone in your company that never ever runs any code that wouldn't work in constrained language mode. Enable AWL & create a rule to allow full language mode for everyone that does develop code.

As to not adding an allow rule to a user-writable path being a no-no, sure. But if you require an interactive shell that allows anything to run during code development, allowing that or a file in a user-writable path are equally insecure.
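Editor's added example (not the commenter's or the article author's code): the split proposed in the comment above, expressed as an AppLocker Script rule collection. Everyone may run scripts only from the Windows and Program Files folders, so PowerShell 5 runs any other script, and the interactive prompt of such users, in ConstrainedLanguage mode; members of one developer group may run any script and therefore keep FullLanguage mode. The group name CONTOSO\ScriptDevelopers, the output file and the probe paths are placeholders, and the list of user-writable exceptions under %WINDIR% is the commonly cited one, to be verified on your own build. Run elevated in Windows PowerShell 5 with the AppLocker module; the Application Identity service must be running for enforcement.

```powershell
# Added example, not from the blog or its comments. Builds, tests and optionally
# applies an AppLocker Script rule collection: Everyone -> Windows/Program Files
# only (ConstrainedLanguage for everything else), developer group -> any script.
# ASSUMPTIONS: CONTOSO\ScriptDevelopers is a placeholder group; paths are placeholders.
param([switch] $Apply)   # without -Apply the policy is only written and tested

Import-Module AppLocker

function Resolve-GroupSid {
    param([Parameter(Mandatory)] [string] $Name)
    # AppLocker rules store SIDs, not names, in UserOrGroupSid.
    try {
        ([System.Security.Principal.NTAccount] $Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        throw "Cannot resolve '$Name'; replace the placeholder with a real group. $_"
    }
}

function New-ScriptRulePolicyXml {
    param(
        [Parameter(Mandatory)] [string] $DeveloperGroupSid,
        [ValidateSet('Enabled', 'AuditOnly')] [string] $Mode = 'AuditOnly'
    )
    # S-1-1-0 is Everyone. The exceptions carve commonly cited user-writable
    # folders out of %WINDIR% so the Everyone rule does not cover a path a
    # standard user can drop a script into (check your build with icacls).
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="$Mode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: scripts in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: scripts in Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Script developers: any script (FullLanguage)"
                  Description="Members may run any script, so their sessions are not constrained"
                  UserOrGroupSid="$DeveloperGroupSid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Test-ScriptDecision {
    param([string] $PolicyXml, [string] $ScriptPath, [string] $User)
    # Evaluates one file against the policy for a user or group SID without
    # applying anything; PolicyDecision is Allowed, Denied or DeniedByDefault.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $ScriptPath -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$devGroup  = 'CONTOSO\ScriptDevelopers'                      # placeholder
$devSid    = Resolve-GroupSid -Name $devGroup
$policyXml = Join-Path $env:TEMP 'ScriptRules.xml'           # placeholder output
New-ScriptRulePolicyXml -DeveloperGroupSid $devSid | Set-Content -Path $policyXml -Encoding UTF8

# Two probes: a script in a user-writable folder and one shipped with Windows.
$userScript = Join-Path $env:TEMP 'probe.ps1'
Set-Content -Path $userScript -Value 'Write-Output "hello"'
$winScript  = Get-ChildItem "$env:WINDIR\System32\WindowsPowerShell\v1.0" -Recurse -Include *.ps1, *.psm1 |
              Select-Object -First 1 -ExpandProperty FullName

$me = "$env:USERDOMAIN\$env:USERNAME"
Test-ScriptDecision $policyXml $userScript $me       # DeniedByDefault unless $me is a developer
Test-ScriptDecision $policyXml $winScript  $me       # Allowed by the %WINDIR% rule
Test-ScriptDecision $policyXml $userScript $devSid   # Allowed by the developer rule

if ($Apply) {
    # Merge into the local policy (use -Ldap to target a GPO instead). Start in
    # AuditOnly, review the "AppLocker/MSI and Script" event log, then switch
    # $Mode to Enabled.
    Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
}

# Once enforced, a new PowerShell 5 session reports the mode it was given:
# ConstrainedLanguage for non-developers, FullLanguage for group members.
$ExecutionContext.SessionState.LanguageMode
```

The developer rule is deliberately a wildcard: as the comment says, a user who must be able to run anything interactively cannot be protected by a narrower path, so the only useful decision is who belongs to that group.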

Vadims Podāns
Vadims Podāns 05.03.2019 10:49 (GMT+2) Designing CRL Distribution Points and Authority Information Access locations

You can't run pkiview.msc in non-domain environments. At least one Enterprise CA must be installed. pkiview.msc automatically builds PKI hierarchy based on certificate chains.

Tim Kuhnell
Tim Kuhnell 05.03.2019 10:40 (GMT+2) Designing CRL Distribution Points and Authority Information Access locations

Hello Vadims, great article. How do you get pkiview.msc to run on the standalone root CA? 

'An Enterprise CA cannot be located.  Verify that an Enterprise CA exists in your forest and is listed in the Enrollment Services container on your domain controller.'

Br, Tim 

sebus
sebus 02.03.2019 17:31 (GMT+2) Retrieve CNG key container name and unique name

The last chunk of 19-line code does not actually output ContainerName,

so just slot in $keyProv