Multiple changes

* Improved the App Control Simulation performance and accuracy by extracting all types of hashes from the XML policy and including them in the simulation instead of just SHA 256. * Improved the performance of the AppControl Manager by replacing a frequently used method with lower-level variation. * When assigning policy path to the [Configure Policy Rule Options](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Configure-Policy-Rule-Options) page, the rule options section is now automatically expanded, instantly showing you the results. * The [Configure Policy Rule Options](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Configure-Policy-Rule-Options) page now handles policy deployments better and will warn you if you try to deploy signed policy by referring you to use the [Deploy App Control Policy page](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Deploy-App-Control-Policy) where you can provide signing information. * The Strict Kernel mode policy templates now have a setting that allow COM objects to be used, just like other built-in templates. * Bumped version to `1.9.4.0` * Improved multiple comments in the code. * Renamed a class's file name to match the class name.
HotCakeX · Feb 28, 2025 · 07e6113 · 07e6113
1 parent e8469c1
commit 07e6113
Show file tree

Hide file tree

Showing 17 changed files with 260 additions and 238 deletions.
diff --git a/AppControl Manager/AppControl Manager.csproj b/AppControl Manager/AppControl Manager.csproj
@@ -79,7 +79,7 @@
     <PublishAot>True</PublishAot>
     <OptimizationPreference>Speed</OptimizationPreference>
     <ErrorReport>send</ErrorReport>
-    <FileVersion>1.9.3.0</FileVersion>
+    <FileVersion>1.9.4.0</FileVersion>
     <AssemblyVersion>$(FileVersion)</AssemblyVersion>
     <NeutralLanguage>en-US</NeutralLanguage>
     <PackageLicenseFile>LICENSE</PackageLicenseFile>

diff --git a/AppControl Manager/Main/AppControlSimulation.cs b/AppControl Manager/Main/AppControlSimulation.cs
@@ -20,6 +20,12 @@ namespace AppControlManager.Main;
 internal static class AppControlSimulation
 {
 
+	// Extensions that are not supported by Authenticode. So if these files are not allowed by hash, they are not allowed at all
+	private static readonly HashSet<string> unsignedExtensions = new(StringComparer.OrdinalIgnoreCase)
+		{
+			".ocx", ".bat", ".bin"
+		};
+
 	/// <summary>
 	/// An Aux method that calls the main method then checks the result to make sure all files are allowed, if they are then returns true, otherwise returns false
 	/// </summary>
@@ -163,13 +169,6 @@ internal static ConcurrentDictionary<string, SimulationOutput> Invoke(
 		// Get the signer information from the XML
 		List<SignerX> SignerInfo = GetSignerInfo.Get(XMLData);
 
-		// Extensions that are not supported by Authenticode. So if these files are not allowed by hash, they are not allowed at all
-		HashSet<string> unsignedExtensions = new(StringComparer.OrdinalIgnoreCase)
-		{
-			".ocx", ".bat", ".bin"
-		};
-
-
 		#region Region FilePath Rule Checking
 		Logger.Write("Checking see if the XML policy has any FilePath rules");
 
@@ -222,10 +221,10 @@ internal static ConcurrentDictionary<string, SimulationOutput> Invoke(
 			Logger.Write("Skipping Security Catalogs in the Simulation.");
 		}
 
-		// Hash Sha256 values of all the file rules based on hash in the supplied xml policy file
-		Logger.Write("Getting the Sha256 Hash values of all the file rules based on hash in the supplied xml policy file");
+		// All Hash values of all the file rules based on hash in the supplied xml policy file
+		Logger.Write("Getting the Hash values of all the file rules based on hash in the supplied xml policy file");
 
-		HashSet<string> SHA256HashesFromXML = [.. GetFileRuleOutput.Get(XMLData).Select(i => i.HashValue)];
+		HashSet<string> AllHashTypesFromXML = GetFileHashes.Get(XMLData);
 
 		Logger.Write("Getting all of the file paths of the files that App Control supports, from the user provided directory");
 
@@ -347,7 +346,7 @@ internal static ConcurrentDictionary<string, SimulationOutput> Invoke(
 					}
 
 					// if the file's hash exists in the XML file then add the file's path to the allowed files and do not check anymore that whether the file is signed or not
-					if (SHA256HashesFromXML.Contains(CurrentFilePathHashSHA256))
+					if (AllHashTypesFromXML.Contains(CurrentFilePathHashSHA256) || AllHashTypesFromXML.Contains(CurrentFilePathHashSHA1))
 					{
 						_ = FinalSimulationResults.TryAdd(CurrentFilePath.FullName,
 							new SimulationOutput(

diff --git a/AppControl Manager/Main/BasePolicyCreator.cs b/AppControl Manager/Main/BasePolicyCreator.cs
@@ -390,7 +390,7 @@ internal static void GetDriversBlockRules(string StagingArea)
 	/// <param name="RequireEVSigners"></param>
 	/// <param name="EnableScriptEnforcement"></param>
 	/// <param name="TestMode"></param>
-	internal static void BuildAllowMSFT(string StagingArea, bool IsAudit, ulong? LogSize, bool deploy, bool RequireEVSigners, bool EnableScriptEnforcement, bool TestMode, bool? deployAppControlSupplementalPolicy, string? PolicyIDToUse = null, bool DeployMicrosoftRecommendedBlockRules = true)
+	internal static void BuildAllowMSFT(string StagingArea, bool IsAudit, ulong? LogSize, bool deploy, bool RequireEVSigners, bool EnableScriptEnforcement, bool TestMode, bool deployAppControlSupplementalPolicy, string? PolicyIDToUse, bool DeployMicrosoftRecommendedBlockRules)
 	{
 
 		string policyName;
@@ -431,8 +431,7 @@ internal static void BuildAllowMSFT(string StagingArea, bool IsAudit, ulong? Log
 			policyID = PolicyIDToUse;
 		}
 
-
-		if (deployAppControlSupplementalPolicy == true)
+		if (deployAppControlSupplementalPolicy)
 		{
 			// Supply the policy ID of the policy being deployed to this method
 			SupplementalForSelf.Deploy(StagingArea, policyID);
@@ -448,7 +447,6 @@ internal static void BuildAllowMSFT(string StagingArea, bool IsAudit, ulong? Log
 			ScriptEnforcement: EnableScriptEnforcement,
 			TestMode: TestMode);
 
-
 		if (deploy)
 		{
 			Logger.Write("Converting the policy file to .CIP binary");
@@ -460,7 +458,6 @@ internal static void BuildAllowMSFT(string StagingArea, bool IsAudit, ulong? Log
 
 		File.Copy(tempPolicyPath, finalPolicyPath, true);
 
-
 		// Assign the created policy path to the Sidebar if condition is met
 		MainWindow.Instance.AssignToSidebar(finalPolicyPath);
 	}
@@ -476,7 +473,7 @@ internal static void BuildAllowMSFT(string StagingArea, bool IsAudit, ulong? Log
 	/// <param name="RequireEVSigners"></param>
 	/// <param name="EnableScriptEnforcement"></param>
 	/// <param name="TestMode"></param>
-	internal static void BuildDefaultWindows(string StagingArea, bool IsAudit, ulong? LogSize, bool deploy, bool RequireEVSigners, bool EnableScriptEnforcement, bool TestMode, bool? deployAppControlSupplementalPolicy, string? PolicyIDToUse = null, bool DeployMicrosoftRecommendedBlockRules = true)
+	internal static void BuildDefaultWindows(string StagingArea, bool IsAudit, ulong? LogSize, bool deploy, bool RequireEVSigners, bool EnableScriptEnforcement, bool TestMode, bool deployAppControlSupplementalPolicy, string? PolicyIDToUse, bool DeployMicrosoftRecommendedBlockRules)
 	{
 
 		string policyName;
@@ -518,8 +515,7 @@ internal static void BuildDefaultWindows(string StagingArea, bool IsAudit, ulong
 			policyID = PolicyIDToUse;
 		}
 
-
-		if (deployAppControlSupplementalPolicy == true)
+		if (deployAppControlSupplementalPolicy)
 		{
 			// Supply the policy ID of the policy being deployed to this method
 			SupplementalForSelf.Deploy(StagingArea, policyID);
@@ -535,7 +531,6 @@ internal static void BuildDefaultWindows(string StagingArea, bool IsAudit, ulong
 			ScriptEnforcement: EnableScriptEnforcement,
 			TestMode: TestMode);
 
-
 		if (deploy)
 		{
 			Logger.Write("Converting the policy file to .CIP binary");
@@ -547,7 +542,6 @@ internal static void BuildDefaultWindows(string StagingArea, bool IsAudit, ulong
 
 		File.Copy(tempPolicyPath, finalPolicyPath, true);
 
-
 		// Assign the created policy path to the Sidebar if condition is met
 		MainWindow.Instance.AssignToSidebar(finalPolicyPath);
 	}
@@ -658,7 +652,7 @@ internal static void GetBlockRules(string StagingArea, bool deploy)
 	/// <param name="RequireEVSigners"></param>
 	/// <param name="EnableScriptEnforcement"></param>
 	/// <param name="TestMode"></param>
-	internal static void BuildSignedAndReputable(string StagingArea, bool IsAudit, ulong? LogSize, bool deploy, bool RequireEVSigners, bool EnableScriptEnforcement, bool TestMode, bool? deployAppControlSupplementalPolicy, string? PolicyIDToUse = null, bool DeployMicrosoftRecommendedBlockRules = true)
+	internal static void BuildSignedAndReputable(string StagingArea, bool IsAudit, ulong? LogSize, bool deploy, bool RequireEVSigners, bool EnableScriptEnforcement, bool TestMode, bool deployAppControlSupplementalPolicy, string? PolicyIDToUse, bool DeployMicrosoftRecommendedBlockRules)
 	{
 
 		string policyName;
@@ -710,15 +704,14 @@ internal static void BuildSignedAndReputable(string StagingArea, bool IsAudit, u
 			policyID = PolicyIDToUse;
 		}
 
-
-		if (deployAppControlSupplementalPolicy == true)
+		if (deployAppControlSupplementalPolicy)
 		{
+			// Supply the policy ID of the policy being deployed to this method
 			SupplementalForSelf.Deploy(StagingArea, policyID);
 		}
 
 		SetCiPolicyInfo.Set(tempPolicyPath, new Version("1.0.0.0"), PolicyIDToUse);
 
-
 		if (deploy)
 		{
 			ConfigureISGServices.Configure();
@@ -732,7 +725,6 @@ internal static void BuildSignedAndReputable(string StagingArea, bool IsAudit, u
 
 		File.Copy(tempPolicyPath, finalPolicyPath, true);
 
-
 		// Assign the created policy path to the Sidebar if condition is met
 		MainWindow.Instance.AssignToSidebar(finalPolicyPath);
 	}

diff --git a/AppControl Manager/Others/PolicyHashObj.cs b/AppControl Manager/Others/PolicyHashObj.cs
diff --git a/AppControl Manager/Others/SupplementalForSelf.cs b/AppControl Manager/Others/SupplementalForSelf.cs
@@ -3,21 +3,23 @@
 using System.IO;
 using System.Linq;
 using AppControlManager.Main;
+using AppControlManager.SiPolicy;
 using AppControlManager.SiPolicyIntel;
+using AppControlManager.XMLOps;
 
 namespace AppControlManager.Others;
 
 internal static class SupplementalForSelf
 {
 	/// <summary>
-	/// Deploys the Supplemental Policy that allows the Application to be allowed to run after deployment
-	/// Each Base policy should have this supplemental policy
+	/// Deploys the Supplemental Policy that allows the Application to be allowed to run after deployment.
+	/// Each Base policy should have this supplemental policy.
 	/// </summary>
 	/// <param name="StagingArea"></param>
 	internal static void Deploy(string StagingArea, string basePolicyID)
 	{
 		// Instantiate the policy
-		SiPolicy.SiPolicy policyObj = SiPolicy.Management.Initialize(GlobalVars.AppControlManagerSpecialPolicyPath, null);
+		SiPolicy.SiPolicy policyObj = Management.Initialize(GlobalVars.AppControlManagerSpecialPolicyPath, null);
 
 		#region Replace the BasePolicyID of the Supplemental Policy and reset its PolicyID which is necessary in order to have more than 1 of these supplemental policies deployed on the system
 
@@ -38,14 +40,15 @@ internal static void Deploy(string StagingArea, string basePolicyID)
 		string cipPath = Path.Combine(StagingArea, $"{GlobalVars.AppControlManagerSpecialPolicyName}.cip");
 
 		// Save the XML to the path as XML file
-		SiPolicy.Management.SavePolicyToFile(policyObj, savePath);
+		Management.SavePolicyToFile(policyObj, savePath);
 
 		Logger.Write($"Checking the deployment status of '{GlobalVars.AppControlManagerSpecialPolicyName}' Supplemental policy");
 
 		// Get all the deployed supplemental policies to see if our policy is among them
 
 		string trimmedBasePolicyID = basePolicyID.Trim('{', '}');
 
+		// Get all of the supplemental policies deployed on the system
 		List<CiPolicyInfo> CurrentlyDeployedSupplementalPolicyNoFilter = CiToolHelper.GetPolicies(false, false, true);
 
 		List<CiPolicyInfo> CurrentlyDeployedSupplementalPolicy1stFilter = [.. CurrentlyDeployedSupplementalPolicyNoFilter.Where(policy => string.Equals(policy.FriendlyName, GlobalVars.AppControlManagerSpecialPolicyName, StringComparison.OrdinalIgnoreCase))];
@@ -79,7 +82,7 @@ internal static void DeploySigned(string basePolicyID, string CertPath, string S
 		DirectoryInfo stagingArea = StagingArea.NewStagingArea("SignedSupplementalPolicySpecialDeployment");
 
 		// Instantiate the policy
-		SiPolicy.SiPolicy policyObj = SiPolicy.Management.Initialize(GlobalVars.AppControlManagerSpecialPolicyPath, null);
+		SiPolicy.SiPolicy policyObj = Management.Initialize(GlobalVars.AppControlManagerSpecialPolicyPath, null);
 
 		#region Replace the BasePolicyID of the Supplemental Policy and reset its PolicyID which is necessary in order to have more than 1 of these supplemental policies deployed on the system
 
@@ -98,7 +101,7 @@ internal static void DeploySigned(string basePolicyID, string CertPath, string S
 		string savePath = Path.Combine(stagingArea.FullName, $"{GlobalVars.AppControlManagerSpecialPolicyName}.xml");
 
 		// Save the XML to the path as XML file
-		SiPolicy.Management.SavePolicyToFile(policyObj, savePath);
+		Management.SavePolicyToFile(policyObj, savePath);
 
 		Logger.Write($"Checking the deployment status of '{GlobalVars.AppControlManagerSpecialPolicyName}' Supplemental policy");
 
@@ -129,7 +132,7 @@ internal static void DeploySigned(string basePolicyID, string CertPath, string S
 		_ = AddSigningDetails.Add(savePath, CertPath);
 
 		// Remove the unsigned policy rule option from the policy
-		CiRuleOptions.Set(filePath: savePath, rulesToRemove: [SiPolicy.OptionType.EnabledUnsignedSystemIntegrityPolicy]);
+		CiRuleOptions.Set(filePath: savePath, rulesToRemove: [OptionType.EnabledUnsignedSystemIntegrityPolicy]);
 
 		// Define the path for the CIP file
 		string randomString = GUIDGenerator.GenerateUniqueGUID();
@@ -150,4 +153,32 @@ internal static void DeploySigned(string basePolicyID, string CertPath, string S
 		// Deploy the signed CIP file
 		CiToolHelper.UpdatePolicy(CIPFilePath);
 	}
+
+
+	/// <summary>
+	/// Checks whether an App Control policy is eligible to have the AppControlManager supplemental policy
+	/// </summary>
+	/// <param name="policyObj"></param>
+	/// <param name="policyFile"></param>
+	/// <returns></returns>
+	internal static bool IsEligible(SiPolicy.SiPolicy policyObj, string policyFile)
+	{
+		// Don't need to deploy it for the recommended block rules since they are only explicit Deny mode policies
+		if (!string.Equals(policyObj.FriendlyName, "Microsoft Windows Recommended User Mode BlockList", StringComparison.OrdinalIgnoreCase))
+		{
+			if (!string.Equals(policyObj.FriendlyName, "Microsoft Windows Driver Policy", StringComparison.OrdinalIgnoreCase))
+			{
+				// Make sure the policy is a base policy and it doesn't have allow all rule
+				if (policyObj.PolicyType is PolicyType.BasePolicy)
+				{
+					if (!CheckForAllowAll.Check(policyFile))
+					{
+						return true;
+					}
+				}
+			}
+		}
+
+		return false;
+	}
 }
diff --git a/AppControl Manager/Package.appxmanifest b/AppControl Manager/Package.appxmanifest
@@ -11,7 +11,7 @@
   <Identity
     Name="AppControlManager"
     Publisher="CN=SelfSignedCertForAppControlManager"
-    Version="1.9.3.0" />
+    Version="1.9.4.0" />
 
   <mp:PhoneIdentity PhoneProductId="199a23ec-7cb6-4ab5-ab50-8baca348bc79" PhonePublisherId="00000000-0000-0000-0000-000000000000"/>
 

diff --git a/AppControl Manager/Pages/AllowNewApps/AllowNewAppsStart.xaml.cs b/AppControl Manager/Pages/AllowNewApps/AllowNewAppsStart.xaml.cs
@@ -323,7 +323,7 @@ await Task.Run(() =>
 
 
 				// If the policy doesn't have any rule options or it doesn't have the EnabledUnsignedSystemIntegrityPolicy rule option then it is signed
-				_IsSignedPolicy = (_BasePolicyObject.Rules is null || !_BasePolicyObject.Rules.Any(rule => rule.Item is OptionType.EnabledUnsignedSystemIntegrityPolicy));
+				_IsSignedPolicy = (!_BasePolicyObject.Rules.Any(rule => rule.Item is OptionType.EnabledUnsignedSystemIntegrityPolicy));
 			});
 
 			if (_IsSignedPolicy)

diff --git a/AppControl Manager/Pages/ConfigurePolicyRuleOptions.xaml.cs b/AppControl Manager/Pages/ConfigurePolicyRuleOptions.xaml.cs
@@ -76,6 +76,9 @@ private async void LightUp1(object sender, RoutedEventArgs e)
 		SelectedFilePath = unsignedBasePolicyPathFromSidebar;
 
 		await LoadPolicyOptionsFromXML(SelectedFilePath);
+
+		// Expand the settings expander when user selects a policy
+		PolicyRuleExpander.IsExpanded = true;
 	}
 
 	#endregion
@@ -255,8 +258,25 @@ await Task.Run(() =>
 
 					string cipPath = Path.Combine(stagingArea.FullName, $"{Path.GetFileName(SelectedFilePath)}.cip");
 
+					SiPolicy.SiPolicy policyObj = Management.Initialize(SelectedFilePath, null);
+
+					if (!policyObj.Rules.Any(x => x.Item is OptionType.EnabledUnsignedSystemIntegrityPolicy))
+					{
+						_ = DispatcherQueue.TryEnqueue(() =>
+						{
+							MainTeachingTip.IsOpen = true;
+							MainTeachingTip.Subtitle = "The selected policy requires signing. Please use the 'Deploy App Control Policy' page to deploy it as a signed policy.";
+						});
+
+						return;
+					}
+
 					PolicyToCIPConverter.Convert(SelectedFilePath, cipPath);
 
+					// If a base policy is being deployed, ensure it's supplemental policy for AppControl Manager also gets deployed
+					if (SupplementalForSelf.IsEligible(policyObj, SelectedFilePath))
+						SupplementalForSelf.Deploy(stagingArea.FullName, policyObj.PolicyID);
+
 					CiToolHelper.UpdatePolicy(cipPath);
 				});
 			}