BlockFileExtensionsGPO.ps1
# --------------------------------------------------
# BlockFileExtensionsGPO.ps1
# --------------------------------------------------
# This script creates a GPO that blocks certain questionable file extensions using a software restriction policy.
# The GPO name and the extensions to block can be modified below. By default, the GPO is linked at the domain level.
# Comma-separated list of extensions that the Disallowed path rules will target (split on ',' later).
$blockedFileExtensions = 'VBS,JS,COM,BAT,SCR,PIF'
# Get-ADDomain / Get-ADObject / New-ADObject below come from this module.
Import-Module -Name ActiveDirectory
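Function ConvertTo-WmiFilter([Microsoft.ActiveDirectory.Management.ADObject[]] $ADObject)
{
    <#
    .SYNOPSIS
        Resolves msWMI-Som AD objects to GPMC WmiFilter objects.
    .DESCRIPTION
        For each AD object the filter is looked up through the GPMC API by its
        MSFT_SomFilter path (domain name + object name). Each filter found is
        emitted with two extra NoteProperties: Guid (the object name with the
        surrounding braces stripped) and Content (the raw msWMI-Parm2 string).
        Objects whose filter cannot be retrieved produce a warning and are skipped.
    .PARAMETER ADObject
        One or more msWMI-Som objects, e.g. the output of New-ADObject -PassThru.
    .OUTPUTS
        Microsoft.GroupPolicy.WmiFilter, one per resolved object.
    #>
    $gpDomain = New-Object -TypeName Microsoft.GroupPolicy.GPDomain
    foreach ($somObject in $ADObject)
    {
        $path = 'MSFT_SomFilter.Domain="' + $gpDomain.DomainName + '",ID="' + $somObject.Name + '"'
        # Reset on every iteration: otherwise a failed lookup would re-emit the
        # previous object's filter under this object's Guid/Content (and an
        # unassigned $filter trips Set-StrictMode on first use).
        $filter = $null
        try
        {
            $filter = $gpDomain.GetWmiFilter($path)
        }
        catch
        {
            Write-Warning "WMI filter '$($somObject.Name)' could not be retrieved via GPMC: $($_.Exception.Message)"
        }
        if ($null -eq $filter)
        {
            continue
        }
        # The object name is "{<guid>}"; strip the braces to get a bare Guid.
        [Guid]$guid = $somObject.Name.Substring(1, $somObject.Name.Length - 2)
        $filter |
            Add-Member -MemberType NoteProperty -Name Guid -Value $guid -PassThru |
            Add-Member -MemberType NoteProperty -Name Content -Value $somObject.'msWMI-Parm2' -PassThru
    }
}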
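Function New-SoftwareRestrictionGPO($GpoName, $ParanoidExtensions, $WmiFilter)
{
    <#
    .SYNOPSIS
        (Re)creates a GPO carrying a Software Restriction Policy that disallows
        the given file extensions, scopes it with a WMI filter and links it to the domain.
    .DESCRIPTION
        Any existing GPO with the same name is REMOVED first, so the policy is
        rebuilt from scratch (and any manual edits are lost) on every run.
        The SRP is written straight into the GPO's registry policy under
        HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers:
          - DefaultLevel 262144 (0x40000, Unrestricted): anything not matched by a rule runs
          - one path rule "*.<ext>" per extension under level 0 (Disallowed)
          - PolicyScope 0: applies to all users, local administrators included
          - TransparentEnabled 1: enforced for executables and scripts but not
            libraries (2 would include DLLs) -- confirm this is the intended scope
          - AuthenticodeEnabled 0: no certificate rules
        Path rules match on the file name only, so renaming a file sidesteps them;
        treat this as a nuisance control rather than a security boundary.
        Add-WindowsFeature GPMC has the side effect of installing a server feature.
    .PARAMETER GpoName
        Display name of the GPO to (re)create.
    .PARAMETER ParanoidExtensions
        Comma-separated extension list, e.g. "VBS,JS". Surrounding whitespace and a
        leading dot on each entry are ignored; empty entries are skipped.
    .PARAMETER WmiFilter
        Microsoft.GroupPolicy.WmiFilter (as returned by ConvertTo-WmiFilter) that
        scopes the GPO. $null leaves the GPO unfiltered, i.e. applied domain-wide.
    .OUTPUTS
        Whatever Add-WindowsFeature and New-GPLink emit (not consumed by this script).
    #>
    Set-StrictMode -Version 2
    # Just in case GPMC modules are missing..
    Import-Module ServerManager
    Add-WindowsFeature GPMC
    Import-Module GroupPolicy

    # Get-GPO raises an error for an unknown name; that is the normal first-run
    # case, so suppress it and test for $null instead of letting it surface.
    $existingGpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if ($null -ne $existingGpo)
    {
        # Destructive: the old GPO (rules, links, edits) is discarded before rebuild.
        Remove-GPO -Name $GpoName
    }
    $newGpo = New-GPO -Name $GpoName
    # Assigning the property commits the filter link to the GPO immediately.
    $newGpo.WmiFilter = $WmiFilter

    $disallowedLevel = 0   # SAFER level id 0 = Disallowed
    $settingsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $fileTimeNow = (Get-Date).ToFileTime()

    # Global SRP parameters; see DESCRIPTION for what each value means.
    $globalValues = @(
        @{ Type = 'MultiString'; ValueName = 'ExecutableTypes';     Value = '' },
        @{ Type = 'DWord';       ValueName = 'DefaultLevel';        Value = 262144 },
        @{ Type = 'DWord';       ValueName = 'PolicyScope';         Value = 0 },
        @{ Type = 'DWord';       ValueName = 'TransparentEnabled';  Value = 1 },
        @{ Type = 'DWord';       ValueName = 'AuthenticodeEnabled'; Value = 0 },
        @{ Type = 'QWord';       ValueName = 'LastModified';        Value = $fileTimeNow }
    )
    foreach ($entry in $globalValues)
    {
        Set-GPRegistryValue -Name $GpoName -Key $settingsKey @entry | Out-Null
    }

    # Normalise the extension list: "VBS, .js, ,BAT" -> VBS, js, BAT. Without this a
    # space or dot in the input would produce a rule like "*. js" that never matches.
    $extensions = @($ParanoidExtensions.Split(',') |
        ForEach-Object { $_.Trim().TrimStart('.') } |
        Where-Object { $_ -ne '' })
    if ($extensions.Count -eq 0)
    {
        Write-Warning "No extensions supplied for '$GpoName'; the policy will disallow nothing."
    }
    foreach ($extension in $extensions)
    {
        # Each path rule lives in its own GUID-named subkey under the Disallowed level.
        $ruleGuid = [System.Guid]::NewGuid()
        $ruleKey = "$settingsKey\$disallowedLevel\Paths\{$ruleGuid}"
        Set-GPRegistryValue -Name $GpoName -Key $ruleKey -Type String -ValueName 'ItemData' -Value "*.$extension" | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key $ruleKey -Type DWord -ValueName 'SaferFlags' -Value 0 | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key $ruleKey -Type QWord -ValueName 'LastModified' -Value $fileTimeNow | Out-Null
    }

    # Link at the domain root; the WMI filter is what narrows it to the intended machines.
    $domainDn = (Get-ADDomain).DistinguishedName
    New-GPLink -Name $GpoName -Target $domainDn
}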
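Function New-WMIFilter($FilterName, $FilterDescription, $FilterNamespace, $FilterExpression)
{
    <#
    .SYNOPSIS
        Creates (or replaces) a domain WMI filter and returns it as a GPMC WmiFilter object.
    .DESCRIPTION
        WMI filters are msWMI-Som objects under CN=SOM,CN=WMIPolicy,CN=System.
        msWMI-Parm2 holds the queries in the serialised form GPMC expects:
        "<count>;" followed, per query, by
        "3;<namespace length>;<query length>;WQL;<namespace>;<query>;".
        An existing filter with the same msWMI-Name is deleted first; any GPO still
        referencing the old filter is left pointing at a deleted object until it is
        rebuilt (New-SoftwareRestrictionGPO does that for the GPOs in this script).
    .PARAMETER FilterName
        Display name (msWMI-Name); also the key used to find a filter to replace.
    .PARAMETER FilterDescription
        Free text shown in GPMC; may be empty.
    .PARAMETER FilterNamespace
        WMI namespace applied to every query, e.g. ROOT\CIMV2.
    .PARAMETER FilterExpression
        One or more WQL queries (string or string[]).
    .OUTPUTS
        Microsoft.GroupPolicy.WmiFilter with Guid and Content NoteProperties
        (see ConvertTo-WmiFilter), or nothing if the filter could not be resolved.
    #>
    $guid = [System.Guid]::NewGuid()
    $defaultNamingContext = (Get-ADRootDSE).DefaultNamingContext
    # The AD attribute is UserPrincipalName; the earlier misspelling
    # ("UserPrincipleName") silently produced $null for the author field.
    $msWMIAuthor = (Get-ADUser -Identity $env:USERNAME).UserPrincipalName
    # 24-hour clock (HH); "hh" would fold afternoon timestamps onto 01-12.
    $msWMICreationDate = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff-000')
    $wmiGUID = "{$guid}"
    $wmiDistinguishedName = "CN=$wmiGUID,CN=SOM,CN=WMIPolicy,CN=System,$defaultNamingContext"
    # Trailing space is deliberate: keeps msWMI-Parm1 non-empty when no description is given.
    $msWMIParm1 = "$FilterDescription "
    # Coerce to an array so .Count is 1 for a single query on every PowerShell version
    # (a bare string has no Count in PowerShell 2).
    $queries = @($FilterExpression)
    $msWMIParm2 = "$($queries.Count);"
    foreach ($query in $queries)
    {
        $msWMIParm2 += "3;$($FilterNamespace.Length);$($query.Length);WQL;$FilterNamespace;$query;"
    }

    # Match on the display name client-side rather than interpolating it into an LDAP filter.
    $existingWmiFilter = Get-ADObject -Filter 'objectClass -eq "msWMI-Som"' -Properties 'msWMI-Name', 'msWMI-Parm1' |
        Where-Object { $_.'msWMI-Name' -eq $FilterName } |
        Select-Object -First 1
    if ($null -ne $existingWmiFilter)
    {
        # Replaced wholesale; -Confirm:$false keeps the script non-interactive.
        Remove-ADObject -Identity $existingWmiFilter -Confirm:$false
    }

    $attributes = @{
        'msWMI-Name'             = $FilterName
        'msWMI-Parm1'            = $msWMIParm1
        'msWMI-Parm2'            = $msWMIParm2
        'msWMI-Author'           = $msWMIAuthor
        'instanceType'           = 4          # writable object on this DC (standard for new objects)
        'msWMI-ID'               = $wmiGUID
        'showInAdvancedViewOnly' = 'TRUE'
        'distinguishedname'      = $wmiDistinguishedName
        'msWMI-ChangeDate'       = $msWMICreationDate
        'msWMI-CreationDate'     = $msWMICreationDate
    }
    $wmiPath = "CN=SOM,CN=WMIPolicy,CN=System,$defaultNamingContext"
    $adObject = New-ADObject -Name $wmiGUID -Type 'msWMI-Som' -Path $wmiPath -OtherAttributes $attributes -PassThru
    ConvertTo-WmiFilter $adObject
}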
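# WMI filter display names; an existing filter of the same name is replaced by New-WMIFilter.
$workstationFilterName = 'Workstations'
$2K3TSFilterName = '2003 Terminal Servers'
$2K8TSFilterName = '2008+ Terminal Servers'

# Create WMI filters for workstations, 2003 terminal servers and 2008+ terminal servers.
# DomainRole 0/1 = standalone/member workstation, so member servers and DCs are excluded.
$workstationFilter = New-WMIFilter -FilterName $workstationFilterName -FilterDescription 'Filter on workstations' `
    -FilterNamespace 'ROOT\CIMV2' -FilterExpression 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 0 OR DomainRole = 1'
# Same query in two namespaces: the 2003 location and the 2008+ location of Win32_TerminalServiceSetting.
$2K3TSFilter = New-WMIFilter -FilterName $2K3TSFilterName -FilterDescription 'Filter on 2003 terminal servers' `
    -FilterNamespace 'ROOT\CIMV2' -FilterExpression 'SELECT * FROM Win32_TerminalServiceSetting WHERE LicensingType > 1'
$2K8TSFilter = New-WMIFilter -FilterName $2K8TSFilterName -FilterDescription 'Filter on 2008+ terminal servers' `
    -FilterNamespace 'ROOT\CIMV2\TerminalServices' -FilterExpression 'SELECT * FROM Win32_TerminalServiceSetting WHERE LicensingType > 1'

# GPO name -> filter, in the order the GPOs are created.
$gpoFilters = @(
    @{ Name = 'Block File Extensions - Workstations'; Filter = $workstationFilter },
    @{ Name = 'Block File Extensions - 2K3 TS';       Filter = $2K3TSFilter },
    @{ Name = 'Block File Extensions - 2K8+ TS';      Filter = $2K8TSFilter }
)

# Verify every filter resolved BEFORE touching any GPO: New-SoftwareRestrictionGPO
# accepts $null and would then link an unfiltered GPO at the domain root, pushing the
# restriction to every computer (domain controllers included) instead of the intended set.
foreach ($gpoFilter in $gpoFilters)
{
    if ($null -eq $gpoFilter.Filter)
    {
        throw "WMI filter for GPO '$($gpoFilter.Name)' was not created; aborting before any GPO is (re)built."
    }
}
foreach ($gpoFilter in $gpoFilters)
{
    New-SoftwareRestrictionGPO -GpoName $gpoFilter.Name -ParanoidExtensions $blockedFileExtensions -WmiFilter $gpoFilter.Filter
}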