
[Suggestion]: New file allow rule attributes

Open pl4nty opened this issue 5 months ago • 1 comments

Are you sure the Security measure is not already implemented?

  • [x] Yes, I have checked and the Security measure I'm suggesting to be implemented is not duplicate. 🫡

Please explain your new Security measure suggestion

Some new file rule attributes showed up in the latest canary build. Does anyone know what they're for, and whether the policy editor should support them? Maybe to restrict hotpatch usage, and which PE sequence numbers can be used? No references to RequireHotpatchID yet, though.

<xs:attribute name="RequireHotpatchID" type="AllowType" use="optional" />
<xs:attribute name="MinimumHotpatchSequence" type="xs:unsignedInt" use="optional" />
<xs:attribute name="MaximumHotpatchSequence" type="xs:unsignedInt" use="optional" />

pl4nty, Jul 06 '25 01:07

Hi, the Policy Editor, generator (xml -> cip) and reverser (cip -> xml) must ultimately support them if they make it to the beta and stable builds. They seem incomplete at the moment, like why are they only available for the Allow rule type and not for FileAttrib of a FilePublisher?

I assume they are designed to be used primarily by the OS itself to protect its important files from reverting to old vulnerable versions after a hotpatch is applied.

Chances are we will see those rules used in the default cip files that come with the OS, and if we open them with AppControl Manager (once it supports them), we can see how they're being used.

HotCakeX, Jul 06 '25 07:07
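
An added example, not taken from the issue or from the AppControl Manager code base: one way for policy tooling to notice attributes like these is to diff the attributes each rule element accepts between two schema versions. Both schema fragments are constructed and heavily trimmed; only the three hotpatch attributes come from the issue, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed schema layout (assumption): two rule elements with a minimal
# attribute set. {extra} marks where a newer build adds attributes to Allow.
TEMPLATE = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Allow"><xs:complexType>
    <xs:attribute name="ID" type="xs:string" use="required" />
    <xs:attribute name="FileName" type="xs:string" use="optional" />{extra}
  </xs:complexType></xs:element>
  <xs:element name="FileAttrib"><xs:complexType>
    <xs:attribute name="ID" type="xs:string" use="required" />
    <xs:attribute name="FileName" type="xs:string" use="optional" />
  </xs:complexType></xs:element>
</xs:schema>"""
# The three attribute declarations quoted in the issue.
HOTPATCH = """
    <xs:attribute name="RequireHotpatchID" type="AllowType" use="optional" />
    <xs:attribute name="MinimumHotpatchSequence" type="xs:unsignedInt" use="optional" />
    <xs:attribute name="MaximumHotpatchSequence" type="xs:unsignedInt" use="optional" />"""
OLD_XSD, NEW_XSD = TEMPLATE.format(extra=""), TEMPLATE.format(extra=HOTPATCH)

def attributes_by_owner(xsd_text):
    """Map each named xs:element / xs:complexType to {attribute: (type, use)}."""
    owners = {}
    def walk(node, owner):
        # The nearest named ancestor owns the attribute, so nested
        # declarations are not credited to an enclosing element.
        if node.tag in (XS + "element", XS + "complexType") and node.get("name"):
            owner = node.get("name")
        if node.tag == XS + "attribute" and owner and node.get("name"):
            spec = (node.get("type"), node.get("use", "optional"))  # XSD default use
            owners.setdefault(owner, {})[node.get("name")] = spec
        for child in node:
            walk(child, owner)
    walk(ET.fromstring(xsd_text), None)
    return owners

def schema_additions(old_xsd, new_xsd):
    """Return {owner: {attribute: (type, use)}} for attributes only in new_xsd."""
    old, new = attributes_by_owner(old_xsd), attributes_by_owner(new_xsd)
    added = {}
    for owner, attrs in new.items():
        fresh = {n: s for n, s in attrs.items() if n not in old.get(owner, {})}
        if fresh:
            added[owner] = fresh
    return added

if __name__ == "__main__":
    for owner, attrs in schema_additions(OLD_XSD, NEW_XSD).items():
        for name, (xsd_type, use) in attrs.items():
            print(f"{owner}: new attribute {name} ({xsd_type}, {use})")
```

Running a diff like this against each new build's schema lets an editor, generator or reverser flag attributes it does not yet model before a round trip drops them.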