Disallow all COM for AppLocker system lock down (#16268)

Co-authored-by: Paul Higinbotham <paulhi@microsoft.com>
Travis Plunk 2021-10-19 11:18:37 -07:00 committed by GitHub
parent a82630a17a
commit 5d447cb773
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -391,6 +391,14 @@ namespace System.Management.Automation.Security
/// <returns>True if the COM object is allowed, False otherwise.</returns>
internal static bool IsClassInApprovedList(Guid clsid)
{
// This method is called only if there is an AppLocker and/or WLDP system wide lock down enforcement policy.
if (s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None) != SystemEnforcementMode.Enforce)
{
// No WLDP policy implies only AppLocker policy enforcement. Disallow all COM object instantiation.
return false;
}
// WLDP policy must be in system wide enforcement, look up COM Id in WLDP approval list.
try
{
WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION();