From 0d7fd8f5c482d19ae9138c2a871e24e5ddcfba80 Mon Sep 17 00:00:00 2001
From: metablaster <44481081+metablaster@users.noreply.github.com>
Date: Thu, 23 Nov 2023 14:31:49 +0100
Subject: [PATCH] update rules for google software

---
 .../Public/Search-Installation.ps1 | 27 ++-
 .../Scripts/TargetProgram.ps1 | 1 +
 .../Ruleset.Utility/Public/Invoke-Process.ps1 | 42 ++--
 Rules/IPv4/Outbound/Software/Google.ps1 | 221 +++++++++++++++++-
 Rules/IPv4/Outbound/Software/WebBrowser.ps1 | 163 +------------
 docs/CHANGELOG.md | 2 +
 6 files changed, 258 insertions(+), 198 deletions(-)

diff --git a/Modules/Ruleset.ProgramInfo/Public/Search-Installation.ps1 b/Modules/Ruleset.ProgramInfo/Public/Search-Installation.ps1
index 32e6d00e..80505fd3 100644
--- a/Modules/Ruleset.ProgramInfo/Public/Search-Installation.ps1
+++ b/Modules/Ruleset.ProgramInfo/Public/Search-Installation.ps1
@@ -168,6 +168,13 @@ function Search-Installation
 }
 break
 }
+ "GoogleUpdate"
+ {
+ # TODO: This is for system wide installation, if program such Chrome is installed
+ # the path will be in user profile which is currently handled by Google.ps1 script
+ Edit-Table "%ProgramFiles% (x86)\Google\Update"
+ break
+ }
 "GooglePlay"
 {
 # TODO: This was not tested
@@ -175,6 +182,16 @@ function Search-Installation
 #Edit-Table "%ProgramFiles%\Google\Play Games"
 break
 }
+ "Chrome"
+ {
+ Update-Table -Search "Google Chrome" -UserProfile
+ break
+ }
+ "GoogleDrive"
+ {
+ Update-Table -Search "Google Drive"
+ break
+ }
 "dotnet"
 {
 # TODO: No algorithm to find this path
@@ -319,11 +336,6 @@ function Search-Installation
 Update-Table -Search "Arena Chess"
 break
 }
- "GoogleDrive"
- {
- Update-Table -Search "Google Drive"
- break
- }
 "ColorMania"
 {
 Update-Table -Search "ColorMania"
@@ -591,11 +603,6 @@ function Search-Installation
 # NOTE: ask user for standalone installation directory of SteamCMD
 break
 }
- "Chrome"
- {
- Update-Table -Search "Google Chrome" -UserProfile
- break
- }
 "Firefox"
 {
 Update-Table -Search "Firefox" -UserProfile
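Review bot: The new `GoogleUpdate` case hard-codes the 32-bit directory as `%ProgramFiles% (x86)\Google\Update`, i.e. the 64-bit `%ProgramFiles%` value with a literal ` (x86)` suffix; Windows defines `%ProgramFiles(x86)%` for exactly that directory, and in a 32-bit host process `%ProgramFiles%` already resolves to the (x86) folder, so the suffix would be doubled. Unless `Edit-Table` is known to special-case this spelling (the same string is used for `$GoogleUpdateRoot` in Google.ps1), `Edit-Table "%ProgramFiles(x86)%\Google\Update"` is the safer form. The TODO above it admits that per-user installations are not searched and are left to Google.ps1, which then derives the updater path from `$ChromeRoot` by hand; stating that contract in the comment, e.g. `# Per-user copies under AppData\Local\Google\Update are not searched here; Google.ps1 derives them from the Chrome path`, would make the cross-file dependency visible. The `switch` these cases belong to starts and ends outside the hunk.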
diff --git a/Modules/Ruleset.ProgramInfo/Scripts/TargetProgram.ps1 b/Modules/Ruleset.ProgramInfo/Scripts/TargetProgram.ps1
index 0c8fe298..0f959a39 100644
--- a/Modules/Ruleset.ProgramInfo/Scripts/TargetProgram.ps1
+++ b/Modules/Ruleset.ProgramInfo/Scripts/TargetProgram.ps1
@@ -30,6 +30,7 @@ SOFTWARE.
 # Services and store apps are not part of this enumeration
 enum TargetProgram
 {
+ GoogleUpdate
 BlueStacks
 BlueStacksServices
 GooglePlay
diff --git a/Modules/Ruleset.Utility/Public/Invoke-Process.ps1 b/Modules/Ruleset.Utility/Public/Invoke-Process.ps1
index 82b5c267..61f79868 100644
--- a/Modules/Ruleset.Utility/Public/Invoke-Process.ps1
+++ b/Modules/Ruleset.Utility/Public/Invoke-Process.ps1
@@ -188,6 +188,7 @@ function Invoke-Process
 }
 }
 
+ $InvocationName = $MyInvocation.InvocationName
 [ScriptBlock] $Code = {
 param (
 $Path,
@@ -199,7 +200,8 @@ function Invoke-Process
 [PSCredential] $RunAsCredential,
 $ArgumentList,
 $Async,
- $Domain
+ $Domain,
+ [string] $InvocationName = $InvocationName
 )
 
 $CommandName = Split-Path -Path $Path -Leaf
@@ -272,18 +274,16 @@ function Invoke-Process
 {
 # A collection of command-line arguments to use when starting the application
 $Process.StartInfo.Arguments = $ArgumentList
- Write-Verbose -Message "[$($MyInvocation.InvocationName)] $CommandName argument list is '$ArgumentList'"
+ Write-Verbose -Message "[$InvocationName & Code] $CommandName argument list is '$ArgumentList'"
 }
 
- $InvocationName = $MyInvocation.InvocationName
-
 $Raw = $Raw
 $Async = $Async
 $Timeout = $Timeout
 
 if ($Async)
 {
- Write-Verbose -Message "[$($MyInvocation.InvocationName)] Hooking up event handlers for asynchronous operations"
+ Write-Verbose -Message "[$InvocationName & Code] Hooking up event handlers for asynchronous operations"
 
 if ($Raw)
 {
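Review bot: `[string] $InvocationName = $InvocationName` in the scriptblock's `param` block is only populated through its default value, which appears to rely on scope lookup finding the caller's variable when the block runs in the local session; the `Invoke-Command @SessionParams -ArgumentList $Path, …, $Domain -ScriptBlock $Code` call (context of the `@@ -625` hunk in this file) still passes ten arguments, so on a remote computer the variable does not exist and every message rewritten in the hunks from `@@ -272` through `@@ -625` degrades to `[ & Code] …`, defeating the "show caller name" fix recorded in the CHANGELOG. Append it to the argument list, `-ArgumentList $Path, $NoNewWindow, $WorkingDirectory, $LoadUserProfile, $Timeout, $Raw, $RunAsCredential, $ArgumentList, $Async, $Domain, $InvocationName`, after which the self-referencing default is unnecessary. Whether `@SessionParams` ever targets a remote session is not visible here, but the messages about the '$Domain' computer suggest it does; the `param` block and the enclosing function start outside the hunk.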
@@ -322,7 +322,7 @@ function Invoke-Process
 {
 # NOTE: Explicit -Debug or INFA is needed inside event
 Write-Debug -Message "[$InvocationName & OutputDataReceived] OutputDataReceived: $($OutLine.Data)"
- Write-Information -Tags $InvocationName -MessageData "INFO: $($OutLine.Data)" -INFA "Continue"
+ Write-Information -Tags "[$InvocationName & OutputDataReceived]" -MessageData "INFO: $($OutLine.Data)" -INFA "Continue"
 }
 }
 
@@ -401,7 +401,7 @@ function Invoke-Process
 
 try
 {
- Write-Verbose -Message "[$($MyInvocation.InvocationName)] Starting process '$CommandName'"
+ Write-Verbose -Message "[$InvocationName & Code] Starting process '$CommandName'"
 
 # true if a process resource is started; false if no new process resource is started
 if (!$Process.Start())
@@ -435,7 +435,7 @@ function Invoke-Process
 {
 if (!$Raw)
 {
- Write-Verbose -Message "[$($MyInvocation.InvocationName)] Starting asynchronous read"
+ Write-Verbose -Message "[$InvocationName & Code] Starting asynchronous read"
 }
 
 try
@@ -451,7 +451,7 @@ function Invoke-Process
 Write-Error -Category InvalidOperation -TargetObject $Process -Message $_.Exception.Message
 
 $Async = $false
- Write-Warning -Message "[$($MyInvocation.InvocationName)] Fallback to synchronous mode"
+ Write-Warning -Message "[$InvocationName & Code] Fallback to synchronous mode"
 }
 
 # Define the cancellation token
@@ -470,7 +470,7 @@ function Invoke-Process
 {
 if ($Timeout -ge 0)
 {
- Write-Information -Tags $MyInvocation.InvocationName `
+ Write-Information -Tags "[$InvocationName & Code]" `
 -MessageData "INFO: Waiting up to $($Timeout / 1000) seconds for process '$CommandName' to finish on '$Domain' computer..."
 
 if ($Async)
@@ -486,13 +486,13 @@ function Invoke-Process
 
 if (!$StatusWait)
 {
- Write-Warning -Message "[$($MyInvocation.InvocationName)] Process '$CommandName' is taking too long, aborting..."
+ Write-Warning -Message "[$InvocationName & Code] Process '$CommandName' is taking too long, aborting..."
 }
 }
 else
 {
 $StatusWait = $true
- Write-Information -Tags $MyInvocation.InvocationName `
+ Write-Information -Tags "[$InvocationName & Code]" `
 -MessageData "INFO: Waiting infinitely for process '$CommandName' to finish on '$Domain' computer..."
 
 if ($Async)
@@ -511,7 +511,7 @@ function Invoke-Process
 
 if ($Async -and $CancelSource.IsCancellationRequested)
 {
- Write-Warning -Message "[$($MyInvocation.InvocationName)] The task has been canceled"
+ Write-Warning -Message "[$InvocationName & Code] The task has been canceled"
 }
 else
 {
@@ -554,7 +554,7 @@ function Invoke-Process
 
 if ($Raw)
 {
- Write-Verbose -Message "[$($MyInvocation.InvocationName)] Starting raw asynchronous read"
+ Write-Verbose -Message "[$InvocationName & Code] Starting raw asynchronous read"
 
 $StandardOutput = $OutputBuilder.ToString()
 if (![string]::IsNullOrEmpty($StandardOutput))
@@ -571,7 +571,7 @@ function Invoke-Process
 }
 elseif ($Raw)
 {
- Write-Verbose -Message "[$($MyInvocation.InvocationName)] Starting raw synchronous read"
+ Write-Verbose -Message "[$InvocationName & Code] Starting raw synchronous read"
 
 # Reads all characters from the current position to the end of the stream (returns [string])
 $StandardOutput = $Process.StandardOutput.ReadToEnd()
@@ -588,7 +588,7 @@ function Invoke-Process
 }
 else
 {
- Write-Verbose -Message "[$($MyInvocation.InvocationName)] Starting synchronous read"
+ Write-Verbose -Message "[$InvocationName & Code] Starting synchronous read"
 
 # true if the current stream position is at the end of the stream
 while (!$Process.StandardOutput.EndOfStream)
@@ -600,10 +600,10 @@ function Invoke-Process
 
 if (![string]::IsNullOrEmpty($StreamLine))
 {
- Write-Information -Tags $MyInvocation.InvocationName -MessageData "INFO: $StreamLine"
+ Write-Information -Tags "[$InvocationName & Code]" -MessageData "INFO: $StreamLine"
 }
 
- Write-Debug -Message "[$($MyInvocation.InvocationName)] Sleeping..."
+ Write-Debug -Message "[$InvocationName & Code] Sleeping..."
 Start-Sleep -Milliseconds 300
 }
 
@@ -616,7 +616,7 @@ function Invoke-Process
 Write-Error -Category FromStdErr -TargetObject $Process -Message $StreamLine
 }
 
- Write-Debug -Message "[$($MyInvocation.InvocationName)] Sleeping..."
+ Write-Debug -Message "[$InvocationName & Code] Sleeping..."
 Start-Sleep -Milliseconds 300
 }
 }
@@ -625,9 +625,9 @@ function Invoke-Process
 # closes the process handle, and clears process-specific properties.
 # NOTE: Close does not close the standard output, input, and error readers and writers in
 # case they are being referenced externally
- Write-Debug -Message "[$($MyInvocation.InvocationName)] Closing process '$CommandName'"
+ Write-Debug -Message "[$InvocationName & Code] Closing process '$CommandName'"
 $Process.Close()
- }
+ } # [ScriptBlock] $Code
 
 Invoke-Command @SessionParams -ArgumentList $Path, $NoNewWindow, $WorkingDirectory, $LoadUserProfile, $Timeout, $Raw, $RunAsCredential, $ArgumentList, $Async, $Domain -ScriptBlock $Code
diff --git a/Rules/IPv4/Outbound/Software/Google.ps1 b/Rules/IPv4/Outbound/Software/Google.ps1
index 4486085b..27fd1699 100644
--- a/Rules/IPv4/Outbound/Software/Google.ps1
+++ b/Rules/IPv4/Outbound/Software/Google.ps1
@@ -98,6 +98,10 @@ $Accept = "Outbound rules for Google software will be loaded, recommended if Goo
 $Deny = "Skip operation, outbound rules for Google software will not be loaded into firewall"
 if (!(Approve-Execute -Accept $Accept -Deny $Deny -ContextLeaf $Group -Force:$Force)) { exit }
 
+# Chromecast IP
+# Adjust to Chromecast IP in your local network
+[IPAddress] $CHROMECAST_IP = "192.168.8.50"
+
 $PSDefaultParameterValues["Confirm-Installation:Quiet"] = $Quiet
 $PSDefaultParameterValues["Confirm-Installation:Interactive"] = $Interactive
 $PSDefaultParameterValues["Test-ExecutableFile:Quiet"] = $Quiet
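Review bot: `[IPAddress] $CHROMECAST_IP = "192.168.8.50"` bakes a deployment-specific LAN address into a tracked script and the comment asks users to edit it in place; a script parameter (e.g. `[IPAddress] $ChromecastIP = "192.168.8.50"` in the param block, which lies outside the hunk) would keep per-site values out of the repository. The two `Chrome Chromecast` rules that consume it in the `@@ -207` hunk are `-Action Block -Enabled False` while their descriptions read "Allow Chromecast outbound … data", so a wrong address is harmless today, but the action/description mismatch is worth settling before anyone enables them.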
@@ -107,26 +111,36 @@ $PSDefaultParameterValues["Test-ExecutableFile:Force"] = $Trusted -or $SkipSigna
 #
 # Google installation directories
 #
-$GoogleDriveRoot = "%ProgramFiles%\Google\Drive"
+$GoogleDriveRoot = "%ProgramFiles%\Google\Drive File Stream"
 $GooglePlayRoot = "%ProgramFiles%\Google\Play Games"
+$GoogleUpdateRoot = "%ProgramFiles% (x86)\Google\Update"
+# TODO: Update path for all users?
+$ChromeRoot = "%SystemDrive%\Users\$DefaultUser\AppData\Local\Google"
 
 # First remove all existing rules matching group
 Remove-NetFirewallRule -PolicyStore $PolicyStore -Group $Group -Direction $Direction -ErrorAction Ignore
 
 #
-# Rules for Google
+# Rules for Google software
+#
+
+#
+# Google drive
 #
 
 # Test if installation exists on system
 if ((Confirm-Installation "GoogleDrive" ([ref] $GoogleDriveRoot)) -or $ForceLoad)
 {
- $Program = "$GoogleDriveRoot\googledrivesync.exe"
+ # Found path contains executable name so we remove it
+ $GoogleDriveRoot = $(Split-Path -Path $GoogleDriveRoot -Parent)
+
+ $Program = "$GoogleDriveRoot\GoogleDriveFS.exe"
 if ((Test-ExecutableFile $Program) -or $ForceLoad)
 {
 New-NetFirewallRule -DisplayName "Google drive" `
 -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
 -Service Any -Program $Program -Group $Group `
- -Enabled False -Action Allow -Direction $Direction -Protocol TCP `
+ -Enabled True -Action Allow -Direction $Direction -Protocol TCP `
 -LocalAddress Any -RemoteAddress Internet4 `
 -LocalPort Any -RemotePort 443 `
 -LocalUser $UsersGroupSDDL `
@@ -137,9 +151,8 @@ if ((Confirm-Installation "GoogleDrive" ([ref] $GoogleDriveRoot)) -or $ForceLoad
 
 #
 # Google play emulator
-# TODO: Chrome also uses executable with same name?, directory might be same for chrome
-# %ProgramFiles% (x86)\Google\Update\GoogleUpdate.exe
 #
+
 if ((Confirm-Installation "GooglePlay" ([ref] $GooglePlayRoot)) -or $ForceLoad)
 {
 $Program = "$GooglePlayRoot\current\service\Service.exe"
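Review bot: `$GoogleDriveRoot = $(Split-Path -Path $GoogleDriveRoot -Parent)` runs unconditionally although the enclosing condition is `(Confirm-Installation …) -or $ForceLoad`; when the search fails and `$ForceLoad` is set the variable presumably still holds the default `%ProgramFiles%\Google\Drive File Stream`, so stripping a component produces `%ProgramFiles%\Google\GoogleDriveFS.exe`. Capture the search result and strip only on success: `$Found = Confirm-Installation "GoogleDrive" ([ref] $GoogleDriveRoot)`, `if ($Found -or $ForceLoad)`, `if ($Found) { $GoogleDriveRoot = Split-Path -Path $GoogleDriveRoot -Parent }`. The same hunk sets `$ChromeRoot` to `…\AppData\Local\Google`, yet the Chrome block in the next hunk builds `"$ChromeRoot\chrome.exe"` and derives the updater root with two `Split-Path -Parent` calls, which only lines up if `Confirm-Installation` rewrites the variable to `…\Google\Chrome\Application`; the default should be that deeper path so the `$ForceLoad` fallback yields the same layout, and the `# TODO: Update path for all users?` comment could state what shape the variable is expected to have. The `Test-ExecutableFile` gate below keeps a wrong path from producing a rule unless `$ForceLoad` is set, so the impact is limited to forced loads.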
@@ -207,6 +220,202 @@ if ((Confirm-Installation "GooglePlay" ([ref] $GooglePlayRoot)) -or $ForceLoad)
 -Description "" | Format-RuleOutput
 }
 
+#
+# Google Chrome
+#
+
+# Test if installation exists on system
+if ((Confirm-Installation "Chrome" ([ref] $ChromeRoot)) -or $ForceLoad)
+{
+ $Program = "$ChromeRoot\chrome.exe"
+ if ((Test-ExecutableFile $Program) -or $ForceLoad)
+ {
+ New-NetFirewallRule -DisplayName "Chrome HTTP\S" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled True -Action Allow -Direction $Direction -Protocol TCP `
+ -LocalAddress Any -RemoteAddress Internet4 `
+ -LocalPort Any -RemotePort 80, 443 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -Description "Hyper text transfer protocol." | Format-RuleOutput
+
+ New-NetFirewallRule -DisplayName "Chrome FTP" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Allow -Direction $Direction -Protocol TCP `
+ -LocalAddress Any -RemoteAddress Internet4 `
+ -LocalPort Any -RemotePort 21 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -Description "File transfer protocol." | Format-RuleOutput
+
+ New-NetFirewallRule -DisplayName "Chrome GCM" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Allow -Direction $Direction -Protocol TCP `
+ -LocalAddress Any -RemoteAddress Internet4 `
+ -LocalPort Any -RemotePort 5228 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -Description "Google cloud messaging, google services use 5228, hangouts, google play,
+GCP.. etc use 5228."
| Format-RuleOutput
+
+ # TODO: removed port 80, probably not used
+ New-NetFirewallRule -DisplayName "Chrome QUIC" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled True -Action Allow -Direction $Direction -Protocol UDP `
+ -LocalAddress Any -RemoteAddress Internet4 `
+ -LocalPort Any -RemotePort 443 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -LocalOnlyMapping $false -LooseSourceMapping $false `
+ -Description "Quick UDP Internet Connections,
+Experimental transport layer network protocol developed by Google and implemented in 2013." | Format-RuleOutput
+
+ New-NetFirewallRule -DisplayName "Chrome XMPP" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Block -Direction $Direction -Protocol TCP `
+ -LocalAddress Any -RemoteAddress Internet4 `
+ -LocalPort Any -RemotePort 5222 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -Description "Extensible Messaging and Presence Protocol.
+Google Drive (Talk), Cloud printing, Chrome Remote Desktop, Chrome Sync
+(with fallback to 443 if 5222 is blocked)." | Format-RuleOutput
+
+ New-NetFirewallRule -DisplayName "Chrome mDNS IPv4" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Block -Direction $Direction -Protocol UDP `
+ -LocalAddress Any -RemoteAddress 224.0.0.251 `
+ -LocalPort 5353 -RemotePort 5353 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -LocalOnlyMapping $false -LooseSourceMapping $false `
+ -Description "The multicast Domain Name System (mDNS) resolves host names to IP addresses
+within small networks that do not include a local name server."
| Format-RuleOutput
+
+ New-NetFirewallRule -DisplayName "Chrome mDNS IPv6" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Block -Direction $Direction -Protocol UDP `
+ -LocalAddress Any -RemoteAddress ff02::fb `
+ -LocalPort 5353 -RemotePort 5353 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -LocalOnlyMapping $false -LooseSourceMapping $false `
+ -Description "The multicast Domain Name System (mDNS) resolves host names to IP addresses
+within small networks that do not include a local name server." | Format-RuleOutput
+
+ New-NetFirewallRule -DisplayName "Chrome Chromecast SSDP" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Allow -Direction $Direction -Protocol UDP `
+ -LocalAddress Any -RemoteAddress 239.255.255.250 `
+ -LocalPort Any -RemotePort 1900 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -LocalOnlyMapping $false -LooseSourceMapping $false `
+ -Description "Network Discovery to allow use of the Simple Service Discovery Protocol."
|
+ Format-RuleOutput
+
+ New-NetFirewallRule -DisplayName "Chrome Chromecast" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Block -Direction $Direction -Protocol TCP `
+ -LocalAddress Any -RemoteAddress $CHROMECAST_IP.IPAddressToString `
+ -LocalPort Any -RemotePort 8008, 8009 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -Description "Allow Chromecast outbound TCP data" | Format-RuleOutput
+
+ New-NetFirewallRule -DisplayName "Chrome Chromecast" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Block -Direction $Direction -Protocol UDP `
+ -LocalAddress Any -RemoteAddress $CHROMECAST_IP.IPAddressToString `
+ -LocalPort 32768-61000 -RemotePort 32768-61000 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -LocalOnlyMapping $false -LooseSourceMapping $false `
+ -Description "Allow Chromecast outbound UDP data" | Format-RuleOutput
+
+ #
+ # IRC: 8605
+ # Pokerist: 3103-3110
+ # speedtest: 5060, 8080
+ #
+ New-NetFirewallRule -DisplayName "Chrome special sites" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled False -Action Allow -Direction $Direction -Protocol TCP `
+ -LocalAddress Any -RemoteAddress Internet4 `
+ -LocalPort Any -RemotePort 3103-3110, 5060, 8080, 8605 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -Description "Ports needed for IRC, pokerist.com and speedtest.net" | Format-RuleOutput
+ }
+
+ # If Chrome is installed in user profile it has it's own GoogleUpdate with different user permission
+ if ($ChromeRoot -like "*\Users\*")
+ {
+ # TODO: we should probably have a function for this and similar cases?
+ $ChromeUpdateRoot = $(Split-Path -Path $(Split-Path -Path $ChromeRoot -Parent) -Parent)
+
+ # Test if installation exists on system
+ if ((Confirm-Installation "GoogleUpdate" ([ref] $GoogleUpdateRoot)) -or $ForceLoad)
+ {
+ $Program = "$ChromeUpdateRoot\Update\GoogleUpdate.exe"
+ if ((Test-ExecutableFile $Program) -or $ForceLoad)
+ {
+ # TODO: Unsure is SYSTEM account is needed by Google update
+ # Merge-SDDL ([ref] $UpdateAccounts) -From $UsersGroupSDDL
+
+ New-NetFirewallRule -DisplayName "Google Update" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled True -Action Allow -Direction $Direction -Protocol TCP `
+ -LocalAddress Any -RemoteAddress Internet4 `
+ -LocalPort Any -RemotePort 80, 443 `
+ -LocalUser $UsersGroupSDDL `
+ -InterfaceType $DefaultInterface `
+ -Description "Update google products" | Format-RuleOutput
+ }
+ }
+ }
+}
+
+#
+# Google update
+#
+# This rule must the the last one in this script so that GoogleUpdateRoot is set to correct path to handle
+# cases where GoogleUpdate is installed into user profile because Search-Installation set system wide path
+#
+
+# Test if installation exists on system
+if ((Confirm-Installation "GoogleUpdate" ([ref] $GoogleUpdateRoot)) -or $ForceLoad)
+{
+ $Program = "$GoogleUpdateRoot\GoogleUpdate.exe"
+ if ((Test-ExecutableFile $Program) -or $ForceLoad)
+ {
+ # TODO: Unsure is Users account is needed by Google update
+ # Merge-SDDL ([ref] $UpdateAccounts) -From $UsersGroupSDDL
+
+ New-NetFirewallRule -DisplayName "Google Update" `
+ -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
+ -Service Any -Program $Program -Group $Group `
+ -Enabled True -Action Allow -Direction $Direction -Protocol TCP `
+ -LocalAddress Any -RemoteAddress Internet4 `
+ -LocalPort Any -RemotePort 80, 443 `
+ -LocalUser $LocalSystem `
+ -InterfaceType $DefaultInterface `
+ -Description "Update google products" | Format-RuleOutput
+ }
+}
+
 if ($UpdateGPO)
 {
 Invoke-Process gpupdate.exe
diff --git a/Rules/IPv4/Outbound/Software/WebBrowser.ps1 b/Rules/IPv4/Outbound/Software/WebBrowser.ps1
index 91374998..7e10ead2 100644
--- a/Rules/IPv4/Outbound/Software/WebBrowser.ps1
+++ b/Rules/IPv4/Outbound/Software/WebBrowser.ps1
@@ -28,10 +28,10 @@ SOFTWARE.
 
 <#
 .SYNOPSIS
-Outbound firewall rules for WebBrowser
+Outbound firewall rules for web browsers
 
 .DESCRIPTION
-Outbound firewall rules for 3rd party web browsers
+Outbound firewall rules for web browsers that are not from Microsoft of Google
 
 .PARAMETER Domain
 Computer name onto which to deploy rules
@@ -98,10 +98,6 @@ $Accept = "Outbound rules for 3rd party web browsers will be loaded, recommended
 $Deny = "Skip operation, outbound rules for web browsers will not be loaded into firewall"
 if (!(Approve-Execute -Accept $Accept -Deny $Deny -ContextLeaf $Group -Force:$Force)) { exit }
 
-# Chromecast IP
-# Adjust to Chromecast IP in your local network
-[IPAddress] $CHROMECAST_IP = "192.168.8.50"
-
 $PSDefaultParameterValues["Confirm-Installation:Quiet"] = $Quiet
 $PSDefaultParameterValues["Confirm-Installation:Interactive"] = $Interactive
 $PSDefaultParameterValues["Test-ExecutableFile:Quiet"] = $Quiet
@@ -116,7 +112,6 @@ Remove-NetFirewallRule -PolicyStore $PolicyStore -Group $Group -Direction $Direc
 # TODO: Update path for all users?
 # TODO: Returned path will miss browser updaters
 #
-$ChromeRoot = "%SystemDrive%\Users\$DefaultUser\AppData\Local\Google"
 $FirefoxRoot = "%SystemDrive%\Users\$DefaultUser\AppData\Local\Mozilla Firefox"
 $YandexRoot = "%SystemDrive%\Users\$DefaultUser\AppData\Local\Yandex"
 $TorRoot = "%SystemDrive%\Users\$DefaultUser\AppData\Local\Tor Browser"
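Review bot: Inside the per-user Chrome branch, `if ((Confirm-Installation "GoogleUpdate" ([ref] $GoogleUpdateRoot)) -or $ForceLoad)` queries the system-wide updater location while the rule beneath it is built from `"$ChromeUpdateRoot\Update\GoogleUpdate.exe"`, so the condition gates one installation on the presence of a different one: a user-profile Chrome without a machine-wide Google Update gets no updater rule, and the search may overwrite `$GoogleUpdateRoot` before the final `Google update` block reuses it, which appears to be what the "must the the last one" comment is working around. Since `$ChromeUpdateRoot` is already derived from the confirmed `$ChromeRoot`, drop the nested `Confirm-Installation` and keep only `$Program = "$ChromeUpdateRoot\Update\GoogleUpdate.exe"` followed by `if ((Test-ExecutableFile $Program) -or $ForceLoad)`, as WebBrowser.ps1 did before the move. Both updater rules carry the DisplayName `Google Update`; naming the per-user one `Chrome Update` (its previous name) keeps `Get-NetFirewallRule -DisplayName` output unambiguous, and the mirrored `# TODO: Unsure is … account is needed` comments read as intended with `Unsure if`. The double `Split-Path -Parent` also silently assumes `$ChromeRoot` ends in `\Chrome\Application`; a one-line comment stating that assumption would help the next reader.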
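Review bot: The new `.DESCRIPTION` line reads `web browsers that are not from Microsoft of Google`; `of` should be `or`: `Outbound firewall rules for web browsers that are not from Microsoft or Google`. The comment-based help block continues outside the hunk.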
@@ -131,160 +126,6 @@ $BraveTorRoot = "C:\Users\$DefaultUser\AppData\Local\BraveSoftware\Brave-Browser # Web browser rules # -# -# Google Chrome -# - -# Test if installation exists on system -if ((Confirm-Installation "Chrome" ([ref] $ChromeRoot)) -or $ForceLoad) -{ - $Program = "$ChromeRoot\Chrome\Application\chrome.exe" - if ((Test-ExecutableFile $Program) -or $ForceLoad) - { - New-NetFirewallRule -DisplayName "Chrome HTTP\S" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Allow -Direction $Direction -Protocol TCP ` - -LocalAddress Any -RemoteAddress Internet4 ` - -LocalPort Any -RemotePort 80, 443 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -Description "Hyper text transfer protocol." | Format-RuleOutput - - New-NetFirewallRule -DisplayName "Chrome FTP" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Allow -Direction $Direction -Protocol TCP ` - -LocalAddress Any -RemoteAddress Internet4 ` - -LocalPort Any -RemotePort 21 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -Description "File transfer protocol." | Format-RuleOutput - - New-NetFirewallRule -DisplayName "Chrome GCM" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Allow -Direction $Direction -Protocol TCP ` - -LocalAddress Any -RemoteAddress Internet4 ` - -LocalPort Any -RemotePort 5228 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -Description "Google cloud messaging, google services use 5228, hangouts, google play, -GCP.. etc use 5228." 
| Format-RuleOutput - - # TODO: removed port 80, probably not used - New-NetFirewallRule -DisplayName "Chrome QUIC" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Allow -Direction $Direction -Protocol UDP ` - -LocalAddress Any -RemoteAddress Internet4 ` - -LocalPort Any -RemotePort 443 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -LocalOnlyMapping $false -LooseSourceMapping $false ` - -Description "Quick UDP Internet Connections, -Experimental transport layer network protocol developed by Google and implemented in 2013." | Format-RuleOutput - - New-NetFirewallRule -DisplayName "Chrome XMPP" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Block -Direction $Direction -Protocol TCP ` - -LocalAddress Any -RemoteAddress Internet4 ` - -LocalPort Any -RemotePort 5222 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -Description "Extensible Messaging and Presence Protocol. -Google Drive (Talk), Cloud printing, Chrome Remote Desktop, Chrome Sync -(with fallback to 443 if 5222 is blocked)." | Format-RuleOutput - - New-NetFirewallRule -DisplayName "Chrome mDNS IPv4" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Block -Direction $Direction -Protocol UDP ` - -LocalAddress Any -RemoteAddress 224.0.0.251 ` - -LocalPort 5353 -RemotePort 5353 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -LocalOnlyMapping $false -LooseSourceMapping $false ` - -Description "The multicast Domain Name System (mDNS) resolves host names to IP addresses -within small networks that do not include a local name server." 
| Format-RuleOutput - - New-NetFirewallRule -DisplayName "Chrome mDNS IPv6" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Block -Direction $Direction -Protocol UDP ` - -LocalAddress Any -RemoteAddress ff02::fb ` - -LocalPort 5353 -RemotePort 5353 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -LocalOnlyMapping $false -LooseSourceMapping $false ` - -Description "The multicast Domain Name System (mDNS) resolves host names to IP addresses -within small networks that do not include a local name server." | Format-RuleOutput - - New-NetFirewallRule -DisplayName "Chrome Chromecast SSDP" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Allow -Direction $Direction -Protocol UDP ` - -LocalAddress Any -RemoteAddress 239.255.255.250 ` - -LocalPort Any -RemotePort 1900 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -LocalOnlyMapping $false -LooseSourceMapping $false ` - -Description "Network Discovery to allow use of the Simple Service Discovery Protocol." 
| - Format-RuleOutput - - New-NetFirewallRule -DisplayName "Chrome Chromecast" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Block -Direction $Direction -Protocol TCP ` - -LocalAddress Any -RemoteAddress $CHROMECAST_IP.IPAddressToString ` - -LocalPort Any -RemotePort 8008, 8009 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -Description "Allow Chromecast outbound TCP data" | Format-RuleOutput - - New-NetFirewallRule -DisplayName "Chrome Chromecast" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Block -Direction $Direction -Protocol UDP ` - -LocalAddress Any -RemoteAddress $CHROMECAST_IP.IPAddressToString ` - -LocalPort 32768-61000 -RemotePort 32768-61000 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -LocalOnlyMapping $false -LooseSourceMapping $false ` - -Description "Allow Chromecast outbound UDP data" | Format-RuleOutput - - # - # IRC: 8605 - # Pokerist: 3103-3110 - # speedtest: 5060, 8080 - # - New-NetFirewallRule -DisplayName "Chrome special sites" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False -Action Allow -Direction $Direction -Protocol TCP ` - -LocalAddress Any -RemoteAddress Internet4 ` - -LocalPort Any -RemotePort 3103-3110, 5060, 8080, 8605 ` - -LocalUser $UsersGroupSDDL ` - -InterfaceType $DefaultInterface ` - -Description "Ports needed for IRC, pokerist.com and speedtest.net" | Format-RuleOutput - } - - $Program = "$ChromeRoot\Update\GoogleUpdate.exe" - if ((Test-ExecutableFile $Program) -or $ForceLoad) - { - New-NetFirewallRule -DisplayName "Chrome Update" ` - -Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile ` - -Service Any -Program $Program -Group $Group ` - -Enabled False 
-Action Allow -Direction $Direction -Protocol TCP `
- -LocalAddress Any -RemoteAddress Internet4 `
- -LocalPort Any -RemotePort 80, 443 `
- -LocalUser $UsersGroupSDDL `
- -InterfaceType $DefaultInterface `
- -Description "Update google products" | Format-RuleOutput
- }
-}
-
 #
 # Mozilla Firefox
 #
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index b3c512dd..3bffb82a 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -36,6 +36,7 @@ Here is a list of changes for each of the releases.
 - Added rules for GooglePlay and Bluestacks
 - Updated rules for Microsoft phone app now known as Microsoft Phone Link
 - Added rule for OneDriveFile Co-Authoring Executable
+ - Updated rules for google software
 
 - Modules
 
@@ -48,6 +49,7 @@ Here is a list of changes for each of the releases.
 - `Get-SystemProgram` Improved program search
 - `Uninstall-DuplicateModule` Improved to show reason for failure and how to fix
 - `Initialize-Provider` Was failing in Windows PS on Windows 11, fixed
+ - `Invoke-Process` Fixed Write-* streams to show caller name
 
 - Scripts