Showing
11 changed files
with
270 additions
and
2 deletions.
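--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2012
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NWebsec.AzureStartupTasks", "NWebsec.AzureStartupTasks\NWebsec.AzureStartupTasks.csproj", "{2B784498-7014-4260-ACB5-2CA600FE0F51}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{2B784498-7014-4260-ACB5-2CA600FE0F51}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{2B784498-7014-4260-ACB5-2CA600FE0F51}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{2B784498-7014-4260-ACB5-2CA600FE0F51}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{2B784498-7014-4260-ACB5-2CA600FE0F51}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+EndGlobal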
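--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,19 @@
+Copyright (c) André N. Klingsheim. See https://nwebsec.codeplex.com/license for license information.
+
+The scripts included in this package are intended to be run as startup tasks in
+Windows Azure roles, and it is recommended to install them through NuGet.
+If installation through NuGet install is not an option, the scripts can be
+added to an ASP.NET project by hand. The scripts are also useful to system
+administrators managing Windows Server 2008 R2/2012 (they require PowerShell 2).
+
+*** Configuring the Azure startup tasks by hand ***
+Copy the "NWebsec.AzureStartupTasks" directory with contents to the root of
+your ASP.NET project. Make sure that the .cmd and .ps1 files have
+"Copy to output directory" set to "Copy Always" in their properties. Refer to
+the "NWebsec.AzureStartupTasks/ReadMe.txt" file for details on how to
+configure your Azure project to run the startup tasks.
+
+*** Running the scripts directly (for system administrators) ***
+If you want to run the scripts directly, use the PowerShell scripts found in
+the "NWebsec.AzureStartupTasks/scripts" folder. The .cmd scripts are specific
+to Azure, and should only be used as Azure startup tasks.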
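--- /dev/null
+++ b/NWebsec.AzureStartupTasks/NWebsec.AzureStartupTasks.csproj
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{2B784498-7014-4260-ACB5-2CA600FE0F51}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<AppDesignerFolder>Properties</AppDesignerFolder>
+<RootNamespace>NWebsec.AzureStartupTasks</RootNamespace>
+<AssemblyName>NWebsec.AzureStartupTasks</AssemblyName>
+<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<ItemGroup>
+<Content Include="content\NWebsec.AzureStartupTasks\ReadMe.txt" />
+<Content Include="Install.txt" />
+</ItemGroup>
+<ItemGroup>
+<None Include="content\NWebsec.AzureStartupTasks\TLS_hardening.cmd" />
+<None Include="content\NWebsec.AzureStartupTasks\scripts\TLS_hardening.ps1" />
+<None Include="content\NWebsec.AzureStartupTasks\Web.config" />
+<None Include="NWebsec.AzureStartupTasks.nuspec" />
+<None Include="tools\Install.ps1" />
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+<!-- To modify your build process, add your task inside one of the targets below and uncomment it.
+Other similar extension points exist, see Microsoft.Common.targets.
+<Target Name="BeforeBuild">
+</Target>
+<Target Name="AfterBuild">
+</Target>
+-->
+</Project>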
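--- /dev/null
+++ b/NWebsec.AzureStartupTasks/NWebsec.AzureStartupTasks.nuspec
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
+<metadata>
+<id>NWebsec.AzureStartupTasks</id>
+<version>1.1.2</version>
+<title>NWebsec.AzureStartupTasks</title>
+<authors>André N. Klingsheim</authors>
+<owners>André N. Klingsheim</owners>
+<licenseUrl>https://nwebsec.codeplex.com/license</licenseUrl>
+<projectUrl>https://nwebsec.codeplex.com</projectUrl>
+<iconUrl>https://klings.blob.core.windows.net/nwebsecicon/nwebsec_nuget.png</iconUrl>
+<requireLicenseAcceptance>false</requireLicenseAcceptance>
+<description>Provides a startup task to harden the TLS configuration on Azure role instances. See project website for documentation.</description>
+<releaseNotes>This release removes the AES-GCM cipher suites from TLS configuration to avoid potential issues introduced by MS14-066. See release notes at project web site for more details.</releaseNotes>
+<copyright>Copyright © 2013,2014</copyright>
+<tags>NWebsec security Asp.Net Azure</tags>
+</metadata>
+</package>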
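--- /dev/null
+++ b/NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/ReadMe.txt
@@ -0,0 +1,38 @@
+You need to add the startup tasks by hand to your ServiceDefinition.cfg.
+
+*** TLS hardening ***
+The TLS hardening script will update the relevant Schannel registry settings to
+configure enabled TLS protocol versions and cipher suites according to the
+latest recommendations on ssllabs.com. Refer to the NWebsec project website for
+documentation on which cipher suites are enabled for each version of this
+script (or have a look in the ps1 script). Changes to registry requires a
+reboot to take effect, this is handled by the script. The script is clever
+enough to only reboot after changes are made to the registry, avoiding
+unnecessary reboots of the role instances.
+
+You'll find a log file on you Azure role in:
+%TEMP%\NWebsec.AzureStartupTasksLog.txt
+
+Here's the required configuration for the ServiceDefinition.csdef file. Note
+the environment variable which prevents the script from running when the
+application is running in the Azure emulator. You probably forgot this if it
+updates your registry and reboots your machine. :)
+
+Note! The startup scripts require osFamily="2" or newer - so please check your
+ServiceConfiguration.Cloud.cscfg.
+
+Note also that the AES-GCM ciphers introduced with "Windows Server 2012 R2 Update" are available from guest OS version 4.7 (released May 2. 2014).
+
+<ServiceDefinition>
+<WebRole>
+<Startup>
+<Task commandLine="NWebsec.AzureStartupTasks\TLS_hardening.cmd" executionContext="elevated" taskType="simple">
+<Environment>
+<Variable name="NWebsecInComputeEmulator">
+<RoleInstanceValue xpath="/RoleEnvironment/Deployment/@emulated" />
+</Variable>
+</Environment>
+</Task>
+</Startup>
+</WebRole>
+</ServiceDefinition>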
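--- /dev/null
+++ b/NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/TLS_hardening.cmd
@@ -0,0 +1,9 @@
+REM Copyright (c) André N. Klingsheim. See https://nwebsec.codeplex.com/license for license information.
+
+IF "%NWebsecInComputeEmulator%" == "false" (
+pushd %~dp0
+PowerShell -ExecutionPolicy Unrestricted scripts\TLS_hardening.ps1 -AllowReboot 1 >> "%TEMP%\NWebsec.AzureStartupTasksLog.txt" 2>&1
+popd
+)
+
+EXIT /B %errorlevel%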
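Review bot: The `IF "%NWebsecInComputeEmulator%" == "false"` guard makes the task a silent no-op whenever the variable is unset or misspelled in the csdef, and nothing is written to the log in that case, so a missing `<Variable>` entry looks identical to a successful run until someone inspects the registry. Failing closed is the right default, but an `ELSE` branch such as `ECHO NWebsecInComputeEmulator is "%NWebsecInComputeEmulator%", skipping TLS hardening >> "%TEMP%\NWebsec.AzureStartupTasksLog.txt"` would surface the skip in the same log the ReadMe points operators to. The script path is also passed to PowerShell as command text rather than via `-File`, which appears to be what lets `-AllowReboot 1` bind as an integer to the `[bool]` parameter; that is subtle enough to deserve a comment on that line, since a later switch to `-File` would hand the argument over as a string.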
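--- /dev/null
+++ b/NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/Web.config
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- This web.config hides the presence of the NWebsec.AzureStartupTasks folder.-->
+<configuration>
+<system.webServer>
+<security>
+<requestFiltering>
+<hiddenSegments >
+<add segment="NWebsec.AzureStartupTasks" />
+</hiddenSegments>
+</requestFiltering>
+</security>
+</system.webServer>
+</configuration>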
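--- /dev/null
+++ b/NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/scripts/TLS_hardening.ps1
@@ -0,0 +1,83 @@
+# Copyright (c) André N. Klingsheim. See https://nwebsec.codeplex.com/license for license information.
+
+param([bool]$allowReboot = $false)
+
+Function UpdateRegistryPath($path){
+
+if(test-path $path){
+return $false
+}
+write-Host "Creating registry path: $path"
+md $path
+return $true
+}
+
+Function UpdateRegistryKey($path, $propertyName, $value, $propertyType){
+$property = Get-ItemProperty -Path $path -Name $propertyName -ErrorAction SilentlyContinue
+
+if($property){
+if($property.$propertyName -eq $value){
+return $false
+}
+Write-Host "Updating registry key $path $propertyName $value"
+Set-ItemProperty -path $path -name $propertyName -value $value
+return $true
+}
+Write-Host "Creating registry key $path $propertyName $value"
+New-ItemProperty -path $path -name $propertyName -value $value -PropertyType $propertyType
+return $true
+}
+
+$date = Get-Date
+write-output "---- NWebsec.AzureStartupTasks - TLS hardening - $date ----"
+write-output "Checking for registry keys, updating as necessary"
+write-output ""
+
+
+$preferredCipherSuites = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
+$rebootRequired = $false
+
+# Disable SSL 2.0
+write-output "**** Making sure SSL 2.0 is disabled ****"
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" "Enabled" 0 "DWord") -Or $rebootRequired
+
+# Disable SSL 3.0
+write-output "**** Making sure SSL 3.0 is disabled ****"
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" "Enabled" 0 "DWord") -Or $rebootRequired
+
+# Enable TLS 1.1
+write-output "**** Making sure TLS 1.1 is enabled ****"
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" "DisabledByDefault" 0 "DWord") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" "DisabledByDefault" 0 "DWord") -Or $rebootRequired
+
+
+# Enable TSL 1.2
+write-output "**** Making sure TLS 1.2 is enabled ****"
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" "DisabledByDefault" 0 "DWord") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" "DisabledByDefault" 0 "DWord") -Or $rebootRequired
+
+# Protocol versions done, set preferred cipher suites
+write-output "**** Making sure preferred cipher suites are set ****"
+$rebootRequired = (UpdateRegistryKey "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" "Functions" $preferredCipherSuites "String") -Or $rebootRequired
+
+if($rebootRequired){
+if($allowReboot){
+write-output "Registry was updated, rebooting..."
+write-output "---- NWebsec.AzureStartupTasks - TLS hardening Completed - $date ----"
+shutdown /r /t 0
+}else{
+write-output "Registry was updated, reboot is required for changes to take effect."
+}
+}else{
+write-output "Registry keys were ok, exiting."
+}
+write-output "---- NWebsec.AzureStartupTasks - TLS hardening Completed - $date ----"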
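Review bot: The cipher-suite write `UpdateRegistryKey "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" "Functions" $preferredCipherSuites "String"` is the only key in the script not preceded by an `UpdateRegistryPath` call; on an instance where that policy key does not already exist, `New-ItemProperty` fails with a non-terminating error, `UpdateRegistryKey` still returns `$true`, and the script reboots while reporting the order as applied. Add `$rebootRequired = (UpdateRegistryPath "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002") -Or $rebootRequired` before that line, matching the SSL 3.0 and TLS blocks. Separately, the nuspec release notes in this same commit state that the AES-GCM suites were removed, yet `$preferredCipherSuites` still lists `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384` and `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256`, so either the list or the release notes needs to change before operators can tell from the package what is enabled. Only the `\Server` subkeys of SSL 2.0 and SSL 3.0 receive `Enabled = 0`, so outbound connections from the role can still negotiate SSL 3.0; if that scope is deliberate, a header comment saying the script hardens the server side only would save the next reader from re-checking. Finally, `md $path` and `New-ItemProperty` both emit their result objects into the redirected log, so piping them to `Out-Null` would keep the log to the `write-output` lines the ReadMe describes.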
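--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,4 @@
+param($installPath, $toolsPath, $package, $project)
+$project.ProjectItems.Item("NWebsec.AzureStartupTasks").ProjectItems.Item("ReadMe.txt").Properties.Item("BuildAction").Value = 0
+$project.ProjectItems.Item("NWebsec.AzureStartupTasks").ProjectItems.Item("TLS_hardening.cmd").Properties.Item("CopyToOutputDirectory").Value = 1
+$project.ProjectItems.Item("NWebsec.AzureStartupTasks").ProjectItems.Item("scripts").ProjectItems.Item("TLS_hardening.ps1").Properties.Item("CopyToOutputDirectory").Value = 1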
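Review bot: The three property assignments use bare numeric values (`BuildAction` = 0, `CopyToOutputDirectory` = 1) whose meaning is only known to readers familiar with the Visual Studio automation enums, and the hunk carries no comment at all. A header comment such as `# BuildAction 0 = None (ReadMe.txt is not deployed); CopyToOutputDirectory 1 = Copy always (the .cmd and .ps1 must reach the output folder for the startup task)` would tie these values to the "Copy to output directory" instructions in Install.txt. Note that `Web.config` in the same content folder is not touched here and keeps whatever build action NuGet assigns by default; if the hiddenSegments protection relies on that, a one-line comment stating so would help.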
@@ -0,0 +1,11 @@ | ||
@pushd NWebsec.AzureStartupTasks | ||
|
||
@rd /s /q d:\nuget\NWebsec.AzureStartupTasks | ||
@xcopy /s /y content d:\nuget\NWebsec.AzureStartupTasks\content\ | ||
@xcopy /s /y tools d:\nuget\NWebsec.AzureStartupTasks\tools\ | ||
@xcopy /f /y *.nuspec d:\nuget\NWebsec.AzureStartupTasks\ | ||
@xcopy /f /y Install.Txt d:\nuget\NWebsec.AzureStartupTasks\ | ||
@popd | ||
|
||
@echo "Now go to d:\nuget\NWebsec.AzureStartupTasks, update nuspec version number, and publish! :)" | ||
|