Imported project to new repository

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015, NWebsec
+Copyright (c) 2013-2015, Andr� N. Klingsheim
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -11,7 +11,7 @@ modification, are permitted provided that the following conditions are met:
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
 
-* Neither the name of NWebsec.AzureStartupTasks nor the names of its
+* Neither the name of NWebsec nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.
 

NWebsec.AzureStartupTasks.sln

@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2012
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "NWebsec.AzureStartupTasks", "NWebsec.AzureStartupTasks\NWebsec.AzureStartupTasks.csproj", "{2B784498-7014-4260-ACB5-2CA600FE0F51}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{2B784498-7014-4260-ACB5-2CA600FE0F51}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{2B784498-7014-4260-ACB5-2CA600FE0F51}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{2B784498-7014-4260-ACB5-2CA600FE0F51}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{2B784498-7014-4260-ACB5-2CA600FE0F51}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

NWebsec.AzureStartupTasks/Install.txt

@@ -0,0 +1,19 @@
+Copyright (c) André N. Klingsheim. See https://nwebsec.codeplex.com/license for license information.
+
+The scripts included in this package are intended to be run as startup tasks in
+Windows Azure roles, and it is recommended to install them through NuGet.
+If installation through NuGet install is not an option, the scripts can be
+added to an ASP.NET project by hand. The scripts are also useful to system
+administrators managing Windows Server 2008 R2/2012 (they require PowerShell 2).
+
+*** Configuring the Azure startup tasks by hand *** 
+Copy the "NWebsec.AzureStartupTasks" directory with contents to the root of
+your ASP.NET project. Make sure that the .cmd and .ps1 files have
+"Copy to output directory" set to "Copy Always" in their properties. Refer to
+the "NWebsec.AzureStartupTasks/ReadMe.txt" file for details on how to
+configure your Azure project to run the startup tasks.
+
+*** Running the scripts directly (for system administrators) *** 
+If you want to run the scripts directly, use the PowerShell scripts found in
+the "NWebsec.AzureStartupTasks/scripts" folder. The .cmd scripts are specific
+to Azure, and should only be used as Azure startup tasks.

NWebsec.AzureStartupTasks/NWebsec.AzureStartupTasks.csproj

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{2B784498-7014-4260-ACB5-2CA600FE0F51}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>NWebsec.AzureStartupTasks</RootNamespace>
+    <AssemblyName>NWebsec.AzureStartupTasks</AssemblyName>
+    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <ItemGroup>
+    <Content Include="content\NWebsec.AzureStartupTasks\ReadMe.txt" />
+    <Content Include="Install.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="content\NWebsec.AzureStartupTasks\TLS_hardening.cmd" />
+    <None Include="content\NWebsec.AzureStartupTasks\scripts\TLS_hardening.ps1" />
+    <None Include="content\NWebsec.AzureStartupTasks\Web.config" />
+    <None Include="NWebsec.AzureStartupTasks.nuspec" />
+    <None Include="tools\Install.ps1" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
+       Other similar extension points exist, see Microsoft.Common.targets.
+  <Target Name="BeforeBuild">
+  </Target>
+  <Target Name="AfterBuild">
+  </Target>
+  -->
+</Project>

NWebsec.AzureStartupTasks/NWebsec.AzureStartupTasks.nuspec

@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
+  <metadata>
+    <id>NWebsec.AzureStartupTasks</id>
+    <version>1.1.2</version>
+    <title>NWebsec.AzureStartupTasks</title>
+    <authors>André N. Klingsheim</authors>
+    <owners>André N. Klingsheim</owners>
+    <licenseUrl>https://nwebsec.codeplex.com/license</licenseUrl>
+    <projectUrl>https://nwebsec.codeplex.com</projectUrl>
+    <iconUrl>https://klings.blob.core.windows.net/nwebsecicon/nwebsec_nuget.png</iconUrl>
+    <requireLicenseAcceptance>false</requireLicenseAcceptance>
+    <description>Provides a startup task to harden the TLS configuration on Azure role instances. See project website for documentation.</description>
+    <releaseNotes>This release removes the AES-GCM cipher suites from TLS configuration to avoid potential issues introduced by MS14-066. See release notes at project web site for more details.</releaseNotes>
+    <copyright>Copyright © 2013,2014</copyright>
+    <tags>NWebsec security Asp.Net Azure</tags>
+  </metadata>
+</package>

NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/ReadMe.txt

@@ -0,0 +1,38 @@
+You need to add the startup tasks by hand to your ServiceDefinition.cfg.
+
+*** TLS hardening ***
+The TLS hardening script will update the relevant Schannel registry settings to
+configure enabled TLS protocol versions and cipher suites according to the
+latest recommendations on ssllabs.com. Refer to the NWebsec project website for
+documentation on which cipher suites are enabled for each version of this
+script (or have a look in the ps1 script). Changes to registry requires a
+reboot to take effect, this is handled by the script. The script is clever
+enough to only reboot after changes are made to the registry, avoiding
+unnecessary reboots of the role instances.
+
+You'll find a log file on you Azure role in:
+%TEMP%\NWebsec.AzureStartupTasksLog.txt
+
+Here's the required configuration for the ServiceDefinition.csdef file. Note
+the environment variable which prevents the script from running when the
+application is running in the Azure emulator. You probably forgot this if it
+updates your registry and reboots your machine. :)
+
+Note! The startup scripts require osFamily="2" or newer - so please check your
+ServiceConfiguration.Cloud.cscfg.
+
+Note also that the AES-GCM ciphers introduced with "Windows Server 2012 R2 Update" are available from guest OS version 4.7 (released May 2. 2014).
+
+<ServiceDefinition>
+  <WebRole>
+    <Startup>
+      <Task commandLine="NWebsec.AzureStartupTasks\TLS_hardening.cmd" executionContext="elevated" taskType="simple">
+        <Environment>
+          <Variable name="NWebsecInComputeEmulator">
+            <RoleInstanceValue xpath="/RoleEnvironment/Deployment/@emulated" />
+          </Variable>
+        </Environment>
+      </Task>
+    </Startup>
+  </WebRole>
+</ServiceDefinition>

NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/TLS_hardening.cmd

@@ -0,0 +1,9 @@
+REM Copyright (c) André N. Klingsheim. See https://nwebsec.codeplex.com/license for license information.
+
+IF "%NWebsecInComputeEmulator%" == "false" (
+    pushd %~dp0
+    PowerShell -ExecutionPolicy Unrestricted scripts\TLS_hardening.ps1 -AllowReboot 1 >> "%TEMP%\NWebsec.AzureStartupTasksLog.txt" 2>&1
+	popd
+)
+
+EXIT /B %errorlevel%

NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/Web.config

@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- This web.config hides the presence of the NWebsec.AzureStartupTasks folder.-->
+<configuration>
+  <system.webServer>
+    <security>
+      <requestFiltering>
+        <hiddenSegments >
+          <add segment="NWebsec.AzureStartupTasks" />
+        </hiddenSegments>
+      </requestFiltering>
+    </security>
+  </system.webServer>
+</configuration>

NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/scripts/TLS_hardening.ps1

@@ -0,0 +1,83 @@
+# Copyright (c) André N. Klingsheim. See https://nwebsec.codeplex.com/license for license information.
+
+param([bool]$allowReboot = $false)
+
+Function UpdateRegistryPath($path){
+
+  if(test-path $path){
+    return $false
+  }
+  write-Host "Creating registry path: $path"
+  md $path
+  return $true
+}
+
+Function UpdateRegistryKey($path, $propertyName, $value, $propertyType){
+  $property = Get-ItemProperty -Path $path -Name $propertyName -ErrorAction SilentlyContinue
+
+  if($property){
+    if($property.$propertyName -eq $value){
+      return $false
+    }
+  Write-Host "Updating registry key $path $propertyName $value"
+    Set-ItemProperty -path $path -name $propertyName -value $value
+    return $true
+  }
+  Write-Host "Creating registry key $path $propertyName $value"
+  New-ItemProperty -path $path -name $propertyName -value $value -PropertyType $propertyType
+  return $true
+}
+
+$date = Get-Date
+write-output "---- NWebsec.AzureStartupTasks - TLS hardening - $date ----"
+write-output "Checking for registry keys, updating as necessary"
+write-output ""
+
+
+$preferredCipherSuites = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
+$rebootRequired = $false
+
+# Disable SSL 2.0
+write-output "**** Making sure SSL 2.0 is disabled ****"
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" "Enabled" 0 "DWord") -Or $rebootRequired
+
+# Disable SSL 3.0
+write-output "**** Making sure SSL 3.0 is disabled ****"
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" "Enabled" 0 "DWord") -Or $rebootRequired
+
+# Enable TLS 1.1
+write-output "**** Making sure TLS 1.1 is enabled ****"
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" "DisabledByDefault" 0 "DWord") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" "DisabledByDefault" 0 "DWord") -Or $rebootRequired
+
+
+# Enable TSL 1.2
+write-output "**** Making sure TLS 1.2 is enabled ****"
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" "DisabledByDefault" 0 "DWord") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryPath "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client") -Or $rebootRequired
+$rebootRequired = (UpdateRegistryKey "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" "DisabledByDefault" 0 "DWord") -Or $rebootRequired
+
+# Protocol versions done, set preferred cipher suites
+write-output "**** Making sure preferred cipher suites are set ****"
+$rebootRequired = (UpdateRegistryKey "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" "Functions" $preferredCipherSuites "String") -Or $rebootRequired
+
+if($rebootRequired){
+  if($allowReboot){
+    write-output "Registry was updated, rebooting..."
+    write-output "---- NWebsec.AzureStartupTasks - TLS hardening Completed - $date ----"
+    shutdown /r /t 0
+  }else{
+    write-output "Registry was updated, reboot is required for changes to take effect."
+  }
+}else{
+write-output "Registry keys were ok, exiting."
+}
+write-output "---- NWebsec.AzureStartupTasks - TLS hardening Completed - $date ----"

NWebsec.AzureStartupTasks/tools/Install.ps1

@@ -0,0 +1,4 @@
+param($installPath, $toolsPath, $package, $project)
+$project.ProjectItems.Item("NWebsec.AzureStartupTasks").ProjectItems.Item("ReadMe.txt").Properties.Item("BuildAction").Value = 0
+$project.ProjectItems.Item("NWebsec.AzureStartupTasks").ProjectItems.Item("TLS_hardening.cmd").Properties.Item("CopyToOutputDirectory").Value = 1
+$project.ProjectItems.Item("NWebsec.AzureStartupTasks").ProjectItems.Item("scripts").ProjectItems.Item("TLS_hardening.ps1").Properties.Item("CopyToOutputDirectory").Value = 1

createnugetpackage.bat

@@ -0,0 +1,11 @@
+@pushd NWebsec.AzureStartupTasks
+
+@rd /s /q d:\nuget\NWebsec.AzureStartupTasks
+@xcopy /s /y content d:\nuget\NWebsec.AzureStartupTasks\content\
+@xcopy /s /y tools d:\nuget\NWebsec.AzureStartupTasks\tools\
+@xcopy /f /y *.nuspec d:\nuget\NWebsec.AzureStartupTasks\
+@xcopy /f /y Install.Txt d:\nuget\NWebsec.AzureStartupTasks\
+@popd
+
+@echo "Now go to d:\nuget\NWebsec.AzureStartupTasks, update nuspec version number, and publish! :)"
+