Expand Up @@ -34,25 +34,36 @@ function Invoke-AnalyzerSecurityExtendedProtectionConfigState {
# Fix: Install Aug 2022 SU & enable extended protection
# Extended protection is available with IIS 7.5 or higher
Write-Verbose "Testing CVE: CVE-2022-24516, CVE-2022-21979, CVE-2022-21980, CVE-2022-24477, CVE-2022-30134"
if (($extendedProtection.ExtendedProtectionConfiguration.SupportedExtendedProtection.Contains($false)) -or
if (($extendedProtection.ExtendedProtectionConfiguration.ProperlySecuredConfiguration.Contains($false)) -or
($extendedProtection.SupportedVersionForExtendedProtection -eq $false)) {
Write-Verbose "At least one vDir is not configured properly and so, the system may be at risk"
if (($extendedProtection.ExtendedProtectionConfiguration.SupportedExtendedProtection.Contains($false)) -and
($extendedProtection.SupportedVersionForExtendedProtection -eq $false)) {
# This combination means that EP is configured for at least one vDir, but the Exchange build doesn't support it.
# Such a combination can break several things like mailbox access, EMS... .
# Recommended action: Disable EP, upgrade to a supported build (Aug 2022 SU+) and enable afterwards.
$epDetails = "Extended Protection is configured, but not supported on this Exchange Server build."
$epDetails = "Extended Protection is configured, but not supported on this Exchange Server build"
} elseif ((-not($extendedProtection.ExtendedProtectionConfiguration.SupportedExtendedProtection.Contains($false))) -and
($extendedProtection.SupportedVersionForExtendedProtection -eq $false)) {
# This combination means that EP is not configured and the Exchange build doesn't support it.
# Recommended action: Upgrade to a supported build (Aug 2022 SU+) and enable EP afterwards.
$epDetails = "Your Exchange server is at risk. Install the latest SU and enable Extended Protection."
$epDetails = "Your Exchange server is at risk. Install the latest SU and enable Extended Protection"
} else {
if ($extendedProtection.ExtendedProtectionConfiguration | Where-Object {
(($_.MitigationEnabled) -and
($_.ProperlySecuredConfiguration -eq $false))
}) {
# This means that EP is supported and configured. On at least 1 vDir is IP filtering configured to mitigate known issues with Extended Protection.
# We've detected that EP was not set to "None" on the vDir for which the IP filtering was turned on. This can cause issues.
# Recommended action: Set EP to "None" on the vDir where IP filtering is enabled and was configured.
$epDetails = "Extended Protection should be set to 'None' on the vDir where IP filtering is enabled`n`t`t"
}

# This means that EP is supported but not configured for at least one vDir.
# Recommended action: Enable EP for each vDir on the system by using the script provided by us.
$epDetails = "Extended Protection should be configured."
$epDetails += "Extended Protection isn't configured as expected"
}

$epCveParams = $baseParams + @{
Name = "Security Vulnerability"
Details = "CVE-2022-24516, CVE-2022-21979, CVE-2022-21980, CVE-2022-24477, CVE-2022-30134"
Expand All @@ -61,24 +72,41 @@ function Invoke-AnalyzerSecurityExtendedProtectionConfigState {
$epBasicParams = $baseParams + @{
DisplayWriteType = "Red"
DisplayCustomTabNumber = 2
Details = "$epDetails Current config:"
Details = "$epDetails"
}
Add-AnalyzedResultInformation @epCveParams
Add-AnalyzedResultInformation @epBasicParams

$epOutputObjectDisplayValue = New-Object 'System.Collections.Generic.List[object]'
$epFrontEndOutputObjectDisplayValue = New-Object 'System.Collections.Generic.List[object]'
$epBackEndOutputObjectDisplayValue = New-Object 'System.Collections.Generic.List[object]'
$mitigationOutputObjectDisplayValue = New-Object 'System.Collections.Generic.List[object]'

foreach ($entry in $extendedProtection.ExtendedProtectionConfiguration) {
$vDirArray = $entry.VirtualDirectoryName.Split("/", 2)
$ssl = $entry.Configuration.SslSettings

$epOutputObjectDisplayValue.Add(([PSCustomObject]@{
VirtualDirectory = $entry.VirtualDirectoryName
$listToAdd = $epFrontEndOutputObjectDisplayValue
if ($vDirArray[0] -eq "Exchange Back End") {
$listToAdd = $epBackEndOutputObjectDisplayValue
}

$listToAdd.Add(([PSCustomObject]@{
$vDirArray[0] = $vDirArray[1]
Value = $entry.ExtendedProtection
SupportedValue = $entry.ExpectedExtendedConfiguration
ConfigSupported = $entry.SupportedExtendedProtection
SupportedValue = if ($entry.MitigationEnabled) { "None" } else { $entry.ExpectedExtendedConfiguration }
ConfigSupported = $entry.ProperlySecuredConfiguration
RequireSSL = "$($ssl.RequireSSL) $(if($ssl.Ssl128Bit) { "(128-bit)" })".Trim()
ClientCertificate = $ssl.ClientCertificate
IPFilterEnabled = $entry.MitigationEnabled
})
)

if ($entry.MitigationEnabled) {
$mitigationOutputObjectDisplayValue.Add([PSCustomObject]@{
VirtualDirectory = $entry.VirtualDirectoryName
Details = $entry.Configuration.MitigationSettings.Restrictions
})
}
}

$epConfig = {
Expand All @@ -89,23 +117,51 @@ function Invoke-AnalyzerSecurityExtendedProtectionConfigState {
} else {
"Green"
}
} elseif ($p -eq "IPFilterEnabled") {
if ($o.$p -eq $true) {
"Green"
}
}
}

$epParams = $baseParams + @{
$epFrontEndParams = $baseParams + @{
Name = "Security Vulnerability"
OutColumns = ([PSCustomObject]@{
DisplayObject = $epFrontEndOutputObjectDisplayValue
ColorizerFunctions = @($epConfig)
IndentSpaces = 8
})
DisplayTestingValue = "CVE-2022-24516, CVE-2022-21979, CVE-2022-21980, CVE-2022-24477, CVE-2022-30134"
}

$epBackEndParams = $baseParams + @{
Name = "Security Vulnerability"
OutColumns = ([PSCustomObject]@{
DisplayObject = $epOutputObjectDisplayValue
DisplayObject = $epBackEndOutputObjectDisplayValue
ColorizerFunctions = @($epConfig)
IndentSpaces = 8
})
DisplayTestingValue = "CVE-2022-24516, CVE-2022-21979, CVE-2022-21980, CVE-2022-24477, CVE-2022-30134"
}
Add-AnalyzedResultInformation @epParams

Add-AnalyzedResultInformation @epFrontEndParams
Add-AnalyzedResultInformation @epBackEndParams
if ($mitigationOutputObjectDisplayValue.Count -ge 1) {
foreach ($mitigation in $mitigationOutputObjectDisplayValue) {
$epMitigationvDir = $baseParams + @{
Details = "$($mitigation.Details.Count) IPs in filter list on vDir: '$($mitigation.VirtualDirectory)'"
DisplayWriteType = "Yellow"
}
Add-AnalyzedResultInformation @epMitigationvDir
$mitigationOutputObjectDisplayValue.Details.GetEnumerator() | ForEach-Object {
Write-Verbose "IP Address: $($_.key) is allowed to connect? $($_.value)"
}
}
}

$moreInformationParams = $baseParams + @{
DisplayWriteType = "Red"
Details = "For more information about Extended Protection and how to configure, please read this article: https://aka.ms/HC-ExchangeEPDoc"
Details = "For more information about Extended Protection and how to configure, please read this article:`n`thttps://aka.ms/HC-ExchangeEPDoc"
}
Add-AnalyzedResultInformation @moreInformationParams
} else {
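Review bot: The verbose loop at the end of the mitigation block enumerates the whole list's Details for every entry, so with more than one IP-filtered vDir each address is logged once per vDir; inside `foreach ($mitigation in $mitigationOutputObjectDisplayValue)` that line should read `$mitigation.Details.GetEnumerator() | ForEach-Object {`. The `-ge 1` guard around that foreach is redundant, since iterating an empty list does nothing. Separately, in the per-vDir output object `$vDirArray[0] = $vDirArray[1]` yields a `$null` value whenever VirtualDirectoryName contains no `/` (Split with a count of 2 then returns a single element), so a comment stating that the producer guarantees the "Site/vDir" form, if it does, would help the next reader. Invoke-AnalyzerSecurityExtendedProtectionConfigState starts before and ends after this hunk.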
Expand Up @@ -135,7 +135,7 @@ Describe "Testing Health Checker by Mock Data Imports - Exchange 2016" {
$downlaodDomains = GetObject "CVE-2021-1730"
$downlaodDomains.DownloadDomainsEnabled | Should -Be "false"

$Script:ActiveGrouping.Count | Should -Be 20
$Script:ActiveGrouping.Count | Should -Be 21
}
}

Expand Up @@ -110,13 +110,15 @@ function Get-ExtendedProtectionConfiguration {
try {
$nodePath = [string]::Empty
$extendedProtection = "None"
$ipRestictionsHashTable = @{}
$pathIndex = [array]::IndexOf(($Xml.configuration.location.path).ToLower(), $Path.ToLower())
$rootIndex = [array]::IndexOf(($Xml.configuration.location.path).ToLower(), ($Path.Split("/")[0]).ToLower())

if ($pathIndex -ne -1) {
$configNode = $Xml.configuration.location[$pathIndex]
$nodePath = $configNode.Path
$ep = $configNode.'system.webServer'.security.authentication.windowsAuthentication.extendedProtection.tokenChecking
$ipRestrictions = $configNode.'system.webServer'.security.ipSecurity

if (-not ([string]::IsNullOrEmpty($ep))) {
Write-Verbose "Found tokenChecking: $ep"
Expand All @@ -137,6 +139,13 @@ function Get-ExtendedProtectionConfiguration {
}
}

if (-not([string]::IsNullOrEmpty($ipRestrictions))) {
Write-Verbose "IP-filtered restrictions detected"
foreach ($restriction in $ipRestrictions.add) {
$ipRestictionsHashTable.Add($restriction.ipAddress, $restriction.allowed)
}
}

Write-Verbose "SSLSettings: $sslSettings"

if ($null -ne $sslSettings) {
Expand Down Expand Up @@ -181,6 +190,10 @@ function Get-ExtendedProtectionConfiguration {
ClientCertificate = $clientCertificate
Value = $sslSettings
}
MitigationSettings = [PScustomObject]@{
AllowUnlisted = $ipRestrictions.allowUnlisted
Restrictions = $ipRestictionsHashTable
}
}
}
}
Expand Down Expand Up @@ -323,6 +336,11 @@ function Get-ExtendedProtectionConfiguration {
ExtendedProtection = $extendedConfiguration.ExtendedProtection
SupportedExtendedProtection = $expectedExtendedConfiguration -eq $extendedConfiguration.ExtendedProtection
ExpectedExtendedConfiguration = $expectedExtendedConfiguration
MitigationEnabled = ($extendedConfiguration.MitigationSettings.AllowUnlisted -eq $false)
ProperlySecuredConfiguration = ((($extendedConfiguration.MitigationSettings.AllowUnlisted -eq $false) -and
($extendedConfiguration.ExtendedProtection -eq "None")) -or
(($extendedConfiguration.MitigationSettings.AllowUnlisted -ne $false) -and
($expectedExtendedConfiguration -eq $extendedConfiguration.ExtendedProtection)))
ExpectedSslFlags = $matchEntry.SslFlags
SslFlagsSetCorrectly = $sslFlagsToSet.Split(",").Count -eq $currentSetFlags.Count
SslFlagsToSet = $sslFlagsToSet
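Review bot: In the second hunk, `$ipRestictionsHashTable.Add($restriction.ipAddress, $restriction.allowed)` throws on a repeated ipAddress key, and keying on ipAddress alone drops any subnet mask the entry carries, so two `<add>` elements that differ only by mask would collide and abort the enclosing try block instead of being recorded; keying on both attributes, or using the indexer `$ipRestictionsHashTable[$restriction.ipAddress] = $restriction.allowed` with a comment stating that the last entry wins, avoids the exception. The `[string]::IsNullOrEmpty($ipRestrictions)` test relies on string conversion of what appears to be an XmlElement rather than a string; `if ($null -ne $ipRestrictions) {` states the intent directly. In the last hunk, MitigationEnabled compares the raw allowUnlisted attribute to `$false`, which only holds through string coercion of the boolean and is worth a comment such as `# allowUnlisted is the attribute text; "false" -eq $false holds via string conversion`. Get-ExtendedProtectionConfiguration starts before and ends after these hunks.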