diff --git a/Security/src/EOMT.ps1 b/Security/src/EOMT.ps1 index 61c173a9ef..1af9119b3d 100644 --- a/Security/src/EOMT.ps1 +++ b/Security/src/EOMT.ps1 @@ -4,6 +4,7 @@ CVE-2021-26855 For more information on each mitigation please visit https://aka.ms/exchangevulns + Use of the Exchange On-premises Mitigation Tool and the Microsoft Saftey Scanner are subject to the terms of the Microsoft Privacy Statement: https://aka.ms/privacy .DESCRIPTION This script has three operations it performs: @@ -46,6 +47,7 @@ https://aka.ms/exchangevulns https://www.iis.net/downloads/microsoft/url-rewrite https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download + https://aka.ms/privacy #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '', Justification = 'Invalid rule result')] [Cmdletbinding()] diff --git a/Security/src/ExchangeMitigations.ps1 b/Security/src/ExchangeMitigations.ps1 index d2ef6bd1af..ea7b3bf48f 100644 --- a/Security/src/ExchangeMitigations.ps1 +++ b/Security/src/ExchangeMitigations.ps1 @@ -60,6 +60,9 @@ .PARAMETER operationTimeOutDuration operationTimeOutDuration is the max duration (in seconds) we wait for each mitigation/rollback before timing it out and throwing. + .PARAMETER AutoDownloadURLRewrite + If set will automatically download/install the IIS URL Rewrite Module. + .PARAMETER Verbose The Verbose switch can be used to view the changes that occurs during script execution. @@ -68,6 +71,11 @@ To apply all mitigations and install the IIS URL Rewrite Module. + .EXAMPLE + PS C:\> ExchangeMitigations.ps1 -AutoDownloadURLRewrite -WebSiteNames "Default Web Site" -ApplyAllMitigations -Verbose + + To apply all mitigations, download, and install the IIS URL Rewrite Module. + .EXAMPLE PS C:\> ExchangeMitigations.ps1 -WebSiteNames "Default Web Site" -ApplyAllMitigation -Verbose @@ -110,7 +118,8 @@ param( [switch]$RollbackOABAppPoolMitigation, [int]$operationTimeOutDuration = 120, [ValidateNotNullOrEmpty()][string[]]$WebSiteNames = $(throw "WebSiteNames is mandatory, please provide valid value."), - [System.IO.FileInfo]$FullPathToMSI + [System.IO.FileInfo]$FullPathToMSI, + [switch]$AutoDownloadURLRewrite ) function GetMsiProductVersion { @@ -188,6 +197,85 @@ function Get-InstalledSoftwareVersion { Write-Error -Message "Error: $($_.Exception.Message) - Line Number: $($_.InvocationInfo.ScriptLineNumber)" } } +function GetURLRewriteLink { + $DownloadLinks = @{ + "v2.1" = @{ + "x86" = @{ + "de-DE" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_de-DE.msi" + "en-US" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_en-US.msi" + "es-ES" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_es-ES.msi" + "fr-FR" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_fr-FR.msi" + "it-IT" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_it-IT.msi" + "ja-JP" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_ja-JP.msi" + "ko-KR" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_ko-KR.msi" + "ru-RU" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_ru-RU.msi" + "zh-CN" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_zh-CN.msi" + "zh-TW" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_zh-TW.msi" + } + + "x64" = @{ + "de-DE" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_de-DE.msi" + "en-US" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi" + "es-ES" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_es-ES.msi" + "fr-FR" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_fr-FR.msi" + "it-IT" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_it-IT.msi" + "ja-JP" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_ja-JP.msi" + "ko-KR" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_ko-KR.msi" + "ru-RU" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_ru-RU.msi" + "zh-CN" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_zh-CN.msi" + "zh-TW" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_zh-TW.msi" + } + } + "v2.0" = @{ + "x86" = @{ + "de-DE" = "https://download.microsoft.com/download/0/5/0/05045383-D280-4DC6-AE8C-81764118B0F9/rewrite_x86_de-DE.msi" + "en-US" = "https://download.microsoft.com/download/6/9/C/69C1195A-123E-4BE8-8EDF-371CDCA4EC6C/rewrite_2.0_rtw_x86.msi" + "es-ES" = "https://download.microsoft.com/download/1/D/9/1D9464B8-9F3B-4A86-97F2-AEC2AB48F481/rewrite_x86_es-ES.msi" + "fr-FR" = "https://download.microsoft.com/download/1/2/9/129A2686-9654-4B2A-82ED-FC7BCE2BCE93/rewrite_x86_fr-FR.msi" + "it-IT" = "https://download.microsoft.com/download/2/4/A/24AE553F-CA8F-43B3-ACF8-DAC526FC84F2/rewrite_x86_it-IT.msi" + "ja-JP" = "https://download.microsoft.com/download/A/6/9/A69D23A5-7CE3-4F80-B5AE-CF6478A5DE19/rewrite_x86_ja-JP.msi" + "ko-KR" = "https://download.microsoft.com/download/2/6/F/26FCA84A-48BC-4AEE-BD6A-B28ED595832E/rewrite_x86_ko-KR.msi" + "ru-RU" = "https://download.microsoft.com/download/B/1/F/B1FDE19F-B4F9-4EBF-9E50-5C9CDF0302D2/rewrite_x86_ru-RU.msi" + "zh-CN" = "https://download.microsoft.com/download/4/9/C/49CD28DB-4AA6-4A51-9437-AA001221F606/rewrite_x86_zh-CN.msi" + "zh-TW" = "https://download.microsoft.com/download/1/9/4/1947187A-8D73-4C3E-B62C-DC6C7E1B353C/rewrite_x86_zh-TW.msi" + } + "x64" = @{ + "de-DE" = "https://download.microsoft.com/download/3/1/C/31CE0BF6-31D7-415D-A70A-46A430DE731F/rewrite_x64_de-DE.msi" + "en-US" = "https://download.microsoft.com/download/6/7/D/67D80164-7DD0-48AF-86E3-DE7A182D6815/rewrite_2.0_rtw_x64.msi" + "es-ES" = "https://download.microsoft.com/download/9/5/5/955337F6-5A11-417E-A95A-E45EE8C7E7AC/rewrite_x64_es-ES.msi" + "fr-FR" = "https://download.microsoft.com/download/3/D/3/3D359CD6-147B-42E9-BD5B-407D3A1F0B97/rewrite_x64_fr-FR.msi" + "it-IT" = "https://download.microsoft.com/download/6/8/B/68B8EFA8-9404-45A3-A51B-53D940D5E742/rewrite_x64_it-IT.msi" + "ja-JP" = "https://download.microsoft.com/download/3/7/5/375C965C-9D98-438A-8F11-7F417D071DC9/rewrite_x64_ja-JP.msi" + "ko-KR" = "https://download.microsoft.com/download/2/A/7/2A746C73-467A-4BC6-B5CF-C4E88BB40406/rewrite_x64_ko-KR.msi" + "ru-RU" = "https://download.microsoft.com/download/7/4/E/74E569F7-44B9-4D3F-BCA7-87C5FE36BD62/rewrite_x64_ru-RU.msi" + "zh-CN" = "https://download.microsoft.com/download/4/E/7/4E7ECE9A-DF55-4F90-A354-B497072BDE0A/rewrite_x64_zh-CN.msi" + "zh-TW" = "https://download.microsoft.com/download/8/2/C/82CE350D-2068-4DAC-99D5-AEB2241DB545/rewrite_x64_zh-TW.msi" + } + } + } + + $IISVersion = Get-ItemProperty HKLM:\SOFTWARE\Microsoft\InetStp\ | Select-Object versionstring + + if ($IISVersion.VersionString -like "* 10.*") { + $Version = "v2.1" + } else { + $Version = "v2.0" + } + + if ([Environment]::Is64BitOperatingSystem) { + $Architecture = "x64" + } else { + $Architecture = "x86" + } + + if ((Get-Culture).Name -in @("de-DE", "en-US", "es-ES", "fr-FR", "it-IT", "ja-JP", "ko-KR", "ru-RU", "zn-CN", "zn-TW")) { + $Language = (Get-Culture).Name + } else { + $Language = "en-US" + } + + return $DownloadLinks[$Version][$Architecture][$Language] +} Function BackendCookieMitigation { [CmdLetBinding()] param( @@ -209,10 +297,10 @@ Function BackendCookieMitigation { $filter2 = "{0}/rule[@name='{1}']" -f $root, $name2 if (!$RollbackMitigation) { - Write-Verbose "[INFO] Starting mitigation process on $env:computername" + Write-Verbose "[INFO] Starting mitigation process on $env:computername" -Verbose #Check if IIS URL Rewrite Module 2 is installed - Write-Verbose "[INFO] Checking for IIS URL Rewrite Module 2 on $env:computername" + Write-Verbose "[INFO] Checking for IIS URL Rewrite Module 2 on $env:computername" -Verbose #If IIS 10 check for URL rewrite 2.1 else URL rewrite 2.0 $RewriteModule = Get-InstalledSoftwareVersion -Name "*IIS*", "*URL*", "*2*" @@ -234,6 +322,27 @@ Function BackendCookieMitigation { Write-Verbose "[INFO] IIS URL Rewrite Module 2 already installed on $env:computername" -Verbose } else { + #IfAutoDownloadURLRewrite + if ($AutoDownloadURLRewrite) { + Write-Verbose -Message "ExchangeMitigations.ps1 will now attempt to download and install the IIS URL Rewrite Module on $env:computername" -Verbose + try { + # Force TLS1.2 to make sure we can download from HTTPS + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + $ProgressPreference = "SilentlyContinue" + $DownloadDir = Join-Path $env:TEMP "IISUrlRewrite" + $DownloadLink = GetURLRewriteLink + $FullPathToMSI = Join-Path $DownloadDir "\$($DownloadLink.Split("/")[-1])" + if (!(Test-Path $DownloadDir)) { + New-Item -ItemType Directory $DownloadDir | Out-Null + } + Write-Verbose -Message "Downloading IIS URLRewrite MSI here: $FullPathToMSI" -Verbose + $response = Invoke-WebRequest $DownloadLink -UseBasicParsing + [IO.File]::WriteAllBytes($FullPathToMSI, $response.Content) + } catch { + throw $_ + } + } + if ($FullPathToMSI) { $MSIProductVersion = GetMsiProductVersion -filename $FullPathToMSI @@ -576,7 +685,6 @@ if ($PSVersionTable.PSVersion.Major -lt 3) { throw "PowerShell does not meet the minimum requirements, system must have PowerShell 3 or later" } - Import-Module WebAdministration if ($ApplyAllMitigations -or $ApplyBackendCookieMitigation) { if ($FullPathToMSI) {