Merge branch 'main' into dpaul-setup

.build/Build.ps1

@@ -32,12 +32,6 @@ $scriptFiles = Get-ChildItem -Path $repoRoot -Directory |
     Sort-Object Name |
     ForEach-Object { $_.FullName }
 
-$otherFiles = Get-ChildItem -Path $repoRoot -Directory |
-    Where-Object { $_.Name -ne ".build" } |
-    ForEach-Object { Get-ChildItem -Path $_.FullName *.nse -Recurse } |
-    Sort-Object Name |
-    ForEach-Object { $_.FullName }
-
 $nonUnique = @($scriptFiles | ForEach-Object { [IO.Path]::GetFileName($_) } | Group-Object | Where-Object { $_.Count -gt 1 })
 if ($nonUnique.Count -gt 0) {
     $nonUnique | ForEach-Object {
@@ -137,6 +131,21 @@ $scriptFiles | ForEach-Object {
     Set-Content -Path ([IO.Path]::Combine($distFolder, [IO.Path]::GetFileName($_))) -Value $scriptContent
 }
 
+$csvHashFiles = Get-ChildItem -Path "$repoRoot\Security\Baselines" -Filter *.csv
+
+$csvHashFiles | ForEach-Object {
+    $zipFilePath = "$distFolder\$($_.BaseName).zip"
+    Compress-Archive -Path $_.FullName -DestinationPath $zipFilePath
+    $hash = Get-Item $zipFilePath | Get-FileHash
+    $hash.Hash | Out-File "$distFolder\$($_.BaseName).checksum.txt"
+}
+
+$otherFiles = Get-ChildItem -Path $repoRoot -Directory |
+    Where-Object { $_.Name -ne ".build" } |
+    ForEach-Object { Get-ChildItem -Path $_.FullName *.nse -Recurse } |
+    Sort-Object Name |
+    ForEach-Object { $_.FullName }
+
 $otherFiles | ForEach-Object {
     Copy-Item $_ $distFolder
 }

.build/CodeFormatter.ps1

@@ -1,11 +1,13 @@
 [CmdletBinding()]
 param(
+    [Switch]
+    $Save
 )
 
 $repoRoot = Get-Item "$PSScriptRoot\.."
 
 $scriptFiles = Get-ChildItem -Path $repoRoot -Directory | Where-Object { $_.Name -ne ".build" -and
-    $_.Name -ne "dist"} | ForEach-Object { Get-ChildItem -Path $_.FullName *.ps1 -Recurse } | ForEach-Object { $_.FullName }
+    $_.Name -ne "dist" } | ForEach-Object { Get-ChildItem -Path $_.FullName -Include "*.ps1", "*.psm1" -Recurse } | ForEach-Object { $_.FullName }
 $filesFailed = $false
 
 foreach ($file in $scriptFiles) {
@@ -21,6 +23,11 @@ foreach ($file in $scriptFiles) {
         if ($scriptFormatter.StringContent -cne $scriptFormatter.FormattedScript) {
             Write-Host ("Failed to follow the same format defined in the repro")
             git diff ($($scriptFormatter.StringContent) | git hash-object -w --stdin) ($($scriptFormatter.FormattedScript) | git hash-object -w --stdin)
+
+            if ($Save) {
+                Set-Content -Path $file -Value $scriptFormatter.FormattedScript -Encoding utf8BOM
+                Write-Host "Saved $file with formatting corrections."
+            }
         }
 
         if ($null -ne $scriptFormatter.AnalyzedResults) {

Security/BackendCookieMitigation.ps1

@@ -1,30 +1,44 @@
 <#
-    BackendCookieMitigation.ps1
+    .SYNOPSIS
+        This script contains a mitigation for CVE-2021-26855
+        For more information please https://aka.ms/exchangevulns
 
-    Description:
-        This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild.
+	.DESCRIPTION
+		This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in cve2021-26855.
         This will help with defense against the known patterns observed but not the SSRF as a whole.
 
-    Note:
-        The IIS ReWrite rules will be removed after Exchange is upgraded and the mitigation will need to be reapplied.
+        For this script to work you must have the IIS URL Rewrite Module installed which can be done via this script using the -FullPathToMSI parameter.
+        To obtain the IIS URL Rewrite Module visit the Official Microsoft IIS Site (https://www.iis.net/downloads/microsoft/url-rewrite), download the necessary MSI based off your systems info (x86 or x64), and save to each server locally along with this script.
 
-    Impact:
-        No known impact to Exchange functionality, however, limited testing has been performed
+        Script requires PowerShell 3.0 and later and must be executed from an elevated PowerShell Session.
 
-    Requirements:
-        URL Rewrite : The Official Microsoft IIS Site MSI (https://www.iis.net/downloads/microsoft/url-rewrite)
+	.PARAMETER FullPathToMSI
+        This is string parameter is used to specify path of MSI file of URL Rewrite Module.
 
+    .PARAMETER WebSiteNames
+        This is string array parameter is used to specify name of the Default Web Site in IIS.
 
-    Examples:
+    .PARAMETER RollbackMitigation
+        This is a switch parameter is used to roll back the Backend Cookie Mitigation
 
-    To apply with MSI install via PowerShell:
-        .\BackendCookieMitigation.ps1 -FullPathToMSI “<FullPathToMSI>" -WebSiteNames "Default Web Site" -Verbose
+	.EXAMPLE
+		PS C:\> BackendCookieMitigation.ps1 -FullPathToMSI "C:\temp\rewrite_amd64_en-US.msi" -WebSiteNames "Default Web Site" -Verbose
 
-    To apply without MSI install via PowerShell:
-        .\BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -Verbose
+		To apply with MSI install of the URL Rewrite module - Note: version may vary depending on system info
 
-    To rollback:
-        .\BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -RollbackMitigation -Verbose
+	.EXAMPLE
+		PS C:\> BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -Verbose
+
+		To apply without MSI install
+
+    .EXAMPLE
+        PS C:\> BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -RollbackMitigation -Verbose
+
+        To rollback - Note: This does not remove the IIS Rewrite module, only the rules.
+
+    .LINK
+        https://aka.ms/exchangevulns
+        https://www.iis.net/downloads/microsoft/url-rewrite
 #>
 
 [CmdLetBinding()]
@@ -34,6 +48,16 @@ param(
     [string[]]$WebSiteNames,
     [switch]$RollbackMitigation
 )
+$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
+if (!$currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+    throw "Script must be executed as administrator, please close and re-run Exchange Mangement Shell as administrator"
+    return
+}
+if ($PSVersionTable.PSVersion.Major -lt 3) {
+    throw "PowerShell does not meet the minimum requirements, system must have PowerShell 3 or later"
+}
+
+Import-Module WebAdministration
 
 #Configure Rewrite Rule consts
 $HttpCookieInput = '{HTTP_COOKIE}'
@@ -53,7 +77,7 @@ if (!$RollbackMitigation) {
     Write-Verbose "[INFO] Checking for IIS URL Rewrite Module 2 on $env:computername"
     $IISRewriteQuery = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BCA2118-F753-4A1E-BCF3-5A820729965C}' -ErrorAction SilentlyContinue).DisplayName
 
-    $RewriteModuleInstallLog = ($FullPathToMSI.Directory.FullName + '\' + 'RewriteModuleInstallLog.log')
+    $RewriteModuleInstallLog = ($PSScriptRoot + '\' + 'RewriteModuleInstallLog.log')
 
     #Install module
     if ($null -ne $IISRewriteQuery) {
@@ -83,6 +107,15 @@ if (!$RollbackMitigation) {
         $site = "IIS:\Sites\$($website)"
 
         try {
+            if ((Get-WebConfiguration -Filter $filter -PSPath $site).name -eq $name) {
+                Clear-WebConfiguration -Filter $filter -PSPath $site
+            }
+
+            if ((Get-WebConfiguration -Filter $filter2 -PSPath $site).name -eq $name2) {
+                Clear-WebConfiguration -Filter $filter2 -PSPath $site
+            }
+
+
             Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name; patterSyntax = 'Regular Expressions'; stopProcessing = 'False' }
             Set-WebConfigurationProperty -PSPath $site -filter "$filter/match" -name 'url' -value $inbound
             Set-WebConfigurationProperty -PSPath $site -filter "$filter/conditions" -name '.' -value @{input = $HttpCookieInput; matchType = '0'; pattern = $pattern; ignoreCase = 'True'; negate = 'False' }

Security/Defender-MSERT-Guidance.md

@@ -0,0 +1,21 @@
+### Microsoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server
+
+Microsoft Defender has included security intelligence updates to the latest version of the  [Microsoft Safety Scanner](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download)  (MSERT.EXE) to detect and remediate the latest threats known to abuse the  [Exchange Server vulnerabilities](https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/)  disclosed on March 2, 2021. Administrators can use this tool for servers not protected by Microsoft Defender for Endpoint or where exclusions are configured for the recommended folders below.
+
+To use the Microsoft Support Emergency Response Tool (MSERT) to scan the Microsoft Exchange Server locations for known indicators from adversaries:
+
+1.  Download MSERT from [Microsoft Safety Scanner Download – Windows security.](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download)  **Note:**  In case you need to troubleshoot it, see [How to troubleshoot an error when you run the Microsoft Safety Scanner](https://support.microsoft.com/en-us/topic/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner-6cd5faa1-f7b4-afd2-85c7-9bed02860f1c).
+2.  Read and accept the  **End user license agreement**, then click  **Next**.
+3.  Read the  **Microsoft Safety Scanner Privacy Statement**, then click  **Next**.
+4.  Select whether you want to do full scan, or customized scan.
+
+-   **Full scan**  – The most effective way to thoroughly scan every file on the device. It is the most effective option although it might take a long time to complete depending on the directory size of your server.
+-   **Customized scan**  – This can be configured to scan the following file paths where malicious files from the threat actor have been observed:  
+
+_%IIS installation path%\aspnet_client\*_  
+_%IIS installation path%\aspnet_client\system_web\*_  
+_%Exchange Server installation path%\FrontEnd\HttpProxy\owa\auth\*_  
+_%Exchange Server Installation%\FrontEnd\HttpProxy\ecp\auth\*_  
+_Configured temporary ASP.NET files path_  
+
+These remediation steps are effective against known attack patterns but are  **not guaranteed as complete mitigation for all possible exploitation**  of these vulnerabilities. Microsoft Defender will continue to monitor and provide the latest security updates.

Security/README.md

@@ -1,40 +1,57 @@
 # Security scripts
 
-## BackendCookieMitigation.ps1
+## Test-ProxyLogon.ps1
 
-This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild.
-This will help with defense against the known patterns observed but not the SSRF as a whole. For more information, see the comments at the top of the script.
+Formerly known as Test-Hafnium, this script automates all four of the commands found in the [Hafnium blog post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/). It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.
 
 Download the latest release here:
 
-[Download BackendCookieMitigation.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/BackendCookieMitigation.ps1)
+[Download Test-ProxyLogon.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1)
 
-## http-vuln-cve2021-26855.nse
+The most typical usage of this script is to check all Exchange servers and save the output,
+by using the following syntax from Exchange Management Shell:
 
-This file is for use with nmap. It detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855).
-For usage information, please read the top of the file.
+`Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs`
 
-Download the latest release here:
+To check the local server only, just run the script:
 
-[Download http-vuln-cve2021-26855.nse](https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse)
+`.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs`
 
-## Test-ProxyLogon.ps1
+To display the results without saving them, pass -DisplayOnly:
+
+`.\Test-ProxyLogon.ps1 -DisplayOnly`
+
+## BackendCookieMitigation.ps1
 
-Formerly known as Test-Hafnium, this script automates all four of the commands found in the [Hafnium blog post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/). It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster. Download the latest release here:
+This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in cve2021-26855.
+This will help with defense against the known patterns observed but not the SSRF as a whole. For more information please visit https://aka.ms/exchangevulns.
+
+For this script to work you must have the IIS URL Rewrite Module installed which can be done via this script using the -FullPathToMSI parameter. 
+To obtain the IIS URL Rewrite Module visit the Official Microsoft IIS Site (https://www.iis.net/downloads/microsoft/url-rewrite), download the necessary MSI based off your systems info (x86 or x64), and save to each server locally along with this script.
+
+Script requires PowerShell 3.0 and later and must be executed from an elevated PowerShell Session.
 
 Download the latest release here:
 
-[Download Test-ProxyLogon.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1)
+[Download BackendCookieMitigation.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/BackendCookieMitigation.ps1)
 
-The most typical usage of this script is to check all Exchange servers and save the output,
-by using the following syntax from Exchange Management Shell:
+To apply with MSI install of the URL Rewrite module - Note: version may vary depending on system info
 
-`Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs`
+`PS C:\> BackendCookieMitigation.ps1 -FullPathToMSI "C:\temp\rewrite_amd64_en-US.msi" -WebSiteNames "Default Web Site" -Verbose `
 
-To check the local server only, just run the script:
+To apply without MSI install
 
-`.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs`
+`PS C:\> BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -Verbose`
 
-To display the results without saving them, drop the -Outpath parameter from either example above:
+To rollback - Note: This does not remove the IIS Rewrite module, only the rules.
 
-`.\Test-ProxyLogon.ps1`
+`PS C:\> BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -RollbackMitigation -Verbose`
+
+## http-vuln-cve2021-26855.nse
+
+This file is for use with nmap. It detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855).
+For usage information, please read the top of the file.
+
+Download the latest release here:
+
+[Download http-vuln-cve2021-26855.nse](https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse)