Merge pull request #356 from microsoft/main
Release
erinIs1337 authored Mar 15, 2021
2 parents 1b24eb9 + 4fb6331 commit edab95e
Showing 5 changed files with 860 additions and 359 deletions.
6 changes: 6 additions & 0 deletions .github/ISSUE_TEMPLATE/check-setting-or-config-request.md
@@ -7,6 +7,12 @@ assignees: ''

---

<!--
If this is a MISSING BASELINE issue, please comment in #313 rather than opening a new issue.
-->

**Is your request related to a problem? Please describe.**
A clear and concise description of what the problem is and the results it had on the environment.

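Review bot: the added HTML comment sends reporters to `#313` without saying which issue that is or what a "MISSING BASELINE" report is, and because it lives inside an HTML comment it is only visible while editing the raw template. Suggest linking the issue with its full URL so the reference resolves outside GitHub's issue UI and adding a one-line definition of the term as the project uses it, so a reporter can tell whether their report belongs there before opening a new issue.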
6 changes: 6 additions & 0 deletions .github/ISSUE_TEMPLATE/work-item.md
@@ -7,6 +7,12 @@ assignees: ''

---

<!--
If this is a MISSING BASELINE issue, please comment in #313 rather than opening a new issue.
-->

**Describe the work**
Provide details of the work that needs to be done within the project

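Review bot: this is the same comment added verbatim to check-setting-or-config-request.md in this commit; two copies will drift, and an HTML comment is only seen after a template has already been selected. A `contact_links` entry in `.github/ISSUE_TEMPLATE/config.yml` shows such a redirect once on the new-issue chooser, before the reporter picks a template, which is where a "comment on #313 instead" pointer is most useful.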
92 changes: 53 additions & 39 deletions Security/README.md
@@ -1,12 +1,64 @@
Script|More Info|Download
-|-|-
BackendCookieMitigation.ps1 | [More Info](https://github.com/microsoft/CSS-Exchange/tree/main/Security#backendcookiemitigationps1) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/BackendCookieMitigation.ps1)
EOMT | [More Info](https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/EOMT.ps1)
CompareExchangeHashes.ps1 | [More Info](https://github.com/microsoft/CSS-Exchange/tree/main/Security#compareexchangehashesps1) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/CompareExchangeHashes.ps1)
ExchangeMitigations.ps1 | [More Info](https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchangemitigationsps1) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/ExchangeMitigations.ps1)
http-vuln-cve2021-26855.nse | [More Info](https://github.com/microsoft/CSS-Exchange/tree/main/Security#http-vuln-cve2021-26855nse) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse)
Test-ProxyLogon.ps1 | [More Info](https://github.com/microsoft/CSS-Exchange/tree/main/Security#test-proxylogonps1) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1)

# Security scripts

## [Exchange On-premises Mitigation Tool (EOMT)](https://github.com/microsoft/CSS-Exchange/releases/latest/download/EOMT.ps1)
This script contains mitigations to help address the following vulnerabilities.

* CVE-2021-26855

This is the most effective way to help quickly protect and mitigate your Exchange Servers prior to patching. **We recommend this script over the previous ExchangeMitigations.ps1 script.** EOMT automatically downloads any dependencies and runs the Microsoft Safety Scanner. This a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation. We have not observed any impact to Exchange Server functionality via these mitigation methods. EOMT.ps1 is completely automated and uses familiar mitigation methods previously documented. This script has three operations it performs:

* Mitigation of CVE-2021-26855 via a URL Rewrite configuration. Note: This mitigates the known methods of this exploit.
* Malware scan of the Exchange Server via the Microsoft Safety Scanner (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download)
* Attempt to remediate compromises detected by the Microsoft Safety Scanner.

This a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation. We have not observed any impact to Exchange Server functionality via these mitigation methods nor do these mitigation methods make any direct changes that disable features of Exchange.

### Requirements to run EOMT

* External Internet Connection from your Exchange server (required to download the safety scanner and the IIS URL Rewrite Module).
* PowerShell script must be run as Administrator.

### System Requirements
* PowerShell 3 or later
* IIS 7.5 and later
* Exchange 2013, 2016, or 2019
* Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019

### Who should run EOMT

Situation | Guidance
-|-
If you have done nothing to date to patch or mitigate this issue… | Run EOMT.PS1 as soon as possible.This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns
If you have mitigated using any/all of the mitigation guidance Microsoft has given (Exchangemitigations.Ps1, Blog post, etc..) | Run EOMT.PS1 as soon as possible. This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns
If you have already patched your systems and are protected, but did NOT investigate for any adversary activity, indicators of compromise, etc…. | Run EOMT.PS1 as soon as possible. This will attempt to remediate any existing compromise that may not have been full remediated before patching.
If you have already patched and investigated your systems for any indicators of compromise, etc…. | No action is required

### Important note regarding Microsoft Safety Scanner
EOMT runs the Microsoft Safety Scanner in a quick scan mode. If you suspect any compromise, we highly recommend you run it in the FULL SCAN mode. FULL SCAN mode can take a long time but if you are not running Mirosoft Defender AV as your default AV, FULL SCAN will be required to remediate threats.

### EOMT Examples
The default recommended way of using of EOMT.ps1. This will determine if your server is vulnerable, mitigate if vulnerable, and run MSERT in quick scan mode. If the server is not vulnerable only MSERT quick scan will run.

`.\EOMT.ps1`

To run a Full MSERT Scan - We only recommend this option only if the initial quick scan discovered threats. The full scan may take hours or days to complete.

`.\EOMT.ps1 -RunFullScan -DoNotRunMitigation`

To roll back EOMT mitigations

`.\EOMT.ps1 -Rollbackmitigation`

Note: If ExchangeMitigations.ps1 was used previously to apply mitigations, Use ExchangeMitigations.ps1 for rollback.

## [Test-ProxyLogon.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1)

Formerly known as Test-Hafnium, this script automates all four of the commands found in the [Hafnium blog post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/). It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.
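Review bot: the EOMT introduction repeats itself: the sentences "This a better approach for Exchange deployments with Internet access ..." and "We have not observed any impact to Exchange Server functionality ..." appear in the opening paragraph and again after the three-item list, and both copies drop the verb ("This a better approach"). Keep one copy, after the list, where it reads as the conclusion. The requirements list says an Internet connection is needed to download the safety scanner and the URL Rewrite Module, but the "Who should run EOMT" table gives no guidance for servers without Internet access; a row pointing at the offline alternative would close that gap. Smaller fixes in the same hunk: "The default recommended way of using of EOMT.ps1" (double "of"), "We only recommend this option only" (double "only"), "Run EOMT.PS1 as soon as possible.This" (missing space), "full remediated" (fully), "Mirosoft Defender AV"; and the rollback example writes the switch as `-Rollbackmitigation` while the BackendCookieMitigation.ps1 examples removed further down in this commit write `-RollbackMitigation`, so use the Pascal-case form consistently even though PowerShell matches parameter names case-insensitively.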
@@ -138,44 +190,6 @@ Submitting files for analysis:
* Please submit the output file for analysis in the malware analysis portal [here](https://www.microsoft.com/en-us/wdsi/filesubmission). Please add the text "ExchangeMarchCVE" in "Additional Information" field on the portal submission form.
* Instructions on how to use the portal can be found [here](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide).

## [BackendCookieMitigation.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/BackendCookieMitigation.ps1)

This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in CVE-2021-26855.

This will help with defense against the known patterns observed but not the SSRF as a whole. For more information please visit https://aka.ms/exchangevulns.

**For this script to work you must have the IIS URL Rewrite Module installed which can be done via this script using the -FullPathToMSI parameter.**

For IIS 10 and higher URL Rewrite Module 2.1 must be installed, you can download version 2.1 here:

* x86 & x64 -https://www.iis.net/downloads/microsoft/url-rewrite

For IIS 8.5 and lower Rewrite Module 2.0 must be installed, you can download version 2.0 here:

* x86 - https://www.microsoft.com/en-us/download/details.aspx?id=5747

* x64 - https://www.microsoft.com/en-us/download/details.aspx?id=7435

Installing URL Rewrite version 2.1 on IIS versions 8.5 and lower may cause IIS and Exchange to become unstable. If there is a mismatch between the URL Rewrite module and IIS version, BackendCookieMitigation.ps1 will not apply the mitigation for CVE-2021-26855. You must uninstall the URL Rewrite module and reinstall the correct version.

**Script requires PowerShell 3.0 and later and must be executed from an elevated PowerShell Session.**

Download the latest release here:

[Download BackendCookieMitigation.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/BackendCookieMitigation.ps1)

To apply with MSI install of the URL Rewrite module - Note: version may vary depending on system info

`PS C:\> BackendCookieMitigation.ps1 -FullPathToMSI "C:\temp\rewrite_amd64_en-US.msi" -WebSiteNames "Default Web Site" -Verbose `

To apply without MSI install

`PS C:\> BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -Verbose`

To rollback - Note: This does not remove the IIS Rewrite module, only the rules.

`PS C:\> BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -RollbackMitigation -Verbose`

## [http-vuln-cve2021-26855.nse](https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse)

This file is for use with nmap. It detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855).
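Review bot: removing the BackendCookieMitigation.ps1 section leaves a dangling link: the table at the top of this README still lists BackendCookieMitigation.ps1 with a More Info link to `#backendcookiemitigationps1`, which, unless the heading is re-added in a part of the file not shown here, no longer resolves; either drop the table row or keep a short section under that heading. The deleted text also carried the only statement of the IIS / URL Rewrite Module version pairing (2.1 for IIS 10 and higher, 2.0 for IIS 8.5 and lower, and that installing 2.1 on IIS 8.5 or lower can make IIS and Exchange unstable). That caveat applies equally to EOMT, whose requirements say it downloads the URL Rewrite Module, so it should survive in the EOMT section rather than disappear with the script it was written for.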

0 comments on commit edab95e