Merge pull request #2064 from microsoft/dpaul-HcEpKey

Add SuppressExtendedProtection Key
microsoft · Apr 22, 2024 · 45c7668 · 45c7668
2 parents 42e2455 + 7af122a
commit 45c7668
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 1 deletion.
diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerFrequentConfigurationIssues.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerFrequentConfigurationIssues.ps1
@@ -270,6 +270,15 @@ function Invoke-AnalyzerFrequentConfigurationIssues {
     }
     Add-AnalyzedResultInformation @params
 
+    if ($osInformation.RegistryValues.SuppressExtendedProtection -ne 0) {
+        $params = $baseParams + @{
+            Name             = "SuppressExtendedProtection"
+            Details          = "Value set to $($osInformation.RegistryValues.SuppressExtendedProtection), which disables EP resulting it to not work correctly and causes problems. --- ERROR"
+            DisplayWriteType = "Red"
+        }
+        Add-AnalyzedResultInformation @params
+    }
+
     # Detect Send Connector sending to EXO
     $exoConnector = New-Object System.Collections.Generic.List[object]
     $sendConnectors = $exchangeInformation.ExchangeConnectors | Where-Object { $_.ConnectorType -eq "Send" }

diff --git a/.../HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityExtendedProtectionConfigState.ps1 b/.../HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityExtendedProtectionConfigState.ps1
@@ -168,6 +168,17 @@ function Invoke-AnalyzerSecurityExtendedProtectionConfigState {
                     Details          = "For more information about Extended Protection and how to configure, please read this article:`n`thttps://aka.ms/HC-ExchangeEPDoc"
                 }
                 Add-AnalyzedResultInformation @moreInformationParams
+            } elseif ($SecurityObject.OsInformation.RegistryValues.SuppressExtendedProtection -ne 0) {
+                # If this key is set, we need to flag it as the server being vulnerable.
+                $params = $baseParams + @{
+                    Name                = "Security Vulnerability"
+                    Details             = $cveList
+                    DisplayWriteType    = "Red"
+                    TestingName         = "Extended Protection Vulnerable"
+                    CustomName          = $cveList
+                    DisplayTestingValue = $true
+                }
+                Add-AnalyzedResultInformation @params
             } else {
                 Write-Verbose "System NOT vulnerable to $cveList"
             }

diff --git a/...tics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemRegistryValues.ps1 b/...tics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemRegistryValues.ps1
@@ -64,6 +64,11 @@ function Get-OperatingSystemRegistryValues {
         GetValue = "LsaCfgFlags"
     }
 
+    $suppressEpParams = $baseParams + @{
+        SubKey   = "SYSTEM\CurrentControlSet\Control\LSA"
+        GetValue = "SuppressExtendedProtection"
+    }
+
     $lmCompParams = $baseParams + @{
         SubKey    = "SYSTEM\CurrentControlSet\Control\Lsa"
         GetValue  = "LmCompatibilityLevel"
@@ -74,6 +79,7 @@ function Get-OperatingSystemRegistryValues {
     if ($null -eq $lmValue) { $lmValue = 3 }
 
     return [PSCustomObject]@{
+        SuppressExtendedProtection      = [int](Get-RemoteRegistryValue @suppressEpParams)
         LmCompatibilityLevel            = $lmValue
         CurrentVersionUbr               = [int](Get-RemoteRegistryValue @ubrParams)
         LanManServerDisabledCompression = [int](Get-RemoteRegistryValue @lanManParams)

diff --git a/Diagnostics/HealthChecker/Tests/HealthChecker.MockedCalls.Tests.ps1 b/Diagnostics/HealthChecker/Tests/HealthChecker.MockedCalls.Tests.ps1
@@ -60,7 +60,7 @@ Describe "Testing Health Checker by Mock Data Imports" {
 
             Assert-MockCalled Get-WmiObjectHandler -Exactly 6
             Assert-MockCalled Invoke-ScriptBlockHandler -Exactly 5
-            Assert-MockCalled Get-RemoteRegistryValue -Exactly 24
+            Assert-MockCalled Get-RemoteRegistryValue -Exactly 25
             Assert-MockCalled Get-NETFrameworkVersion -Exactly 1
             Assert-MockCalled Get-DotNetDllFileVersions -Exactly 1
             Assert-MockCalled Get-NicPnpCapabilitiesSetting -Exactly 1

diff --git a/Diagnostics/HealthChecker/Tests/HealthCheckerTest.CommonMocks.NotPublished.ps1 b/Diagnostics/HealthChecker/Tests/HealthCheckerTest.CommonMocks.NotPublished.ps1
@@ -122,6 +122,7 @@ Mock Get-RemoteRegistryValue {
         "DisableBaseTypeCheckForDeserialization" { return $null }
         "DisablePreservation" { return 0 }
         "DatabasePath" { return "$Script:MockDataCollectionRoot\Exchange" }
+        "SuppressExtendedProtection" { return 0 }
         default { throw "Failed to find GetValue: $GetValue" }
     }
 }