Skip to content

Commit

Permalink
Merge pull request #1801 from microsoft/dpaul-HcDev
Browse files Browse the repository at this point in the history
Make sure we invoke actions in remote context correctly
  • Loading branch information
lusassl-msft authored Aug 10, 2023
2 parents ab05136 + 67bc378 commit ab6be0c
Showing 1 changed file with 38 additions and 26 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -20,34 +20,21 @@ function Get-ExchangeAES256CBCDetails {

begin {
Write-Verbose "Calling: $($MyInvocation.MyCommand)"
$aes256CBCSupported = $false
$msipcRegistryAclAsExpected = $false
$regPathToCheck = "HKLM:\SOFTWARE\Microsoft\MSIPC\Server"
# Translates to: "NetworkService", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
# See: https://learn.microsoft.com/dotnet/api/system.security.accesscontrol.registryaccessrule.-ctor?view=net-7.0#system-security-accesscontrol-registryaccessrule-ctor(system-security-principal-identityreference-system-security-accesscontrol-registryrights-system-security-accesscontrol-inheritanceflags-system-security-accesscontrol-propagationflags-system-security-accesscontrol-accesscontroltype)
$networkServiceAcl = New-Object System.Security.AccessControl.RegistryAccessRule(
(New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0
)
} process {
# First, check if the build running on the server supports AES256-CBC
if (Test-ExchangeBuildGreaterOrEqualThanSecurityPatch -CurrentExchangeBuild $VersionInformation -SU "Aug23SU") {

Write-Verbose "AES256-CBC encryption for information protection is supported by this Exchange Server build"
$aes256CBCSupported = $true

# As build supports AES256-CBC, next step is to check that the registry key exists and permissions are set as expected
$params = @{
ComputerName = $Server
ScriptBlock = { Test-Path -Path $regPathToCheck }
CatchActionFunction = ${Function:Invoke-CatchActions}
}
function GetRegistryAclCheckScriptBlock {
$sbMsipcRegistryAclAsExpected = $false
$regPathToCheck = "HKLM:\SOFTWARE\Microsoft\MSIPC\Server"
# Translates to: "NetworkService", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
# See: https://learn.microsoft.com/dotnet/api/system.security.accesscontrol.registryaccessrule.-ctor?view=net-7.0#system-security-accesscontrol-registryaccessrule-ctor(system-security-principal-identityreference-system-security-accesscontrol-registryrights-system-security-accesscontrol-inheritanceflags-system-security-accesscontrol-propagationflags-system-security-accesscontrol-accesscontroltype)
$networkServiceAcl = New-Object System.Security.AccessControl.RegistryAccessRule(
(New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0
)
$pathExists = Test-Path $regPathToCheck

if ((Invoke-ScriptBlockHandler @params) -eq $false) {
if ($pathExists -eq $false) {
Write-Verbose "Unable to query Acl of registry key $regPathToCheck assuming that the key doesn't exist"
} else {
$params.ScriptBlock = { Get-Acl -Path $regPathToCheck }
$acl = Invoke-ScriptBlockHandler @params

$acl = Get-Acl -Path $regPathToCheck
# ToDo: As we have multiple places in HC where we query acls, we should consider creating a function
# that can be used to do the acl call, similar to what we do in Get-ExchangeRegistryValues.ps1.
Write-Verbose "Registry key exists and Acl was successfully queried - validating Acl now"
Expand All @@ -62,15 +49,40 @@ function Get-ExchangeAES256CBCDetails {

if (@($aclMatch).Count -ge 1) {
Write-Verbose "Acl for NetworkService is as expected"
$msipcRegistryAclAsExpected = $true
$sbMsipcRegistryAclAsExpected = $true
} else {
Write-Verbose "Acl for NetworkService was not found or is not as expected"
}
} catch {
Write-Verbose "Unable to verify Acl on registry key $regPathToCheck"
Invoke-CatchActions
# Unable to use Invoke-CatchActions because of remote script block
}
}

return [PSCustomObject]@{
PathExits = $pathExists
RegistryKeyConfiguredAsExpected = $sbMsipcRegistryAclAsExpected
}
}

$aes256CBCSupported = $false
$msipcRegistryAclAsExpected = $false
} process {
# First, check if the build running on the server supports AES256-CBC
if (Test-ExchangeBuildGreaterOrEqualThanSecurityPatch -CurrentExchangeBuild $VersionInformation -SU "Aug23SU") {

Write-Verbose "AES256-CBC encryption for information protection is supported by this Exchange Server build"
$aes256CBCSupported = $true

$params = @{
ComputerName = $Server
ScriptBlock = ${Function:GetRegistryAclCheckScriptBlock}
CatchActionFunction = ${Function:Invoke-CatchActions}
}
$results = Invoke-ScriptBlockHandler @params
Write-Verbose "Found Registry Path: $($results.PathExits)"
Write-Verbose "Configured Correctly: $($results.RegistryKeyConfiguredAsExpected)"
$msipcRegistryAclAsExpected = $results.RegistryKeyConfiguredAsExpected
} else {
Write-Verbose "AES256-CBC encryption for information protection is not supported by this Exchange Server build"
}
Expand Down

0 comments on commit ab6be0c

Please sign in to comment.