# $t@$h
# As of 11/28/2023 there is no patch for KB5005413
# This scanner checks for it to the best of my ability
# For stuff I don't know how to scan (yet), I've given advice
# IT DOES NOT MODIFY YOUR SYSTEM IN ANY WAY.
# It HAS to be run as Admin. No way around it.
# Also, make sure PowerShell script execution is enabled:
# Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# To lock it down again when done:
# Set-ExecutionPolicy Undefined -Scope CurrentUser
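# Abort unless the current principal holds the local Administrator role;
# the IIS configuration and LSA registry reads below need elevation.
$currentPrincipal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "This script has to be run as Admin"
    # 'break' outside a loop is not a reliable way to stop a script (and can
    # unwind into a caller's loop when dot-sourced); exit with a non-zero code.
    exit 1
}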
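# IIS check for EPA and SSL
function CheckIISConfig {
    # Reports the Windows-authentication hardening of one IIS site:
    # kernel-mode auth, Extended Protection for Authentication (EPA) and
    # whether SSL is required. Output goes to the console via Write-Host;
    # a Write-Warning is emitted when EPA or SSL is not enabled.
    # Requires the WebAdministration module (IIS installed) and elevation.
    # Arguments: $siteName - name of the site under IIS:\Sites
    param ($siteName)
    Import-Module WebAdministration
    $sitePath = "IIS:\Sites\" + $siteName
    if (-not (Test-Path $sitePath)) {
        Write-Warning "Site $siteName not found"
        return
    }
    $siteConfig = Get-WebConfiguration -Filter /system.webServer/security/authentication/windowsAuthentication -PSPath $sitePath
    $useKernelMode = $siteConfig.useKernelMode
    # tokenChecking is None / Allow / Require. Comparing against "Allow" alone
    # reported a site hardened to "Require" (the stronger setting) as EPA-off,
    # i.e. a false positive. Treat both as enabled and show the raw value so
    # the reader can see whether the stronger setting is in use.
    $tokenChecking = $siteConfig.extendedProtection.tokenChecking
    $useEPA = ($tokenChecking -eq "Allow") -or ($tokenChecking -eq "Require")
    Write-Host "Site: $siteName"
    Write-Host "`tUse Kernel Mode: $useKernelMode"
    Write-Host "`tExtended Protection for Authentication (EPA): $useEPA (tokenChecking=$tokenChecking)"
    # Check SSL. sslFlags is a comma-separated flag list (e.g. "Ssl,SslNegotiateCert"),
    # so an exact string compare against 'Ssl' misses sites that also set other
    # flags; split the list and look for the Ssl flag instead.
    $sslRequired = Get-WebConfigurationProperty -Filter /system.webServer/security/access -Name sslFlags -PSPath $sitePath
    $sslFlagList = "$($sslRequired.Value)" -split ',' | ForEach-Object { $_.Trim() }
    $sslEnabled = $sslFlagList -contains 'Ssl'
    Write-Host "`tSSL Required: $sslEnabled"
    if (-not $useEPA -or -not $sslEnabled) {
        Write-Warning "!!!Potential vulnerability Detected: EPA or SSL not properly configured in '$siteName'."
        Write-Warning "***Advice: Ensure EPA is enabled and SSL for '$siteName'"
    }
}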
# Version check: print the OS version reported by the runtime so the
# reader can match it against the KB5005413 guidance for their build.
$winVersion = [System.Environment]::OSVersion.Version
Write-Host ("Windows Version: {0}" -f $winVersion)
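# AD CS check: look for the AD CS-related services and, where one is
# running, inspect the IIS site of the same name for EPA/SSL hardening.
# NOTE(review): CertSvc is the Certification Authority service itself;
# whether a running CertSvc implies the Web Enrollment role is installed
# should be confirmed, and IIS sites are not normally named after these
# services, so CheckIISConfig may report "not found" even where the role
# exists - confirm the site/application names on a real AD CS host.
$caWebEnrollment = Get-Service -Name "CertSvc" -ErrorAction SilentlyContinue
$caEnrollmentService = Get-Service -Name "CertificateEnrollmentService" -ErrorAction SilentlyContinue
if ($caWebEnrollment -and $caWebEnrollment.Status -eq "Running") {
    Write-Host "Cert Authority Web Enrollment is running"
    CheckIISConfig "Cert Authority Web Enrollment"
}
else {
    # Not necessarily a finding: a host without AD CS simply has nothing to check here.
    Write-Host "!!!Cert Authority Web Enrollment NOT running. Needed for AD CS"
}
if ($caEnrollmentService -and $caEnrollmentService.Status -eq "Running") {
    Write-Host "Certificate Enrollment Web Service is running."
    CheckIISConfig "Certificate Enrollment Web Service"
}
else {
    Write-Host "!!!Certificate Enrollment Web Service NOT running. Needed for AD CS"
}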
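# NTLM Check: read the LSA "RestrictSendingNTLMTraffic" value
# (0 = allow all, 1 = audit all, 2 = deny all outgoing NTLM).
# Only 2 (deny) counts as restricted; audit mode still sends NTLM.
Write-Host "NTLM Auth Check:"
# The value is absent on systems where the policy was never set; without
# -ErrorAction SilentlyContinue Get-ItemProperty prints a red error for that
# ordinary case before the else branch below reports it as unrestricted.
$ntlmSettings = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -ErrorAction SilentlyContinue
if ($ntlmSettings -and $ntlmSettings.RestrictSendingNTLMTraffic -eq 2) {
    Write-Host "NTLM Authentication is restricted on this system."
}
else {
    Write-Warning "!!!Potential Vulnerability Detected: NTLM Auth not restricted"
    Write-Warning "***Advice: Restrict NTLM Auth on domain controllers and AD CS Servers"
}
Write-Host "***Advice: Manually set Group Policy settings for 'Network security: Restrict NTLM'"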