Merge remote-tracking branch 'local-from/develop' into HEAD

Author: CI (Automated)

bosh-psmodules/modules/BOSH.Utils/BOSH.Utils.Tests.ps1

@@ -1,6 +1,58 @@
 Remove-Module -Name BOSH.Utils -ErrorAction Ignore
 Import-Module ./BOSH.Utils.psm1
 
+#As of now, this function only supports DWords and Strings.
+function Restore-RegistryState {
+    param(
+        [bool]$KeyExists,
+        [String]$KeyPath,
+        [String]$ValueName,
+        [PSObject]$ValueData
+    )
+    if ($KeyExists) {
+        if ($ValueData -eq $null) {
+            Remove-ItemProperty -path $KeyPath -Name $ValueName
+        } else {
+            Set-ItemProperty -path $KeyPath -Name $ValueName -Value $ValueData
+        }
+    } else {
+        Remove-Item -Path $KeyPath -ErrorAction SilentlyContinue
+    }
+}
+
+Describe "Restore-RegistryState" {
+    BeforeEach {
+        Mock Remove-ItemProperty {}
+        Mock Set-ItemProperty {}
+        Mock Remove-Item {}
+    }
+    It "restores the registry by deleting a registry key created by the test" {
+        Restore-RegistryState -KeyExists $false -KeyPath "HKLM:\Some registry key"
+
+        Assert-MockCalled Remove-Item -Times 1 -Scope It -ParameterFilter { $Path -eq "HKLM:\Some registry key" }
+        Assert-MockCalled Remove-ItemProperty -Times 0 -Scope It
+        Assert-MockCalled Set-ItemProperty -Times 0 -Scope It
+    }
+
+    It "restores the registry by deleting a registry value created by the test" {
+        Restore-RegistryState -KeyExist $true -KeyPath "HKLM:\Some registry key" -ValueName "SomeValue"
+
+        Assert-MockCalled Remove-Item -Times 0 -Scope It
+        Assert-MockCalled Remove-ItemProperty -Times 1 -Scope It -ParameterFilter { $Path -eq "HKLM:\Some registry key" -and $Name -eq "SomeValue"}
+        Assert-MockCalled Set-ItemProperty -Times 0 -Scope It
+    }
+
+    It "restores the registry by restoring a registry data modified by the test" {
+        Restore-RegistryState -KeyExist $true -KeyPath "HKLM:\Some registry key" -ValueName "SomeValue" -ValueData "Some Data"
+        Restore-RegistryState -KeyExist $true -KeyPath "HKLM:\Some dword reg key" -ValueName "SomeDwordValye" -ValueData 85432
+
+        Assert-MockCalled Remove-Item -Times 0 -Scope It
+        Assert-MockCalled Remove-ItemProperty -Times 0 -Scope It
+        Assert-MockCalled Set-ItemProperty -Times 1 -Scope It -ParameterFilter { $Path -eq "HKLM:\Some registry key" -and $Name -eq "SomeValue" -and $Value -eq "Some Data" }
+        Assert-MockCalled Set-ItemProperty -Times 1 -Scope It -ParameterFilter { $Path -eq "HKLM:\Some dword reg key" -and $Name -eq "SomeDwordValye" -and $Value -eq 85432 }
+    }
+}
+
 function New-TempDir {
     $parent = [System.IO.Path]::GetTempPath()
     [string] $name = [System.Guid]::NewGuid()
@@ -92,4 +144,89 @@ Describe  "Protect-Dir" {
     }
 }
 
+Describe "Disable-RC4" {
+    It "Disables the use of RC4 Cipher" {
+        $rc4_128Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128"
+        $rc4_128PathExists = Test-Path -Path $rc4_128Path
+        $oldRC4_128Value = (Get-ItemProperty -path $rc4_128Path -ErrorAction SilentlyContinue).'Enabled'
+
+        $rc4_40Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128"
+        $rc4_40PathExists = Test-Path -Path $rc4_40Path
+        $oldRC4_40Value = (Get-ItemProperty -path $rc4_40Path -ErrorAction SilentlyContinue).'Enabled'
+
+        $rc4_56Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128"
+        $rc4_56PathExists = Test-Path -Path $rc4_56Path
+        $oldRC4_56Value = (Get-ItemProperty -path $rc4_56Path -ErrorAction SilentlyContinue).'Enabled'
+
+        { Disable-RC4 } | Should Not Throw
+
+        (Get-ItemProperty -Path $rc4_128Path).'Enabled' | Should Be "0"
+        (Get-ItemProperty -Path $rc4_40Path).'Enabled' | Should Be "0"
+        (Get-ItemProperty -Path $rc4_56Path).'Enabled' | Should Be "0"
+
+        Restore-RegistryState -KeyExists $rc4_128PathExists -KeyPath $rc4_128Path -ValueName 'Enabled' -ValueData $oldRC4_128Value
+        Restore-RegistryState -KeyExists $rc4_40PathExists -KeyPath $rc4_40Path -ValueName 'Enabled' -ValueData $oldRC4_40Value
+        Restore-RegistryState -KeyExists $rc4_56PathExists -KeyPath $rc4_56Path -ValueName 'Enabled' -ValueData $oldRC4_56Value
+    }
+}
+
+Describe "Disable-TLS1" {
+    It "Disables the use of TLS 1.0" {
+        $serverPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
+        $serverPathExists = Test-Path -Path $serverPath
+
+        $oldServerEnabledValue = (Get-ItemProperty -path $serverPath -ErrorAction SilentlyContinue).'Enabled'
+        $oldServerDisabledValue =  (Get-ItemProperty -path $serverPath -ErrorAction SilentlyContinue).'DisabledByDefault'
+        $oldServerValue = (Get-ItemProperty -path $serverPath -ErrorAction SilentlyContinue).'Enabled'
+
+        $clientPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'
+        $clientPathExists = Test-Path -Path $clientPath
+
+        $oldClientEnabledValue = (Get-ItemProperty -path $clientPath -ErrorAction SilentlyContinue).'Enabled'
+        $oldClientDisabledValue = (Get-ItemProperty -path $clientPath -ErrorAction SilentlyContinue).'DisabledByDefault'
+
+        { Disable-TLS1 } | Should Not Throw
+
+        (Get-ItemProperty -Path $serverPath).'Enabled' | Should Be "0"
+        (Get-ItemProperty -Path $serverPath).'DisabledByDefault' | Should Be "1"
+
+        (Get-ItemProperty -Path $clientPath).'Enabled' | Should Be "0"
+        (Get-ItemProperty -Path $clientPath).'DisabledByDefault' | Should Be "1"
+
+        Restore-RegistryState -KeyExists $serverPathExists -KeyPath $serverPath -ValueName 'Enabled' -ValueData $oldServerValue
+        Restore-RegistryState -KeyExists $serverPathExists -KeyPath $serverPath -ValueName 'DisabledByDefault' -ValueData $oldServerDisabledValue
+
+        Restore-RegistryState -KeyExists $clientPathExists -KeyPath $clientPath -ValueName 'Enabled' -ValueData $oldClientValue
+        Restore-RegistryState -KeyExists $clientPathExists -KeyPath $clientPath -ValueName 'DisabledByDefault' -ValueData $oldClientDisabledValue
+    }
+}
+
+Describe "Disable-3DES" {
+    It "Disables birthday attacks against 64 bit block TLS ciphers" {
+        $registryPath = 'hklm:\system\currentcontrolset\control\securityproviders\schannel\ciphers\triple des 168'
+        $tripleDESPathExists = Test-Path $registryPath
+        $oldDESValue = (Get-ItemProperty -path $registryPath -ErrorAction SilentlyContinue).'Enabled'
+
+        { Disable-3DES } | Should Not Throw
+
+        (Get-ItemProperty -path $registryPath).'Enabled' | Should Be "0"
+
+        Restore-RegistryState -KeyExists $tripleDESPathExists -KeyPath $registryPath -ValueName 'Enabled' -ValueData $oldDESValue
+    }
+}
+
+Describe "Disable-DCOM" -Tag 'Focused' {
+    It "Disables the use of DCOM" {
+        $DCOMPath = 'HKLM:\Software\Microsoft\OLE'
+        $oldDCOMValue = (Get-ItemProperty -Path $DCOMPath).'EnableDCOM'
+
+        { Disable-DCOM } | Should Not Throw
+
+        (Get-ItemProperty -Path $DCOMPath).'EnableDCOM' | Should Be "N"
+        Set-ItemProperty -Path $DCOMPath -Name 'EnableDCOM' -Value $oldDCOMValue
+
+        Restore-RegistryState -KeyExists $true -KeyPath $DCOMPath -ValueName 'EnableDCOM' -ValueData $oldDCOMValue
+    }
+}
+
 Remove-Module -Name BOSH.Utils -ErrorAction Ignore

bosh-psmodules/modules/BOSH.Utils/BOSH.Utils.psd1

@@ -6,7 +6,20 @@ Author = 'BOSH'
 Copyright = '(c) 2017 BOSH'
 Description = 'Common Utils on a BOSH deployed vm'
 PowerShellVersion = '4.0'
-FunctionsToExport = @('Write-Log','Get-Log','Open-Zip','New-Provisioner','Clear-Provisioner','Protect-Dir','Protect-MountedDir', 'Set-ProxySettings', 'Clear-ProxySettings')
+FunctionsToExport = @(
+    'Write-Log',
+    'Get-Log',
+    'Open-Zip',
+    'New-Provisioner',
+    'Clear-Provisioner',
+    'Protect-Dir',
+    'Protect-MountedDir',
+    'Set-ProxySettings',
+    'Clear-ProxySettings',
+    'Disable-RC4',
+    'Disable-TLS1',
+    'Disable-3DES',
+    'Disable-DCOM')
 CmdletsToExport = @()
 VariablesToExport = '*'
 AliasesToExport = @()

bosh-psmodules/modules/BOSH.Utils/BOSH.Utils.psm1

@@ -175,3 +175,35 @@ function Clear-ProxySettings {
         exit(1)
     }
 }
+
+function Disable-RC4() {
+    New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Name 'RC4 128/128' -Force
+    New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Name 'RC4 40/128' -Force
+    New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Name 'RC4 56/128' -Force
+
+    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -Value 0 -Name 'Enabled' -Type DWORD
+    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -Value 0 -Name 'Enabled' -Type DWORD
+    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -Value 0 -Name 'Enabled' -Type DWORD
+}
+
+function Disable-TLS1() {
+    New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\' -Name 'TLS 1.0' -Force
+    New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0' -Name 'Server' -Force
+    New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0' -Name 'Client' -Force
+
+    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Value 0 -Name 'Enabled' -Type DWORD
+    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Value 1 -Name 'DisabledByDefault' -Type DWORD
+
+    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Value 0 -Name 'Enabled' -Type DWORD
+    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Value 1 -Name 'DisabledByDefault' -Type DWORD
+}
+
+function Disable-3DES() {
+    New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\' -Name 'Triple DES 168' -Force
+
+    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" -Value 0 -Name 'Enabled' -Type DWORD
+}
+
+function Disable-DCOM() {
+    Set-ItemProperty -Path "HKLM:\Software\Microsoft\OLE" -Value 'N' -Name 'EnableDCOM'
+}

bosh-psmodules/modules/BOSH.WindowsUpdates/BOSH.WindowsUpdates.Tests.ps1

@@ -185,5 +185,6 @@ Describe "Enable-SecurityPatches" {
     }
 }
 
+
 Remove-Module -Name BOSH.WindowsUpdates -ErrorAction Ignore
 Remove-Module -Name BOSH.Utils -ErrorAction Ignore

bosh-psmodules/modules/BOSH.WindowsUpdates/BOSH.WindowsUpdates.psm1

@@ -393,4 +393,3 @@ function Enable-CredSSP() {
     #Policy set to "mitigated"
     reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 1 /f
 }
-

lib/packer/config/base.rb

@@ -59,7 +59,11 @@ def self.enable_security_patches(os)
           provisioners = [
               Provisioners::ENABLE_CVE_2015_6161,
               Provisioners::ENABLE_CVE_2017_8529,
-              Provisioners::ENABLE_CREDSSP
+              Provisioners::ENABLE_CREDSSP,
+              Provisioners::Disable_RC4,
+              Provisioners::Disable_TLS1,
+              Provisioners::Disable_3DES,
+              Provisioners::Disable_DCOM
           ]
         end
 

lib/packer/config/provisioners.rb

@@ -55,6 +55,10 @@ def self.powershell_provisioner(command)
       CLEAR_PROXY_SETTINGS = powershell_provisioner('Clear-ProxySettings')
       ENABLE_CVE_2015_6161 = powershell_provisioner('Enable-CVE-2015-6161')
       ENABLE_CVE_2017_8529 = powershell_provisioner('Enable-CVE-2017-8529')
+      Disable_RC4 = powershell_provisioner('Disable-RC4')
+      Disable_TLS1 = powershell_provisioner('Disable-TLS1')
+      Disable_3DES = powershell_provisioner('Disable-3DES')
+      Disable_DCOM = powershell_provisioner('Disable-DCOM')
       ENABLE_CREDSSP = powershell_provisioner('Enable-CredSSP')
 
       def self.setup_proxy_settings(http_proxy, https_proxy, bypass_list)

spec/packer/config/aws_spec.rb

@@ -157,6 +157,10 @@
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CVE-2015-6161"]},
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CVE-2017-8529"]},
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CredSSP"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-RC4"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-TLS1"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-3DES"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-DCOM"]},
           {'type'=>'powershell', 'inline'=> ['$ErrorActionPreference = "Stop";',
                                              'trap { $host.SetShouldExit(1) }',
                                              'Clear-ProxySettings']},

spec/packer/config/azure_spec.rb

@@ -130,6 +130,10 @@
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CVE-2015-6161"]},
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CVE-2017-8529"]},
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CredSSP"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-RC4"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-TLS1"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-3DES"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-DCOM"]},
           {'type'=>'powershell', 'inline'=> ['$ErrorActionPreference = "Stop";',
                                              'trap { $host.SetShouldExit(1) }',
                                              'Clear-ProxySettings']},

spec/packer/config/gcp_spec.rb

@@ -109,6 +109,10 @@
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CVE-2015-6161"]},
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CVE-2017-8529"]},
           {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Enable-CredSSP"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-RC4"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-TLS1"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-3DES"]},
+          {"type"=>"powershell", "inline"=>["$ErrorActionPreference = \"Stop\";", "trap { $host.SetShouldExit(1) }", "Disable-DCOM"]},
           {'type'=>'powershell', 'inline'=> ['$ErrorActionPreference = "Stop";',
                                              'trap { $host.SetShouldExit(1) }',
                                              'Clear-ProxySettings']},