Merge pull request #1856 from microsoft/main

Release 10-17-23
microsoft · Oct 17, 2023 · 423e007 · 423e007
2 parents b8445db + 6329958
commit 423e007
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 57 deletions.
diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerIISInformation.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerIISInformation.ps1
@@ -192,7 +192,7 @@ function Invoke-AnalyzerIISInformation {
                 `r`t`tMore Information: https://aka.ms/CVE-2023-21709ScriptDoc"
             )
             DisplayWriteType    = "Yellow"
-            AddHtmlDetailRow    = $false
+            AddHtmlDetailRow    = $true
             DisplayTestingValue = $true
         }
         Add-AnalyzedResultInformation @params

diff --git a/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityIISModules.ps1 b/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityIISModules.ps1
@@ -42,7 +42,8 @@ function Invoke-AnalyzerSecurityIISModules {
                             Status = "Not signed"
                         })
                 } elseif (($m.SignatureDetails.IsMicrosoftSigned -eq $false) -or
-                    ($m.SignatureDetails.SignatureStatus -ne 0)) {
+                    ($m.SignatureDetails.SignatureStatus -ne 0) -and
+                    ($m.SignatureDetails.SignatureStatus -ne -1)) {
                     if ($modulesWriteType -ne "Red") {
                         $modulesWriteType = "Yellow"
                     }

diff --git a/Shared/IISFunctions/Get-IISModules.ps1 b/Shared/IISFunctions/Get-IISModules.ps1
@@ -24,43 +24,6 @@ function Get-IISModules {
         Write-Verbose "Calling: $($MyInvocation.MyCommand)"
         $modulesToCheckList = New-Object 'System.Collections.Generic.List[object]'
 
-        # Add all modules here which should be skipped on legacy OS (pre-Windows Server 2016)
-        $modulesToSkip = @(
-            "$env:windir\system32\inetSrv\cachUri.dll",
-            "$env:windir\system32\inetSrv\cachFile.dll",
-            "$env:windir\system32\inetSrv\cachtokn.dll",
-            "$env:windir\system32\inetSrv\cachHttp.dll",
-            "$env:windir\system32\inetSrv\compStat.dll",
-            "$env:windir\system32\inetSrv\defDoc.dll",
-            "$env:windir\system32\inetSrv\dirList.dll",
-            "$env:windir\system32\inetSrv\protsUp.dll",
-            "$env:windir\system32\inetSrv\redirect.dll",
-            "$env:windir\system32\inetSrv\static.dll",
-            "$env:windir\system32\inetSrv\authAnon.dll",
-            "$env:windir\system32\inetSrv\cusTerr.dll",
-            "$env:windir\system32\inetSrv\logHttp.dll",
-            "$env:windir\system32\inetSrv\iisEtw.dll",
-            "$env:windir\system32\inetSrv\iisFreb.dll",
-            "$env:windir\system32\inetSrv\iisReQs.dll",
-            "$env:windir\system32\inetSrv\isApi.dll",
-            "$env:windir\system32\inetSrv\compDyn.dll",
-            "$env:windir\system32\inetSrv\authCert.dll",
-            "$env:windir\system32\inetSrv\authBas.dll",
-            "$env:windir\system32\inetSrv\authsspi.dll",
-            "$env:windir\system32\inetSrv\authMd5.dll",
-            "$env:windir\system32\inetSrv\modRqFlt.dll",
-            "$env:windir\system32\inetSrv\filter.dll",
-            "$env:windir\system32\rpcProxy\rpcProxy.dll",
-            "$env:windir\system32\inetSrv\validCfg.dll",
-            "$env:windir\system32\wsmSvc.dll",
-            "$env:windir\system32\inetSrv\ipReStr.dll",
-            "$env:windir\system32\inetSrv\dipReStr.dll",
-            "$env:windir\system32\inetSrv\iis_ssi.dll",
-            "$env:windir\system32\inetSrv\cgi.dll",
-            "$env:windir\system32\inetSrv\iisFcGi.dll",
-            "$env:windir\system32\inetSrv\iisWSock.dll",
-            "$env:windir\system32\inetSrv\warmup.dll")
-
         function GetModulePath {
             [CmdletBinding()]
             [OutputType([System.String])]
@@ -98,15 +61,59 @@ function Get-IISModules {
                 [Parameter(Mandatory = $true)]
                 [object[]]$Modules,
 
+                [Parameter(Mandatory = $false)]
+                [bool]$SkipLegacyOSModules = $false,
+
                 [Parameter(Mandatory = $false)]
                 [ScriptBlock]$CatchActionFunction
             )
+            begin {
+                # Add all modules here which should be skipped on legacy OS (pre-Windows Server 2016)
+                $modulesToSkip = @(
+                    "$env:windir\system32\inetSrv\cachUri.dll",
+                    "$env:windir\system32\inetSrv\cachFile.dll",
+                    "$env:windir\system32\inetSrv\cachtokn.dll",
+                    "$env:windir\system32\inetSrv\cachHttp.dll",
+                    "$env:windir\system32\inetSrv\compStat.dll",
+                    "$env:windir\system32\inetSrv\defDoc.dll",
+                    "$env:windir\system32\inetSrv\dirList.dll",
+                    "$env:windir\system32\inetSrv\protsUp.dll",
+                    "$env:windir\system32\inetSrv\redirect.dll",
+                    "$env:windir\system32\inetSrv\static.dll",
+                    "$env:windir\system32\inetSrv\authAnon.dll",
+                    "$env:windir\system32\inetSrv\cusTerr.dll",
+                    "$env:windir\system32\inetSrv\logHttp.dll",
+                    "$env:windir\system32\inetSrv\iisEtw.dll",
+                    "$env:windir\system32\inetSrv\iisFreb.dll",
+                    "$env:windir\system32\inetSrv\iisReQs.dll",
+                    "$env:windir\system32\inetSrv\isApi.dll",
+                    "$env:windir\system32\inetSrv\compDyn.dll",
+                    "$env:windir\system32\inetSrv\authCert.dll",
+                    "$env:windir\system32\inetSrv\authBas.dll",
+                    "$env:windir\system32\inetSrv\authsspi.dll",
+                    "$env:windir\system32\inetSrv\authMd5.dll",
+                    "$env:windir\system32\inetSrv\modRqFlt.dll",
+                    "$env:windir\system32\inetSrv\filter.dll",
+                    "$env:windir\system32\rpcProxy\rpcProxy.dll",
+                    "$env:windir\system32\inetSrv\validCfg.dll",
+                    "$env:windir\system32\wsmSvc.dll",
+                    "$env:windir\system32\inetSrv\ipReStr.dll",
+                    "$env:windir\system32\inetSrv\dipReStr.dll",
+                    "$env:windir\system32\inetSrv\iis_ssi.dll",
+                    "$env:windir\system32\inetSrv\cgi.dll",
+                    "$env:windir\system32\inetSrv\iisFcGi.dll",
+                    "$env:windir\system32\inetSrv\iisWSock.dll",
+                    "$env:windir\system32\inetSrv\warmup.dll")
+
+                $iisModulesList = New-Object 'System.Collections.Generic.List[object]'
+                $signerSubject = "O=Microsoft Corporation, L=Redmond, S=Washington"
+            }
             process {
                 try {
-                    $iisModulesList = New-Object 'System.Collections.Generic.List[object]'
                     $numberOfModulesFound = $Modules.Count
                     if ($numberOfModulesFound -ge 1) {
                         Write-Verbose "$numberOfModulesFound module(s) loaded by IIS"
+                        Write-Verbose "SkipLegacyOSModules enabled? $SkipLegacyOSModules"
                         Write-Verbose "Checking file signing information now..."
 
                         $signatureParams = @{
@@ -129,7 +136,12 @@ function Get-IISModules {
 
                             try {
                                 $signature = $allSignatures | Where-Object { $_.Path -eq $m.image } | Select-Object -First 1
-                                if ($null -ne $signature) {
+                                if (($SkipLegacyOSModules) -and
+                                    ($m.image -in $modulesToSkip)) {
+                                    Write-Verbose "Module was found in module skip list and will be skipped"
+                                    # set to $null as this will indicate that the module was on the skip list
+                                    $isModuleSigned = $null
+                                } elseif ($null -ne $signature) {
                                     Write-Verbose "Performing signature status validation. Status: $($signature.Status)"
                                     # Signature Status Enum Values:
                                     # <0> Valid, <1> UnknownError, <2> NotSigned, <3> HashMismatch,
@@ -147,11 +159,12 @@ function Get-IISModules {
                                         if ($null -ne $signature.SignerCertificate.Subject) {
                                             Write-Verbose "Signer information found. Subject: $($signature.SignerCertificate.Subject)"
                                             $signatureDetails.Signer = $signature.SignerCertificate.Subject.ToString()
-                                            $signatureDetails.IsMicrosoftSigned = $signature.SignerCertificate.Subject -cmatch "O=Microsoft Corporation, L=Redmond, S=Washington"
+                                            $signatureDetails.IsMicrosoftSigned = $signature.SignerCertificate.Subject -cmatch $signerSubject
                                         }
                                     }
                                 } else {
                                     Write-Verbose "No signature information found for module $($m.name)"
+                                    $isModuleSigned = $false
                                 }
 
                                 $iisModulesList.Add([PSCustomObject]@{
@@ -183,18 +196,13 @@ function Get-IISModules {
             $moduleFilePath = GetModulePath -Path $_.image
             # Replace the image path with the full path without environment variables
             $_.image = $moduleFilePath
-            if ($SkipLegacyOSModulesCheck) {
-                if ($moduleFilePath -notin $modulesToSkip) {
-                    $modulesToCheckList.Add($_)
-                }
-            } else {
-                $modulesToCheckList.Add($_)
-            }
+            $modulesToCheckList.Add($_)
         }
 
         $getIISModulesSignatureStatusParams = @{
             ComputerName        = $ComputerName
             Modules             = $modulesToCheckList
+            SkipLegacyOSModules = $SkipLegacyOSModulesCheck # now handled within the function as we need to return all modules which are loaded by IIS
             CatchActionFunction = $CatchActionFunction
         }
         $modules = GetIISModulesSignatureStatus @getIISModulesSignatureStatusParams

diff --git a/Shared/Tests/Get-IISModules.Tests.ps1 b/Shared/Tests/Get-IISModules.Tests.ps1
@@ -175,15 +175,27 @@ Describe "Testing Get-IISModules.ps1" {
             $iisModules.GetType() | Should -Be PSCustomObject
             $iisModules.ModuleList.GetType() | Should -Be System.Object[]
             $iisModules.Count | Should -Be 1
-            $iisModules.ModuleList.Count | Should -Be 4
+            $iisModules.ModuleList.Count | Should -Be 31
+        }
+
+        It "Should Contain Default Modules Which Are Excluded" {
+            $iisModules.ModuleList.Path -contains "C:\Windows\system32\inetSrv\protSup.dll" | Should -Be $true
+            $iisModules.ModuleList.Path -contains "C:\Windows\system32\inetSrv\iisFreb.dll" | Should -Be $true
+            $iisModules.ModuleList.Path -contains "C:\Windows\system32\inetSrv\isApi.dll" | Should -Be $true
+            $iisModules.ModuleList.Path -contains "C:\Windows\system32\rpcProxy\rpcProxy.dll" | Should -Be $true
+            $iisModules.ModuleList.Path -contains "C:\Windows\system32\inetSrv\cachtokn.dll" | Should -Be $true
         }
 
-        It "Should Not Contain Default Modules Which Are Excluded" {
-            $iisModules.ModuleList.Path.Contains("C:\windows\system32\inetSrv\protSup.dll") | Should -Be $false
-            $iisModules.ModuleList.Path.Contains("C:\windows\system32\inetSrv\iisFreb.dll") | Should -Be $false
-            $iisModules.ModuleList.Path.Contains("C:\windows\system32\inetSrv\protSup.dll") | Should -Be $false
-            $iisModules.ModuleList.Path.Contains("C:\windows\system32\inetSrv\isApi.dll") | Should -Be $false
-            $iisModules.ModuleList.Path.Contains("C:\windows\system32\rpcProxy\rpcProxy.dll") | Should -Be $false
+        It "Should Contain Default Signature Information For Modules That Are Skipped" {
+            foreach ($m in $iisModules.ModuleList) {
+                if (($m.Name -eq "TokenCacheModule") -or
+                    ($m.Name -eq "ProtocolSupportModule")) {
+                    $m.Signed | Should -Be $null
+                    $m.SignatureDetails.SignatureStatus | Should -Be -1
+                    $m.SignatureDetails.Signer | Should -Be $null
+                    $m.SignatureDetails.IsMicrosoftSigned | Should -Be $null
+                }
+            }
         }
     }
 }
diff --git a/docs/Emerging-Issues.md b/docs/Emerging-Issues.md
@@ -9,7 +9,7 @@ This page lists emerging issues for Exchange On-Premises deployments, possible r
 
 |**Updated on** | **Update causing the issue**| **Issue**| **Workaround/Solution**
 |-|-|-|-|
-8/17/2023|[All versions of August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing any version of [August 2023 Security Update for Exchange servers](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) <BR><BR>**Note**<BR> The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don’t use multiple forests.|Please follow the steps on [this KB article](https://support.microsoft.com/topic/b17c3579-0233-4d84-9245-755dd1092edb)
+10/12/2023|[All versions of August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing any version of [August 2023 Security Update for Exchange servers](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) <BR><BR>**Note**<BR> The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don’t use multiple forests.|** Update on 10/12/2023 ** <BR><BR> Follow steps on [this article](https://support.microsoft.com/topic/users-in-account-forest-can-t-change-expired-password-in-owa-in-multi-forest-exchange-deployments-after-installing-august-2023-su-b17c3579-0233-4d84-9245-755dd1092edb)
 8/15/2023|[Non-English August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. |The latest SUs have been released that do not require a workaround to install. If you used a workaround to install KB5029388, it is highly recommend to uninstall the KB5029388 to avoid issues down the line. For more information please check out [this KB](https://support.microsoft.com/topic/exchange-server-2019-and-2016-august-2023-security-update-installation-fails-on-non-english-operating-systems-ef38d805-f645-4511-8cc5-cf967e5d5c75).
 6/15/2023|[January 2023 Security Update](https://www.microsoft.com/en-us/download/details.aspx?id=104914) for Exchange 2016, Exchange 2019 | When you try to uninstall Microsoft Exchange Server 2019 or 2016 on servers, that had January 2023 Security Update for Exchange Server installed at any point, the Setup fails with following error message: <BR><BR>[ERROR] The operation couldn't be performed because object '<ServerName>' couldn't be found on '<DomainControllerName>'. |Install Exchange Security Update June 2023 or higher to resolve the issue. Check [this KB](https://support.microsoft.com/help/5025312) for more details
 6/15/2023|Extended protection enabled on Exchange server | Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled: <BR><BR>`The modified Permissions cannot be changed.`| Install Exchange Security Update June 2023 or higher to resolve the issue. Check [this KB](https://support.microsoft.com/en-us/topic/extended-protection-doesn-t-support-public-folder-client-permissions-management-through-outlook-bd2037b5-40e0-413a-b368-746b3f5439ee) for more details