Functions/Set-OSServerSecuritySettings.ps1

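function Set-OSServerSecuritySettings
{
    <#
    .SYNOPSIS
    Configures Windows and IIS with the recommended security settings for OutSystems.

    .DESCRIPTION
    This will configure Windows and IIS with the recommended security settings for the OutSystems platform.

    Disables unsafe SSL/TLS protocols in SCHANNEL, on both the Server and the Client side, by writing
    Enabled=0 and DisabledByDefault=1 under
    HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<protocol>\.
    Windows reads these values at boot, so a restart is normally required before the change takes effect.

    Adds the X-Frame-Options (SAMEORIGIN) and Content-Security-Policy (frame-ancestors 'self') response
    headers to the IIS "Default Web Site" to protect the platform from clickjacking.

    Requires an elevated session and an installed OutSystems platform; otherwise a non-terminating error
    is written and nothing is changed. Failures while writing the registry or the IIS configuration are
    logged and reported as non-terminating errors, and the function stops at the failing step.

    .PARAMETER Protocols
    SCHANNEL protocol names to disable. Defaults to "SSL 2.0" and "SSL 3.0", which preserves the
    original behaviour. Supply a longer list (for example adding "TLS 1.0" and "TLS 1.1") once it has
    been confirmed that no legacy client of this server still depends on them.

    .EXAMPLE
    Set-OSServerSecuritySettings

    .EXAMPLE
    Set-OSServerSecuritySettings -Protocols "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"

    #>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string[]]$Protocols = @("SSL 2.0", "SSL 3.0")
    )

    begin
    {
        LogMessage -Function $($MyInvocation.Mycommand) -Phase 0 -Stream 0 -Message "Starting"
        SendFunctionStartEvent -InvocationInfo $MyInvocation
    }

    process
    {
        # Writing under HKLM and changing IIS configuration both need an elevated session.
        if (-not $(IsAdmin))
        {
            LogMessage -Function $($MyInvocation.Mycommand) -Phase 1 -Stream 3 -Message "The current user is not Administrator or not running this script in an elevated session"
            WriteNonTerminalError -Message "The current user is not Administrator or not running this script in an elevated session"

            return
        }

        # Nothing to harden when the platform itself is not installed.
        if ((-not (GetServerVersion)) -or (-not (GetServerInstallDir)))
        {
            LogMessage -Function $($MyInvocation.Mycommand) -Phase 1 -Stream 3 -Message "Outsystems platform is not installed"
            WriteNonTerminalError -Message "Outsystems platform is not installed"

            return
        }

        # Disable unsafe SSL protocols
        LogMessage -Function $($MyInvocation.Mycommand) -Phase 1 -Stream 0 -Message "Disabling unsafe SSL protocols"
        $schannelRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
        # Per the SCHANNEL registry documentation, Enabled=0 switches the protocol off and
        # DisabledByDefault=1 keeps it off for callers that do not select a protocol explicitly.
        # Both are written for the Server and the Client side, in the same order as before.
        $disableValues = @(
            @{ Name = "Enabled"; Value = 0 },
            @{ Name = "DisabledByDefault"; Value = 1 }
        )
        $sides = @("Server", "Client")
        try
        {
            foreach ($protocolName in $Protocols)
            {
                LogMessage -Function $($MyInvocation.Mycommand) -Phase 1 -Stream 0 -Message "Disabling $protocolName"
                foreach ($entry in $disableValues)
                {
                    foreach ($side in $sides)
                    {
                        RegWrite -Path "$schannelRoot\$protocolName\$side" -Name $entry.Name -Type "DWord" -Value $entry.Value
                    }
                }
            }
        }
        catch
        {
            LogMessage -Function $($MyInvocation.Mycommand) -Phase 1 -Exception $_.Exception -Stream 3 -Message "Error disabling unsafe SSL protocols"
            WriteNonTerminalError -Message "Error disabling unsafe SSL protocols"

            return
        }

        # Disable clickjacking (Server Level)
        # X-Frame-Options covers older browsers; CSP frame-ancestors is the current mechanism.
        # NOTE(review): whether re-running this appends duplicate customHeaders entries depends on the
        # SetWebConfigurationProperty helper - confirm it is idempotent before scheduling repeated runs.
        LogMessage -Function $($MyInvocation.Mycommand) -Phase 1 -Stream 0 -Message "Disabling click jacking"
        $clickjackingHeaders = @(
            @{ name = "X-Frame-Options"; value = "SAMEORIGIN" },
            @{ name = "Content-Security-Policy"; value = "frame-ancestors 'self'" }
        )
        try
        {
            foreach ($header in $clickjackingHeaders)
            {
                SetWebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" -Filter "system.webServer/httpProtocol/customHeaders" -Value $header
            }
        }
        catch
        {
            LogMessage -Function $($MyInvocation.Mycommand) -Phase 1 -Exception $_.Exception -Stream 3 -Message "Error disabling click jacking"
            WriteNonTerminalError -Message "Error disabling click jacking"

            return
        }
    }

    end
    {
        # Runs even after an early return from process, so the end event and "Ending" log are always emitted.
        SendFunctionEndEvent -InvocationInfo $MyInvocation
        LogMessage -Function $($MyInvocation.Mycommand) -Phase 2 -Stream 0 -Message "Ending"
    }
}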