<#
    MIT License

    Copyright (c) Microsoft Corporation.

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE
#>

# Version 21.06.29.0910

<#
    .SYNOPSIS
        This script contains 4 mitigations to help address the following vulnerabilities:
            CVE-2021-26855
            CVE-2021-26857
            CVE-2021-27065
            CVE-2021-26858
        For more information on each mitigation please visit https://aka.ms/exchangevulns

    .DESCRIPTION
        For IIS 10 and higher URL Rewrite Module 2.1 must be installed, you can download version 2.1 (x86 and x64) here:
        * x86 & x64 - https://www.iis.net/downloads/microsoft/url-rewrite

        For IIS 8.5 and lower Rewrite Module 2.0 must be installed, you can download version 2.0 here:
        * x86 - https://www.microsoft.com/en-us/download/details.aspx?id=5747
        * x64 - https://www.microsoft.com/en-us/download/details.aspx?id=7435

        It is important to follow these version guidelines as it was found installing the newer version of the URL rewrite module on older versions of IIS (IIS 8.5 and lower) can cause IIS and Exchange to become unstable.
        If you find yourself in a scenario where a newer version of the IIS URL rewrite module was installed on an older version of IIS, uninstalling the URL rewrite module and reinstalling the recommended version listed above should resolve any instability issues.

    .PARAMETER FullPathToMSI
        This string parameter is used to specify the path of the MSI file of the URL Rewrite Module.

    .PARAMETER WebSiteNames
        This string parameter is used to specify the name of the Default Web Site.

    .PARAMETER ApplyAllMitigations
        This switch parameter is used to apply all 4 mitigations: BackendCookieMitigation, UnifiedMessagingMitigation, ECPAppPoolMitigation and OABAppPoolMitigation in one go.

    .PARAMETER RollbackAllMitigations
        This switch parameter is used to roll back all 4 mitigations: BackendCookieMitigation, UnifiedMessagingMitigation, ECPAppPoolMitigation and OABAppPoolMitigation in one go.

    .PARAMETER ApplyBackendCookieMitigation
        This switch parameter is used to apply the Backend Cookie Mitigation

    .PARAMETER RollbackBackendCookieMitigation
        This switch parameter is used to roll back the Backend Cookie Mitigation

    .PARAMETER ApplyUnifiedMessagingMitigation
        This switch parameter is used to apply the Unified Messaging Mitigation

    .PARAMETER RollbackUnifiedMessagingMitigation
        This switch parameter is used to roll back the Unified Messaging Mitigation

    .PARAMETER ApplyECPAppPoolMitigation
        This switch parameter is used to apply the ECP App Pool Mitigation

    .PARAMETER RollbackECPAppPoolMitigation
        This switch parameter is used to roll back the ECP App Pool Mitigation

    .PARAMETER ApplyOABAppPoolMitigation
        This switch parameter is used to apply the OAB App Pool Mitigation

    .PARAMETER RollbackOABAppPoolMitigation
        This switch parameter is used to roll back the OAB App Pool Mitigation

    .PARAMETER operationTimeOutDuration
        operationTimeOutDuration is the max duration (in seconds) we wait for each mitigation/rollback before timing it out and throwing.

    .PARAMETER AutoDownloadURLRewrite
        If set will automatically download/install the IIS URL Rewrite Module.

    .PARAMETER Verbose
        The Verbose switch can be used to view the changes that occur during script execution.

    .EXAMPLE
        PS C:\> ExchangeMitigations.ps1 -FullPathToMSI "FullPathToMSI" -WebSiteNames "Default Web Site" -ApplyAllMitigations -Verbose

        To apply all mitigations and install the IIS URL Rewrite Module.

    .EXAMPLE
        PS C:\> ExchangeMitigations.ps1 -AutoDownloadURLRewrite -WebSiteNames "Default Web Site" -ApplyAllMitigations -Verbose

        To apply all mitigations, download, and install the IIS URL Rewrite Module.

    .EXAMPLE
        PS C:\> ExchangeMitigations.ps1 -WebSiteNames "Default Web Site" -ApplyAllMitigations -Verbose

        To apply all mitigations without installing the IIS URL Rewrite Module.

    .EXAMPLE
        PS C:\> ExchangeMitigations.ps1 -WebSiteNames "Default Web Site" -RollbackAllMitigations -Verbose

        To roll back all mitigations

    .EXAMPLE
        PS C:\> ExchangeMitigations.ps1 -WebSiteNames "Default Web Site" -ApplyECPAppPoolMitigation -ApplyOABAppPoolMitigation -Verbose

        To apply multiple mitigations (out of the 4)

    .EXAMPLE
        PS C:\> ExchangeMitigations.ps1 -WebSiteNames "Default Web Site" -RollbackECPAppPoolMitigation -RollbackOABAppPoolMitigation -Verbose

        To roll back multiple mitigations (out of the 4)

    .Link
        https://aka.ms/exchangevulns
        https://www.iis.net/downloads/microsoft/url-rewrite
        https://www.microsoft.com/en-us/download/details.aspx?id=5747
        https://www.microsoft.com/en-us/download/details.aspx?id=7435
#>

[CmdLetBinding()]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '', Justification = 'Incorrect rule result')]
param(
    [switch]$ApplyAllMitigations,
    [switch]$ApplyBackendCookieMitigation,
    [switch]$ApplyUnifiedMessagingMitigation,
    [switch]$ApplyECPAppPoolMitigation,
    [switch]$ApplyOABAppPoolMitigation,
    [switch]$RollbackAllMitigations,
    [switch]$RollbackBackendCookieMitigation,
    [switch]$RollbackUnifiedMessagingMitigation,
    [switch]$RollbackECPAppPoolMitigation,
    [switch]$RollbackOABAppPoolMitigation,
    [int]$operationTimeOutDuration = 120,
    [ValidateNotNullOrEmpty()][string[]]$WebSiteNames = $(throw "WebSiteNames is mandatory, please provide valid value."),
    [System.IO.FileInfo]$FullPathToMSI,
    [switch]$AutoDownloadURLRewrite
)

function BackendCookieMitigation {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '', Justification = 'Invalid rule result')]
    param(
        [string]$WebSiteName = "Default Web Site",
        [switch]$RollbackMitigation
    )

    # Reads the ProductVersion property out of an MSI via the Windows Installer COM object
    function Get-MsiProductVersion {
        param (
            [string]$filename
        )

        try {
            $windowsInstaller = New-Object -com WindowsInstaller.Installer

            $database = $windowsInstaller.GetType().InvokeMember(
                "OpenDatabase", "InvokeMethod", $Null,
                $windowsInstaller, @($filename, 0)
            )

            $q = "SELECT Value FROM Property WHERE Property = 'ProductVersion'"

            $View = $database.GetType().InvokeMember(
                "OpenView", "InvokeMethod", $Null, $database, ($q)
            )

            try {
                $View.GetType().InvokeMember("Execute", "InvokeMethod", $Null, $View, $Null) | Out-Null

                $record = $View.GetType().InvokeMember(
                    "Fetch", "InvokeMethod", $Null, $View, $Null
                )

                $productVersion = $record.GetType().InvokeMember(
                    "StringData", "GetProperty", $Null, $record, 1
                )

                return $productVersion
            } finally {
                if ($View) {
                    $View.GetType().InvokeMember("Close", "InvokeMethod", $Null, $View, $Null) | Out-Null
                }
            }
        } catch {
            throw "Failed to get MSI file version the error was: {0}." -f $_
        }
    }

    # Looks up DisplayVersion for installed software whose DisplayName matches every pattern in $Name
    function Get-InstalledSoftwareVersion {
        param (
            [ValidateNotNullOrEmpty()]
            [string[]]$Name
        )

        try {
            $UninstallKeys = @(
                "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall",
                "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
            )

            New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null

            $UninstallKeys += Get-ChildItem HKU: | Where-Object { $_.Name -match 'S-\d-\d+-(\d+-){1,14}\d+$' } | ForEach-Object {
                "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Uninstall"
            }

            foreach ($UninstallKey in $UninstallKeys) {
                $SwKeys = Get-ChildItem -Path $UninstallKey -ErrorAction SilentlyContinue
                foreach ($n in $Name) {
                    $SwKeys = $SwKeys | Where-Object { $_.GetValue('DisplayName') -like "$n" }
                }
                if ($SwKeys) {
                    foreach ($SwKey in $SwKeys) {
                        if ($SwKey.GetValueNames().Contains("DisplayVersion")) {
                            return $SwKey.GetValue("DisplayVersion")
                        }
                    }
                }
            }
        } catch {
            Write-Error -Message "Error: $($_.Exception.Message) - Line Number: $($_.InvocationInfo.ScriptLineNumber)"
        }
    }

    function Test-IIS10 {
        $iisRegPath = "hklm:\SOFTWARE\Microsoft\InetStp"

        if (Test-Path $iisRegPath) {
            $properties = Get-ItemProperty $iisRegPath
            if ($properties.MajorVersion -eq 10) {
                return $true
            }
        }

        return $false
    }

    function Get-URLRewriteLink {
        $DownloadLinks = @{
            "x86" = @{
                "de-DE" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_de-DE.msi"
                "en-US" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_en-US.msi"
                "es-ES" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_es-ES.msi"
                "fr-FR" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_fr-FR.msi"
                "it-IT" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_it-IT.msi"
                "ja-JP" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_ja-JP.msi"
                "ko-KR" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_ko-KR.msi"
                "ru-RU" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_ru-RU.msi"
                "zh-CN" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_zh-CN.msi"
                "zh-TW" = "https://download.microsoft.com/download/D/8/1/D81E5DD6-1ABB-46B0-9B4B-21894E18B77F/rewrite_x86_zh-TW.msi"
            }

            "x64" = @{
                "de-DE" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_de-DE.msi"
                "en-US" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi"
                "es-ES" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_es-ES.msi"
                "fr-FR" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_fr-FR.msi"
                "it-IT" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_it-IT.msi"
                "ja-JP" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_ja-JP.msi"
                "ko-KR" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_ko-KR.msi"
                "ru-RU" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_ru-RU.msi"
                "zh-CN" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_zh-CN.msi"
                "zh-TW" = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_zh-TW.msi"
            }
        }

        if ([Environment]::Is64BitOperatingSystem) {
            $Architecture = "x64"
        } else {
            $Architecture = "x86"
        }

        # Culture names must match the keys of $DownloadLinks (zh-CN / zh-TW), otherwise fall back to en-US
        if ((Get-Culture).Name -in @("de-DE", "en-US", "es-ES", "fr-FR", "it-IT", "ja-JP", "ko-KR", "ru-RU", "zh-CN", "zh-TW")) {
            $Language = (Get-Culture).Name
        } else {
            $Language = "en-US"
        }

        return $DownloadLinks[$Architecture][$Language]
    }

    # Verifies the Authenticode signature of the MSI and that its chain ends in a Microsoft root CA
    function Confirm-Signature {
        param(
            [string]$Filepath,
            [string]$Stage
        )

        $MicrosoftSigningRoot2010 = 'CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
        $MicrosoftSigningRoot2011 = 'CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'

        $IsValid = $false
        $failMsg = "Signature of $Filepath not as expected. "
        try {
            if (!(Test-Path $Filepath)) {
                $IsValid = $false
                $failMsg += "Filepath does not exist"
                throw
            }

            $sig = Get-AuthenticodeSignature -FilePath $Filepath

            if ($sig.Status -ne 'Valid') {
                $IsValid = $false
                $failMsg += "Signature is not trusted by machine as Valid, status: $($sig.Status)"
                throw
            }

            $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.VerificationFlags = "IgnoreNotTimeValid"

            $chainsCorrectly = $chain.Build($sig.SignerCertificate)

            if (!$chainsCorrectly) {
                $IsValid = $false
                $failMsg += "Signer certificate doesn't chain correctly"
                throw
            }

            if ($chain.ChainElements.Count -le 1) {
                $IsValid = $false
                $failMsg += "Certificate Chain shorter than expected"
                throw
            }

            $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1]

            if ($rootCert.Certificate.Subject -ne $rootCert.Certificate.Issuer) {
                $IsValid = $false
                $failMsg += "Top-level certificate in chain is not a root certificate"
                throw
            }

            if ($rootCert.Certificate.Subject -eq $MicrosoftSigningRoot2010 -or $rootCert.Certificate.Subject -eq $MicrosoftSigningRoot2011) {
                $IsValid = $true
                Write-Verbose "[INFO] $Filepath is signed by Microsoft as expected, trusted by machine as Valid, signed by: $($sig.SignerCertificate.Subject), Issued by: $($sig.SignerCertificate.Issuer), with Root certificate: $($rootCert.Certificate.Subject)" -Verbose
            } else {
                $IsValid = $false
                $failMsg += "Unexpected root cert. Expected $MicrosoftSigningRoot2010 or $MicrosoftSigningRoot2011, but found $($rootCert.Certificate.Subject)"
                throw $failMsg
            }
        } catch {
            $IsValid = $false
            throw $failMsg
        }

        return $IsValid
    }

    #Configure Rewrite Rule consts
    $HttpCookieInput = '{HTTP_COOKIE}'
    $root = 'system.webServer/rewrite/rules'
    $inbound = '.*'
    $name = 'X-AnonResource-Backend Abort - inbound'
    $name2 = 'X-BEResource Abort - inbound'
    $pattern = '(.*)X-AnonResource-Backend(.*)'
    $pattern2 = '(.*)X-BEResource=(.+)/(.+)~(.+)'
    $filter = "{0}/rule[@name='{1}']" -f $root, $name
    $filter2 = "{0}/rule[@name='{1}']" -f $root, $name2

    Import-Module WebAdministration

    if ($RollbackMitigation) {
        Write-Verbose "[INFO] Starting mitigation rollback process on $env:computername"
        $site = "IIS:\Sites\$WebSiteName"

        $mitigationFound = $false
        foreach ($f in @($filter, $filter2)) {
            if (Get-WebConfiguration -Filter $f -PSPath $site) {
                $mitigationFound = $true
                Clear-WebConfiguration -Filter $f -PSPath $site
            }
        }

        if ($mitigationFound) {
            # Remove the empty <rules> element if no rewrite rules are left
            $Rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -Recurse
            if ($null -eq $Rules) {
                Clear-WebConfiguration -PSPath $site -Filter 'system.webServer/rewrite/rules'
            }
            Write-Verbose "[OK] Rewrite rule mitigation removed for $env:COMPUTERNAME :: $WebSiteName"
        } else {
            Write-Verbose "[INFO] Rewrite rule mitigation does not exist for $env:COMPUTERNAME :: $WebSiteName"
        }
    } else {
        Write-Verbose "[INFO] Starting mitigation process on $env:computername" -Verbose
        Write-Verbose "[INFO] Checking for IIS URL Rewrite Module on $env:computername" -Verbose

        $RewriteModule = Get-InstalledSoftwareVersion -Name "*IIS*", "*URL*", "*2*"

        if ($RewriteModule) {
            Write-Verbose "[INFO] IIS URL Rewrite Module already installed on $env:computername" -Verbose
        } else {
            if ($AutoDownloadURLRewrite) {
                Write-Verbose -Message "ExchangeMitigations.ps1 will now attempt to download and install the IIS URL Rewrite Module on $env:computername" -Verbose
                try {
                    # Force TLS1.2 to make sure we can download from HTTPS
                    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
                    $ProgressPreference = "SilentlyContinue"
                    $DownloadLink = Get-URLRewriteLink
                    $DownloadDir = Join-Path $env:TEMP "IISUrlRewrite"
                    $RewriteModuleInstallLog = Join-Path $DownloadDir "\RewriteModuleInstall.log"
                    $FullPathToMSI = Join-Path $DownloadDir "\$($DownloadLink.Split("/")[-1])"
                    if (!(Test-Path $DownloadDir)) {
                        New-Item -ItemType Directory $DownloadDir | Out-Null
                    }
                    Write-Verbose -Message "Downloading IIS URLRewrite MSI here: $FullPathToMSI" -Verbose
                    $response = Invoke-WebRequest $DownloadLink -UseBasicParsing
                    [IO.File]::WriteAllBytes($FullPathToMSI, $response.Content)
                } catch {
                    throw "[ERROR] $_"
                }
            } elseif ($FullPathToMSI -and (Test-Path $FullPathToMSI)) {
                try {
                    $MSIPath = (Resolve-Path $FullPathToMSI).Path
                    $RewriteModuleInstallLog = Join-Path (Get-Item $MSIPath).DirectoryName -ChildPath "RewriteModuleInstall.log"
                } catch {
                    throw "[ERROR] $_"
                }
            }

            $MSIProductVersion = Get-MsiProductVersion -filename $FullPathToMSI

            if ($MSIProductVersion -lt "7.2.1993") {
                throw "[ERROR] Incorrect IIS URL Rewrite Module downloaded on $env:computername"
            }

            #KB2999226 required for IIS Rewrite 2.1 on IIS ver under 10
            if (!(Test-IIS10) -and !(Get-HotFix -Id "KB2999226" -ErrorAction SilentlyContinue)) {
                throw "[ERROR] Did not detect the KB2999226 on $env:computername. Please review the pre-reqs for this KB and download from https://support.microsoft.com/en-us/topic/update-for-universal-c-runtime-in-windows-c0514201-7fe6-95a3-b0a5-287930f3560c"
            }

            Write-Verbose "Installing the IIS URL Rewrite Module on $env:computername" -Verbose
            $arguments = "/i `"$FullPathToMSI`" /quiet /log `"$RewriteModuleInstallLog`""
            $msiexecPath = $env:WINDIR + "\System32\msiexec.exe"

            # Refuse to run the installer unless the MSI is signed by Microsoft
            if (!(Confirm-Signature -filepath $FullPathToMSI -Stage $stage)) {
                throw "[ERROR] File present at $FullPathToMSI does not seem to be signed as expected, stopping execution."
            }

            Start-Process -FilePath $msiexecPath -ArgumentList $arguments -Wait
            Start-Sleep -Seconds 15
            $RewriteModule = Get-InstalledSoftwareVersion -Name "*IIS*", "*URL*", "*2*"

            if ($RewriteModule) {
                Write-Verbose "[OK] IIS URL Rewrite Module installed on $env:computername"
            } else {
                throw "[ERROR] Issue installing IIS URL Rewrite Module, please review $($RewriteModuleInstallLog)"
            }
        }

        Write-Verbose "[INFO] Applying URL Rewrite configuration to $env:COMPUTERNAME :: $WebSiteName" -Verbose
        $site = "IIS:\Sites\$WebSiteName"

        try {
            # Remove any existing copies of the two rules before re-adding them
            if ((Get-WebConfiguration -Filter $filter -PSPath $site).name -eq $name) {
                Clear-WebConfiguration -Filter $filter -PSPath $site
            }

            if ((Get-WebConfiguration -Filter $filter2 -PSPath $site).name -eq $name2) {
                Clear-WebConfiguration -Filter $filter2 -PSPath $site
            }

            # Rule 1: abort any request whose cookie header contains X-AnonResource-Backend
            Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name; patternSyntax = 'Regular Expressions'; stopProcessing = 'False' }
            Set-WebConfigurationProperty -PSPath $site -filter "$filter/match" -name 'url' -value $inbound
            Set-WebConfigurationProperty -PSPath $site -filter "$filter/conditions" -name '.' -value @{input = $HttpCookieInput; matchType = '0'; pattern = $pattern; ignoreCase = 'True'; negate = 'False' }
            Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'type' -value 'AbortRequest'

            # Rule 2: abort any request whose cookie header matches the X-BEResource pattern
            Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name2; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }
            Set-WebConfigurationProperty -PSPath $site -filter "$filter2/match" -name 'url' -value $inbound
            Set-WebConfigurationProperty -PSPath $site -filter "$filter2/conditions" -name '.' -value @{input = $HttpCookieInput; matchType = '0'; pattern = $pattern2; ignoreCase = 'True'; negate = 'False' }
            Set-WebConfigurationProperty -PSPath $site -filter "$filter2/action" -name 'type' -value 'AbortRequest'

            Write-Verbose "[OK] Rewrite rule configuration complete for $env:COMPUTERNAME :: $WebSiteName"
        } catch {
            throw "[ERROR] Mitigation failed on $env:COMPUTERNAME :: $WebSiteName - $_"
        }
    }
}

Function UnifiedMessagingMitigation {
    [CmdLetBinding()]
    param(
        [switch]$ApplyMitigation,
        [switch]$RollbackMitigation
    )

    # UM doesn't apply to Exchange Server 2019
    $exchangeVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\')
    if ($exchangeVersion.OwaVersion -notmatch "15\.[01]") {
        Write-Verbose "[INFO] Skipping UM Mitigation for Exchange 2019"
        return
    }

    if ($ApplyMitigation) {
        StopAndCheckHM
        Stop-Service MSExchangeUM
        Set-Service MSExchangeUM -StartupType Disabled
        Stop-Service MSExchangeUMCR
        Set-Service MSExchangeUMCR -StartupType Disabled

        CheckOperationSuccess -conditions '((Get-Service MSExchangeUM).Status -eq "Stopped") -and `
                                          ((Get-Service MSExchangeUMCR).Status -eq "Stopped") -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "MSExchangeUM"}).StartMode -eq "Disabled" ) -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "MSExchangeUMCR"}).StartMode -eq "Disabled" )' `
            -unSuccessfullMessage 'Unified Messaging Mitigation Failed. You can increase time out duration by adding -operationTimeOutDuration '

        Get-Service MSExchangeUM
        Get-Service MSExchangeUMCR
    }

    if ($RollbackMitigation) {
        # Only restart Health Manager if no other mitigation still needs it stopped
        if (-not(((Get-WebAppPoolState -Name "MSExchangeECPAppPool").value -eq "Stopped") -or ((Get-WebAppPoolState -Name "MSExchangeOABAppPool").value -eq "Stopped"))) {
            StartAndCheckHM
        }
        Set-Service MSExchangeUM -StartupType Automatic
        Start-Service MSExchangeUM
        Set-Service MSExchangeUMCR -StartupType Automatic
        Start-Service MSExchangeUMCR

        CheckOperationSuccess -conditions '((Get-Service MSExchangeUM).Status -eq "Running") -and `
                                          ((Get-Service MSExchangeUMCR).Status -eq "Running") -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "MSExchangeUM"}).StartMode -eq "Auto" ) -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "MSExchangeUMCR"}).StartMode -eq "Auto" )' `
            -unSuccessfullMessage 'Unified Messaging Rollback Failed. You can increase time out duration by adding -operationTimeOutDuration '

        Get-Service MSExchangeUM
        Get-Service MSExchangeUMCR
    }
}

Function ECPAppPoolMitigation {
    [CmdLetBinding()]
    param(
        [switch]$ApplyMitigation,
        [switch]$RollbackMitigation
    )

    if ($ApplyMitigation) {
        StopAndCheckHM
        Import-Module WebAdministration
        $AppPoolName = "MSExchangeECPAppPool"
        $AppPool = Get-Item IIS:\AppPools\$AppPoolName
        $AppPool.startMode = "OnDemand"
        $AppPool.autoStart = $false
        $AppPool | Set-Item -Verbose
        if ((Get-WebAppPoolState -Name $AppPoolName).Value -ne "Stopped") {
            Stop-WebAppPool -Name $AppPoolName
        }

        CheckOperationSuccess -conditions '((Get-WebAppPoolState -Name "MSExchangeECPAppPool").value -eq "Stopped")' `
            -unSuccessfullMessage 'ECPAppPool Mitigation Failed. You can increase time out duration by adding -operationTimeOutDuration '

        Write-Verbose "Status of $AppPoolName" -Verbose
        Get-WebAppPoolState -Name $AppPoolName
    }

    if ($RollbackMitigation) {
        # Only restart Health Manager if no other mitigation still needs it stopped
        $exchangeVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\')
        if ($exchangeVersion.OwaVersion -notlike "15.0.*") {
            if (-not((Get-WebAppPoolState -Name "MSExchangeOABAppPool").value -eq "Stopped")) {
                StartAndCheckHM
            }
        } else {
            if (-not( ((Get-WebAppPoolState -Name "MSExchangeOABAppPool").value -eq "Stopped") -or
                    ((Get-Service MSExchangeUM).Status -eq "Stopped") -or
                    ((Get-Service MSExchangeUMCR).Status -eq "Stopped"))) {
                StartAndCheckHM
            }
        }

        Import-Module WebAdministration
        $AppPoolName = "MSExchangeECPAppPool"
        $AppPool = Get-Item IIS:\AppPools\$AppPoolName
        $AppPool.startMode = "OnDemand"
        $AppPool.autoStart = $true
        $AppPool | Set-Item -Verbose
        Start-WebAppPool -Name $AppPoolName

        CheckOperationSuccess -conditions '((Get-WebAppPoolState -Name "MSExchangeECPAppPool").value -eq "Started")' `
            -unSuccessfullMessage 'ECPAppPool Rollback Failed. You can increase time out duration by adding -operationTimeOutDuration '

        Write-Verbose "Status of $AppPoolName" -Verbose
        Get-WebAppPoolState -Name $AppPoolName
    }
}

Function OABAppPoolMitigation {
    [CmdLetBinding()]
    param(
        [switch]$ApplyMitigation,
        [switch]$RollbackMitigation
    )

    if ($ApplyMitigation) {
        StopAndCheckHM
        Import-Module WebAdministration
        $AppPoolName = "MSExchangeOABAppPool"
        $AppPool = Get-Item IIS:\AppPools\$AppPoolName
        $AppPool.startMode = "OnDemand"
        $AppPool.autoStart = $false
        $AppPool | Set-Item -Verbose
        if ((Get-WebAppPoolState -Name $AppPoolName).Value -ne "Stopped") {
            Stop-WebAppPool -Name $AppPoolName
        }

        CheckOperationSuccess -conditions '((Get-WebAppPoolState -Name "MSExchangeOABAppPool").value -eq "Stopped")' `
            -unSuccessfullMessage 'OABAppPool Mitigation Failed. You can increase time out duration by adding -operationTimeOutDuration '

        Write-Verbose "Status of $AppPoolName" -Verbose
        Get-WebAppPoolState -Name $AppPoolName
    }

    if ($RollbackMitigation) {
        # Only restart Health Manager if no other mitigation still needs it stopped
        $exchangeVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\')
        if ($exchangeVersion.OwaVersion -notlike "15.0.*") {
            if (-not((Get-WebAppPoolState -Name "MSExchangeECPAppPool").value -eq "Stopped")) {
                StartAndCheckHM
            }
        } else {
            if (-not( ((Get-WebAppPoolState -Name "MSExchangeECPAppPool").value -eq "Stopped") -or
                    ((Get-Service MSExchangeUM).Status -eq "Stopped") -or
                    ((Get-Service MSExchangeUMCR).Status -eq "Stopped"))) {
                StartAndCheckHM
            }
        }

        Import-Module WebAdministration
        $AppPoolName = "MSExchangeOABAppPool"
        $AppPool = Get-Item IIS:\AppPools\$AppPoolName
        $AppPool.startMode = "OnDemand"
        $AppPool.autoStart = $true
        $AppPool | Set-Item -Verbose
        Start-WebAppPool -Name $AppPoolName

        CheckOperationSuccess -conditions '((Get-WebAppPoolState -Name "MSExchangeOABAppPool").value -eq "Started")' `
            -unSuccessfullMessage 'OABAppPool Rollback Failed. You can increase time out duration by adding -operationTimeOutDuration '

        Write-Verbose "Status of $AppPoolName" -Verbose
        Get-WebAppPoolState -Name $AppPoolName
    }
}

# Polls the given condition once per second until it is true or $operationTimeOutDuration is exceeded
Function CheckOperationSuccess {
    [CmdletBinding()]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '', Justification = 'TBD')]
    param(
        [string]$conditions,
        [string]$unSuccessfullMessage
    )

    $operationSuccessful = $false
    $attemptNumber = 0

    DO {
        Start-Sleep -Seconds 1
        $operationSuccessful = Invoke-Expression $conditions
        $attemptNumber += 1
    } While ( (-not $operationSuccessful) -and $attemptNumber -le $operationTimeOutDuration )

    if ( -not $operationSuccessful ) {
        throw $unSuccessfullMessage
    }
}

Function StopAndCheckHM {
    $MSExchangeHM = Get-Service MSExchangeHM
    if ($MSExchangeHM.Status -ne "Stopped") {
        Stop-Service MSExchangeHM
    }

    If (((gwmi -Class win32_service | Where-Object { $_.name -eq "msexchangehm" }).StartMode -ne "Disabled" )) {
        Set-Service MSExchangeHM -StartupType Disabled
    }

    $exchangeVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\')
    if ($exchangeVersion.OwaVersion -notlike "15.0.*") {
        $MSExchangeHMR = Get-Service MSExchangeHMRecovery
        if ($MSExchangeHMR.Status -ne "Stopped") {
            Stop-Service MSExchangeHMRecovery
        }

        If (((gwmi -Class win32_service | Where-Object { $_.name -eq "MSExchangeHMRecovery" }).StartMode -ne "Disabled")) {
            Set-Service MSExchangeHMRecovery -StartupType Disabled
        }

        CheckOperationSuccess -conditions '((Get-Service MSExchangeHM).Status -eq "Stopped") -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "msexchangehm"}).StartMode -eq "Disabled" ) -and `
                                          ((Get-Service MSExchangeHMRecovery).Status -eq "Stopped") -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "MSExchangeHMRecovery"}).StartMode -eq "Disabled" )' `
            -unSuccessfullMessage 'Mitigation Failed. HealthMonitoring or HealthMonitoringRecovery Service is running/not disabled. You can increase time out duration by adding -operationTimeOutDuration '
    } else {
        CheckOperationSuccess -conditions '((Get-Service MSExchangeHM).Status -eq "Stopped") -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "msexchangehm"}).StartMode -eq "Disabled" )' `
            -unSuccessfullMessage 'Mitigation Failed. HealthMonitoring Service is running/not disabled. You can increase time out duration by adding -operationTimeOutDuration '
    }

    Get-Service MSExchangeHM
    if ($exchangeVersion.OwaVersion -notlike "15.0.*") {
        Get-Service MSExchangeHMRecovery
    }
}

Function StartAndCheckHM {
    $MSExchangeHM = Get-Service MSExchangeHM
    If (((gwmi -Class win32_service | Where-Object { $_.name -eq "msexchangehm" }).StartMode -ne "Auto" )) {
        Set-Service MSExchangeHM -StartupType Automatic
    }

    if ($MSExchangeHM.Status -ne "Running") {
        Start-Service MSExchangeHM
    }

    $exchangeVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\')
    if ($exchangeVersion.OwaVersion -notlike "15.0.*") {
        $MSExchangeHMR = Get-Service MSExchangeHMRecovery
        If (((gwmi -Class win32_service | Where-Object { $_.name -eq "MSExchangeHMRecovery" }).StartMode -ne "Auto" )) {
            Set-Service MSExchangeHMRecovery -StartupType Automatic
        }

        if ($MSExchangeHMR.Status -ne "Running") {
            Start-Service MSExchangeHMRecovery
        }

        CheckOperationSuccess -conditions '((Get-Service MSExchangeHM).Status -eq "Running") -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "msexchangehm"}).StartMode -eq "Auto" ) -and `
                                          ((Get-Service MSExchangeHMRecovery).Status -eq "Running") -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "MSExchangeHMRecovery"}).StartMode -eq "Auto" )' `
            -unSuccessfullMessage 'Rollback Failed. HealthMonitoring or HealthMonitoringRecovery Service is stopped/disabled. You can increase time out duration by adding -operationTimeOutDuration '
    } else {
        CheckOperationSuccess -conditions '((Get-Service MSExchangeHM).Status -eq "Running") -and `
                                          ((gwmi -Class win32_service | ? {$_.name -eq "msexchangehm"}).StartMode -eq "Auto" )' `
            -unSuccessfullMessage 'Rollback Failed. HealthMonitoring Service is stopped/disabled. You can increase time out duration by adding -operationTimeOutDuration '
    }

    Get-Service MSExchangeHM

    if ($exchangeVersion.OwaVersion -notlike "15.0.*") {
        Get-Service MSExchangeHMRecovery
    }
}

# The script changes IIS configuration and service state, so it must run elevated
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (!$currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Script must be executed as administrator, please close and re-run Exchange Management Shell as administrator"
    return
}

if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell does not meet the minimum requirements, system must have PowerShell 3 or later"
}

Import-Module WebAdministration

if ($ApplyAllMitigations -or $ApplyBackendCookieMitigation) {
    if ($FullPathToMSI) {
        BackendCookieMitigation -FullPathToMSI $FullPathToMSI -WebSiteNames $WebSiteNames -ErrorAction Stop
    } else {
        BackendCookieMitigation -WebSiteNames $WebSiteNames -ErrorAction Stop
    }
}

if ($RollbackAllMitigations -or $RollbackBackendCookieMitigation) {
    BackendCookieMitigation -WebSiteNames $WebSiteNames -RollbackMitigation -ErrorAction Stop
}

if ($ApplyAllMitigations -or $ApplyUnifiedMessagingMitigation) {
    UnifiedMessagingMitigation -ApplyMitigation -ErrorAction Stop
}

if ($RollbackAllMitigations -or $RollbackUnifiedMessagingMitigation) {
    UnifiedMessagingMitigation -RollbackMitigation -ErrorAction Stop
}

if ($ApplyAllMitigations -or $ApplyECPAppPoolMitigation) {
    ECPAppPoolMitigation -ApplyMitigation -ErrorAction Stop
}

if ($RollbackAllMitigations -or $RollbackECPAppPoolMitigation) {
    ECPAppPoolMitigation -RollbackMitigation -ErrorAction Stop
}

if ($RollbackAllMitigations -or $RollbackOABAppPoolMitigation) {
    OABAppPoolMitigation -RollbackMitigation -ErrorAction Stop
}

if ($ApplyAllMitigations -or $ApplyOABAppPoolMitigation) {
    OABAppPoolMitigation -ApplyMitigation -ErrorAction Stop
}
t6cql59q6CypZYIwgyJ892HpttybHKg1ZtQLUlSXccRMlugPgEcNZJagPEgPYni4 # b11snjRAgf0dyQ0zI9aLXqTxWUU5pCIFiPT0b2wsxzRqCtyGqpkGM8P9GazO8eao # mVItCYBcJSByBx/pS0cSYwBBHAZxJODUqxSXoSGDvmTfqUJXntnWkL4okok1FiCD # Z4jpyXOQunb6egIXvkgQ7jb2uO26Ow0m8RwleDvhOMrnHsupiOPbozKroSa6paFt # VSh89abUSooR8QdZciemmoFhcWkEwFg4spzvYNP4nIs193261WyTaRMZoceGun7G # CT2Rl653uUj+F+g94c63AhzSq4khdL4HlFIP2ePv29smfUnHtGq6yYFDLnT0q/Y+ # Di3jwloF8EWkkHRtSuXlFUbTmwr/lDDgbpZiKhLS7CBTDj32I0L5i532+uHczw82 # oZDmYmYmIUSMbZOgS65h797rj5JJ6OkeEUJoAVwwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 
4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVcDCCFWwCAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAd9r8C6Sp0q00AAAAAAB3zAN # BglghkgBZQMEAgEFAKCBxjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgnvXlKM7x # ZXA8Zc7PeyYl5b5fX72Tz0aMX8I7kFiKcmYwWgYKKwYBBAGCNwIBDDFMMEqgGoAY # AEMAUwBTACAARQB4AGMAaABhAG4AZwBloSyAKmh0dHBzOi8vZ2l0aHViLmNvbS9t # aWNyb3NvZnQvQ1NTLUV4Y2hhbmdlIDANBgkqhkiG9w0BAQEFAASCAQAbEyyM+uq4 # DQGdQnrnaonPlfm0aXQ7bp0L5UOvJr6ZSQkmiRdjsaKIj27Rh9H7Z7jGBD/7j3Sk # goZMrx6jVYXQXFXCbWY3uan7VZzAVBdh2Cujsbgi1wf/iWXP4GWo/IFBkJVps4Sg # 
iWlVwA2WA5QFEYAsycyFbYYt3yjlLYSwpfQvvou0qm8nrUd62D3VU7WUtw4FYA5u # Z9T6Yq+TGiAPnPBukcwkwQmyhnSYKuB7I6aAc7VAvFPRYEx/iKxA8OniC1jVfznn # cMnQY3whAvi8sM+idbZMbnGvE9ii3wpw1x71UEEeUgUA3EB6qoRMrvTxnIuu7EWj # ObgvOvFj4zuEoYIS4jCCEt4GCisGAQQBgjcDAwExghLOMIISygYJKoZIhvcNAQcC # oIISuzCCErcCAQMxDzANBglghkgBZQMEAgEFADCCAVEGCyqGSIb3DQEJEAEEoIIB # QASCATwwggE4AgEBBgorBgEEAYRZCgMBMDEwDQYJYIZIAWUDBAIBBQAEIKRCESAH # 4wfgq5VtF1MoWUWT2O5n4uF/fU9RnapwVSxNAgZg+Zv9VTkYEzIwMjEwNzI4MDYy # ODI1Ljc0MVowBIACAfSggdCkgc0wgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlv # bnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjNFN0EtRTM1OS1BMjVEMSUwIwYD # VQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloIIOOTCCBPEwggPZoAMC # AQICEzMAAAFSMEtdiazmcEcAAAAAAVIwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcNMjAxMTEyMTgyNjA1WhcNMjIwMjExMTgy # NjA1WjCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV # BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMG # A1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhh # bGVzIFRTUyBFU046M0U3QS1FMzU5LUEyNUQxJTAjBgNVBAMTHE1pY3Jvc29mdCBU # aW1lLVN0YW1wIFNlcnZpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQCuzG6EiZh0taCSbswMiupMTYnbboFzjj1DuDbbvT0RXKBCVl/umA+Uy214DmHi # FhkeuRdlLB0ya5S9um5aKr7lBBqZzvtKgGNgCRbDTG9Yu6kzDzPTzQRulVIvoWVy # 0gITnEyoJ1O3m5IPpsLBNQCdXsh+3TZF73JAcub21bnxm/4sxe4zTdbdttBrqX8/ # JJF2VEnAP+MBvF2UQSo6XUAaTKC/HPDPCce/IsNoAxxLDI1wHhIlqjRBnt4HM5Hc # KHrZrvH+vHnihikdlEzh3fjQFowk1fG7PVhmO60O5vVdqA+H9314hHENQI0cbo+S # kSi8SSJSLNixgj0eWePTh7pbAgMBAAGjggEbMIIBFzAdBgNVHQ4EFgQUhN2u2qwj # 1l2c2h/kULDuBRJsexQwHwYDVR0jBBgwFoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUw # VgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9j # 
cmwvcHJvZHVjdHMvTWljVGltU3RhUENBXzIwMTAtMDctMDEuY3JsMFoGCCsGAQUF # BwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3Br # aS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAxMC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIw # ADATBgNVHSUEDDAKBggrBgEFBQcDCDANBgkqhkiG9w0BAQsFAAOCAQEAVcUncfFq # SazQbDEXf3d10/upiWQU5HdTbwG9v9beVIDaG4oELyIcNE6e6CbOBMlPU+smpYYc # nK3jucNqChwquLmxdi2iPy4iQ6vjAdBp9+VFWlrBqUsNXZzjCpgMCZj6bu8Xq0Nn # dl4WyBbI0Jku68vUNG4wsMdKP3dz+1Mzk9SUma3j7HyNA559do9nhKmoZMn5dtf0 # 3QvxlaEwMAaPk9xuUv9BN8cNvFnpWk4mLERQW6tA3rXK0soEISKTYG7Ose7oMXZD # YPWxf9oFhYKzZw/SwnhdBoj2S5eyYE3AuF/ZXzR3hdp3/XGzZeOdERfFy1rC7ZBw # hDIajeFMi53GnzCCBnEwggRZoAMCAQICCmEJgSoAAAAAAAIwDQYJKoZIhvcNAQEL # BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNV # BAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4X # DTEwMDcwMTIxMzY1NVoXDTI1MDcwMTIxNDY1NVowfDELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgUENBIDIwMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpHQ28 # dxGKOiDs/BOX9fp/aZRrdFQQ1aUKAIKF++18aEssX8XD5WHCdrc+Zitb8BVTJwQx # H0EbGpUdzgkTjnxhMFmxMEQP8WCIhFRDDNdNuDgIs0Ldk6zWczBXJoKjRQ3Q6vVH # gc2/JGAyWGBG8lhHhjKEHnRhZ5FfgVSxz5NMksHEpl3RYRNuKMYa+YaAu99h/EbB # Jx0kZxJyGiGKr0tkiVBisV39dx898Fd1rL2KQk1AUdEPnAY+Z3/1ZsADlkR+79BL # /W7lmsqxqPJ6Kgox8NpOBpG2iAg16HgcsOmZzTznL0S6p/TcZL2kAcEgCZN4zfy8 # wMlEXV4WnAEFTyJNAgMBAAGjggHmMIIB4jAQBgkrBgEEAYI3FQEEAwIBADAdBgNV # HQ4EFgQU1WM6XIoxkPNDe3xGG8UzaFqFbVUwGQYJKwYBBAGCNxQCBAweCgBTAHUA # YgBDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU # 1fZWy4/oolxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2Ny # bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIw # MTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0w # 
Ni0yMy5jcnQwgaAGA1UdIAEB/wSBlTCBkjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsG # AQUFBwIBFjFodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vUEtJL2RvY3MvQ1BTL2Rl # ZmF1bHQuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAFAAbwBsAGkA # YwB5AF8AUwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQAH # 5ohRDeLG4Jg/gXEDPZ2joSFvs+umzPUxvs8F4qn++ldtGTCzwsVmyWrf9efweL3H # qJ4l4/m87WtUVwgrUYJEEvu5U4zM9GASinbMQEBBm9xcF/9c+V4XNZgkVkt070IQ # yK+/f8Z/8jd9Wj8c8pl5SpFSAK84Dxf1L3mBZdmptWvkx872ynoAb0swRCQiPM/t # A6WWj1kpvLb9BOFwnzJKJ/1Vry/+tuWOM7tiX5rbV0Dp8c6ZZpCM/2pif93FSguR # JuI57BlKcWOdeyFtw5yjojz6f32WapB4pm3S4Zz5Hfw42JT0xqUKloakvZ4argRC # g7i1gJsiOCC1JeVk7Pf0v35jWSUPei45V3aicaoGig+JFrphpxHLmtgOR5qAxdDN # p9DvfYPw4TtxCd9ddJgiCGHasFAeb73x4QDf5zEHpJM692VHeOj4qEir995yfmFr # b3epgcunCaw5u+zGy9iCtHLNHfS4hQEegPsbiSpUObJb2sgNVZl6h3M7COaYLeqN # 4DMuEin1wC9UJyH3yKxO2ii4sanblrKnQqLJzxlBTeCG+SqaoxFmMNO7dDJL32N7 # 9ZmKLxvHIa9Zta7cRDyXUHHXodLFVeNp3lfB0d4wwP3M5k37Db9dT+mdHhk4L7zP # WAUu7w2gUDXa7wknHNWzfjUeCLraNtvTX4/edIhJEqGCAsswggI0AgEBMIH4oYHQ # pIHNMIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYD # VQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFs # ZXMgVFNTIEVTTjozRTdBLUUzNTktQTI1RDElMCMGA1UEAxMcTWljcm9zb2Z0IFRp # bWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUAv26eVJaumcmTchd6hqay # QMNDXluggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkq # hkiG9w0BAQUFAAIFAOSrWqgwIhgPMjAyMTA3MjgxMjI1MTJaGA8yMDIxMDcyOTEy # MjUxMlowdDA6BgorBgEEAYRZCgQBMSwwKjAKAgUA5KtaqAIBADAHAgEAAgIFEjAH # AgEAAgIROTAKAgUA5KysKAIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZ # CgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAJpa # tjncKl48rdmzkaYEcA94Ntg7AsN23fPIuagsquPZt1cxJuQmEXYHvtLrq+24FW6z # Jfl+x//Nxs/Pt4/6c4H7/wgW6i6D4zypvbeLD7frDMUEgzXFLi7h02Z6OT6loFPx # 
RQnKYonbU1YFYPEjCMpvqWmjILv+E9TOLvPJhxGxMYIDDTCCAwkCAQEwgZMwfDEL # MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v # bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWlj # cm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAFSMEtdiazmcEcAAAAAAVIw # DQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAv # BgkqhkiG9w0BCQQxIgQgMeOO76ktRqsZnvyQsiekVokKNn3C02kxsPE/eB61b9kw # gfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCCT7lzHo4slUIxfEGp8LXQNik/e # cK6vuuGWIcmBrrsnpjCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAy # MDEwAhMzAAABUjBLXYms5nBHAAAAAAFSMCIEIH/zWRfpb5FR2fXDc1cJPgtzcsEx # NtMHgObrpGY8nvVwMA0GCSqGSIb3DQEBCwUABIIBAD6nX/1APw1e8Ar1BUxjWk3V # TMU6bUAB5VwpQiDKnmEjULx1OLc81HfM613z9J2y/MmVuH0f3LuV6QWOOnjDEEt6 # LcKE1QSGBHB0kGeA1jeBRbr56QDBHlK/1jQntWTxwpWpV9HLOB3EJ+2E43DxUvI2 # 3zO0cFJDwJqcA7WuM1GSvdwevhmlmQ18Pxs/kfqkRKrIJ4D12+gzITIL8iHnyTrw # WTfMIRZYDkrzJGf+T7OROUQrc5/QxEBFatmbQScvdA0EaVAiH+s1HXce6q0PxTgf # t/8F5CuPfq48/6HjxfON1vcp6L46+EwDyRbxU7esUfZmuXkuyXx21wLyJctWvBw= # SIG # End signature block