Apply CVE-2020-1350 (SIG-RED) Workaround for Windows DC/DNS with PowerShell
<# by diecknet
# This script is mostly based on code by reddit users /u/bernys and /u/Lanathell
# I added checks to confirm the DNS service is running again after the restart.
# NOTE: this is Microsoft's registry *workaround*, not the fix. It caps inbound TCP DNS
# packets at 0xFF00 (65280) bytes, so larger TCP responses are dropped. Install the
# July 2020 security update and remove TcpReceivePacketSize afterwards.
# Also see:
# - https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
# - https://www.reddit.com/r/sysadmin/comments/hr5dfe/keep_your_eyes_out_for_a_critical/
#>
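Import-Module ActiveDirectory

# Registry location and value from Microsoft's published workaround (KB4569509).
# The value is a cap on TCP DNS packet size; responses above 0xFF00 bytes are dropped,
# so remove this value again once the security update is installed.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$RegName  = 'TcpReceivePacketSize'
$RegValue = 0xFF00   # 65280 decimal

# How long to wait for the DNS service to come back after the restart
# (matches the original 5 s + up to 9 x 1 s polling budget).
$RestartTimeoutSeconds = 15

# Every DC in every domain of the forest. HostName is the FQDN; the short Name
# may not resolve for DCs in other domains of the forest.
$AllDomainControllers = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

ForEach ($DC in $AllDomainControllers) {
    $DCServer = $DC.HostName
    Write-Host "Configuring DNS service on $($DCServer)" -ForegroundColor Green

    try {
        # Set, verify and restart in ONE WinRM session so we only depend on WinRM
        # (the original mixed WinRM with RPC-based Get-Service -ComputerName, which
        # is also unavailable in PowerShell 7). Local values are passed with $using:;
        # a plain $DCServer is undefined inside the remote scope.
        $result = Invoke-Command -ComputerName $DCServer -ErrorAction Stop -ScriptBlock {
            $path    = $using:RegPath
            $name    = $using:RegName
            $value   = $using:RegValue
            $timeout = $using:RestartTimeoutSeconds

            # Missing value reads as $null, which is -ne $value and therefore gets set.
            $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            $changed = $false
            if ($current -ne $value) {
                Set-ItemProperty -Path $path -Name $name -Value $value -Type DWord -ErrorAction Stop
                $changed = $true
            }

            # Read back instead of assuming the write landed.
            $applied = (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name

            # The value is only read at service start. Restart even when it was already
            # present: from here we cannot tell whether the running service has loaded it.
            Restart-Service -Name DNS -ErrorAction Stop

            # Poll until the service reports Running or the budget is exhausted.
            $deadline = (Get-Date).AddSeconds($timeout)
            do {
                Start-Sleep -Seconds 1
                $status = (Get-Service -Name DNS).Status
            } while ($status -ne 'Running' -and (Get-Date) -lt $deadline)

            [pscustomobject]@{
                Changed = $changed
                Applied = ($applied -eq $value)
                Status  = [string]$status
            }
        }

        if ($result.Changed) {
            Write-Host "Setting Registry Key on $($DCServer)" -ForegroundColor Yellow
        } else {
            Write-Host "Registry Key was already set on $($DCServer)" -ForegroundColor Green
        }

        if (-not $result.Applied) {
            Write-Host "$RegName on $($DCServer) does not read back as $RegValue. Please check manually!" -ForegroundColor Red
        }

        if ($result.Status -eq 'Running') {
            Write-Host "DNS service on $($DCServer) is running!" -ForegroundColor Green
        } else {
            Write-Host "DNS service on $($DCServer) is still not running. Please check manually!" -ForegroundColor Red
        }
    } catch {
        # One unreachable or failing DC must not stop the rollout to the others;
        # report it and move on so the operator can follow up by hand.
        Write-Warning "Failed to apply the workaround on $($DCServer): $($_.Exception.Message)"
    }
}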