Grant Killian grant-killian

## SitecoreSecurityPatch.SC2019-001-302938.ps1
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module WebAdministration

$url = "https://kb.sitecore.net/~/media/7A638A36A71D4494981A8655E297AD23.ashx?la=en"
$tempLocation = "C:\tempLocation"
$zippedPatch = "$tempLocation\SitecoreSupportPackage.302938.zip"
$unzippedPatch = "$tempLocation\SitecoreSupportPackage"
$sitecoreRoot = "C:\InetPub\Your\Sitecore\Website"

if (!(Test-Path $tempLocation))

## UpdateIdentityServerHashAlgorithm.ps1

$siteNamePrompt = Read-Host "enter Identity Server website name"
$site = get-website -name $siteNamePrompt

$appSettingsPath = "{0}\wwwroot\appsettings.json" -f $site.physicalPath

<# replace:
     "PasswordHashAlgorithm":"SHA1"},
   with:
     "PasswordHashAlgorithm":"SHA512"},

## ReferenceSample.sc.publishing.xml


<?xml version="1.0" encoding="UTF-8"?>
<Settings>
   <Sitecore>
      <Publishing>
         <InstanceName>${SITECORE_InstanceName}</InstanceName>
         <ConnectionStrings>
            <Service>${Sitecore:Publishing:ConnectionStrings:Master}</Service>
            <!-- Add any additional publishing targets you may use (first location for changes to this file) -->

## ArtifactTableRetentionPatch.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <sitecore>
    <scheduling>
      <agent type="Sitecore.Tasks.CleanupEventQueue, Sitecore.Kernel">
        <patch:delete />
      </agent>
      <agent type="Sitecore.Tasks.CleanupEventQueue, Sitecore.Kernel" method="Run" interval="01:00:00">
            <IntervalToKeep>06:00:00</IntervalToKeep>
      </agent>

## Rackspace9stepSitecoreSecurityHardening.ps1
<#
Author(s): Bruce Lee, Grant Killian, Kelly Rusk, Jimmy Rudley

Created Date: August 4, 2016
Modified Date: May 3, 2017

This is the Rackspace Managed Services for Sitecore (https://www.rackspace.com/digital/sitecore) script for security hardening a Sitecore environment

If the Execution Policy does not allow execution, you may need to run the following interactively to allow a scoped session bypass.
This is secure as it requires interaction on server and cannot be executed from a script:

## ConfigureSitecoreCommerceJSON.ps1
<#
Author: Grant Killian
Created Date: Sept 1, 2017
Ease the human-error potential in step 3 and 4 covered at http://commercesdn.sitecore.net/SitecoreCommerce/DeploymentGuide/en-us/index.html#Concepts/c_M_ChangesToDefaultSettings.html
For repetitive installs, it's a pattern that can be used to update a site name etc, too.  Here I focus on the SQL Server and Sitecore credentials but other settings could be updated too (just be certain you have the right pattern to match/replace).
#>

$dbServer ="your db server" #for Azure SQL, something like "qa2-proj-sql.database.windows.net,1433" is what you'd use
$dbuser ="SQLuser"
$dbpwd = "secret"

## SecureSitecoreConnectionStrings.ps1
<#
Note:
  -  The encyption is specific to each server, so this needs to be run separately on every IIS server
  -  ASPNet_RegIIS requires a web.config file to operate, so we have to massage our Sitecore .config into a web.config format it will understand

Steps:
1) Copy current Connectionstrings.config to a file named "web.config"
2) insert <configuration> node surrounding the <connectionStrings> XML
3) run this new web.config file through aspNet_RegIIS...

## ResetSitecorePassword.aspx
<%@ Page Language="C#" AutoEventWireup="true" %>


<script runat="server">

    protected void Page_Load(object sender, EventArgs e)
    {
            MembershipUser user = Membership.GetUser(@"sitecore\admin", false);

            /*

## gist:c734e7287f7c27182182ed9d17d29730
$zipFileURI = "https://your.cdn.with.the.Sitecore.zip.resources/sitecorecounters%207.5.zip"
$stageFolder = "C:\staging"
if( !(test-path $stageFolder) )
{
    mkdir $stageFolder
}

$downLoadZipPath = $stageFolder + "/SitecoreCounters.zip"
Invoke-WebRequest -Uri $zipFileURI -OutFile $downLoadZipPath

## Rackspace.SecurityHardening.Step8.ProtectMediaRequests.config
    <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
      <sitecore>
        <settings>
          <setting name="Media.RequestProtection.SharedSecret">
            <patch:attribute name="value">your-implementation-custom-guid-here</patch:attribute>
          </setting>
        </settings>
      </sitecore>
      </configuration>
	Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
	Import-Module WebAdministration

	$url = "https://kb.sitecore.net/~/media/7A638A36A71D4494981A8655E297AD23.ashx?la=en"
	$tempLocation = "C:\tempLocation"
	$zippedPatch = "$tempLocation\SitecoreSupportPackage.302938.zip"
	$unzippedPatch = "$tempLocation\SitecoreSupportPackage"
	$sitecoreRoot = "C:\InetPub\Your\Sitecore\Website"

	if (!(Test-Path $tempLocation))

	$siteNamePrompt = Read-Host "enter Identity Server website name"
	$site = get-website -name $siteNamePrompt

	$appSettingsPath = "{0}\wwwroot\appsettings.json" -f $site.physicalPath

	<# replace:
	"PasswordHashAlgorithm":"SHA1"},
	with:
	"PasswordHashAlgorithm":"SHA512"},


	<?xml version="1.0" encoding="UTF-8"?>
	<Settings>
	<Sitecore>
	<Publishing>
	<InstanceName>${SITECORE_InstanceName}</InstanceName>
	<ConnectionStrings>
	<Service>${Sitecore:Publishing:ConnectionStrings:Master}</Service>
	<!-- Add any additional publishing targets you may use (first location for changes to this file) -->
	<?xml version="1.0" encoding="utf-8" ?>
	<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
	<sitecore>
	<scheduling>
	<agent type="Sitecore.Tasks.CleanupEventQueue, Sitecore.Kernel">
	<patch:delete />
	</agent>
	<agent type="Sitecore.Tasks.CleanupEventQueue, Sitecore.Kernel" method="Run" interval="01:00:00">
	<IntervalToKeep>06:00:00</IntervalToKeep>
	</agent>
	<#
	Author(s): Bruce Lee, Grant Killian, Kelly Rusk, Jimmy Rudley

	Created Date: August 4, 2016
	Modified Date: May 3, 2017

	This is the Rackspace Managed Services for Sitecore (https://www.rackspace.com/digital/sitecore) script for security hardening a Sitecore environment

	If the Execution Policy does not allow execution, you may need to run the following interactively to allow a scoped session bypass.
	This is secure as it requires interaction on server and cannot be executed from a script:
	<#
	Author: Grant Killian
	Created Date: Sept 1, 2017
	Ease the human-error potential in step 3 and 4 covered at http://commercesdn.sitecore.net/SitecoreCommerce/DeploymentGuide/en-us/index.html#Concepts/c_M_ChangesToDefaultSettings.html
	For repetitive installs, it's a pattern that can be used to update a site name etc, too. Here I focus on the SQL Server and Sitecore credentials but other settings could be updated too (just be certain you have the right pattern to match/replace).
	#>

	$dbServer ="your db server" #for Azure SQL, something like "qa2-proj-sql.database.windows.net,1433" is what you'd use
	$dbuser ="SQLuser"
	$dbpwd = "secret"
	<#
	Note:
	- The encyption is specific to each server, so this needs to be run separately on every IIS server
	- ASPNet_RegIIS requires a web.config file to operate, so we have to massage our Sitecore .config into a web.config format it will understand

	Steps:
	1) Copy current Connectionstrings.config to a file named "web.config"
	2) insert <configuration> node surrounding the <connectionStrings> XML
	3) run this new web.config file through aspNet_RegIIS...
	<%@ Page Language="C#" AutoEventWireup="true" %>


	<script runat="server">

	protected void Page_Load(object sender, EventArgs e)
	{
	MembershipUser user = Membership.GetUser(@"sitecore\admin", false);

	/*
	$zipFileURI = "https://your.cdn.with.the.Sitecore.zip.resources/sitecorecounters%207.5.zip"
	$stageFolder = "C:\staging"
	if( !(test-path $stageFolder) )
	{
	mkdir $stageFolder
	}

	$downLoadZipPath = $stageFolder + "/SitecoreCounters.zip"
	Invoke-WebRequest -Uri $zipFileURI -OutFile $downLoadZipPath