Enable redirection guard during service setup (#808)

tgauth · web-flow · commit 92326c0a6290 · 2025-10-16T09:50:18.000-04:00
* add RedirectionGuard to installer

* add RedirectionGuard to install script
diff --git a/contrib/win32/install/server.wxs b/contrib/win32/install/server.wxs
@@ -1,5 +1,10 @@
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:firewall="http://schemas.microsoft.com/wix/FirewallExtension" xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
     <Fragment>
+        <!-- Registry search to check if key for RedirectionGuard exists -->
+        <Property Id="SSHDREGKEYEXISTS">
+            <RegistrySearch Id="SearchSSHDRegKey" Root="HKLM" Key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sshd.exe" Name="MitigationOptions" Type="raw" />
+        </Property>
+
         <!-- KeyPath is necessary for multi-file components to identify the key file - preferrably versioned. -->
         <ComponentGroup Id="Server" Directory="INSTALLFOLDER">
             <ComponentGroupRef Id="Shared" />
@@ -62,6 +67,13 @@
                     <PermissionEx Sddl="O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)" />
                 </File>
             </Component>
+            <!-- Permanent registry component - will persist through uninstall -->
+            <Component Id="SSHDInstallFlagComponent" Guid="*" Permanent="yes">
+                <Condition><![CDATA[NOT SSHDREGKEYEXISTS]]></Condition>
+                    <RegistryKey Root="HKLM" Key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sshd.exe" ForceCreateOnInstall="yes">
+                        <RegistryValue Name="MitigationOptions" Type="binary" Value="00000000000000000000000000000000000010" KeyPath="yes" />
+                    </RegistryKey>
+            </Component>
         </ComponentGroup>
 
         <!-- Automatically add custom actions if referencing the Server component group. -->
diff --git a/contrib/win32/install/shared.wxs b/contrib/win32/install/shared.wxs
@@ -1,5 +1,10 @@
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
     <Fragment>
+        <!-- Registry search to check if key for RedirectionGuard exists -->
+        <Property Id="AGENTREGKEYEXISTS">
+            <RegistrySearch Id="SearchAgentRegKey" Root="HKLM" Key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssh-agent.exe" Name="MitigationOptions" Type="raw" />
+        </Property>
+
         <!-- KeyPath is necessary for multi-file components to identify the key file - preferrably versioned. -->
         <ComponentGroup Id="Shared" Directory="INSTALLFOLDER">
             <Component>
@@ -68,6 +73,13 @@
                     Stop="both"
                     Remove="uninstall" />
             </Component>
+            <!-- Permanent registry component - will persist through uninstall -->
+            <Component Id="AgentInstallFlagComponent" Guid="*" Permanent="yes">
+                <Condition><![CDATA[NOT AGENTREGKEYEXISTS]]></Condition>
+                    <RegistryKey Root="HKLM" Key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssh-agent.exe" ForceCreateOnInstall="yes">
+                        <RegistryValue Name="MitigationOptions" Type="binary" Value="00000000000000000000000000000000000010" KeyPath="yes" />
+                    </RegistryKey>
+            </Component>
         </ComponentGroup>
 
         <!-- Automatically add custom actions if referencing the Shared component group. -->
diff --git a/contrib/win32/openssh/install-sshd.ps1 b/contrib/win32/openssh/install-sshd.ps1
@@ -89,6 +89,38 @@ if (Test-Path $sshAgentRegPath)
     Set-Acl $sshAgentRegPath  $sshAgentAcl
 }
 
+# Create MitigationOptions registry key if it doesn't exist for RedirectionGuard
+$sshdMitigationRegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sshd.exe"
+if (-not (Test-Path $sshdMitigationRegPath)) {
+    New-Item -Path $sshdMitigationRegPath -Force | Out-Null
+    Write-Host "Created registry key: $sshdMitigationRegPath"
+}
+
+# Check if MitigationOptions value exists
+$mitigationValue = Get-ItemProperty -Path $sshdMitigationRegPath -Name "MitigationOptions" -ErrorAction SilentlyContinue
+if (-not $mitigationValue) {
+    # Create binary value: 19 bytes with 0x10 at the end (RedirectionGuard mitigation)
+    $binaryData = [byte[]](0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10)
+    New-ItemProperty -Path $sshdMitigationRegPath -Name "MitigationOptions" -PropertyType Binary -Value $binaryData -Force | Out-Null
+    Write-Host "Created registry value for sshd.exe to enable RedirectionGuard"
+}
+
+# Create MitigationOptions registry key if it doesn't exist for RedirectionGuard
+$agentMitigationRegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssh-agent.exe"
+if (-not (Test-Path $agentMitigationRegPath)) {
+    New-Item -Path $agentMitigationRegPath -Force | Out-Null
+    Write-Host "Created registry key: $agentMitigationRegPath"
+}
+
+# Check if MitigationOptions value exists
+$mitigationValue = Get-ItemProperty -Path $agentMitigationRegPath -Name "MitigationOptions" -ErrorAction SilentlyContinue
+if (-not $mitigationValue) {
+    # Create binary value: 19 bytes with 0x10 at the end (RedirectionGuard mitigation)
+    $binaryData = [byte[]](0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10)
+    New-ItemProperty -Path $agentMitigationRegPath -Name "MitigationOptions" -PropertyType Binary -Value $binaryData -Force | Out-Null
+    Write-Host "Created registry value for ssh-agent.exe to enable RedirectionGuard"
+}
+
 #Fix permissions for moduli file
 $moduliPath = Join-Path $PSScriptRoot "moduli"
 if (Test-Path $moduliPath -PathType Leaf)
