Merge pull request #90 from TrimarcJake/testing
v2023.12 Release
TrimarcJake authored Dec 16, 2023
2 parents ab54643 + 0a6003e commit c99cc02
Showing 15 changed files with 932 additions and 729 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -6,6 +6,7 @@ ADCSRemediation.CSV
Artefacts/*
Examples/Output/*
Ignore/*
Invoke-RevertLocksmith.ps1
Lib/Core/*
Lib/Default/*
Lib/Standard/*
10 changes: 5 additions & 5 deletions Build/Build-Module.ps1
Expand Up @@ -17,12 +17,13 @@ Import-Module -Name PSPublishModule -Force
Build-Module -ModuleName 'Locksmith' {
# Usual defaults as per standard module
$Manifest = [ordered] @{
ModuleVersion = '2023.11'
ModuleVersion = '2023.12'
CompatiblePSEditions = @('Desktop', 'Core')
GUID = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
Author = 'Jake Hildreth'
Copyright = "(c) 2022 - $((Get-Date).Year). All rights reserved."
Description = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
ProjectUri = 'https://github.com/TrimarcJake/Locksmith'
PowerShellVersion = '5.1'
Tags = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices','ADCS')
}
Expand All @@ -40,8 +41,7 @@ Build-Module -ModuleName 'Locksmith' {
# those modules are builtin in PowerShell so no need to install them
# could as well be ignored with New-ConfigurationModuleSkip
'Microsoft.PowerShell.Utility'
'Microsoft.PowerShell.LocalAccounts',
'Microsoft.PowerShell.Utility'
'Microsoft.PowerShell.LocalAccounts'
'Microsoft.PowerShell.Management'
'CimCmdlets'
'Dism'
Expand All @@ -54,8 +54,8 @@ Build-Module -ModuleName 'Locksmith' {
# Ignore missing modules or cmdlets during build process
New-ConfigurationModuleSkip -IgnoreFunctionName @('Out-ConsoleGridView') -IgnoreModuleName @('Microsoft.PowerShell.ConsoleGuiTools')

# Tells the script to exclude Out-ConsoleGridView command from functions if the module is not available to be loaded
New-ConfigurationCommand -CommandName @('Out-ConsoleGridView') -ModuleName 'Microsoft.PowerShell.ConsoleGuiTools'
# Tells the script to exclude commands from functions if the module is not available to be loaded
# New-ConfigurationCommand -CommandName @('') -ModuleName @('') # Populate arrays or remove empty example.

$ConfigurationFormat = [ordered] @{
RemoveComments = $false
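Review bot: The replaced `New-ConfigurationCommand` line leaves a commented-out placeholder call with an inline "populate arrays or remove" instruction in the release build script, which reads as unfinished rather than as a deliberate decision. Either delete the two commented lines, or keep a single comment such as `# No command-to-module mapping needed: New-ConfigurationModuleSkip above already ignores Out-ConsoleGridView`, if the skip on the line above is indeed all that is required. The Build-Module scriptblock starts and ends outside the hunk.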
Binary file added Images/locksmith-sticker.png
1,318 changes: 700 additions & 618 deletions Invoke-Locksmith.ps1


9 changes: 5 additions & 4 deletions Locksmith.psd1
@@ -1,4 +1,4 @@
@{
@{
AliasesToExport = @('*')
Author = 'Jake Hildreth'
CmdletsToExport = @()
Expand All @@ -7,14 +7,15 @@
Description = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
FunctionsToExport = @('*')
GUID = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
ModuleVersion = '2023.11'
ModuleVersion = '2023.12'
PowerShellVersion = '5.1'
PrivateData = @{
PSData = @{
ExternalModuleDependencies = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
Tags = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices', 'ADCS')
ProjectUri = 'https://github.com/TrimarcJake/Locksmith'
ExternalModuleDependencies = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
}
}
RequiredModules = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
RequiredModules = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
RootModule = 'Locksmith.psm1'
}
2 changes: 1 addition & 1 deletion Locksmith.psm1
@@ -1,4 +1,4 @@
# Get public and private function definition files.
# Get public and private function definition files.
$Public = @( Get-ChildItem -Path $PSScriptRoot\Public\*.ps1 -ErrorAction SilentlyContinue -Recurse )
$Private = @( Get-ChildItem -Path $PSScriptRoot\Private\*.ps1 -ErrorAction SilentlyContinue -Recurse )
$Classes = @( Get-ChildItem -Path $PSScriptRoot\Classes\*.ps1 -ErrorAction SilentlyContinue -Recurse )
2 changes: 1 addition & 1 deletion Private/Find-AuditingIssue.ps1
Expand Up @@ -19,7 +19,7 @@
$Issue | Add-Member -MemberType NoteProperty -Name 'Technique' -Value 'DETECT' -Force
}
else {
$Issue | Add-Member -MemberType NoteProperty -Name 'Issue' -Value "Auditing is not fully enabled. Current value is $($_.AuditFilter)" -Force
$Issue | Add-Member -MemberType NoteProperty -Name 'Issue' -Value "Auditing is not fully enabled on $($_.CAFullName). Current value is $($_.AuditFilter)" -Force
$Issue | Add-Member -MemberType NoteProperty -Name 'Fix' `
-Value "certutil.exe -config `'$($_.CAFullname)`' -setreg `'CA\AuditFilter`' 127; Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force
$Issue | Add-Member -MemberType NoteProperty -Name 'Revert' `
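Review bot: The new Issue message spells the property `$($_.CAFullName)` while the Fix line two lines below uses `$($_.CAFullname)`; PowerShell resolves both, but one casing throughout the record makes it easier to grep and review. The surrounding ForEach-Object block starts and ends outside the hunk.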
2 changes: 1 addition & 1 deletion Private/Find-ESC1.ps1
Expand Up @@ -10,7 +10,7 @@
($_.objectClass -eq 'pKICertificateTemplate') -and
($_.pkiExtendedKeyUsage -match $ClientAuthEKUs) -and
($_.'msPKI-Certificate-Name-Flag' -eq 1) -and
($_.'msPKI-Enrollment-Flag' -ne 2) -and
!($_.'msPKI-Enrollment-Flag' -band 2) -and
( ($_.'msPKI-RA-Signature' -eq 0) -or ($null -eq $_.'msPKI-RA-Signature') )
} | ForEach-Object {
foreach ($entry in $_.nTSecurityDescriptor.Access) {
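Review bot: The new `!($_.'msPKI-Enrollment-Flag' -band 2)` test is the right shape for a bitmask attribute, but the literal 2 is left unexplained; add `# 0x2 = CT_FLAG_PEND_ALL_REQUESTS: issuance needs CA manager approval, so the template is excluded` above it. The same bare constant appears in the equivalent hunks of Private/Find-ESC2.ps1, Private/Find-ESC3Condition1.ps1 and Private/Find-ESC3Condition2.ps1. The Where-Object scriptblock starts and ends outside the hunk.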
4 changes: 2 additions & 2 deletions Private/Find-ESC2.ps1
Expand Up @@ -10,7 +10,7 @@
($_.ObjectClass -eq 'pKICertificateTemplate') -and
( (!$_.pkiExtendedKeyUsage) -or ($_.pkiExtendedKeyUsage -match '2.5.29.37.0') )-and
($_.'msPKI-Certificate-Name-Flag' -eq 1) -and
($_.'msPKI-Enrollment-Flag' -ne 2) -and
!($_.'msPKI-Enrollment-Flag' -band 2) -and
( ($_.'msPKI-RA-Signature' -eq 0) -or ($null -eq $_.'msPKI-RA-Signature') )
} | ForEach-Object {
foreach ($entry in $_.nTSecurityDescriptor.Access) {
Expand Down Expand Up @@ -40,4 +40,4 @@
}
}
}
}
}
4 changes: 2 additions & 2 deletions Private/Find-ESC3Condition1.ps1
Expand Up @@ -9,7 +9,7 @@
$ADCSObjects | Where-Object {
($_.objectClass -eq 'pKICertificateTemplate') -and
($_.pkiExtendedKeyUsage -match $EnrollmentAgentEKU) -and
($_.'msPKI-Enrollment-Flag' -ne 2) -and
!($_.'msPKI-Enrollment-Flag' -band 2) -and
( ($_.'msPKI-RA-Signature' -eq 0) -or ($null -eq $_.'msPKI-RA-Signature') )
} | ForEach-Object {
foreach ($entry in $_.nTSecurityDescriptor.Access) {
Expand Down Expand Up @@ -39,4 +39,4 @@
}
}
}
}
}
4 changes: 2 additions & 2 deletions Private/Find-ESC3Condition2.ps1
Expand Up @@ -10,7 +10,7 @@
($_.objectClass -eq 'pKICertificateTemplate') -and
($_.pkiExtendedKeyUsage -match $ClientAuthEKU) -and
($_.'msPKI-Certificate-Name-Flag' -eq 1) -and
($_.'msPKI-Enrollment-Flag' -ne 2) -and
!($_.'msPKI-Enrollment-Flag' -band 2) -and
($_.'msPKI-RA-Application-Policies' -eq '1.3.6.1.4.1.311.20.2.1') -and
( ($_.'msPKI-RA-Signature' -eq 1) )
} | ForEach-Object {
Expand Down Expand Up @@ -41,4 +41,4 @@
}
}
}
}
}
17 changes: 9 additions & 8 deletions Private/Find-ESC4.ps1
Expand Up @@ -17,7 +17,8 @@
} else {
$SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
}
if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {

if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
$Issue = New-Object -TypeName pscustomobject
$Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
$Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
Expand All @@ -26,14 +27,13 @@
$Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
$Issue | Add-Member -MemberType NoteProperty -Name Issue `
-Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
$Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force
$Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4'
$Severity = Set-Severity -Issue $Issue
$Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
$Issue
}
if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
} elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
$Issue = New-Object -TypeName pscustomobject
$Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
$Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
Expand All @@ -42,13 +42,14 @@
$Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
$Issue | Add-Member -MemberType NoteProperty -Name Issue `
-Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
$Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force
$Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4'
$Severity = Set-Severity -Issue $Issue
$Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
$Issue
}

foreach ($entry in $_.nTSecurityDescriptor.Access) {
$Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
if ($Principal -match '^(S-1|O:)') {
Expand Down Expand Up @@ -78,4 +79,4 @@
}
}
}
}
}
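Review bot: Both owner-check branches (the `if` on `$SID -match $UnsafeOwners` and the new `elseif` on `$SID -notmatch $SafeOwners`) fill IdentityReference and ActiveDirectoryRights from `$entry`, but in the visible code `$entry` is only bound by the `foreach ($entry in $_.nTSecurityDescriptor.Access)` that begins after these blocks, so unless an earlier loop outside the hunk sets it, the owner finding carries a stale ACE from the previous object or nothing at all. For an ownership finding the principal is the owner itself, so `-Value $_.nTSecurityDescriptor.Owner` for IdentityReference and a literal such as `'Owner'` for the rights column would describe the record accurately. Private/Find-ESC5.ps1 has the same pattern in both of its owner branches. The enclosing ForEach-Object block starts and ends outside the hunk.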
26 changes: 13 additions & 13 deletions Private/Find-ESC5.ps1
Expand Up @@ -17,41 +17,41 @@
} else {
$SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
}
if ( ($_.objectClass -ne 'pKICertificateTemplate') -and
($SID -notmatch $SafeOwners) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
) {
if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
$Issue = New-Object -TypeName pscustomobject
$Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
$Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
$Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
$Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
$Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
$Issue | Add-Member -MemberType NoteProperty -Name Issue `
-Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
$Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force
-Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5'
$Severity = Set-Severity -Issue $Issue
$Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
$Issue
}
if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
} elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
($SID -notmatch $SafeOwners) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
) {
$Issue = New-Object -TypeName pscustomobject
$Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
$Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
$Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
$Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
$Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
$Issue | Add-Member -MemberType NoteProperty -Name Issue `
-Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
-Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force
$Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
$Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force
$Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5'
$Severity = Set-Severity -Issue $Issue
$Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
$Issue
}

foreach ($entry in $_.nTSecurityDescriptor.Access) {
$Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
if ($Principal -match '^(S-1|O:)') {
Expand Down Expand Up @@ -79,4 +79,4 @@
}
}
}
}
}
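Review bot: The Issue text in the `$UnsafeOwners` branch now reads `has Owner rights on this template`, but this function only matches objects where `objectClass -ne 'pKICertificateTemplate'`; the `elseif` branch keeps the correct wording, so the first branch's line should become `-Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force`. In the `elseif` condition, `$entry.ActiveDirectoryRights.ObjectType` reads a property of the rights enum rather than of the ACE, which I would expect to evaluate to `$null`, so `-notmatch $SafeObjectTypes` likely never excludes anything; the ACE's object GUID is `$entry.ObjectType`. The enclosing ForEach-Object block starts and ends outside the hunk.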
69 changes: 69 additions & 0 deletions Private/Test-IsProtectedUser.ps1
@@ -0,0 +1,69 @@
function Test-IsMemberOfProtectedUsers {
<#
.SYNOPSIS
Check to see if a user is a member of the Protected Users group.
.DESCRIPTION
This function checks to see if a specified user or the current user is a member of the Protected Users group in AD.
.PARAMETER User
The user that will be checked for membership in the Protected Users group. This parameter accepts input from the pipeline.
.EXAMPLE
This example will check if JaneDoe is a member of the Protected Users group.
Test-IsMemberOfProtectedUsers -User JaneDoe
.EXAMPLE
This example will check if the current user is a member of the Protected Users group.
Test-IsMemberOfProtectedUsers
.INPUTS
Active Directory user object, user SID, SamAccountName, etc
.OUTPUTS
Boolean
.NOTES
Membership in Active Directory's Protect Users group can have implications for anything that relies on NTLM authentication.
#>

[CmdletBinding()]
param (
# User parameter accepts any input that is valid for Get-ADUser
[Parameter(
ValueFromPipeline = $true
)]
$User
)

Import-Module ActiveDirectory

# Use the currently logged in user if none is specified
# Get the user from Active Directory
if (-not($User)) {
$CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
$CheckUser = Get-ADUser $CurrentUser
}
else {
$CheckUser = Get-ADUser $User
}

# Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
$DomainSID = (Get-ADDomain).DomainSID.Value
$ProtectedUsersSID = "$DomainSID-525"

# Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it.
$ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique

# Check if the current user is in the 'Protected Users' group
if ($ProtectedUsers -contains $CheckUser) {
Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
$true
} else {
Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
$false
}
}
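Review bot: `$User` is declared `ValueFromPipeline`, but the function has no `process {}` block, so piping several users runs the body once with `$User` bound to the last item; the per-user work belongs in `process`, and the domain SID and group enumeration can sit in `begin` so the group is resolved once per pipeline. `$ProtectedUsers -contains $CheckUser` compares ADPrincipal objects from Get-ADGroupMember with an ADUser object; unless ADObject equality is value-based this never matches, so comparing identifiers such as DistinguishedName (or SID) is safer. The file is named Test-IsProtectedUser.ps1 but defines `Test-IsMemberOfProtectedUsers`; Locksmith.psm1 appears to load Private\*.ps1 by path so it still works, but matching the names avoids confusion. In the comment text, `Protect Users` in .NOTES should read `Protected Users` and `Recuse` should read `Recurse`.
```powershell
    begin {
        Import-Module ActiveDirectory
        # … unchanged: resolve $DomainSID, $ProtectedUsersSID and $ProtectedUsers …
    }
    process {
        # … unchanged: resolve $CheckUser from $User or the current identity …
        if ($ProtectedUsers.DistinguishedName -contains $CheckUser.DistinguishedName) {
        # … unchanged: Write-Verbose and $true / $false output …
    }
```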
