2024.3 Release

2024.3 Release

Build/Build-Module.ps1

@@ -17,14 +17,14 @@ Import-Module -Name PSPublishModule -Force
 Build-Module -ModuleName 'Locksmith' {
     # Usual defaults as per standard module
     $Manifest = [ordered] @{
-        ModuleVersion        = '2024.1'
+        ModuleVersion        = (Get-Date -Format yyyy.M)
         CompatiblePSEditions = @('Desktop', 'Core')
         GUID                 = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
         Author               = 'Jake Hildreth'
         Copyright            = "(c) 2022 - $((Get-Date).Year). All rights reserved."
         Description          = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
         ProjectUri           = 'https://github.com/TrimarcJake/Locksmith'
-        IconUri              = 'https://github.com/TrimarcJake/Locksmith/Images/locksmith.ico'
+        IconUri              = 'https://raw.githubusercontent.com/TrimarcJake/Locksmith/main/Images/locksmith.ico'
         PowerShellVersion    = '5.1'
         Tags                 = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices','ADCS')
     }

Docs/Flowcharts/Auditing.md

@@ -0,0 +1,8 @@
+``` mermaid
+---
+title: Auditing
+---
+flowchart LR
+    FullyEnabled[Fully Enabled] -- Yes --> NoFinding[No Finding]
+    FullyEnabled -- No --> Info
+```

Docs/Flowcharts/ESC1.md

@@ -0,0 +1,20 @@
+```mermaid
+---
+title: ESC1 - Subject Alternative Name (SAN)
+---
+flowchart LR
+    PrincipalType{PrincipalType} -->|User| UserType["User Type"];
+            UserType == AD Admin ==> ADAUPriority(Low);
+            UserType -- Builtin/PKI Admin --> BIAUPriority(Medium);
+            UserType -- User --> UserPriority(High);
+    PrincipalType -->|Group| GroupType("Group Type");
+            GroupType -- AD Admins --> ADASize(No Finding);
+            GroupType -- Builtin/PKI Admins --> BIASize(BIA Group Size);
+                BIASize -- Empty/Small --> BIAEGPriority(Low);
+                BIASize -- Medium/Large --> BIAMGPriority(Medium);
+            GroupType -- Regular Users --> UsersSize(User Group Size);
+                UsersSize -- Empty/Small --> UsersEGPriority(High);
+                UsersSize -- Medium/Large --> UsersMGPriority(Critical);
+    PrincipalType -->|gMSA| gMSAType(gMSA Type);
+            gMSAType -- Any --> gMSAPriority((No Finding));
+```

Docs/Flowcharts/ESC2.md

@@ -0,0 +1,20 @@
+```mermaid
+---
+title: ESC2 - Subordinate Certification Authority (SubCA)
+---
+flowchart LR
+    PrincipalType -->|User| UserType["User Type"];
+            UserType -- AD Admin --> ADAUPriority(Low);
+            UserType -- Builtin/PKI Admin --> BIAUPriority(Medium);
+            UserType -- User --> UserPriority(High);
+    PrincipalType -->|Group| GroupType("Group Type");
+            GroupType -- AD Admins --> ADASize(No Finding);
+            GroupType -- Builtin/PKI Admins --> BIASize(BIA Group Size);
+                BIASize -- Empty/Small --> BIAEGPriority(Info);
+                BIASize -- Medium/Large --> BIAMGPriority(Low);
+            GroupType -- Regular Users --> UsersSize(User Group Size);
+                UsersSize -- Empty/Small --> UsersEGPriority(Medium);
+                UsersSize -- Medium/Large --> UsersMGPriority(High);
+    PrincipalType -->|gMSA| gMSAType(gMSA Type);
+            gMSAType -- Any --> gMSAPriority(No Finding);
+```

Docs/Flowcharts/ESC3.md

@@ -0,0 +1,20 @@
+```mermaid
+---
+title: ESC3 Condition 1 - Enrollment Agent
+---
+flowchart LR
+    PrincipalType -->|User| UserType["User Type"];
+            UserType -- AD Admin --> ADAUPriority(Low);
+            UserType -- Builtin/PKI Admin --> BIAUPriority(Medium);
+            UserType -- User --> UserPriority(High);
+    PrincipalType -->|Group| GroupType("Group Type");
+            GroupType -- AD Admins --> ADASize(No Finding);
+            GroupType -- Builtin/PKI Admins --> BIASize(BIA Group Size);
+                BIASize -- Empty/Small --> BIAEGPriority(No Info);
+                BIASize -- Medium/Large --> BIAMGPriority(Low);
+            GroupType -- Regular Users --> UsersSize(User Group Size);
+                UsersSize -- Empty/Small --> UsersEGPriority(Low);
+                UsersSize -- Medium/Large --> UsersMGPriority(Medium);
+    PrincipalType -->|gMSA| gMSAType(gMSA Type);
+            gMSAType -- Any --> gMSAPriority(No Finding);
+```

Docs/Flowcharts/ESC4.md

@@ -0,0 +1,20 @@
+```mermaid
+---
+title: ESC4 - Templates w/Dangerous ACLs or Ownership
+---
+flowchart LR
+    PrincipalType -->|User| UserType["User Type"];
+            UserType -- AD Admin --> ADAUPriority(Low);
+            UserType -- Builtin/PKI Admin --> BIAUPriority(Medium);
+            UserType -- User --> UserPriority(High);
+    PrincipalType -->|Group| GroupType("Group Type");
+            GroupType -- AD Admins --> ADASize(No Finding);
+            GroupType -- Builtin/PKI Admins --> BIASize(BIA Group Size);
+                BIASize -- Empty/Small --> BIAEGPriority(Info);
+                BIASize -- Medium/Large --> BIAMGPriority(Low);
+            GroupType -- Regular Users --> UsersSize(User Group Size);
+                UsersSize -- Empty/Small --> UsersEGPriority(Medium);
+                UsersSize -- Medium/Large --> UsersMGPriority(High);
+    PrincipalType -->|gMSA| gMSAType(gMSA Type);
+            gMSAType -- Any --> gMSAPriority(No Finding);
+```

Docs/Flowcharts/ESC5.md

@@ -0,0 +1,23 @@
+```mermaid
+---
+title: ESC5 - Objects w/Dangerous ACLs or Ownership
+---
+flowchart LR
+    PrincipalType -->|User| UserType["User Type"];
+            UserType -- AD Admin --> ADAUPriority(Low);
+            UserType -- Builtin/PKI Admin --> BIAUPriority(Medium);
+            UserType -- User --> UserPriority(High);
+    PrincipalType -->|Group| GroupType("Group Type");
+            GroupType -- AD Admins --> ADASize(No Finding);
+            GroupType -- Builtin/PKI Admins --> BIASize(BIA Group Size);
+                BIASize -- Empty/Small --> BIAEGPriority(Info);
+                BIASize -- Medium/Large --> BIAMGPriority(Low);
+            GroupType -- Regular Users --> UsersSize(User Group Size);
+                UsersSize -- Empty/Small --> UsersEGPriority(Medium);
+                UsersSize -- Medium/Large --> UsersMGPriority(High);
+    PrincipalType -->|gMSA| gMSAType(gMSA Type);
+            gMSAType -- Any --> gMSAPriority(No Finding);
+```
+```
+Note: The severity of this check is highly dependent on the object with the issue.
+```

Docs/Flowcharts/ESC6.md

@@ -0,0 +1,12 @@
+``` mermaid
+---
+title: ESC6 - Dangerous Flag on CA
+---
+flowchart LR
+    FlagSet["Flag Set"] -- Yes --> High
+    FlagSet["Flag Set"] -- No --> NoFinding[No Finding]
+```
+```
+* This check can be improved by checking Domain Controller registries. (Coming soon!)  
+If StrongMapping is manually disabled on any DC, this becomes a Critical issue.
+```

Docs/Flowcharts/ESC8.md

@@ -0,0 +1,14 @@
+``` mermaid
+---
+title: ESC8 - HTTP/S Enrollment Endpoints
+---
+flowchart LR
+    HTTP/S(HTTP or HTTPS?) -- HTTP --> Critical
+    HTTP/S(HTTP or HTTPS?) -- HTTPS --> Medium["Possible: No Finding, Medium\nCurrent: Medium*"]
+```
+```
+* With current collection methods, we cannot determine true severity of this configuration.
+  - If NTLM authentication is completely disabled (available at host level or IIS level), this is not a finding.
+  - If EPA is enabled on IIS, the severity is Info.
+  - Otherwise, this is a Medium severity issue.
+```