Skip to content

v2024.3
Compare
Choose a tag to compare
@jakehildreth jakehildreth released this 03 Mar 12:35
· 344 commits to main since this release
v2024.3
ed5bcb7
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

A Little Icing but Mostly Cake

Cake: Fixing bugs, adding new functionality
Icing: Making things look better for the end user or easier to use for developers

Improvements:

  • Eliminated duplicated ownership check in ESC4/5. We can and should have opinions, and the opinion is that only AD Admins should own PKS objects and templates. (Cake, @TrimarcJake)
  • Filtered Deny ACEs from ESC4/5. This is not an Effective Access check, but it does cut down on false positives. (Cake, @TrimarcJake)
  • Added flowcharts that explain severity for each finding. (Icing, @TrimarcJake)
  • Added comment-based help to every function. (Icing, @TrimarcJake and Copilot)
  • Added instructions for Scans parameter to the README. (Icing, @SamErde)

In Progress:

  • Check to see if Locksmith is up to date. Provide links for latest version if not up to date. (Icing, @SamErde)
  • Check to see if user running Locksmith is a member of the Protected Users group. PUG membership will impact ESC8 checks. (Cake, @SamErde)
  • Check for ESC9. It was announced in August 2022, so Locksmith is late to the game. (Cake, @SamErde)

Known Issues:

  • msPKI-Certificate-Name-Flag check in ESC1-3 currently uses a direct comparison (-eq) instead of a bitwise comparison (-band) which could result in false negatives.

Contributors

SamErde and jakehildreth
Assets 4
Loading