Merge pull request #34 from AsBuiltReport/dev
v0.7.1 public release
rebelinux authored Mar 15, 2022
2 parents beacb16 + 8c67e4d commit 1646c09
Showing 4 changed files with 140 additions and 1 deletion.
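--- a/AsBuiltReport.Microsoft.AD.psd1
+++ b/AsBuiltReport.Microsoft.AD.psd1
@@ -12,7 +12,7 @@
 RootModule = 'AsBuiltReport.Microsoft.AD.psm1'
 
 # Version number of this module.
-ModuleVersion = '0.7.0'
+ModuleVersion = '0.7.1'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()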
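--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # :arrows_counterclockwise: Microsoft AD As Built Report Changelog
 
+## [0.7.1] - 2022-03-14
+
+### Added
+
+- Added Kerberos Audit section.
+- Added Health Check condition and explanatione
+
+### Fixed
+
+- Fix release workflows to include PSSharedGoods module.
+
 ## [0.7.0] - 2022-03-14
 
 ### Added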
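--- a/Src/Private/Get-AbrADKerberosAudit.ps1
+++ b/Src/Private/Get-AbrADKerberosAudit.ps1
@@ -0,0 +1,127 @@
+function Get-AbrADKerberosAudit {
+<#
+.SYNOPSIS
+Used by As Built Report to retrieve Microsoft AD Kerberos Audit information.
+.DESCRIPTION
+.NOTES
+Version: 0.7.1
+Author: Jonathan Colon
+Twitter: @jcolonfzenpr
+Github: rebelinux
+.EXAMPLE
+.LINK
+#>
+[CmdletBinding()]
+param (
+[Parameter (
+Position = 0,
+Mandatory)]
+[string]
+$Domain
+)
+
+begin {
+Write-PscriboMessage "Discovering Kerberos Audit information on $Domain."
+}
+
+process {
+if ($HealthCheck.Domain.Security) {
+try {
+$DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1}
+$Unconstrained = Invoke-Command -Session $TempPssSession {Get-ADComputer -Filter { (TrustedForDelegation -eq $True) -AND (PrimaryGroupID -ne '516') -AND (PrimaryGroupID -ne '521') } -Server $using:DC -Searchbase (Get-ADDomain -Identity $using:Domain).distinguishedName}
+Write-PscriboMessage "Discovered Unconstrained Kerberos Delegation information from $Domain."
+if ($Unconstrained) {
+Section -Style Heading4 'Health Check - Unconstrained Kerberos Delegation' {
+Paragraph "The following section provide a summary of unconstrained kerberos delegation on Domain $($Domain.ToString().ToUpper())."
+BlankLine
+$OutObj = @()
+Write-PscriboMessage "Collecting Unconstrained Kerberos delegation information from $($Domain)."
+foreach ($Item in $Unconstrained) {
+try {
+$inObj = [ordered] @{
+'Name' = $Item.Name
+'Distinguished Name' = $Item.DistinguishedName
+}
+$OutObj += [pscustomobject]$inobj
+}
+catch {
+Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Item)"
+}
+}
+
+if ($HealthCheck.Domain.Security) {
+$OutObj | Set-Style -Style Warning
+}
+
+$TableParams = @{
+Name = "Unconstrained Kerberos Delegation - $($Domain.ToString().ToUpper())"
+List = $false
+ColumnWidths = 40, 60
+}
+
+if ($Report.ShowTableCaptions) {
+$TableParams['Caption'] = "- $($TableParams.Name)"
+}
+$OutObj | Table @TableParams
+Paragraph "Health Check:" -Italic -Bold -Underline
+Paragraph "Corrective Actions: Ensure there aren't any unconstrained kerberos delegation in Active Directory." -Italic -Bold
+try {
+$DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1}
+$KRBTGT = Invoke-Command -Session $TempPssSession { Get-ADUser -Properties 'msds-keyversionnumber',Created,PasswordLastSet -Server $using:DC -Searchbase (Get-ADDomain -Identity $using:Domain).distinguishedName -Filter * | Where-Object {$_.Name -eq 'krbtgt'}}
+Write-PscriboMessage "Discovered Unconstrained Kerberos Delegation information from $Domain."
+if ($KRBTGT) {
+Section -Style Heading4 'Health Check - KRBTGT Account Audit' {
+Paragraph "The following section provide a summary of KRBTGT account on Domain $($Domain.ToString().ToUpper())."
+BlankLine
+$OutObj = @()
+Write-PscriboMessage "Collecting KRBTGT account information from $($Domain)."
+try {
+$inObj = [ordered] @{
+'Name' = $KRBTGT.Name
+'Created' = $KRBTGT.Created
+'Password Last Set' = $KRBTGT.PasswordLastSet
+'Distinguished Name' = $KRBTGT.DistinguishedName
+}
+$OutObj += [pscustomobject]$inobj
+}
+catch {
+Write-PscriboMessage -IsWarning "$($_.Exception.Message) (KRBTGT account Item)"
+}
+
+if ($HealthCheck.Domain.Security) {
+$OutObj | Set-Style -Style Warning -Property 'Password Last Set'
+}
+
+$TableParams = @{
+Name = "KRBTGT Account Audit - $($Domain.ToString().ToUpper())"
+List = $true
+ColumnWidths = 40, 60
+}
+
+if ($Report.ShowTableCaptions) {
+$TableParams['Caption'] = "- $($TableParams.Name)"
+}
+$OutObj | Table @TableParams
+Paragraph "Health Check:" -Italic -Bold -Underline
+Paragraph "Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure." -Italic -Bold
+}
+}
+}
+catch {
+Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Table)"
+}
+}
+}
+}
+catch {
+Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Table)"
+}
+}
+}
+
+end {}
+
+}
+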
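Review bot: The KRBTGT account audit (the second `try`, starting at `$KRBTGT = Invoke-Command ...`) appears to sit inside the `if ($Unconstrained)` / `Section` block, going by the brace structure since indentation is lost on this page, so a domain with no unconstrained-delegation computers would never get its krbtgt password age reported; the first `Section` and `if` should be closed after the "Corrective Actions" paragraph and the KRBTGT `try`/`catch` moved to the same level as the first one. The krbtgt lookup also pulls every user with `-Filter *` and then filters with `Where-Object`; `-Filter "Name -eq 'krbtgt'"` asks the directory for the one account instead. The delegation query only covers computer objects (`Get-ADComputer`), so user or service accounts with `TrustedForDelegation` set would not be listed, which is worth either a comment stating the scope or a matching `Get-ADUser` query. The log line after the KRBTGT query and the `catch` that closes the KRBTGT `try` still say "Unconstrained Kerberos Delegation", which will mislead anyone reading the verbose output; they should name the KRBTGT audit.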
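--- a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
+++ b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
@@ -110,6 +110,7 @@ function Invoke-AsBuiltReport.Microsoft.AD {
 Get-AbrADTrust -Domain $Domain
 Get-AbrADDomainObject -Domain $Domain
 Get-AbrADSecurityAssessment -Domain $Domain
+Get-AbrADKerberosAudit -Domain $Domain
 Get-AbrADDuplicateObject -Domain $Domain
 if ($Domain -like $ADSystem.RootDomain) {
 Get-AbrADDuplicateSPN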
