From 865495a45d01a1f44c0368ffa83cc5edb3b0ce5b Mon Sep 17 00:00:00 2001
From: Jonathan Colon
Date: Mon, 14 Mar 2022 16:19:48 -0400
Subject: [PATCH 1/4] Added kerberos audit section
---
 Src/Private/Get-AbrADKerberosAudit.ps1 | 125 ++++++++++++++++++
 .../Invoke-AsBuiltReport.Microsoft.AD.ps1 | 1 +
 2 files changed, 126 insertions(+)
 create mode 100644 Src/Private/Get-AbrADKerberosAudit.ps1
diff --git a/Src/Private/Get-AbrADKerberosAudit.ps1 b/Src/Private/Get-AbrADKerberosAudit.ps1
new file mode 100644
index 0000000..629c1a7
--- /dev/null
+++ b/Src/Private/Get-AbrADKerberosAudit.ps1
@@ -0,0 +1,125 @@
+function Get-AbrADKerberosAudit {
+ <#
+ .SYNOPSIS
+ Used by As Built Report to retrieve Microsoft AD Kerberos Audit information.
+ .DESCRIPTION
+
+ .NOTES
+ Version: 0.7.0
+ Author: Jonathan Colon
+ Twitter: @jcolonfzenpr
+ Github: rebelinux
+ .EXAMPLE
+
+ .LINK
+
+ #>
+ [CmdletBinding()]
+ param (
+ [Parameter (
+ Position = 0,
+ Mandatory)]
+ [string]
+ $Domain
+ )
+
+ begin {
+ Write-PscriboMessage "Discovering Kerberos Audit information on $Domain."
+ }
+
+ process {
+ if ($HealthCheck.Domain.Security) {
+ try {
+ $DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1}
+ $Unconstrained = Invoke-Command -Session $TempPssSession {Get-ADComputer -Filter { (TrustedForDelegation -eq $True) -AND (PrimaryGroupID -ne '516') -AND (PrimaryGroupID -ne '521') } -Server $using:DC -Searchbase (Get-ADDomain -Identity $using:Domain).distinguishedName}
+ Write-PscriboMessage "Discovered Unconstrained Kerberos Delegation information from $Domain."
+ if ($Unconstrained) {
+ Section -Style Heading4 'Health Check - Unconstrained Kerberos Delegation' {
+ Paragraph "The following section provide a summary of unconstrained kerberos delegation on Domain $($Domain.ToString().ToUpper())."
+ BlankLine
+ $OutObj = @()
+ Write-PscriboMessage "Collecting Unconstrained Kerberos delegation information from $($Domain)."
+ try {
+ $inObj = [ordered] @{
+ 'Name' = $Unconstrained.Name
+ 'Distinguished Name' = $Unconstrained.DistinguishedName
+ }
+ $OutObj += [pscustomobject]$inobj
+ }
+ catch {
+ Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Item)"
+ }
+
+ if ($HealthCheck.Domain.Security) {
+ $OutObj | Set-Style -Style Warning
+ }
+
+ $TableParams = @{
+ Name = "Unconstrained Kerberos Delegation - $($Domain.ToString().ToUpper())"
+ List = $false
+ ColumnWidths = 40, 60
+ }
+
+ if ($Report.ShowTableCaptions) {
+ $TableParams['Caption'] = "- $($TableParams.Name)"
+ }
+ $OutObj | Table @TableParams
+ Paragraph "Health Check:" -Italic -Bold -Underline
+ Paragraph "Corrective Actions: Ensure there aren't any unconstrained kerberos delegation in Active Directory." -Italic -Bold
+ try {
+ $DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1}
+ $KRBTGT = Invoke-Command -Session $TempPssSession { Get-ADUser -Properties 'msds-keyversionnumber',Created,PasswordLastSet -Server $using:DC -Searchbase (Get-ADDomain -Identity $using:Domain).distinguishedName -Filter * | Where-Object {$_.Name -eq 'krbtgt'}}
+ Write-PscriboMessage "Discovered Unconstrained Kerberos Delegation information from $Domain."
+ if ($KRBTGT) {
+ Section -Style Heading4 'Health Check - KRBTGT Account Audit' {
+ Paragraph "The following section provide a summary of KRBTGT account on Domain $($Domain.ToString().ToUpper())."
+ BlankLine
+ $OutObj = @()
+ Write-PscriboMessage "Collecting KRBTGT account information from $($Domain)."
+ try {
+ $inObj = [ordered] @{
+ 'Name' = $KRBTGT.Name
+ 'Created' = $KRBTGT.Created
+ 'Password Last Set' = $KRBTGT.PasswordLastSet
+ 'Distinguished Name' = $KRBTGT.DistinguishedName
+ }
+ $OutObj += [pscustomobject]$inobj
+ }
+ catch {
+ Write-PscriboMessage -IsWarning "$($_.Exception.Message) (KRBTGT account Item)"
+ }
+
+ if ($HealthCheck.Domain.Security) {
+ $OutObj | Set-Style -Style Warning -Property 'Password Last Set'
+ }
+
+ $TableParams = @{
+ Name = "KRBTGT Account Audit - $($Domain.ToString().ToUpper())"
+ List = $true
+ ColumnWidths = 40, 60
+ }
+
+ if ($Report.ShowTableCaptions) {
+ $TableParams['Caption'] = "- $($TableParams.Name)"
+ }
+ $OutObj | Table @TableParams
+ Paragraph "Health Check:" -Italic -Bold -Underline
+ Paragraph "Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure." -Italic -Bold
+ }
+ }
+ }
+ catch {
+ Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Table)"
+ }
+ }
+ }
+ }
+ catch {
+ Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Table)"
+ }
+ }
+ }
+
+ end {}
+
+}
\ No newline at end of file
diff --git a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1 b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
index 7ae10c1..b7f9e5e 100644
--- a/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
+++ b/Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
@@ -110,6 +110,7 @@ function Invoke-AsBuiltReport.Microsoft.AD {
 Get-AbrADTrust -Domain $Domain
 Get-AbrADDomainObject -Domain $Domain
 Get-AbrADSecurityAssessment -Domain $Domain
+ Get-AbrADKerberosAudit -Domain $Domain
 Get-AbrADDuplicateObject -Domain $Domain
 if ($Domain -like $ADSystem.RootDomain) {
 Get-AbrADDuplicateSPN
From af3e76b6edd66466496d11887ab7e5d7595e2b55 Mon Sep 17 00:00:00 2001
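Review bot: In the new Get-AbrADKerberosAudit.ps1, the KRBTGT account audit is nested inside the `if ($Unconstrained)` block: the inner `try` that queries `$KRBTGT` opens right after the "Corrective Actions" paragraph of the delegation section. A domain with no unconstrained delegation therefore gets no krbtgt check at all, so the block should be a sibling directly under `if ($HealthCheck.Domain.Security)`, with its own log and catch messages instead of the copied "Unconstrained Kerberos delegation" text. The `'Password Last Set'` cell is styled Warning unconditionally, so a freshly rotated krbtgt looks the same in the report as a stale one; compare `$KRBTGT.PasswordLastSet` against an age threshold before applying `Set-Style`. The lookup enumerates every user with `-Filter *` and filters client-side, where `Get-ADUser -Identity krbtgt -Properties 'msds-keyversionnumber',Created,PasswordLastSet -Server $using:DC` should return the same account directly. The delegation query uses `Get-ADComputer` only, so user and service accounts with `TrustedForDelegation` set are not reported; a comment stating that scope, or a matching `Get-ADUser` query, would make the finding complete.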
From: Jonathan Colon Date: Mon, 14 Mar 2022 16:20:34 -0400 Subject: [PATCH 2/4] bumped file version --- AsBuiltReport.Microsoft.AD.psd1 | 2 +- Src/Private/Get-AbrADKerberosAudit.ps1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/AsBuiltReport.Microsoft.AD.psd1 b/AsBuiltReport.Microsoft.AD.psd1 index d4c72bc..4601576 100644 --- a/AsBuiltReport.Microsoft.AD.psd1 +++ b/AsBuiltReport.Microsoft.AD.psd1 @@ -12,7 +12,7 @@ RootModule = 'AsBuiltReport.Microsoft.AD.psm1' # Version number of this module. -ModuleVersion = '0.7.0' +ModuleVersion = '0.7.1' # Supported PSEditions # CompatiblePSEditions = @() diff --git a/Src/Private/Get-AbrADKerberosAudit.ps1 b/Src/Private/Get-AbrADKerberosAudit.ps1 index 629c1a7..0eb0b05 100644 --- a/Src/Private/Get-AbrADKerberosAudit.ps1 +++ b/Src/Private/Get-AbrADKerberosAudit.ps1 @@ -5,7 +5,7 @@ function Get-AbrADKerberosAudit { .DESCRIPTION .NOTES - Version: 0.7.0 + Version: 0.7.1 Author: Jonathan Colon Twitter: @jcolonfzenpr Github: rebelinux From 0fd2a13515fa1663a2b1b1ba19f7ce72c458f000 Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Mon, 14 Mar 2022 16:25:05 -0400 Subject: [PATCH 3/4] Update changelog with v0.7.1 changes --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68b6b6e..24f5954 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,16 @@ # :arrows_counterclockwise: Microsoft AD As Built Report Changelog +## [0.7.1] - 2022-03-14 + +### Added + +- Added Kerberos Audit section. + - Added Health Check condition and explanatione + +### Fixed + +- Fix release workflows to include PSSharedGoods module. + ## [0.7.0] - 2022-03-14 ### Added From 763005c70e11d51cdfbaea59e6f1b27da1d0c99d Mon Sep 17 00:00:00 2001 From: Jonathan Colon Date: Mon, 14 Mar 2022 20:14:50 -0400 Subject: [PATCH 4/4] Fix table displaying only one record --- Src/Private/Get-AbrADKerberosAudit.ps1 | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) 
diff --git a/Src/Private/Get-AbrADKerberosAudit.ps1 b/Src/Private/Get-AbrADKerberosAudit.ps1 index 0eb0b05..ddd3ab3 100644 --- a/Src/Private/Get-AbrADKerberosAudit.ps1 +++ b/Src/Private/Get-AbrADKerberosAudit.ps1 @@ -39,15 +39,17 @@ function Get-AbrADKerberosAudit { BlankLine $OutObj = @() Write-PscriboMessage "Collecting Unconstrained Kerberos delegation information from $($Domain)." - try { - $inObj = [ordered] @{ - 'Name' = $Unconstrained.Name - 'Distinguished Name' = $Unconstrained.DistinguishedName + foreach ($Item in $Unconstrained) { + try { + $inObj = [ordered] @{ + 'Name' = $Item.Name + 'Distinguished Name' = $Item.DistinguishedName + } + $OutObj += [pscustomobject]$inobj + } + catch { + Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Item)" } - $OutObj += [pscustomobject]$inobj - } - catch { - Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Item)" } if ($HealthCheck.Domain.Security) {
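Review bot: Inside the new `foreach`, the hashtable is assigned to `$inObj` but read back as `$inobj`, and `$OutObj` is grown with `+=` on every iteration. PowerShell is case-insensitive so this works, but consistent casing and collecting the loop output directly reads more cleanly, e.g. `$OutObj = @(foreach ($Item in $Unconstrained) { [pscustomobject][ordered]@{ 'Name' = $Item.Name; 'Distinguished Name' = $Item.DistinguishedName } })`. The per-item `try`/`catch` now wraps only two property reads, so a short comment saying which failure it is meant to catch would help the next reader. The enclosing function starts and ends outside this hunk.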