Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v0.7.1 public release #34

Merged
merged 6 commits into from
Mar 15, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion AsBuiltReport.Microsoft.AD.psd1
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
RootModule = 'AsBuiltReport.Microsoft.AD.psm1'

# Version number of this module.
ModuleVersion = '0.7.0'
ModuleVersion = '0.7.1'

# Supported PSEditions
# CompatiblePSEditions = @()
Expand Down
11 changes: 11 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,16 @@
# :arrows_counterclockwise: Microsoft AD As Built Report Changelog

## [0.7.1] - 2022-03-14

### Added

- Added Kerberos Audit section.
- Added Health Check condition and explanatione

### Fixed

- Fix release workflows to include PSSharedGoods module.

## [0.7.0] - 2022-03-14

### Added
Expand Down
127 changes: 127 additions & 0 deletions Src/Private/Get-AbrADKerberosAudit.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
function Get-AbrADKerberosAudit {
<#
.SYNOPSIS
Used by As Built Report to retrieve Microsoft AD Kerberos Audit information.
.DESCRIPTION

.NOTES
Version: 0.7.1
Author: Jonathan Colon
Twitter: @jcolonfzenpr
Github: rebelinux
.EXAMPLE

.LINK

#>
[CmdletBinding()]
param (
[Parameter (
Position = 0,
Mandatory)]
[string]
$Domain
)

begin {
Write-PscriboMessage "Discovering Kerberos Audit information on $Domain."
}

process {
if ($HealthCheck.Domain.Security) {
try {
$DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1}
$Unconstrained = Invoke-Command -Session $TempPssSession {Get-ADComputer -Filter { (TrustedForDelegation -eq $True) -AND (PrimaryGroupID -ne '516') -AND (PrimaryGroupID -ne '521') } -Server $using:DC -Searchbase (Get-ADDomain -Identity $using:Domain).distinguishedName}
Write-PscriboMessage "Discovered Unconstrained Kerberos Delegation information from $Domain."
if ($Unconstrained) {
Section -Style Heading4 'Health Check - Unconstrained Kerberos Delegation' {
Paragraph "The following section provide a summary of unconstrained kerberos delegation on Domain $($Domain.ToString().ToUpper())."
BlankLine
$OutObj = @()
Write-PscriboMessage "Collecting Unconstrained Kerberos delegation information from $($Domain)."
foreach ($Item in $Unconstrained) {
try {
$inObj = [ordered] @{
'Name' = $Item.Name
'Distinguished Name' = $Item.DistinguishedName
}
$OutObj += [pscustomobject]$inobj
}
catch {
Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Item)"
}
}

if ($HealthCheck.Domain.Security) {
$OutObj | Set-Style -Style Warning
}

$TableParams = @{
Name = "Unconstrained Kerberos Delegation - $($Domain.ToString().ToUpper())"
List = $false
ColumnWidths = 40, 60
}

if ($Report.ShowTableCaptions) {
$TableParams['Caption'] = "- $($TableParams.Name)"
}
$OutObj | Table @TableParams
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Corrective Actions: Ensure there aren't any unconstrained kerberos delegation in Active Directory." -Italic -Bold
try {
$DC = Invoke-Command -Session $TempPssSession {Get-ADDomain -Identity $using:Domain | Select-Object -ExpandProperty ReplicaDirectoryServers | Select-Object -First 1}
$KRBTGT = Invoke-Command -Session $TempPssSession { Get-ADUser -Properties 'msds-keyversionnumber',Created,PasswordLastSet -Server $using:DC -Searchbase (Get-ADDomain -Identity $using:Domain).distinguishedName -Filter * | Where-Object {$_.Name -eq 'krbtgt'}}
Write-PscriboMessage "Discovered Unconstrained Kerberos Delegation information from $Domain."
if ($KRBTGT) {
Section -Style Heading4 'Health Check - KRBTGT Account Audit' {
Paragraph "The following section provide a summary of KRBTGT account on Domain $($Domain.ToString().ToUpper())."
BlankLine
$OutObj = @()
Write-PscriboMessage "Collecting KRBTGT account information from $($Domain)."
try {
$inObj = [ordered] @{
'Name' = $KRBTGT.Name
'Created' = $KRBTGT.Created
'Password Last Set' = $KRBTGT.PasswordLastSet
'Distinguished Name' = $KRBTGT.DistinguishedName
}
$OutObj += [pscustomobject]$inobj
}
catch {
Write-PscriboMessage -IsWarning "$($_.Exception.Message) (KRBTGT account Item)"
}

if ($HealthCheck.Domain.Security) {
$OutObj | Set-Style -Style Warning -Property 'Password Last Set'
}

$TableParams = @{
Name = "KRBTGT Account Audit - $($Domain.ToString().ToUpper())"
List = $true
ColumnWidths = 40, 60
}

if ($Report.ShowTableCaptions) {
$TableParams['Caption'] = "- $($TableParams.Name)"
}
$OutObj | Table @TableParams
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Best Practice: Microsoft advises changing the krbtgt account password at regular intervals to keep the environment more secure." -Italic -Bold
}
}
}
catch {
Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Table)"
}
}
}
}
catch {
Write-PscriboMessage -IsWarning "$($_.Exception.Message) (Unconstrained Kerberos delegation Table)"
}
}
}

end {}

}
1 change: 1 addition & 0 deletions Src/Public/Invoke-AsBuiltReport.Microsoft.AD.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ function Invoke-AsBuiltReport.Microsoft.AD {
Get-AbrADTrust -Domain $Domain
Get-AbrADDomainObject -Domain $Domain
Get-AbrADSecurityAssessment -Domain $Domain
Get-AbrADKerberosAudit -Domain $Domain
Get-AbrADDuplicateObject -Domain $Domain
if ($Domain -like $ADSystem.RootDomain) {
Get-AbrADDuplicateSPN
Expand Down