Merge pull request #90 from TrimarcJake/testing

v2023.12 Release
TrimarcJake · Dec 16, 2023 · c99cc02 · c99cc02
2 parents ab54643 + 0a6003e
commit c99cc02
Show file tree

Hide file tree

Showing 15 changed files with 932 additions and 729 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,7 @@ ADCSRemediation.CSV
 Artefacts/*
 Examples/Output/*
 Ignore/*
+Invoke-RevertLocksmith.ps1
 Lib/Core/*
 Lib/Default/*
 Lib/Standard/*

diff --git a/Build/Build-Module.ps1 b/Build/Build-Module.ps1
@@ -17,12 +17,13 @@ Import-Module -Name PSPublishModule -Force
 Build-Module -ModuleName 'Locksmith' {
     # Usual defaults as per standard module
     $Manifest = [ordered] @{
-        ModuleVersion        = '2023.11'
+        ModuleVersion        = '2023.12'
         CompatiblePSEditions = @('Desktop', 'Core')
         GUID                 = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
         Author               = 'Jake Hildreth'
         Copyright            = "(c) 2022 - $((Get-Date).Year). All rights reserved."
         Description          = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
+        ProjectUri           = 'https://github.com/TrimarcJake/Locksmith'
         PowerShellVersion    = '5.1'
         Tags                 = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices','ADCS')
     }
@@ -40,8 +41,7 @@ Build-Module -ModuleName 'Locksmith' {
         # those modules are builtin in PowerShell so no need to install them
         # could as well be ignored with New-ConfigurationModuleSkip
         'Microsoft.PowerShell.Utility'
-        'Microsoft.PowerShell.LocalAccounts',
-        'Microsoft.PowerShell.Utility'
+        'Microsoft.PowerShell.LocalAccounts'
         'Microsoft.PowerShell.Management'
         'CimCmdlets'
         'Dism'
@@ -54,8 +54,8 @@ Build-Module -ModuleName 'Locksmith' {
     # Ignore missing modules or cmdlets during build process
     New-ConfigurationModuleSkip -IgnoreFunctionName @('Out-ConsoleGridView') -IgnoreModuleName @('Microsoft.PowerShell.ConsoleGuiTools')
 
-    # Tells the script to exclude Out-ConsoleGridView command from functions if the  module is not available to be loaded
-    New-ConfigurationCommand -CommandName @('Out-ConsoleGridView') -ModuleName 'Microsoft.PowerShell.ConsoleGuiTools'
+    # Tells the script to exclude commands from functions if the module is not available to be loaded
+    # New-ConfigurationCommand -CommandName @('') -ModuleName @('') # Populate arrays or remove empty example.
 
     $ConfigurationFormat = [ordered] @{
         RemoveComments                              = $false

diff --git a/Images/locksmith-sticker.png b/Images/locksmith-sticker.png
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
diff --git a/Locksmith.psd1 b/Locksmith.psd1
@@ -1,4 +1,4 @@
-@{
+@{
     AliasesToExport      = @('*')
     Author               = 'Jake Hildreth'
     CmdletsToExport      = @()
@@ -7,14 +7,15 @@
     Description          = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
     FunctionsToExport    = @('*')
     GUID                 = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
-    ModuleVersion        = '2023.11'
+    ModuleVersion        = '2023.12'
     PowerShellVersion    = '5.1'
     PrivateData          = @{
         PSData = @{
-            ExternalModuleDependencies = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
             Tags                       = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices', 'ADCS')
+            ProjectUri                 = 'https://github.com/TrimarcJake/Locksmith'
+            ExternalModuleDependencies = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
         }
     }
-    RequiredModules      = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
+    RequiredModules      = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
     RootModule           = 'Locksmith.psm1'
 }
diff --git a/Locksmith.psm1 b/Locksmith.psm1
@@ -1,4 +1,4 @@
-# Get public and private function definition files.
+# Get public and private function definition files.
 $Public = @( Get-ChildItem -Path $PSScriptRoot\Public\*.ps1 -ErrorAction SilentlyContinue -Recurse )
 $Private = @( Get-ChildItem -Path $PSScriptRoot\Private\*.ps1 -ErrorAction SilentlyContinue -Recurse )
 $Classes = @( Get-ChildItem -Path $PSScriptRoot\Classes\*.ps1 -ErrorAction SilentlyContinue -Recurse )

diff --git a/Private/Find-AuditingIssue.ps1 b/Private/Find-AuditingIssue.ps1
@@ -19,7 +19,7 @@
             $Issue | Add-Member -MemberType NoteProperty -Name 'Technique' -Value 'DETECT' -Force
         }
         else {
-            $Issue | Add-Member -MemberType NoteProperty -Name 'Issue' -Value "Auditing is not fully enabled. Current value is $($_.AuditFilter)" -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name 'Issue' -Value "Auditing is not fully enabled on $($_.CAFullName). Current value is $($_.AuditFilter)" -Force
             $Issue | Add-Member -MemberType NoteProperty -Name 'Fix' `
                 -Value "certutil.exe -config `'$($_.CAFullname)`' -setreg `'CA\AuditFilter`' 127; Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force
             $Issue | Add-Member -MemberType NoteProperty -Name 'Revert' `

diff --git a/Private/Find-ESC1.ps1 b/Private/Find-ESC1.ps1
@@ -10,7 +10,7 @@
         ($_.objectClass -eq 'pKICertificateTemplate') -and
         ($_.pkiExtendedKeyUsage -match $ClientAuthEKUs) -and
         ($_.'msPKI-Certificate-Name-Flag' -eq 1) -and
-        ($_.'msPKI-Enrollment-Flag' -ne 2) -and
+        !($_.'msPKI-Enrollment-Flag' -band 2) -and
         ( ($_.'msPKI-RA-Signature' -eq 0) -or ($null -eq $_.'msPKI-RA-Signature') )
     } | ForEach-Object {
         foreach ($entry in $_.nTSecurityDescriptor.Access) {

diff --git a/Private/Find-ESC2.ps1 b/Private/Find-ESC2.ps1
@@ -10,7 +10,7 @@
         ($_.ObjectClass -eq 'pKICertificateTemplate') -and
         ( (!$_.pkiExtendedKeyUsage) -or ($_.pkiExtendedKeyUsage -match '2.5.29.37.0') )-and
         ($_.'msPKI-Certificate-Name-Flag' -eq 1) -and
-        ($_.'msPKI-Enrollment-Flag' -ne 2) -and
+        !($_.'msPKI-Enrollment-Flag' -band 2) -and
         ( ($_.'msPKI-RA-Signature' -eq 0) -or ($null -eq $_.'msPKI-RA-Signature') )
     } | ForEach-Object {
         foreach ($entry in $_.nTSecurityDescriptor.Access) {
@@ -40,4 +40,4 @@
             }
         }
     }
-}
+}
diff --git a/Private/Find-ESC3Condition1.ps1 b/Private/Find-ESC3Condition1.ps1
@@ -9,7 +9,7 @@
     $ADCSObjects | Where-Object {
         ($_.objectClass -eq 'pKICertificateTemplate') -and
         ($_.pkiExtendedKeyUsage -match $EnrollmentAgentEKU) -and
-        ($_.'msPKI-Enrollment-Flag' -ne 2) -and
+        !($_.'msPKI-Enrollment-Flag' -band 2) -and
         ( ($_.'msPKI-RA-Signature' -eq 0) -or ($null -eq $_.'msPKI-RA-Signature') )
     } | ForEach-Object {
         foreach ($entry in $_.nTSecurityDescriptor.Access) {
@@ -39,4 +39,4 @@
             }
         }
     }
-}
+}
diff --git a/Private/Find-ESC3Condition2.ps1 b/Private/Find-ESC3Condition2.ps1
@@ -10,7 +10,7 @@
         ($_.objectClass -eq 'pKICertificateTemplate') -and
         ($_.pkiExtendedKeyUsage -match $ClientAuthEKU) -and
         ($_.'msPKI-Certificate-Name-Flag' -eq 1) -and
-        ($_.'msPKI-Enrollment-Flag' -ne 2) -and
+        !($_.'msPKI-Enrollment-Flag' -band 2) -and
         ($_.'msPKI-RA-Application-Policies' -eq '1.3.6.1.4.1.311.20.2.1') -and
         ( ($_.'msPKI-RA-Signature' -eq 1) )
     } | ForEach-Object {
@@ -41,4 +41,4 @@
             }
         }
     }
-}
+}
diff --git a/Private/Find-ESC4.ps1 b/Private/Find-ESC4.ps1
@@ -17,7 +17,8 @@
         } else {
             $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
         }
-        if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+
+        if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
             $Issue = New-Object -TypeName pscustomobject
             $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
@@ -26,14 +27,13 @@
             $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Issue `
                 -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
-            $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
-            $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]'  -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4'
             $Severity = Set-Severity -Issue $Issue
             $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
             $Issue
-        }
-        if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+        } elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
             $Issue = New-Object -TypeName pscustomobject
             $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
@@ -42,13 +42,14 @@
             $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Issue `
                 -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
-            $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
-            $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]'  -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4'
             $Severity = Set-Severity -Issue $Issue
             $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
             $Issue
         }
+
         foreach ($entry in $_.nTSecurityDescriptor.Access) {
             $Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
             if ($Principal -match '^(S-1|O:)') {
@@ -78,4 +79,4 @@
             }
         }
     }
-}
+}
diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1
@@ -17,41 +17,41 @@
         } else {
             $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
         }
-        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and 
-            ($SID -notmatch $SafeOwners) -and
-            ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)            
-            ) {
+        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
             $Issue = New-Object -TypeName pscustomobject
             $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
             $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
             $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
             $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Issue `
-                -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force
-            $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
-            $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]'  -Force
+                -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5'
             $Severity = Set-Severity -Issue $Issue
             $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
             $Issue
-        }
-        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+        } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
+            ($SID -notmatch $SafeOwners) -and
+            ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
+            ) {
             $Issue = New-Object -TypeName pscustomobject
             $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
             $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
             $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
             $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Issue `
-                -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
-            $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
-            $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
+                -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
+            $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]'  -Force
             $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5'
             $Severity = Set-Severity -Issue $Issue
             $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
             $Issue
         }
+
         foreach ($entry in $_.nTSecurityDescriptor.Access) {
             $Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
             if ($Principal -match '^(S-1|O:)') {
@@ -79,4 +79,4 @@
             }
         }
     }
-}
+}
diff --git a/Private/Test-IsProtectedUser.ps1 b/Private/Test-IsProtectedUser.ps1
@@ -0,0 +1,69 @@
+function Test-IsMemberOfProtectedUsers {
+<#
+    .SYNOPSIS
+    Check to see if a user is a member of the Protected Users group.
+
+    .DESCRIPTION
+    This function checks to see if a specified user or the current user is a member of the Protected Users group in AD.
+
+    .PARAMETER User
+    The user that will be checked for membership in the Protected Users group. This parameter accepts input from the pipeline.
+
+    .EXAMPLE
+    This example will check if JaneDoe is a member of the Protected Users group.
+
+        Test-IsMemberOfProtectedUsers -User JaneDoe
+
+    .EXAMPLE
+    This example will check if the current user is a member of the Protected Users group.
+
+        Test-IsMemberOfProtectedUsers
+
+    .INPUTS
+    Active Directory user object, user SID, SamAccountName, etc
+
+    .OUTPUTS
+    Boolean
+
+    .NOTES
+    Membership in Active Directory's Protect Users group can have implications for anything that relies on NTLM authentication.
+
+#>
+
+    [CmdletBinding()]
+    param (
+        # User parameter accepts any input that is valid for Get-ADUser
+        [Parameter(
+            ValueFromPipeline = $true
+        )]
+        $User
+    )
+
+    Import-Module ActiveDirectory
+
+    # Use the currently logged in user if none is specified
+    # Get the user from Active Directory
+    if (-not($User)) {
+        $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1]
+        $CheckUser = Get-ADUser $CurrentUser
+    }
+    else {
+        $CheckUser = Get-ADUser $User
+    }
+
+    # Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language.
+    $DomainSID = (Get-ADDomain).DomainSID.Value
+    $ProtectedUsersSID = "$DomainSID-525"
+
+    # Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it.
+    $ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique
+
+    # Check if the current user is in the 'Protected Users' group
+    if ($ProtectedUsers -contains $CheckUser) {
+        Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group."
+        $true
+    } else {
+        Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group."
+        $false
+    }
+}