Updated ESC4 Remediations To Be More Flexible

Invoke-Locksmith.ps1

@@ -472,7 +472,8 @@ function Find-ESC4 {
         [Parameter(Mandatory = $true)]
         $SafeUsers,
         [Parameter(Mandatory = $true)]
-        $SafeObjectTypes
+        $SafeObjectTypes,
+        [int]$Mode
     )
     $ADCSObjects | ForEach-Object {
         $Principal = New-Object System.Security.Principal.NTAccount($_.nTSecurityDescriptor.Owner)
@@ -521,6 +522,11 @@ function Find-ESC4 {
                     Revert                = '[TODO]'
                     Technique             = 'ESC4'
                 }
+
+                if ( $Mode -in @(1, 3, 4) ) {
+                    Update-ESC4Remediation -Issue $Issue
+                }
+
                 $Issue
             }
         }
@@ -1495,7 +1501,8 @@ function Invoke-Scans {
         # Could split Scans and PromptMe into separate parameter sets.
         [Parameter()]
         [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8', 'All', 'PromptMe')]
-        [array]$Scans = 'All'
+        [array]$Scans = 'All',
+        [int]$Mode
     )
 
     # Is this needed?
@@ -1565,7 +1572,7 @@ function Invoke-Scans {
             [array]$ESC3 = Find-ESC3Condition1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
             [array]$ESC3 += Find-ESC3Condition2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
             Write-Host 'Identifying AD CS template and other objects with poor access control (ESC4)...'
-            [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
+            [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes -Mode $Mode
             Write-Host 'Identifying AD CS template and other objects with poor access control (ESC5)...'
             [array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
             Write-Host 'Identifying Certificate Authorities configured with dangerous flags (ESC6)...'
@@ -2184,6 +2191,161 @@ function Test-IsRSATInstalled {
         $false
     }
 }
+function Update-ESC4Remediation {
+    <#
+    .SYNOPSIS
+        This function asks the user a set of questions to provide the most appropriate remediation for ESC4 issues.
+
+    .DESCRIPTION
+
+
+    .PARAMETER Issue
+
+
+    .PARAMETER Mode
+
+
+    .OUTPUTS
+        This function updates ESC4 remediations customized to the user's needs.
+
+    .EXAMPLE
+        $Target = Get-Target
+        $ADCSObjects = Get-ADCSObject -Target $Target
+        $DangerousRights = @('GenericAll', 'WriteProperty', 'WriteOwner', 'WriteDacl')
+        $SafeOwners = '-512$|-519$|-544$|-18$|-517$|-500$'
+        $SafeUsers = '-512$|-519$|-544$|-18$|-517$|-500$|-516$|-9$|-526$|-527$|S-1-5-10'
+        $SafeObjectTypes = '0e10c968-78fb-11d2-90d4-00c04f79dc55|a05b8cc2-17bc-4802-a710-e7c15ab866a2'
+        $ESC4Issues = Find-ESC4 -ADCSObjects $ADCSObjects -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers -SafeObjectTypes $SafeObjectTypes
+        Update-ESC4Remediation -ESC4Issues $ESC4Issues
+    #>
+    [CmdletBinding()]
+    param(
+        $Issue
+    )
+
+    $Header = "`n[!] ESC4 Issue detected in $($Issue.Name)"
+    Write-Host $Header -ForegroundColor Yellow
+    Write-Host $('-' * $Header.Length) -ForegroundColor Yellow
+    Write-Host "$($Issue.IdentityReference) has $($Issue.ActiveDirectoryRights) rights on this template.`n"
+    Write-Host 'To provide the most appropriate remediation for this issue, Locksmith will now ask you a few questions.'
+
+    $Admin = ''
+    do {
+        $Admin = Read-Host "`nDoes $($Issue.IdentityReference) administer and/or maintain the $($Issue.Name) template? [y/n]"
+    } while ( ($Admin -ne 'y') -and ($Admin -ne 'n') )
+
+    if ($Admin -eq 'y') {
+        $Issue.Issue = "$($Issue.IdentityReference) has $($Issue.ActiveDirectoryRights) rights on this template, but this is expected."
+        $Issue.Fix = "No immediate remediation required."
+    }
+    elseif ($Issue.Issue -match 'GenericAll') {
+        $RightsToRestore = 0
+        while ($RightsToRestore -notin 1..5) {
+            [string]$Question = @"
+
+Does $($Issue.IdentityReference) need to Enroll and/or AutoEnroll in the $($Issue.Name) template?"
+
+  1. Enroll
+  2. AutoEnroll
+  3. Both
+  4. Neither
+  5. Unsure
+
+  Enter your selection [1-5]
+"@
+            $RightsToRestore = Read-Host $Question
+        }
+
+        switch ($RightsToRestore) {
+            1 {
+                $Issue.Fix = @"
+`$Path = 'AD:$($Issue.DistinguishedName)'
+`$ACL = Get-Acl -Path `$Path
+`$IdentityReference = [System.Security.Principal.NTAccount]::New('$($Issue.IdentityReference)')
+`$EnrollGuid = [System.Guid]::New('0e10c968-78fb-11d2-90d4-00c04f79dc55')
+`$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
+`$AccessType = [System.Security.AccessControl.AccessControlType]::Allow
+`$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
+`$NewRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `$IdentityReference, `$ExtendedRight, `$AccessType, `$EnrollGuid, `$InheritanceType
+foreach ( `$ace in `$ACL.access ) {
+    if ( (`$ace.IdentityReference.Value -like '$($Issue.IdentityReference)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) {
+        `$ACL.RemoveAccessRule(`$ace) | Out-Null
+    }
+}
+`$ACL.AddAccessRule(`$NewRule)
+Set-Acl -Path `$Path -AclObject `$ACL
+"@
+            }
+            2 {
+                $Issue.Fix = @"
+`$Path = 'AD:$($Issue.DistinguishedName)'
+`$ACL = Get-Acl -Path `$Path
+`$IdentityReference = [System.Security.Principal.NTAccount]::New('$($Issue.IdentityReference)')
+`$AutoEnrollGuid = [System.Guid]::New('a05b8cc2-17bc-4802-a710-e7c15ab866a2')
+`$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
+`$AccessType = [System.Security.AccessControl.AccessControlType]::Allow
+`$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
+`$AutoEnrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `$IdentityReference, `$ExtendedRight, `$AccessType, `$AutoEnrollGuid, `$InheritanceType
+foreach ( `$ace in `$ACL.access ) {
+    if ( (`$ace.IdentityReference.Value -like '$($Issue.IdentityReference)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) {
+        `$ACL.RemoveAccessRule(`$ace) | Out-Null
+    }
+}
+`$ACL.AddAccessRule(`$AutoEnrollRule)
+Set-Acl -Path `$Path -AclObject `$ACL
+"@
+            }
+            3 {
+                $Issue.Fix = @"
+`$Path = 'AD:$($Issue.DistinguishedName)'
+`$ACL = Get-Acl -Path `$Path
+`$IdentityReference = [System.Security.Principal.NTAccount]::New('$($Issue.IdentityReference)')
+`$EnrollGuid = [System.Guid]::New('0e10c968-78fb-11d2-90d4-00c04f79dc55')
+`$AutoEnrollGuid = [System.Guid]::New('a05b8cc2-17bc-4802-a710-e7c15ab866a2')
+`$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
+`$AccessType = [System.Security.AccessControl.AccessControlType]::Allow
+`$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
+`$EnrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `$IdentityReference, `$ExtendedRight, `$AccessType, `$EnrollGuid, `$InheritanceType
+`$AutoEnrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `$IdentityReference, `$ExtendedRight, `$AccessType, `$AutoEnrollGuid, `$InheritanceType
+foreach ( `$ace in `$ACL.access ) {
+    if ( (`$ace.IdentityReference.Value -like '$($Issue.IdentityReference)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) {
+        `$ACL.RemoveAccessRule(`$ace) | Out-Null
+    }
+}
+`$ACL.AddAccessRule(`$EnrollRule)
+`$ACL.AddAccessRule(`$AutoEnrollRule)
+Set-Acl -Path `$Path -AclObject `$ACL
+"@
+            }
+            4 {
+                break 
+            }
+            5 {
+                $Issue.Fix = @"
+`$Path = 'AD:$($Issue.DistinguishedName)'
+`$ACL = Get-Acl -Path `$Path
+`$IdentityReference = [System.Security.Principal.NTAccount]::New('$($Issue.IdentityReference)')
+`$EnrollGuid = [System.Guid]::New('0e10c968-78fb-11d2-90d4-00c04f79dc55')
+`$AutoEnrollGuid = [System.Guid]::New('a05b8cc2-17bc-4802-a710-e7c15ab866a2')
+`$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
+`$AccessType = [System.Security.AccessControl.AccessControlType]::Allow
+`$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
+`$EnrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `$IdentityReference, `$ExtendedRight, `$AccessType, `$EnrollGuid, `$InheritanceType
+`$AutoEnrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `$IdentityReference, `$ExtendedRight, `$AccessType, `$AutoEnrollGuid, `$InheritanceType
+foreach ( `$ace in `$ACL.access ) {
+    if ( (`$ace.IdentityReference.Value -like '$($Issue.IdentityReference)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) {
+        `$ACL.RemoveAccessRule(`$ace) | Out-Null
+    }
+}
+`$ACL.AddAccessRule(`$EnrollRule)
+`$ACL.AddAccessRule(`$AutoEnrollRule)
+Set-Acl -Path `$Path -AclObject `$ACL
+"@
+            }
+        }
+    }
+}
+
 function Invoke-Locksmith {
     <#
     .SYNOPSIS
@@ -2364,7 +2526,7 @@ function Invoke-Locksmith {
 
     if ( $Scans ) {
         # If the Scans parameter was used, Invoke-Scans with the specified checks.
-        $Results = Invoke-Scans -Scans $Scans
+        $Results = Invoke-Scans -Scans $Scans -Mode $Mode
         # Re-hydrate the findings arrays from the Results hash table
         $AllIssues = $Results['AllIssues']
         $AuditingIssues = $Results['AuditingIssues']

Private/Find-ESC4.ps1

@@ -46,7 +46,8 @@
         [Parameter(Mandatory = $true)]
         $SafeUsers,
         [Parameter(Mandatory = $true)]
-        $SafeObjectTypes
+        $SafeObjectTypes,
+        [int]$Mode
     )
     $ADCSObjects | ForEach-Object {
         $Principal = New-Object System.Security.Principal.NTAccount($_.nTSecurityDescriptor.Owner)
@@ -93,6 +94,11 @@
                     Revert                = '[TODO]'
                     Technique             = 'ESC4'
                 }
+
+                if ( $Mode -in @(1,3,4) ) {
+                    Update-ESC4Remediation -Issue $Issue
+                }
+
                 $Issue
             }
         }

Private/Invoke-Scans.ps1

@@ -44,7 +44,8 @@ function Invoke-Scans {
     # Could split Scans and PromptMe into separate parameter sets.
     [Parameter()]
         [ValidateSet('Auditing','ESC1','ESC2','ESC3','ESC4','ESC5','ESC6','ESC8','All','PromptMe')]
-        [array]$Scans = 'All'
+        [array]$Scans = 'All',
+        [int]$Mode
     )
 
     # Is this needed?
@@ -114,7 +115,7 @@ function Invoke-Scans {
             [array]$ESC3 = Find-ESC3Condition1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
             [array]$ESC3 += Find-ESC3Condition2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
             Write-Host 'Identifying AD CS template and other objects with poor access control (ESC4)...'
-            [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
+            [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes -Mode $Mode
             Write-Host 'Identifying AD CS template and other objects with poor access control (ESC5)...'
             [array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
             Write-Host 'Identifying Certificate Authorities configured with dangerous flags (ESC6)...'