Create Get-PublishedTemplates #161
base: testing
Conversation
Get-PublishedTemplates pulls a list of published templates with their name, OID, flags, enrollment flag, last modified date, revision, and minor revision. This should help us check if vulnerable templates are published and also ultimately check if the vulnerable version is in use by issued certificate requests.
Big comment in code. Feel free to hit me up for more details.
Get-PublishedTemplates
...
.NOTES
If either of these flags are set, the template is considered published:
Your logic doesn't seem consistent with what's actually published, but it's very possible I'm missing something.
Your code returns this from my lab CA:
But the Certificate Templates list on my lab CA looks like this:
Which matches the CA object's certificateTemplates attribute expanded:
Note: The Certificate Templates pane shows the template's displayName attribute while the expanded certificateTemplates list shows the name attribute.
This function should be rewritten to see if the template name exists within the certificateTemplates attribute on any pKIEnrollmentService object. We already collect the required attribute in Get-ADCSObject, so I think you could:
- Collect all the published template names from all the CA objects
- De-duplicate the list and store it as $PublishedTemplates
- Loop through the templates to see if $PublishedTemplates -contains $TemplateName
- Return $true or $false to enrich the template object as a custom attribute.
Or whatever you want to do. You probably have a more elegant way of doing it.
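The approach the reviewer outlines above, worked through as an added PowerShell example (this is not Locksmith's code and not the PR's implementation). It assumes a $ADCSObjects array shaped like Get-ADCSObject output, where each item exposes objectClass, Name and, for CA objects, the multi-valued certificateTemplates attribute; the sample objects at the bottom are constructed, and the helper names Get-PublishedTemplateNames and Add-PublishedFlag are hypothetical.

```powershell
# Added example, not the project's own code. Assumption: $ADCSObjects items carry
# objectClass, Name and (on pKIEnrollmentService objects) certificateTemplates,
# as the reviewer says Get-ADCSObject already collects.

function Get-PublishedTemplateNames {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]]$ADCSObjects
    )
    # Every CA in the forest is a pKIEnrollmentService object; its
    # certificateTemplates attribute lists the templates published on it.
    $CAs = $ADCSObjects | Where-Object { $_.objectClass -eq 'pKIEnrollmentService' }

    # Flatten each CA's multi-valued attribute into one list, then de-duplicate.
    # A template published on several CAs therefore appears once.
    $Names = foreach ($CA in $CAs) {
        foreach ($TemplateName in @($CA.certificateTemplates)) {
            if ($TemplateName) { [string]$TemplateName }
        }
    }
    return @($Names | Sort-Object -Unique)
}

function Add-PublishedFlag {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]]$ADCSObjects
    )
    $PublishedTemplates = Get-PublishedTemplateNames -ADCSObjects $ADCSObjects
    $Templates = $ADCSObjects | Where-Object { $_.objectClass -eq 'pKICertificateTemplate' }

    foreach ($Template in $Templates) {
        # Compare on Name (cn), not displayName: the Certificate Templates pane
        # shows displayName, but certificateTemplates stores the name attribute.
        $IsPublished = $PublishedTemplates -contains $Template.Name
        $Template | Add-Member -NotePropertyName 'Published' -NotePropertyValue $IsPublished -Force
        $Template
    }
}

# Constructed sample data standing in for Get-ADCSObject output (hypothetical CA and template names).
$Sample = @(
    [pscustomobject]@{ objectClass = 'pKIEnrollmentService';  Name = 'LAB-CA-01'; certificateTemplates = @('User', 'WebServer', 'Machine') }
    [pscustomobject]@{ objectClass = 'pKIEnrollmentService';  Name = 'LAB-CA-02'; certificateTemplates = @('User', 'KerberosAuthentication') }
    [pscustomobject]@{ objectClass = 'pKICertificateTemplate'; Name = 'User';          displayName = 'User' }
    [pscustomobject]@{ objectClass = 'pKICertificateTemplate'; Name = 'WebServer';     displayName = 'Web Server' }
    [pscustomobject]@{ objectClass = 'pKICertificateTemplate'; Name = 'Administrator'; displayName = 'Administrator' }
)

# User and WebServer come back Published = True; Administrator, which no CA lists, is False.
Add-PublishedFlag -ADCSObjects $Sample | Select-Object Name, displayName, Published
```

Because the check is a membership test against what the CAs actually advertise, it stays correct for templates whose flag bits look "published" but that no CA has enabled, which is the discrepancy the reviewer observed in the lab. The -contains comparison is case-insensitive by default in PowerShell, matching how AD treats template names.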
Thinking about de-duplicating the list and the possibility of different versions of a template being published on different CAs. Is that possible, and if so: does a published template on multiple CAs have the same OID for each instance, or a unique one per CA?
EDIT: I think I found that the answer is no to both questions. One version across all CAs and the same OID for the template on all CAs.
WIP - Rewriting to just use ADCSObjects
I made a mistake creating the release. It should've contained the .zip version of the script, so I fixed it.
Add Prerequisites
@SamErde what's the status on this? The current version seems to return no result.
Will try to find time to revive and resolve this week.
Get-PublishedTemplates pulls a list of published templates with their name, OID, flags, enrollment flag, whenModified, revision, and minor revision. This should help us check if vulnerable templates are published and also ultimately check if the vulnerable version is in use by issued certificate requests.
Please review the bitwise checks for the template's flags and mspki-enrollment-flag properties to see if the logic is correct and returns all published templates in your test environments.
Contributes to #87.