changelog.txt

3.3.0.1
* fix an issue where rule is not displayed when impacted users/computers count is less than 100.

3.3.0.0
* adjusted the rules S-DesEnabled, S-PwdNotRequired, S-PwdNeverExpires, P-Delegated, A-PreWin2000Other, S-PrimaryGroup, P-ServiceDomainAdmin, 
  A-AdminSDHolder to display directly the list of impacted users in the rule if the number is limited (hardcoded to 100) so Pro / Enterprise users can set accounts in exceptions
* handle the case where the property ms-DS-MachineAccountQuota has been removed (you can add as many computers as you want)
* ignore RPC coerce test if the computer used to run PingCastle is the DC (false positive)
* added the rule S-FirewallScript which recommends firewall rules against script engines (suggestion of Steen Poulsen)
* added the rule S-TerminalServicesGPO which recommends session timeout for RDP (suggestion of Steen Poulsen)
* Upgraded .NET Framework version to 4.7.2
* Release will contain version for 4.5.2 and 4.7.2
* Upgraded nuget packages
* Security improvements

3.2.1.0
* adjust P-DisplaySpecifier to be more relaxed when foreign path are used
* P-DNSAdmin is not triggered anymore (following our previous notification)
* added troubleshooting tests in case PingCastle is asked to connect to LDAPS and if the remote certificate is untrusted
* adjust powershell requests in S-OS-* rules descriptions
* fix a problem when with S-PwdLastSet-45 / S-PwdLastSet-90 when the DC has an incorrect date and set lastlogondate in the future
* add support for ms-LAPS-EncryptedPassword
* fix a problem in AzureAD when PRT was used even if manual credential was provided
* disabled the rule UserConsentCompanyData because the AAD changed drastically
* remove computer inherited class (managed service account) from AES missing control
* added the rule A-SmartCardPwdRotation checking for msDS-ExpirePasswordsOnSmartCardOnlyAccounts
* added the rule P-RODCKrbtgtOrphan checking for krbtgt_* account associated to RODC that are orphans
* added the rule S-AesNotEnabled checking for AES not enabled on service accounts
* added the rule S-PwdLastSet-Cluster checking for password change on clusters (at least every 3 years)
* added the rule A-RootDseAnonBinding to check for anonymous binding on rootDse for DC with Windows 2019+
* added the rule S-FolderOptions to recommend to open .js .jse files using notepad instead of the default script engine
* added the rule S-DefenderASR to implement Defender ASR rules. Even if another AV is installed, it will cover computers in a default state
* Pro: added a workaround to fix issues when ClientSecret is not defined for AAD authentication

3.2.0.1
* fix a regression in S-ADRegistration if multiple SeMachineAccountPrivilege have been defined, including Everyone like group and if MachineAccountQuota is not zero

3.2.0.0
* added a RPC scanner for DC (python coercer like script but without exploiting) and --skip-dc-rpc to disable this scan
* added the rule A-DC-Coerce matching the RPC scanner output
* changed S-OldNtlm and S-ADRegistration to take in account GPO overwriting settings

3.1.5.0
* exclude cluster objects (which looks like computers) from healthcheck analysis. In export computers, new column is added to reflect the cluster status
* fix an issue with restricted group membership
* excluded gmsa from P-ProtectedUsers and P-Delegated
* added a message in the console if the custom rule failed to load (instead of just being logged)
* adjusted the implementation logic of P-AdminLogin for better adjustment of customization
* rewrote the collection logic for admin last login to avoid S4USelf side effect (aka collect it on all DC instead of relying on lastlogontimestamp)
* added whenChanged to the user export function
* fix a bug when the replication metadata of some objects is denied
* fix an issue relative to parallele work for msi analysis
* clarify the rationale of S-OS-W10 by adding the number of active computers
* display the list of accounts in S-PwdNeverExpires if the count is less than 100 (hardcoded) so I can be added in exception for licensed version
* change the logic to handle AzureADKerberos accounts for S-DC-NotUpdated and S-DC-Inactive
* added a remark in the report about the impossibility to reach 100% LAPS deployment given the collected stats
* add Windows OS details (such as SP or release) on the consolidation report

3.1.0.1
* fix local membership if many settings are defined
* fix LAPS collection (signed / unsigned bug)

3.1.0.0
* fix a bug for machineaccountquote when GPO has been rewritten to remove all users
* fix a regression introduced in previous version in P-TrustedCredManAccessPrivilege
* added a password distribution chart in consolidation report (reserved for licensee)
* added LAPS last change date for "export computers"
* using new LAPS attribute ms-LAPS-Password
* wording change for A-SmartCardRequired
* added the rule A-DCLdapsProtocolAdvanced for Tls 1.0 and Tls 1.1 detection (informational)
* added the rule S-DefaultOUChanged for informational use of redircmp - thanks to Andy Wendel
* changed the rule A-MembershipEveryone to check for "Local Users and group" assignation
* added the rule P-AdminEmailOn to check if privileged accounts have an email (informative & maturity level 3)
* added the rule P-UnprotectedOU to check for unprotected OU (informative & maturity level 4)
* added the rule S-OS-2012 and S-DC-2012 that will trigger after Oct 10 2023 (unless --I-swear-... is set)

3.0.0.4
* fix channel binding issue (if server was configured with only TLS1.2 and client was not configured for TLS1.2 in the default algorithm it was not tested)
* fix integrity bug for paid subscriptions

3.0.0.3
* fix T-AlgsAES to not be enforced for unidirectional trust (trusdirection=2)
* removed rule P-DNSDelegation as it has no meaning anymore
* added LAPS usage analysis & statictics (for paid customers)
* change the timeout of TlsCheck from 10ms to 1s
* fix setintegrity missing
* fix kerberos armoring detection bug - thanks to Andy Wendel
* change timeout for Tls check (was only 10ms) to 1s

3.0.0.0
* migrate from .net 3 to .net 4.5
* integrated PingCastleCloud project
* fix rule A-CertEnrollChannelBinding which was triggering even if CB is enabled
* fix test ldap signature on ldap and not ldaps
* fix a logic issue when testing for integrity in LDAP
* fix sorting and filtering issue
* collect exchange info and display it and sccm in the report
* migration from .net 3 to .net 4.5
* added the rule S-KerberosArmoring and S-KerberosArmoringDC
* fix visibility on DNS zone replicated on DC only (not the DomainDns zone)
* fix HTTP ConnectionTester for NTLM only websites (refusing Negotiate)
* changed A-WeakRSARootCert2 to be triggered in 2031 instead of 2030
* added the rule P-DisplaySpecifier to check for DisplaySpecifier abuse
* align S-ADRegistrationSchema with ANSSI rule
* added the rule S-FunctionalLevel1/3/4 to check the functional level of the domain / forest
* parallelize PKI checks for environments with several ADCS entries
* fix a bug in T-SIDHistoryDangerous which made it ineffective
* added the hidden option --doNotTestSMBv1 to not trigger SOC when testing for SMB v1
* adapt the rule S-ADRegistration in case there is no GPO settings SeMachineAccountPrivilege
* adjust the label of the rule A-WeakRSARootCert2 to clarify that certificate with 2048 bits module should expires before 2030
* fix a regression with server containing * pattern
* disabled --I-swear-I-paid-win7-support because extended support is not available anymore
* fixed P-AdminPwdTooOld and P-ProtectedUsers which were checking also disabled accounts
* fixed A-WSUS-SslProtocol incorrect LDAP reference in rule description
* license can be pushed using API but only the banner for the embedded license was shown leading to customer confusing. Added a message to avoid that
* added the rule S-OldNtlm to hunt DC accepting NTLMv1 and used in coerced authenthication attacks

2.11.0.0
* fix: the rule S-OS-W10 was triggering even if there is no enabled Windows 10
* added the rules A-DCLdapSign and A-DCLdapsChannelBinding
* added the rules A-CertEnrollHttp and A-CertEnrollChannelBinding
* if an api key is provided, test it at the beginning of the processing (instead of doing at the end)
* enable custom rules processing for Pro / Enterprise versions
* added the rule T-AlgsAES to check for trust algorithms
* fix a problem when Users container has been removed
* fix P-AdminLogin when administrator login date is in the future (can happen when reloading backups)
* fix perform PKI tests only if the PKI is installed
* reworked the rule set to be more performant
* fix a problem when a OU used for PKI has been manually removed
* fix S-PwdNeverExpires - HealthMailbox* accounts with a password change within 40 days are excluded
* fix S-Inactive - change 6*31 days to 6 months. If a password change occured within 6 months (no login) the password is now considered as active
* added for auditor licenses, a feature to have a dashboard for RC4 to AES migration in Kerberos
* change the powershell command to check for S-DesEnabled
* added SCCM listing
* added the possibility to specify honeypot accounts by a DN (the setting is "distinguishedName")
* migrate to bootstrap 5, popperjs 2 and bootstrap-table (instead of datatables)
* added table export for licensed users
* fix rules checking for external path location (server.domain.fqdn) when uri is based on IP instead of FQDN
* fix the computation of constrained delegation with protocol transition (this impacts rule P-DelegationDCt2a4d)
* added a note for P-AdminLogin about S4u2Self
* added the rule A-CertTempNoSecurity
* changed A-CertTempAnyone and other rules so the program considers that the group Domain Computers is like Everyone if ms-DS-MachineAccountQuota is non zero
* added the rule A-DC-WebClient to hunt for WebClient service enabled on domain controllers
* modifed P-Delegated to add HoneyPot account checks
* fix change the evaluation order for Embedded systems (vs Winows 7) when reducing OS name into a short description
* modify delegations gathering: filter entreprise domain controllers and check base of configuration partition

2.10.1.1
* for guest enablement, check if useraccountcontrol is not zero (can be the case when checked on a DC)
* change maturity level for rule P-DNSAdmin, the score and the description

2.10.1.0
* fix more readable error message if the xml file is corrupted
* fix a bug in P-DNSDelegation to avoid false positive when the computer is in another language than english
* fix LTSC vs LTSB for older version of Windows 10
* reimplemented RPC calls to avoid AV false positive
* fix a bug in the ui if the export menu is cancelled
* added the rule A-HardenedPaths related to STIG V-63577 (MS15-011 and MS15-014)
* modify the report to hightlight in particular for delegations DCSync / AADConnect rights
* added "Add access check for current user in the share scanner"
* fix problem if there is a conflict replication when defining FSMO roles
* fix: Do not fail if the .config file has being modified with bugged honeypot data
* adding option --quota to limit the LDAP query speed
* add a warning if there is a misconfiguration in the schema
* added benchmark button
* fix a modelisation issue when a child domain cannot reach its forest root
* added the rule S-JavaSchema to check the presence of the RFC 2713 schema extension (java objects representation in LDAP)
* modified the rule S-PwdLastSet-45 and S-PwdLastSet-90 to be applicable only on server data (lot of false positive for user computers connected once in a while)
* added a section in the report to display certificate template delegations (excluded admins for clarity as other delegations)
* added the rules S-WSUS-NoPinning, S-WSUS-UserProxy, S-WSUS-HTTP, A-WSUS-SslProtocol for WSUS configuration
* modified the wording of the explanation of the rule P-ServiceDomainAdmin
* added a function in export to save in a file (and on screen) all changes that occurs in real time (modulo the replication time)
* fixed a typo in UnixPassword check which was clearing the data
* added azure ad configuration & AzureADConnect info in the report if found
* fixed S-DC-Inactive to not display an error about the AzureAD Kerberos account
* fixed a bug when reloading very old PingCastle reports
* added the rule A-DsHeuristicsDoNotVerifyUniqueness if the mitigation for CVE-2021-42282 has been disabled
* added the rule A-DsHeuristicsLDAPSecurity if the mitigation for CVE-2021-42291 has been disabled
* updated S-OS-W10 with new end of support dates
* added the rule S-OS-Win8 for Windows 8 / 8.1 which is out of regular support
* added the rule A-Guest to be sure the guest account is disabled
* added the rule A-DnsZoneAUCreateChild for level 4 hardening about dnszone

2.10.0.0
* change pre-win 2000 compabitility group to handle group rename
* added a setting to change the LDAP page size (to test when the AD corruption message is showing)
* update to bootstrap 4.6.0
* add the ability to see the rules for each level in the maturity report
* be more scoped when looking for sites GPO
* fix: replace "admins" string in code, because they were some strings unmatched (especially in P-Kerberoasting & P-ServiceDomainAdmin)
* fix S-PwdLastSet-45 S-PwdLastSet-90: the check was made against inactive computers instead of active ones
* added the rule A-DnsZoneTransfert which checks for DNS Zone Transfers
* added the rule A-LAPS-Joined-Computers which checks for manually joined computers - the owner of the computer objects see the LAPS password - thanks to Andy Wendel
* fix P-AdminNum for a better wording if it matches
* fix unixpassword LDAP search query for optimization (looks only on active user account)
* added the MS FAQ for Krbtgt reset in the A-Krbtgt rule links
* fix a non timeout issue when SSL connection are "suspensed" by a network device
* fix when using a custom identity, forward the impersonation token to all threads launched by the application
* added the rule A-CertTempAgent, A-CertTempAnyPurpose, A-CertTempAnyone, A-CertTempCustomSubject for certificate template abuse
* added Mitre Att&ck mapping & reports
* added the rule A-PreWin2000AuthenticatedUsers for information for the printnightmare problem
* added a detail by OS (Windows 10 edition / Windows 2008 R2)
* added the rule S-OS-W10 for Windows 10 non supported versions
* added details for DC certificate
* added DC certificates to A-CertROCA and A-WeakRSARootCert
* change the algorithm which finds the DnsAdmin group to be more flexible for translation and moves
* fix password authentication that was not working in some cases
* for honeypot accounts, change P-Kerberoasting to take it into account
* fix NetCease check to be case insensitive (thanks to @ralish)
* added an option for scanners to use a file as input instead of querying the AD
* added an export section to export users or computers (a scanner was already present and moved to this section)
* added the rule S-ADRegistrationSchema for schema class check à la CVE-2021-34470
* fixed P-AdminLogin that wasn't effective (this check was active only during the first 35 days of the domain)
* defer DataTable initialization (css for table) to avoid any problem in table stop javascript
* fix a bug when msDS-GroupManagedServiceAccount and msDS-ManagedServiceAccount were not counted as group member
* fix a problem in P-ServiceDomainAdmin to look individually at each password change and to set them as exception if needed
* change the rule detail rendering to avoid issues with strange items
* added the option --datefile

2.9.2.0
* modify P-UnkownDelegation to not be triggered with SID having their RID < 1000 (RID is the last number)
* modify A-AuditDC to not request simple audit policies anymore and removing the need for Other Account Logon Events reserved for future use
* modify S-PwdNeverExpires description to take in account linux servers which do not change their machine password
* modify P-ProtectedUsers to change the limit from 1 to 2
* added exception for AzureADKerberos in S-DCRegistration and AzureADKerberos
* Fix user scanner which where filtering only admincount users
* Fix authentication by user/password when the user was submitted as UPN
* Fix the program was resilient for control characters when serializing to xml, but not to non existing character
* Fix a problem when duplicated SID (\0CNF:) were used in permissions
* Add gpo applied order property (aka gpo precedence)
* rewrote the way subnets are collect to avoid the 1500 items limit (MS-ADTS 3.1.1.3.4.6 aka MaxValRange)
* Add in the report lDAPIPDenyList (IP denied for LDAP communication) if any found
* Fix: the GPO full info was not displayed in the report in the section Obfuscated Passwords
* Add linked GPO to site when browsing GPO info
* Added the new service for the remote scanner based on github PR
* Be more resilient if the security of DC objects cannot be examined
* Fix documentation links
* Add scanner computer version
* Added a comment in PingCastle.exe.config about uploading reports using the API with TLS 1.2 and next vs testing old protocols
* Fix some gallery.technet.microsoft.com link (other need to be fixed)

2.9.1.0
* added options for the scanner to select only dc, servers, workstations
* added the privilege SeManageVolumePrivilege to the list of dangerous privileges
* when a rule crashes, continue the execution but with a message asking the user to call the support
* fix a problem when RODC Denied Users are from a domain PingCastle can't access
* group SID History data was not analyzed regarding its creation date
* added a zerologon scanner (not in healthcheck because it will trigger IDS & AV in the future
* fix a bug when a SID being duplicated is used as member of a group
* Do not raise an alert when the account sensitive checkbox is not checked but the user is in protected users. Thanks Fanaw.
* Do not raise an alert if there is only one user not in protected users as this is a regular admin practice. Thanks Oliver-André
* Add the possibility to have DC in the honeyPot account. Typically used for riverbed devices for example
* specify in the rule A-NTFRSOnSysvol that NTFRS is supported up to Windows 2022 at this time - also match only if there is a DC < win 2019
* add new definition of the ESET AV for AV scanner module

2.9.0.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Information: the 3.0 version of PingCastle will run by default on .net 4 instead of .net 2 (this may break the compatibiliy with Windows 2000)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
* when building the map, the program was taking the first part of the FQDN as a shortname. Now it uses the Netbios name if it is available
* change tooltip description for the trust section of the healthcheck report
* added the rule S-DC-2008 and S-OS-2008 to check for obsolete 2008 servers which are no longer supported
* Fix: A-AuditDC - GPO at the root level was ignored and OU specific too. Now the GPO is checked per DC.
* Fix: A-AuditDC - Reword the rule A-AuditDC for better understanding
* change A-Krbtgt to be triggered only after 1 year (previously 40 days)
* Fix: In some scanners, the comma was used instead of a tab
* Fix: Avoid a crash if the security descriptor of the msi files cannot be retrieved
* Fix: better switch in case of failure of ADWS to LDAP
* Added the rule A-CertROCA to check for recoverable public key (ROCA vulnerability) [ANSSI: vuln1_certificates_vuln]
* Added the rule A-CertWeakDSA to check for DSA key use in certificate used for digital signature [ANSSI: vuln1_certificates_vuln]
* Added the rule A-CertWeakRsaComponent to check for low RSA exponent
* Added the rule A-WeakRSARootCert2 to check for rsa module length between 1024 & 2048 (friend of A-WeakRSARootCert)
* Added the rule A-DsHeuristicsAllowAnonNSPI to check if the heuristics fAllowAnonNSPI is enabled
* Added the rule P-RODCAllowedGroup to check for the Allowed RODC Password Replication Group group
* Added the rule P-RODCDeniedGroup to check for the Denied RODC Password Replication Group group
* Added the rule A-NTFRSOnSysvol to check the usage of the old protocol NTFRS on SYSVOL replication
* Added the rules A-DnsZoneUpdate1 and A-DnsZoneUpdate2 about DNS unsecure updates
* Added the rule S-DC-Inactive to check for inactive DC
* Added the rule S-PwdLastSet-DC to check for regular password change on DC
* Added the rule T-SIDHistoryDangerous to check for SID lower than 1000 or well known in SIDHistory
* Added the rule S-PwdNeverExpires to check for accounts with never expiring passwords
* Added the rule S-DCRegistration to check if DC are well registered (aka detect fake DC)
* Added the rule P-DelegationDCt2a4d P-DelegationDCa2d2 and P-DelegationDCsourcedeleg for DC delegation analysis
* Added the rule A-PreWin2000Other to be the companion of A-PreWin2000Anonymous
* Added the rule P-ProtectedUsers to check if all privileged accounts are member of the protected users group
* Added the rule S-PwdLastSet-45 and S-PwdLastSet-90 for workstations without the automatic password change disabled
* Added the rule P-AdminPwdTooOld to check for admin passwords older than 3 years
* Added the rule S-NoPreAuthAdmin, which is a split of the rule S-NoPreAuth, to match admins
* Added the rule P-DNSAdmin to check for members of the DNS Admins group
* Added the rule P-RODCRevealOnDemand P-RODCNeverReveal and P-RODCAdminRevealed for RODC checks
* Added the rule P-RODCSYSVOLWrite to check for RODC write access to the SYSVOL volume
* Added the rule A-NoNetSessionHardening to check if the NetCease mitigation has been applied
* Added the rule A-UnixPwd to check for attributes known to contains password
* Added the rule T-AzureADSSO to check for password rotation with AzureAD SSO (AZUREADSSOACC)
* Added the rule S-OS-Win7 to check for Windows 7. PingCastle is looking for support purchased from MS.
* Change the rule reports to include ANSSI rules
* Change the threshold of S-Inactive from 15 to 25% to match user_accounts_dormant rule
* Change the category of P-ControlPathIndirectMany and P-ControlPathIndirectEveryone to the new Control Path category
* Change the rule P-AdminNum to add a new limit of 50 admins
* Change the cagory of the rule P-DelegationEveryone, P-PrivilegeEveryone, P-TrustedCredManAccessPrivilege, P-UnconstrainedDelegation, P-UnkownDelegation
* Change the rule A-MinPwdLen to check only GPO applied to something
* Change the way GPO are evaluated in rules: if the GPO is disabled or not applied, no anomaly is found
* Change the rule A-MembershipEveryone to not trigger an alert when Authenticated users is a member of BUILTIN\Users
* Adding features exclusive for our customers, such as maturity evaluation, and charts
* Added the scanner export_user for a quick user analysis
* Added pagination and search in healthcheck report
* For AdminSDHolder users check, added the date in the report (written as 'Event') when the attribute admincount has been set (via replication metadata)
* Auditor & Enterprise licensee can now brand the report by using Appsettings/BrandLogo for base64 logo and Appsettings/BrandCss & BrandJs for raw Css & Js to inject
* make visible the rule ID in the healthcheck report in the rule description
* Removed BSI reference as the document is not online anymore
* Added ms-mcs-admpwd read check in delegations
* Fix members of admin groups outside the AD were not visible in the report
* Add some VPAT / RGAA V4 compability
* update the rule P-DNSDelegation to informative as it was assigned the identifier CVE-2021-40469 and fixed by a patch in October 2021

2.8.0.0
* reworked the way third party components are included in reports for better html auditing (aka Content Security Policy)
* added the rule P-DNSDelegation to check delegation on the MS DNS server which can be used to take control of the domain
* show healthcheck rule detail in a table if possible
* remove the "network configuration operators" group from privileged groups as it has no impact on the domain by itself
* split the allow login / deny login settings from privileges and from DC to another dedicated section
* added the rule P-TrustedCredManAccessPrivilege to match STIG rule V-63843
* added Auto logon info if found in the GPO passwords section
* added the rule P-LogonDenied to check for tiers isolation. Only in application if more than 200 users & 200 computers
* be resilient if a new rule category is added in the future so future reports can be read by this PingCastle version
* fix a problem when control character is found in data (loginscript for example) and cannot be serialized in xml
* added an experimental bluekeep scanner. To avoid AV detection, the code is commented. Decomment and recompile to use it.
* added SeSecurityPrivilege (access to the security event log) in the list of privileges to monitor.
* merged the permission report and the healthcheck report
* added the rule P-ControlPathIndirectEveryone and P-ControlPathIndirectMany for control path analysis
* added the rule A-AuditDC for audit policy
* update to bootstrap 4.4.1
* change the algorithm to locate the server. Faster and compatible with kerberos only domains.
* added the rule A-DCLdapsProtocol looking for SSLv2 and SSLv3 active on DC
* added the rule A-AuditPowershell to check for powershell auditing (informative)
* added the rule S-OS-Vista to check for Vista presence (which is not supported anymore). Windows 7 & 2008 added after extended support stops.
* added honey pot setting to avoid honey pot accounts to be in error
* added a new view for the DC certificates

2.7.1.0
* update the TGT delegation algorithm after the July update (new flag CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION)

2.7.0.0
* added a network map inspired from hilbert curves
* fix a bug when doing a map with very complicated data
* adjust the krbtgt last password change when a replication set it to "not set"
* added the rule P-ExchangePrivEsc to check for Exchange misconfiguration at install
* added the rule P-LoginDCEveryone to check if everybody can logon to a DC
* added the rule P-RecycleBin to check for the Recycle Bin feature (at forest level)
* added the rule P-DsHeuristicsAdminSDExMask to check if AdminSDHolder has been disabled for some critical groups
* added the rule P-DsHeuristicsDoListObject to check if the feature DoListObject has been enabled (informative only)
* added the rule P-RecoveryModeUnprotected to check if any user can go into recovery mode without being admin
* added the rule A-LDAPSigningDisabled to check if the LDAP signing mode has been set to None
* added the rule A-DCRefuseComputerPwdChange to check that Domain Controllers don't deny the change of computers account password
* added the rule P-DelegationFileDeployed to check for deployed file via GPO (msi, file copied, ...)
* added the rule T-FileDeployedOutOfDomain to check for deployed file via GPO (msi, file copied, ...) from outside this domain
* added the rule A-NoGPOLLMNR which checks if LLMNR can be used to steal credentials
* added the rule T-TGTDelegation to check for TGT delegation on forest trusts
* added the rule P-Kerberoasting to check for keberoasting (SPN for admin account). A mitigation via a regular password change is allowed.
* update the score produced by the rule S-SMB-v1 from 1 to 10
* fix the scanner command line when targeting multiple computer (single and multiple were inverted)
* added the scanner antivirus
* added the scanner laps_bitlocker
* fix a bug in the graph report when multiple files were examinated in parallele
* add a transition msDS-AllowedToActOnBehalfOfOtherIdentity to the graph report
* fix a bug when computing msDS-Lockout* in PSO (time were divided by 5)
* fix rule A-LMHashAuthorized which were not triggering due to a bug and improved its documentation
* improve the healtcheck report and added a comment to locate the NTLMstore (certificate section)
* fix GPP Password for scheduled task - only 1 out of 4 kind of scheduled tasks were checked
* fix support for missing well known sid S-1-5-32-545 for rules
* fix a tedious bug when using LDAP and when requesting the property Objectclass - it is not available in the result using the native API
* fix a tedious bug when reading SMB2 data (input was inverted with output) which gave inaccurate results regarding signature
* PingCastle does now have a default license and can be run without the .config file
  In this case, the compatibility shims are removed and forced under .Net 2 engine. To run under .Net 4, a recompile is needed.

2.6.0.0
* fix a problem for early version of LDAP undetected : in ms-*-AdmPwd, MCS was replaced by company name
* integrate many hidden functions into the "scanner mode" to be more easy to use
* removing the ms17-010 scanner from the source because antivirus are so stupid that they cannot make the difference between a vulnerability scanner & an exploitation kit
* added many scanners (aclscanner, ...)
* breaking change: admin accounts where checks for lock, smart card, ... even if the account is disabled. This is not the case anymore.
* tuned S-DC-SubnetMissing to avoid dealing with local ipv6 loopback address (::1)
* added the rule A-DC-Spooler and the spooler scanner to check for print spooler accessible remotely (used to collect computer credentials via unconstrained delegation)
* added the rule A-NotEnoughDC to check domains have at least 2 DC
* added the rule P-UnconstrainedDelegation to check for unconstrained delegation in kerberos (the data was already reported)
* in relation with P-UnconstrainedDelegation, change the way accounts "trusted for delegation" are selected. Change useraccountcontrol flag from 0x01000000 to 0x80000
* fix in healthcheck report: the reversible password detail section was only displayed if there was unconstrained delegation in the domain
* added the rule P-ExchangeAdminSDHolder to check for the Exchange modification of the AdminSDHolder object
* added the rule P-DelegationKeyAdmin to check for boggus Windows 2016 installation
* added the (informative) rule P-OperatorsEmpty to check the recommendation to have the account and server operators empty
* added the rule P-DelegationGPOData to check for too large permissions granted to GPO items
* added the rule P-PrivilegeEveryone to check for too large GPO assigned privileges
* adjust the Domain Controller selection for tests (aka: number of DC in a domain & checks performed on them)
* remove the --split-OU technique which was not used and add an automatic protocol fallback in case of failure (ADWS then LDAP for example)
* allow the use of LDAPS via the --port 636 command switch
* fix a couple of problem in PingCastleReporting (incorrect numbers, wrong label, inability to load some configuration)
* Migrate from Bootstrap 3 to Bootstrap 4
* fix some mono incompatibility
* fix crash when analysing gpo where scheduled task password is being stored
* fix A-NoServicePolicy which was triggered when i shouldn't and vice versa
* add support for Windows 2019
* fix DnsAdminGroup not found when moved in another OU
* fix rootDse listing when using credential & required bind
* extended the rule S-DesEnabled to check also computers account
* add to the report a link in rules to sections of the report to get more insight

2.5.2.0
* fix a problem when a dc has been removed but not its computer account but its dns record
* fix a problem when for the rule A-SmartCardRequired which was triggered each time a "smart card required" account was found
* fix: the decryption process was broken as successful descryption always triggered a failure
* fix S-DC-SubnetMissing when subnet are duplicated (contains CNF and generated from replication problem)
* fix NT4 mismatch if the year was not present and include the word "dataceNTer"
* add a check for "smart card required" for administrator accounts
* reworked the menu to be more interactive

2.5.0.0
* rewrote all rules description / rationale / etc
* added start and end date for exception
* breaking: change the date at which the exception / migration is evaluated from current date to report generation date
* new rules: A-SMB2SignatureNotEnabled A-SMB2SignatureNotRequired S-DC-SubnetMissing P-DelegationLoginScript
* added an experimental scanner for replication usn check
* allows DNS Admin group to be moved to another OU than CN=Users (as a reminder, the group is selected based on its description)
* fix logon logoff script label inverted
* allow users to be in the guest group for their primary group (was Domain Users only before)
* record more details about the operating systems (and adapt the reload of previous reports)
* the rule A-LAPS-Not-Installed, previously informative, now scores 15 points. If the local admin password is set at install, the rule should be put in exception.
* many adaptation to be used with Ping Castle Enterprise

2.4.3.1
* add schemainfo checks
* rework the way replication metadata is collected

2.4.3.0
* fix compatibility problem with windows 2000
* fix bugs relative to --no-enum-limit, adminsdholder check, sidhistory without whencreated, reloading without threat model
* add check related to replication metadata (dsasignature, KrbtgtLastVersion)
* minor changes in the powerpoint reporting (more detail on the reporting frequency)
* new rule for mandatory AD backup (microsoft procedure)
* minor change in reporting (alphabetically order for risk model, ...)

2.4.2.0
* risk model in the healthcheck report
* checking for LAPS install
* scanner for ms17-010 (not in healthcheck)
* small report improvements
* small bug fixing (ex: if AdminSDHolder denied to authentiated users)

2.4.1.1
* better Samba compatibility (linux DC)
* added smb check functionalities & scanner for workstation
* added support for PSO
* rewrote "scanner" functionalities to be more user friendly
* adding dnsadmins as privileged group following https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83

2.4.1.0
* modified the healthcheck report and consolidation to be responsive
* added in PingCastleReporting the risk map (link between BU & entities)
* added in PingCastleReporting the Rules report (matched and explanation) and removed --export-hc-rule in PingCastle
* reworked the report to add a DC view (last startup - for patches, creation date, if presence of null session)
* add an alert for MS14-068 via startuptime
* changed P-AdminNum to be less strict (especially for forest root) and A-Krbtgt to be less agressive
* improve the explanation of some rules
* various bug fixes in PingCastleReporting

2.4.0.1
* modified some KPI in PingCastleReporting overview
* added the flag --smtptls
* modified the score computation algorithm to take part of migration information in the past (showing evolution of score)
* modify the bad primary group count by excluding members of guests group

2.4.0.0
* program rebranded to PingCastle
* added PingCastleReporting for management reports (powerpoint, history, ...)
* reworked the advanced module
  - added the live mode for advanced report
* handle many domains with the same FQDN (but different sid)
* rewrote the "Unknown domain" algorithm in xls which is reusing the graph made at consolidation
* add option to set an exception for all domains (set domain as "*" in the xls file)
* add all --explore options
* rules A-LoginScript, P-Disabled and S-PwdNeverExpires disabled
* added the rule P-DCOwner to check for DC ownership
* lowering the points to 0 for P-ServiceDomainAdmin if the passwords are changed regulary
* add netbios / sid information for forest of domains found indirectly (for matching existing domains)
* modify the simple node graph to add intermediate score and BU/Entity information when available
* added mail notification option if mail is read & smtp credential on command line
* added "details" for rules which are difficult to understand without specifics
* added the domain root for the delegation check
* disabled the check on dangerous permissions for migration sid history and unexpire password (too much false positives)
* added sidhistory information for groups to the sidhistory user information (to not forget to remove sidhistory for groups)

2.3.0.1 (cert-ist forum version)
* add the reachable mode (disabled by default, enabled by default if domain=* and used in interactive mode)
  This mode scans for domains outside trusts. Discover new domains when run on trusted domains.
* Reworked the domain maps for visualization and inclusing of the reachable mode data.
* Add Netbios information in the trust information to be able to match some reachable mode data.
* Remove the requirement for ADWS. LDAP is used if ADWS is not available (LDAP is far more slower than ADWS)

2.2.1.5
fix a problem when a distinguished name of an admin contain LDAP request char

2.2.1.4
fix a problem in the consolidation
fix a problem if a login script is invalid and cannot be parsed as a url

2.2.1.3
bug fixing (null session enabled on forest side, PreWin2000 group empty)
Simplify full graph with bidirectional nodes & red color for unprotected trusts
add a simplified graph