PingCastle 2.11.0.0

ADWS/ADItem.cs

@@ -175,6 +175,8 @@ static ADItem()
         public ActiveDirectorySecurity msDSAllowedToActOnBehalfOfOtherIdentity { get; set; }
         [ADAttributeAttribute("msDS-AllowedToDelegateTo", ADAttributeValueKind.StringArrayValue)]
         public string[] msDSAllowedToDelegateTo { get; set; }
+        [ADAttributeAttribute("msDS-Approx-Immed-Subordinates", ADAttributeValueKind.IntValue)]
+        public int msDSApproxImmedSubordinates { get; set; }
         [ADAttributeAttribute("mS-DS-CreatorSID", ADAttributeValueKind.SIDValue)]
         public SecurityIdentifier msDSCreatorSID { get; set; }
         [ADAttributeAttribute("msDS-EnabledFeature", ADAttributeValueKind.StringArrayValue)]
@@ -223,6 +225,12 @@ static ADItem()
         public string msPKIRAApplicationPolicies { get; set; }
         [ADAttributeAttribute("msPKI-Template-Schema-Version", ADAttributeValueKind.IntValue)]
         public int msPKITemplateSchemaVersion { get; set; }
+        [ADAttributeAttribute("mSSMSCapabilities", ADAttributeValueKind.StringValue)]
+        public string mSSMSCapabilities { get; set; }
+        [ADAttributeAttribute("mSSMSMPName", ADAttributeValueKind.StringValue)]
+        public string mSSMSMPName { get; set; }
+        [ADAttributeAttribute("mSSMSVersion", ADAttributeValueKind.IntValue)]
+        public int mSSMSVersion { get; set; }
         [ADAttributeAttribute("msiFileList", ADAttributeValueKind.StringArrayValue)]
         public string[] msiFileList { get; set; }
         [ADAttributeAttribute("name", ADAttributeValueKind.StringValue)]

ADWS/ADWSConnection.cs

@@ -11,6 +11,7 @@
 using System.DirectoryServices.ActiveDirectory;
 using System.IO;
 using System.Net;
+using System.Runtime.Serialization;
 using System.Security.Permissions;
 using System.ServiceModel;
 using System.Text;
@@ -396,6 +397,24 @@ private void EnumerateInternalWithADWS(string distinguishedName, string filter,
 					var stringValue = Convert.ToString(stringWriter);
 					Trace.WriteLine("Detail:");
 					Trace.WriteLine(stringValue);
+                    var detail = messageFault.GetDetail<schemas.microsoft.com._2008._1.ActiveDirectory.FaultDetail>();
+                    // non existing object - do not throw an exception if the object does not exist
+                    if (detail != null && detail.DirectoryError != null)
+                    {
+                        var de = detail.DirectoryError;
+                        foreach (var node in detail.DirectoryError.Nodes)
+                        {
+                            if (node.Name == "Win32ErrorCode")
+                            {
+                                string error = node.InnerText;
+                                if (error == "8240")
+                                {
+                                    return;
+                                }
+                                break;
+                            }
+                        }
+                    }
 					throw new PingCastleException("An ADWS exception occured (fault:" + ex.Message + ";reason:" + ex.Reason + ").\r\nADWS is a faster protocol than LDAP but bound to a default 30 minutes limitation. If this error persists, we recommand to force the LDAP protocol. Run PingCastle with the following switches: --protocol LDAPOnly --interactive");
 				}
 				Trace.WriteLine("[" + DateTime.Now.ToLongTimeString() + "]Pull successful");

ADWS/LDAPConnection.cs

@@ -140,6 +140,12 @@ private void EnumerateInternalWithLDAP(string distinguishedName, string filter,
                     Trace.WriteLine("Translating DirectoryServicesCOMException to UnauthorizedAccessException");
                     throw new UnauthorizedAccessException(ex.Message);
                 }
+                if (ex.ErrorCode == -2147016656)
+                {
+                    // no such object
+                    Trace.WriteLine(ex.Message);
+                    return;
+                }
                 throw;
             }
         }

Bot/Bot.cs

@@ -1,5 +1,6 @@
 using PingCastle.Data;
 using PingCastle.Healthcheck;
+using PingCastle.Report;
 using PingCastle.Rules;
 using System;
 using System.Collections.Generic;
@@ -193,7 +194,7 @@ private BotInputOutput ToHtml(BotInputOutput input)
                 using (var ms = new MemoryStream(UnicodeEncoding.UTF8.GetBytes(xml)))
                 {
                     HealthcheckData healthcheckData = DataHelper<HealthcheckData>.LoadXml(ms, "bot", null);
-                    var endUserReportGenerator = PingCastleFactory.GetEndUserReportGenerator<HealthcheckData>();
+                    var endUserReportGenerator = new ReportHealthCheckSingle();
                     var license = LicenseManager.Validate(typeof(Program), new Program()) as ADHealthCheckingLicense;
                     var report = endUserReportGenerator.GenerateReportFile(healthcheckData, license, healthcheckData.GetHumanReadableFileName());
 

Data/HealthcheckData.cs

@@ -61,6 +61,55 @@ public class HealthCheckCertificateTemplate
         [XmlAttribute]
         public bool HasAuthenticationEku { get; set; }
         public List<HealthcheckDelegationData> Delegations { get; set; }
+
+        [XmlAttribute]
+        public bool NoSecurityExtension { get; set; }
+    }
+
+    [DebuggerDisplay("{Name}")]
+    public class HealthCheckCertificateEnrollment
+    {
+        [XmlAttribute]
+        public string Name { get; set; }
+
+        [XmlAttribute]
+        public string OID { get; set; }
+
+        public List<string> SSLProtocol { get; set; }
+
+        [XmlAttribute]
+        public bool WebEnrollmentHttps { get; set; }
+
+        [XmlAttribute]
+        public bool WebEnrollmentHttp { get; set; }
+
+        [XmlAttribute]
+        public bool WebEnrollmentChannelBindingDisabled { get; set; }
+
+        [XmlAttribute]
+        public bool CESHttp { get; set; }
+
+        [XmlAttribute]
+        public bool CESHttps { get; set; }
+
+        [XmlAttribute]
+        public bool CESChannelBindingDisabled { get; set; }
+
+    }
+
+    [DebuggerDisplay("{Name}")]
+    public class HealthCheckSCCMServer
+    {
+        [XmlAttribute]
+        public string Name { get; set; }
+
+        public string Capabilities { get; set; }
+
+        [XmlAttribute]
+        public string MPName { get; set; }
+
+        [XmlAttribute]
+        public int Version { get; set; }
     }
 
     [DebuggerDisplay("{DN} {ClassName} {DNS}")]
@@ -268,6 +317,8 @@ public class HealthCheckTrustData
 
         public string NetBiosName { get; set; }
 
+        public int msDSSupportedEncryptionTypes { get; set; }
+
         public List<HealthCheckTrustDomainInfoData> KnownDomains { get; set; }
 
         private DomainKey _domain;
@@ -284,7 +335,6 @@ public DomainKey Domain
                 return _domain;
             }
         }
-
     }
 
     [DebuggerDisplay("{GPOName} {UserName}")]
@@ -457,6 +507,7 @@ public void Add(HealthcheckAccountData x)
             NumberActive += x.NumberActive;
             NumberBadPrimaryGroup += x.NumberBadPrimaryGroup;
             NumberDesEnabled += x.NumberDesEnabled;
+            NumberNotAesEnabled += x.NumberNotAesEnabled;
             NumberDisabled += x.NumberDisabled;
             NumberEnabled += x.NumberEnabled;
             NumberInactive += x.NumberInactive;
@@ -524,6 +575,11 @@ public void Add(HealthcheckAccountData x)
         public bool ShouldSerializeListDesEnabled() { return (int)Level <= (int)PingCastleReportDataExportLevel.Full; }
         public List<HealthcheckAccountDetailData> ListDesEnabled { get; set; }
 
+        public int NumberNotAesEnabled { get; set; }
+
+        public bool ShouldSerializeListNotAesEnabled() { return (int)Level <= (int)PingCastleReportDataExportLevel.Full; }
+        public List<HealthcheckAccountDetailData> ListNotAesEnabled { get; set; }
+
         public int NumberTrustedToAuthenticateForDelegation { get; set; }
 
         public bool ShouldSerializeListTrustedToAuthenticateForDelegation() { return (int)Level <= (int)PingCastleReportDataExportLevel.Full; }
@@ -961,6 +1017,10 @@ public class HealthcheckDomainController
 
         public List<string> LDAPSProtocols { get; set; }
 
+        public bool ChannelBindingDisabled { get; set; }
+
+        public bool LdapServerSigningRequirementDisabled { get; set; }
+
         public DateTime PwdLastSet { get; set; }
 
         public string RegistrationProblem { get; set; }
@@ -989,6 +1049,10 @@ public class HealthcheckDomainController
         [XmlAttribute]
         [DefaultValue(false)]
         public bool AzureADKerberos { get; set; }
+
+        [XmlAttribute]
+        [DefaultValue(false)]
+        public bool WebClientEnabled { get; set; }
     }
 
     [XmlType("delegation")]
@@ -1192,6 +1256,7 @@ public Dictionary<string, GPOInfo> GPOInfoDic
         public int SchemaVersion { get; set; }
         public int SchemaInternalVersion { get; set; }
         public bool IsRecycleBinEnabled { get; set; }
+        public DateTime DCWin2008Install { get; set; }
 
         public DateTime SchemaLastChanged { get; set; }
         public int NumberOfDC { get; set; }
@@ -1270,6 +1335,9 @@ public Dictionary<string, GPOInfo> GPOInfoDic
         public bool ShouldSerializeLAPSInstalled() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
         public DateTime LAPSInstalled { get; set; }
 
+        public bool ShouldSerializeSCCMInstalled() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
+        public DateTime SCCMInstalled { get; set; }
+
         public bool ShouldSerializeListLAPSJoinedComputersToReview() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
         public List<HealthcheckAccountDetailData> ListLAPSJoinedComputersToReview { get; set; }
 
@@ -1337,6 +1405,12 @@ public Dictionary<string, GPOInfo> GPOInfoDic
         public bool ShouldSerializeCertificateTemplates() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
         public List<HealthCheckCertificateTemplate> CertificateTemplates { get; set; }
 
+        public bool ShouldSerializeCertificateEnrollments() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
+        public List<HealthCheckCertificateEnrollment> CertificateEnrollments { get; set; }
+
+        public bool ShouldSerializeSCCMServers() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
+        public List<HealthCheckSCCMServer> SCCMServers { get; set; }
+
         public bool ShouldSerializePrivilegedGroups() { return (int)Level <= (int)PingCastleReportDataExportLevel.Light; }
         public List<HealthCheckGroupData> PrivilegedGroups { get; set; }
 
@@ -1403,6 +1477,9 @@ public Dictionary<string, GPOInfo> GPOInfoDic
         public bool ShouldSerializeAzureADSSOVersion() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
         public int AzureADSSOVersion { get; set; }
 
+        public bool ShouldSerializeAzureADSSOEncryptionType() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
+        public int AzureADSSOEncryptionType { get; set; }
+
         public bool ShouldSerializePrivilegedDistributionLastLogon() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
         public List<HealthcheckPwdDistributionData> PrivilegedDistributionLastLogon { get; set; }
 
@@ -1519,5 +1596,6 @@ public IList<DomainKey> DomainKnown
         }
 
         public CompromiseGraphData ControlPaths { get; set; }
+
     }
 }

Exports/ExportComputers.cs

@@ -55,7 +55,7 @@ public override void Export(string filename)
                         (ADItem x) =>
                         {
                             var d = new AddData();
-                            HealthcheckAnalyzer.ProcessAccountData(d, x, false);
+                            HealthcheckAnalyzer.ProcessAccountData(d, x, false, default(DateTime));
                             if ((++export % 500) == 0)
                             {
                                 DisplayAdvancement("Exported: " + export);

Exports/ExportUsers.cs

@@ -51,7 +51,7 @@ public override void Export(string filename)
                         (ADItem x) =>
                         {
                             var d = new AddData();
-                            HealthcheckAnalyzer.ProcessAccountData(d, x, false);
+                            HealthcheckAnalyzer.ProcessAccountData(d, x, false, default(DateTime));
                             if ((++export % 500) == 0)
                             {
                                 DisplayAdvancement("Exported: " + export);

Graph/Export/ExportDataFromActiveDirectoryLive.cs

@@ -101,11 +101,18 @@ private void AddDnsAdmins(GraphObjectReference objectReference)
                     objectReference.Objects[CompromiseGraphDataTypology.PrivilegedAccount].Add(new GraphSingleObject(x.ObjectSid.Value, GraphObjectReference.DnsAdministrators, CompromiseGraphDataObjectRisk.Medium));
                     dnsAdminFound = true;
                 };
-            // we do a one level search just case the group is in the default position
-            adws.Enumerate("CN=Users," + domainInfo.DefaultNamingContext, "(&(objectClass=group)(description=DNS Administrators Group))", properties, callback, "OneLevel");
-            if (!dnsAdminFound)
+            try
+            {
+                // we do a one level search just case the group is in the default position
+                adws.Enumerate("CN=Users," + domainInfo.DefaultNamingContext, "(&(objectClass=group)(description=DNS Administrators Group))", properties, callback, "OneLevel");
+                if (!dnsAdminFound)
+                {
+                    adws.Enumerate("CN=Users," + domainInfo.DefaultNamingContext, "(&(objectClass=group)(sAMAccountName=DNSAdmins))", properties, callback, "OneLevel");
+                }
+            }
+            catch(Exception)
             {
-                adws.Enumerate("CN=Users," + domainInfo.DefaultNamingContext, "(&(objectClass=group)(sAMAccountName=DNSAdmins))", properties, callback, "OneLevel");
+                // trap silently the exception if the users container has been removed
             }
             if (!dnsAdminFound)
             {
@@ -163,7 +170,7 @@ private void BuildDirectDelegationData()
                             if (!map[spn[1]].Contains(sid))
                                 map[spn[1]].Add(sid);
                         }
-                        if ((aditem.UserAccountControl & 0x80000) != 0)
+                        if ((aditem.UserAccountControl & 0x1000000) != 0)
                         {
                             protocolTransitionSid.Add(aditem.ObjectSid.Value);
                         }

Healthcheck/FakeHealthCheckDataGenerator.cs

@@ -424,7 +424,7 @@ private void GenerateUserData(FakeHealthCheckDataGeneratorDomainModel model, Hea
                 // trusted to authenticate
                 x.UserAccountControl += BoolOnChance(2) * 0x80000;
                 x.PrimaryGroupID = 515 + BoolOnChance(1);
-                HealthcheckAnalyzer.ProcessAccountData(healthcheckData.UserAccountData, x, false);
+                HealthcheckAnalyzer.ProcessAccountData(healthcheckData.UserAccountData, x, false, default(DateTime));
 
             }
             healthcheckData.LoginScript = new List<HealthcheckLoginScriptData>();
@@ -453,7 +453,7 @@ private void GenerateComputerData(FakeHealthCheckDataGeneratorDomainModel model,
                 // trusted to authenticate
                 x.UserAccountControl += BoolOnChance(2) * 0x80000;
                 x.PrimaryGroupID = 515 + BoolOnChance(1);
-                HealthcheckAnalyzer.ProcessAccountData(healthcheckData.ComputerAccountData, x, true);
+                HealthcheckAnalyzer.ProcessAccountData(healthcheckData.ComputerAccountData, x, true, default(DateTime));
             }
             healthcheckData.LoginScript = new List<HealthcheckLoginScriptData>();