Conversation

Notices

1. Embed this notice
   Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 13-Mar-2024 01:12:54 JST Jake Hildreth (acorn) :blacker_heart_outline:

   • Jake Hildreth (acorn) :blacker_heart_outline:

   Locksmith AD CS Remediation Tool v2024.3 Now Available!

   A Little Icing but Mostly Cake

   Cake: Fixing bugs, adding new functionality
   Icing: Making things look better for the end user or easier to use for developers

   Improvements:

   • Eliminated duplicated ownership check in ESC4/5. We can and should have opinions, and the opinion is that only AD Admins should own PKS objects and templates.
   • Filtered Deny ACEs from ESC4/5. This is not an Effective Access check, but it does cut down on false positives. Added flowcharts that explain severity for each finding. Added comment-based help to every function.Added instructions for Scans parameter to the README.

   In Progress:

   • Check to see if Locksmith is up to date. Provide links for latest version if not up to date.
   • Check to see if user running Locksmith is a member of the Protected Users group. PUG membership will impact ESC8 checks.
   • Check for ESC9. It was announced in August 2022, so Locksmith is late to the game.

   Known Issues:

   • msPKI-Certificate-Name-Flag check in ESC1-3 currently uses a direct comparison (-eq) instead of a bitwise comparison (-band) which could result in false negatives.
   • ESC8 checks reports all endpoints as HTTP even when HTTPS.

   Contributors:
   @samerde
   @horse

   Get it her: https://github.com/TrimarcJake/Locksmith/releases/tag/v2024.3

   • Embed this notice
     Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Wednesday, 13-Mar-2024 01:40:12 JST Jake Hildreth (acorn) :blacker_heart_outline:

     in reply to

     @samerde This is also a very important release because I got all the Markdown formatting correct for Mastodon on my first try!