Locksmith v2023.07 releases: identify & remediate common misconfigurations in AD Certificate Services

Locksmith

A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate Services.

Mode 0 (Default) – Identify Issues and Output to Console

PS> .\Invoke-Locksmith.ps1

Running Invoke-Locksmith.ps1 with no parameters or -Mode 0 will scan the current forest and output all discovered AD CS issues to the console in Table format.

Mode 1 – Identify Issues + Fixes and Output to Console

PS> .\Invoke-Locksmith.ps1 -Mode 1

This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in List format.

Mode 2 – Identify Issues and Output to CSV

PS> .\Invoke-Locksmith.ps1 -Mode 2

Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.

Mode 3 – Identify Issues + Fixes and Output to CSV

PS> .\Invoke-Locksmith.ps1 -Mode 3

In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.

Mode 4 – Fix All Issues

PS> .\Invoke-Locksmith.ps1 -Mode 4

Mode 4 is the “easy button.” Running Locksmith in Mode 4 will identify all misconfigurations and attempt to fix each issue.

Changelog v2023.07

Improvements:

  • All modes: Auditing check now uses FQDNs to contact CAs which should improve results in multi-domain forests. (RGR)
  • All modes: ESC2 check now includes “Any Purpose” EKU. (@TrimarcJake)
  • All modes: Direct members of the domain Administrators, Cert Publishers, and Domain Admins groups from the invoking domain and direct members of the Enterprise Admins group have been added to the $SafeUsers list. This should minimize false positives in ESC1, ESC2, ESC4, and ESC5 checks. (@TrimarcJake)
  • Modes 2 & 3: Technique IDs have been added to CSV output for easier reading. (@SamErde)
  • General: usability improvements. (@SamErde)

Major bugs resolved:

  • All modes: ESC8 checks now work in PowerShell 7. (@TrimarcJake)
  • Mode 4: if no issues are found, Locksmith no longer crashes when attempting to create a script to revert its changes. (@techspence)

Known Issues:

  • All modes: In multi-domain forests, red error text will flash immediately after invoking Locksmith. This is because Get-ADGroupMember doesn’t allow the use of global catalog servers, and @TrimarcJake is too tired to fix it right now.
  • All modes: related to the issue above, domain Administrators, Cert Publishers, and Domain Admins from domains other than the domain where Locksmith was initially invoked are not added to the $SafeUsers list. These results are false positives.
  • All modes: Members of groups nested in domain Administrators, Cert Publishers, Domain Admins, and Enterprise Admins are not added to the $SafeUsers list.
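All three known issues come from how the $SafeUsers list is populated. As an added illustration (not Locksmith's own code), the PowerShell below builds a forest-wide list of direct and nested members of Administrators (well-known SID S-1-5-32-544), Cert Publishers (RID 517) and Domain Admins (RID 512) in every domain, plus Enterprise Admins (RID 519) in the forest root, by pointing Get-ADGroupMember at a domain controller of each domain with -Server instead of a global catalog. The function name Get-ForestSafeUsers is an assumption of this example; it requires the ActiveDirectory module and read access to each domain.

```powershell
# Added example (not part of Locksmith): forest-wide privileged principals, nested members included,
# for comparison against Locksmith findings. Assumes the ActiveDirectory module and read rights in every domain.
Import-Module ActiveDirectory

function Get-ForestSafeUsers {
    [CmdletBinding()]
    param ()

    $forest  = Get-ADForest
    $rootDom = Get-ADDomain -Identity $forest.RootDomain
    $safe    = [System.Collections.Generic.List[string]]::new()

    # Administrators is a built-in group with a fixed SID; the others are RIDs appended to the domain SID.
    $groupsPerDomain = @(
        @{ Sid = 'S-1-5-32-544'; Name = 'Administrators' },
        @{ Rid = 517;            Name = 'Cert Publishers' },
        @{ Rid = 512;            Name = 'Domain Admins' }
    )

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dc     = $domain.PDCEmulator   # a DC of this domain, not a global catalog

        $targets = @(foreach ($g in $groupsPerDomain) {
            if ($g.Sid) { $g.Sid } else { "$($domain.DomainSID)-$($g.Rid)" }
        })
        # Enterprise Admins (RID 519) exists only in the forest root domain.
        if ($domainName -eq $forest.RootDomain) { $targets += "$($rootDom.DomainSID)-519" }

        foreach ($sid in $targets) {
            try {
                # -Recursive expands nested groups, which the release notes say Locksmith does not yet do.
                $members = Get-ADGroupMember -Identity $sid -Server $dc -Recursive -ErrorAction Stop
                foreach ($m in $members) {
                    if ($m.objectClass -in 'user', 'computer') {
                        $safe.Add("$($m.SID.Value)|$($domain.NetBIOSName)\$($m.SamAccountName)")
                    }
                }
            } catch {
                # Foreign security principals from other domains can make -Recursive fail; report and continue.
                Write-Warning "Could not expand $sid via $dc : $($_.Exception.Message)"
            }
        }
    }
    $safe | Sort-Object -Unique
}

Get-ForestSafeUsers
```

Any principal Locksmith flags under ESC1, ESC2, ESC4 or ESC5 that appears in this list is one of the false positives the notes describe.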

Download

git clone https://github.com/TrimarcJake/Locksmith.git

Copyright (c) 2022 Jake Hildreth

Source: https://github.com/TrimarcJake/