Locksmith v2023.07 releases: identify & remediate common misconfigurations in AD Certificate Services
Locksmith
A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate Services.
Mode 0 (Default) – Identify Issues and Output to Console
PS> .\Invoke-Locksmith.ps1
Running Invoke-Locksmith.ps1 with no parameters or -Mode 0 will scan the current forest and output all discovered AD CS issues to the console in Table format.
Mode 1 – Identify Issues + Fixes and Output to Console
PS> .\Invoke-Locksmith.ps1 -Mode 1
This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in List format.
Mode 2 – Identify Issues and Output to CSV
PS> .\Invoke-Locksmith.ps1 -Mode 2
Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.
Mode 3 – Identify Issues + Fixes and Output to CSV
PS> .\Invoke-Locksmith.ps1 -Mode 3
In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.
Mode 4 – Fix All Issues
PS> .\Invoke-Locksmith.ps1 -Mode 4
Mode 4 is the “easy button.” Running Locksmith in Mode 4 will identify all misconfigurations and attempt to fix each issue.
Changelog v2023.07
Improvements:
- All modes: Auditing check now uses FQDNs to contact CAs, which should improve results in multi-domain forests. (RGR)
- All modes: ESC2 check now includes “Any Purpose” EKU. (@TrimarcJake)
- All modes: Direct members of the domain Administrators, Cert Publishers, and Domain Admins groups from the invoking domain and direct members of the Enterprise Admins group have been added to the $SafeUsers list. This should minimize false positives in ESC1, ESC2, ESC4, and ESC5 checks. (@TrimarcJake)
- Modes 2 & 3: Technique IDs have been added to CSV output for easier reading. (@SamErde)
- General: usability improvements. (@SamErde)
Major bugs resolved:
- All modes: ESC8 checks now work in PowerShell 7. (@TrimarcJake)
- Mode 4: if no issues are found, Locksmith no longer crashes when attempting to create a script to revert its changes. (@techspence)
Known Issues:
- All modes: In multi-domain forests, red error text will flash immediately after invoking Locksmith. This is because Get-ADGroupMember doesn’t allow the use of global catalog servers, and @TrimarcJake is too tired to fix it right now.
- All modes: related to the issue above, domain Administrators, Cert Publishers, and Domain Admins from domains other than the domain where Locksmith was initially invoked are not added to the $SafeUsers list. These results are false positives.
- All modes: Members of groups nested in domain Administrators, Cert Publishers, Domain Admins, and Enterprise Admins are not added to the $SafeUsers list.
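The three known issues above share a root cause: Get-ADGroupMember cannot be pointed at a global catalog, so only the invoking domain's groups are enumerated. The following is an added example, not Locksmith's own code, of building a forest-wide $SafeUsers list by querying each domain's own DC instead of a GC; it assumes the ActiveDirectory module is available and that the caller can read group membership in every domain. The well-known RIDs used (512 Domain Admins, 517 Cert Publishers, 519 Enterprise Admins, S-1-5-32-544 BUILTIN\Administrators) avoid localized group names.

```powershell
# Added example (not from the Locksmith project): collect direct members of
# Administrators, Cert Publishers and Domain Admins from EVERY domain in the
# forest, plus Enterprise Admins from the forest root, without needing a GC.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$SafeUsers = [System.Collections.Generic.List[string]]::new()

# Set to $true to also pick up members of nested groups (addresses the third
# known issue above); $false mirrors the direct-members-only v2023.07 behaviour.
$IncludeNested = $false

foreach ($domain in $forest.Domains) {
    $domainSid = (Get-ADDomain -Identity $domain).DomainSID.Value
    $targets = @(
        'S-1-5-32-544',        # BUILTIN\Administrators (same SID in every domain)
        "$domainSid-517",      # Cert Publishers
        "$domainSid-512"       # Domain Admins
    )
    if ($domain -eq $forest.RootDomain) {
        $targets += "$rootSid-519"   # Enterprise Admins exists only in the root domain
    }

    foreach ($sid in $targets) {
        try {
            # -Server pins the lookup to a DC of that domain, so the group is
            # resolved locally and no global catalog query is attempted.
            Get-ADGroupMember -Identity $sid -Server $domain -Recursive:$IncludeNested -ErrorAction Stop |
                ForEach-Object { $SafeUsers.Add($_.SID.Value) }
        }
        catch {
            # Surface the failure instead of letting the red error text flash past.
            Write-Warning "Could not enumerate $sid in ${domain}: $($_.Exception.Message)"
        }
    }
}

# Store member SIDs rather than names so the list is stable across renames
# and comparable with the SIDs in AD CS template ACEs.
$SafeUsers = $SafeUsers | Sort-Object -Unique
"$($SafeUsers.Count) safe principals collected across $($forest.Domains.Count) domain(s)"
```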
Download
git clone https://github.com/TrimarcJake/Locksmith.git
Use
Copyright (c) 2022 Jake Hildreth
Source: https://github.com/TrimarcJake/