-
Notifications
You must be signed in to change notification settings - Fork 89
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'testing' into fix-auditingissues-esc6
- Loading branch information
Showing
8 changed files
with
631 additions
and
326 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,266 @@ | ||
| function Invoke-Remediation { | ||
| <# | ||
| .SYNOPSIS | ||
| Runs any remediation scripts available. | ||
| .DESCRIPTION | ||
| This function offers to run any remediation code associated with identified issues. | ||
| .PARAMETER AuditingIssues | ||
| A PS Object containing all necessary information about auditing issues. | ||
| .PARAMETER ESC1 | ||
| A PS Object containing all necessary information about ESC1 issues. | ||
| .PARAMETER ESC2 | ||
| A PS Object containing all necessary information about ESC2 issues. | ||
| .PARAMETER ESC3 | ||
| A PS Object containing all necessary information about ESC3 issues. | ||
| .PARAMETER ESC4 | ||
| A PS Object containing all necessary information about ESC4 issues. | ||
| .PARAMETER ESC5 | ||
| A PS Object containing all necessary information about ESC5 issues. | ||
| .PARAMETER ESC6 | ||
| A PS Object containing all necessary information about ESC6 issues. | ||
| .INPUTS | ||
| PS Objects | ||
| .OUTPUTS | ||
| Console output | ||
| #> | ||
|
|
||
| [CmdletBinding()] | ||
| param ( | ||
| $AuditingIssues, | ||
| $ESC1, | ||
| $ESC2, | ||
| $ESC3, | ||
| $ESC4, | ||
| $ESC5, | ||
| $ESC6 | ||
| ) | ||
|
|
||
| Write-Host "`nExecuting Mode 4 - Attempting to fix identified issues!`n" -ForegroundColor Green | ||
| Write-Host 'Creating a script (' -NoNewline | ||
| Write-Host 'Invoke-RevertLocksmith.ps1' -ForegroundColor White -NoNewline | ||
| Write-Host ") which can be used to revert all changes made by Locksmith...`n" | ||
| try { | ||
| Export-RevertScript -AuditingIssues $AuditingIssues -ESC1 $ESC1 -ESC2 $ESC2 -ESC3 $ESC3 -ESC4 $ESC4 -ESC5 $ESC5 -ESC6 $ESC6 | ||
| } catch { | ||
| Write-Warning 'Creation of Invoke-RevertLocksmith.ps1 failed.' | ||
| Write-Host "Continue with this operation? [Y] Yes " -NoNewline | ||
| Write-Host "[N] " -ForegroundColor Yellow -NoNewline | ||
| Write-Host "No: " -NoNewLine | ||
| $WarningError = '' | ||
| $WarningError = Read-Host | ||
| if ($WarningError -like 'y') { | ||
| # Continue | ||
| } else { | ||
| break | ||
| } | ||
| } | ||
| if ($AuditingIssues) { | ||
| $AuditingIssues | ForEach-Object { | ||
| $FixBlock = [scriptblock]::Create($_.Fix) | ||
| Write-Host 'ISSUE:' -ForegroundColor White | ||
| Write-Host "Auditing is not fully enabled on Certification Authority `"$($_.Name)`".`n" | ||
| Write-Host 'TECHNIQUE:' -ForegroundColor White | ||
| Write-Host "$($_.Technique)`n" | ||
| Write-Host 'ACTION TO BE PERFORMED:' -ForegroundColor White | ||
| Write-Host "Locksmith will attempt to fully enable auditing on Certification Authority `"$($_.Name)`".`n" | ||
| Write-Host 'COMMAND(S) TO BE RUN:' | ||
| Write-Host 'PS> ' -NoNewline | ||
| Write-Host "$($_.Fix)`n" -ForegroundColor Cyan | ||
| Write-Host 'OPERATIONAL IMPACT:' -ForegroundColor White | ||
| Write-Host "This change should have little to no impact on the AD CS environment.`n" -ForegroundColor Green | ||
| Write-Host "If you continue, Locksmith will attempt to fix this issue.`n" -ForegroundColor Yellow | ||
| Write-Host "Continue with this operation? [Y] Yes " -NoNewline | ||
| Write-Host "[N] " -ForegroundColor Yellow -NoNewline | ||
| Write-Host "No: " -NoNewLine | ||
| $WarningError = '' | ||
| $WarningError = Read-Host | ||
| if ($WarningError -like 'y') { | ||
| try { | ||
| Invoke-Command -ScriptBlock $FixBlock | ||
| } catch { | ||
| Write-Error 'Could not modify AD CS auditing. Are you a local admin on the CA host?' | ||
| } | ||
| } else { | ||
| Write-Host "SKIPPED!`n" -ForegroundColor Yellow | ||
| } | ||
| } | ||
| } | ||
| if ($ESC1) { | ||
| $ESC1 | ForEach-Object { | ||
| $FixBlock = [scriptblock]::Create($_.Fix) | ||
| Write-Host 'ISSUE:' -ForegroundColor White | ||
| Write-Host "Security Principals can enroll in `"$($_.Name)`" template using a Subject Alternative Name without Manager Approval.`n" | ||
| Write-Host 'TECHNIQUE:' -ForegroundColor White | ||
| Write-Host "$($_.Technique)`n" | ||
| Write-Host 'ACTION TO BE PERFORMED:' -ForegroundColor White | ||
| Write-Host "Locksmith will attempt to enable Manager Approval on the `"$($_.Name)`" template.`n" | ||
| Write-Host 'CCOMMAND(S) TO BE RUN:' | ||
| Write-Host 'PS> ' -NoNewline | ||
| Write-Host "$($_.Fix)`n" -ForegroundColor Cyan | ||
| Write-Host 'OPERATIONAL IMPACT:' -ForegroundColor White | ||
| Write-Host "WARNING: This change could cause some services to stop working until certificates are approved.`n" -ForegroundColor Yellow | ||
| Write-Host "If you continue, Locksmith will attempt to fix this issue.`n" -ForegroundColor Yellow | ||
| Write-Host "Continue with this operation? [Y] Yes " -NoNewline | ||
| Write-Host "[N] " -ForegroundColor Yellow -NoNewline | ||
| Write-Host "No: " -NoNewLine | ||
| $WarningError = '' | ||
| $WarningError = Read-Host | ||
| if ($WarningError -like 'y') { | ||
| try { | ||
| Invoke-Command -ScriptBlock $FixBlock | ||
| } catch { | ||
| Write-Error 'Could not enable Manager Approval. Are you an Active Directory or AD CS admin?' | ||
| } | ||
| } else { | ||
| Write-Host "SKIPPED!`n" -ForegroundColor Yellow | ||
| } | ||
|
|
||
| } | ||
| } | ||
| if ($ESC2) { | ||
| $ESC2 | ForEach-Object { | ||
| $FixBlock = [scriptblock]::Create($_.Fix) | ||
| Write-Host 'ISSUE:' -ForegroundColor White | ||
| Write-Host "Security Principals can enroll in `"$($_.Name)`" template and create a Subordinate Certification Authority without Manager Approval.`n" | ||
| Write-Host 'TECHNIQUE:' -ForegroundColor White | ||
| Write-Host "$($_.Technique)`n" | ||
| Write-Host 'ACTION TO BE PERFORMED:' -ForegroundColor White | ||
| Write-Host "Locksmith will attempt to enable Manager Approval on the `"$($_.Name)`" template.`n" | ||
| Write-Host 'COMMAND(S) TO BE RUN:' -ForegroundColor White | ||
| Write-Host 'PS> ' -NoNewline | ||
| Write-Host "$($_.Fix)`n" -ForegroundColor Cyan | ||
| Write-Host 'OPERATIONAL IMPACT:' -ForegroundColor White | ||
| Write-Host "WARNING: This change could cause some services to stop working until certificates are approved.`n" -ForegroundColor Yellow | ||
| Write-Host "If you continue, Locksmith will attempt to fix this issue.`n" -ForegroundColor Yellow | ||
| Write-Host "Continue with this operation? [Y] Yes " -NoNewline | ||
| Write-Host "[N] " -ForegroundColor Yellow -NoNewline | ||
| Write-Host "No: " -NoNewLine | ||
| $WarningError = '' | ||
| $WarningError = Read-Host | ||
| if ($WarningError -like 'y') { | ||
| try { | ||
| Invoke-Command -ScriptBlock $FixBlock | ||
| } catch { | ||
| Write-Error 'Could not enable Manager Approval. Are you an Active Directory or AD CS admin?' | ||
| } | ||
| } else { | ||
| Write-Host "SKIPPED!`n" -ForegroundColor Yellow | ||
| } | ||
| } | ||
| } | ||
| if ($ESC4) { | ||
| $ESC4 | Where-Object Issue -like "* Owner rights *" | ForEach-Object { # This selector sucks - Jake | ||
| $FixBlock = [scriptblock]::Create($_.Fix) | ||
| Write-Host 'ISSUE:' -ForegroundColor White | ||
| Write-Host "$($_.Issue)`n" | ||
| Write-Host 'TECHNIQUE:' -ForegroundColor White | ||
| Write-Host "$($_.Technique)`n" | ||
| Write-Host 'ACTION TO BE PERFORMED:' -ForegroundColor White | ||
| Write-Host "Locksmith will attempt to set the owner of `"$($_.Name)`" template to Enterprise Admins.`n" | ||
| Write-Host 'COMMAND(S) TO BE RUN:' -ForegroundColor White | ||
| Write-Host 'PS> ' -NoNewline | ||
| Write-Host "$($_.Fix)`n" -ForegroundColor Cyan | ||
| Write-Host 'OPERATIONAL IMPACT:' -ForegroundColor White | ||
| Write-Host "This change should have little to no impact on the AD CS environment.`n" -ForegroundColor Green | ||
| Write-Host "If you continue, Locksmith will attempt to fix this issue.`n" -ForegroundColor Yellow | ||
| Write-Host "Continue with this operation? [Y] Yes " -NoNewline | ||
| Write-Host "[N] " -ForegroundColor Yellow -NoNewline | ||
| Write-Host "No: " -NoNewLine | ||
| $WarningError = '' | ||
| $WarningError = Read-Host | ||
| if ($WarningError -like 'y') { | ||
| try { | ||
| Invoke-Command -ScriptBlock $FixBlock | ||
| } catch { | ||
| Write-Error 'Could not change Owner. Are you an Active Directory admin?' | ||
| } | ||
| } else { | ||
| Write-Host "SKIPPED!`n" -ForegroundColor Yellow | ||
| } | ||
| } | ||
| } | ||
| if ($ESC5) { | ||
| $ESC5 | Where-Object Issue -like "* Owner rights *" | ForEach-Object { # This selector sucks - Jake | ||
| $FixBlock = [scriptblock]::Create($_.Fix) | ||
| Write-Host 'ISSUE:' -ForegroundColor White | ||
| Write-Host "$($_.Issue)`n" | ||
| Write-Host 'TECHNIQUE:' -ForegroundColor White | ||
| Write-Host "$($_.Technique)`n" | ||
| Write-Host 'ACTION TO BE PERFORMED:' -ForegroundColor White | ||
| Write-Host "Locksmith will attempt to set the owner of `"$($_.Name)`" object to Enterprise Admins.`n" | ||
| Write-Host 'COMMAND(S) TO BE RUN:' -ForegroundColor White | ||
| Write-Host 'PS> ' -NoNewline | ||
| Write-Host "$($_.Fix)`n" -ForegroundColor Cyan | ||
| Write-Host 'OPERATIONAL IMPACT:' -ForegroundColor White | ||
| Write-Host "This change should have little to no impact on the AD CS environment.`n" -ForegroundColor Green | ||
| Write-Host "If you continue, Locksmith will attempt to fix this issue.`n" -ForegroundColor Yellow | ||
| Write-Host "Continue with this operation? [Y] Yes " -NoNewline | ||
| Write-Host "[N] " -ForegroundColor Yellow -NoNewline | ||
| Write-Host "No: " -NoNewLine | ||
| $WarningError = '' | ||
| $WarningError = Read-Host | ||
| if ($WarningError -like 'y') { | ||
| try { | ||
| Invoke-Command -ScriptBlock $FixBlock | ||
| } catch { | ||
| Write-Error 'Could not change Owner. Are you an Active Directory admin?' | ||
| } | ||
| } else { | ||
| Write-Host "SKIPPED!`n" -ForegroundColor Yellow | ||
| } | ||
| } | ||
| } | ||
| if ($ESC6) { | ||
| $ESC6 | ForEach-Object { | ||
| $FixBlock = [scriptblock]::Create($_.Fix) | ||
| Write-Host 'ISSUE:' -ForegroundColor White | ||
| Write-Host "The Certification Authority `"$($_.Name)`" has the dangerous EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled.`n" | ||
| Write-Host 'TECHNIQUE:' -ForegroundColor White | ||
| Write-Host "$($_.Technique)`n" | ||
| Write-Host 'ACTION TO BE PERFORMED:' -ForegroundColor White | ||
| Write-Host "Locksmith will attempt to disable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on Certifiction Authority `"$($_.Name)`".`n" | ||
| Write-Host 'COMMAND(S) TO BE RUN' -ForegroundColor White | ||
| Write-Host 'PS> ' -NoNewline | ||
| Write-Host "$($_.Fix)`n" -ForegroundColor Cyan | ||
| $WarningError = 'n' | ||
| Write-Host 'OPERATIONAL IMPACT:' -ForegroundColor White | ||
| Write-Host "WARNING: This change could cause some services to stop working.`n" -ForegroundColor Yellow | ||
| Write-Host "If you continue, Locksmith will attempt to fix this issue.`n" -ForegroundColor Yellow | ||
| Write-Host "Continue with this operation? [Y] Yes " -NoNewline | ||
| Write-Host "[N] " -ForegroundColor Yellow -NoNewline | ||
| Write-Host "No: " -NoNewLine | ||
| $WarningError = '' | ||
| $WarningError = Read-Host | ||
| if ($WarningError -like 'y') { | ||
| try { | ||
| Invoke-Command -ScriptBlock $FixBlock | ||
| } catch { | ||
| Write-Error 'Could not disable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. Are you an Active Directory or AD CS admin?' | ||
| } | ||
| } else { | ||
| Write-Host "SKIPPED!`n" -ForegroundColor Yellow | ||
| } | ||
| } | ||
| } | ||
|
|
||
| Write-Host "Mode 4 Complete! There are no more issues that Locksmith can automatically resolve.`n" -ForegroundColor Green | ||
| Write-Host 'If you experience any operational impact from using Locksmith Mode 4, use ' -NoNewline | ||
| Write-Host 'Invoke-RevertLocksmith.ps1 ' -ForegroundColor White | ||
| Write-Host "to revert all changes made by Locksmith. It can be found in the current working directory.`n" | ||
| Write-Host @" | ||
| REMINDER: Locksmith cannot automatically resolve all AD CS issues at this time. | ||
| There may be more AD CS issues remaining in your environment. | ||
| Use Locksmith in Modes 0-3 to further investigate your environment | ||
| or reach out to the Locksmith team for assistance. We'd love to help!`n | ||
| "@ -ForegroundColor Yellow | ||
| } |
Oops, something went wrong.