A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
OTHER License
Cake: Fixing bugs, adding new functionality
Icing: Making things look better for the end user or easier to use for developers
- A check used an equality comparison (-eq) instead of a bitwise comparison (-band), which could result in false negatives.
Published by TrimarcJake 9 months ago
No long-winded notes this month. Instead, I'll just wish my wife a happy birthday! She's the best. ❤️💜💙
- Improvements to -Mode 4. - @TrimarcJake
- Changes around Add-Member usage (slightly faster code that's much easier to read). - @TrimarcJake
- -Scans parameter to limit your search to just a specific issue. - @SamErde
Published by TrimarcJake 10 months ago
This month, the Locksmith team discovered people are actually using Mode 4 (auto-remediation) in the wild. To be honest, we let Mode 4 languish because none of us would trust a fully automated remediation tool... even if we wrote it!
But since it's being used, we should definitely improve it. The new Mode 4 is much more explicit about what the issue is, why it's an issue, and how it will be remediated. Lastly, the Operational Impact is spelled out in plain language and color coded so it's more obvious when a fix may negatively impact operations.
After Locksmith is done fixing stuff on your behalf, you'll get an indicator that it's done instead of just dropping back to the console.
We also resolved some output issues (fewer duplicates), false positives (bitwise math is weird), and cleaned up the scripts used to build the project.
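The bitwise point mentioned here and in the -eq/-band fix above, as an added illustration that is not Locksmith's own code: AD CS template flag attributes are bitmasks, so an equality test only matches when the flag is the only bit set. The attribute choice (msPKI-Certificate-Name-Flag, ENROLLEE_SUPPLIES_SUBJECT = 0x1 per MS-CRTD) is my assumption about where such a bug would bite, and the template objects are constructed sample data.

```powershell
# Added illustration, not Locksmith code. Flag attributes such as msPKI-Certificate-Name-Flag
# are bitmasks; a real template usually has several bits set at once.
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is bit 0x1 (MS-CRTD). The attribute is only assumed here
# as the kind of value where the -eq vs -band mistake matters.
$EnrolleeSuppliesSubject = 0x00000001

# Constructed sample templates: flag alone, flag plus other bits, and no flag.
$templates = @(
    [pscustomobject]@{ Name = 'OnlyFlag';     NameFlag = 0x00000001 }
    [pscustomobject]@{ Name = 'FlagPlusMore'; NameFlag = 0x01000001 }
    [pscustomobject]@{ Name = 'NoFlag';       NameFlag = 0x01000000 }
)

# Buggy check: -eq only matches when no other bit is set, so 'FlagPlusMore'
# is silently skipped (a false negative for a real misconfiguration).
$eqHits = $templates | Where-Object { $_.NameFlag -eq $EnrolleeSuppliesSubject }

# Corrected check: -band isolates the bit of interest regardless of the other bits.
$bandHits = $templates | Where-Object {
    ($_.NameFlag -band $EnrolleeSuppliesSubject) -eq $EnrolleeSuppliesSubject
}

"Templates flagged with -eq:   $($eqHits.Name   -join ', ')"
"Templates flagged with -band: $($bandHits.Name -join ', ')"
```

Run it in Windows PowerShell or PowerShell Core; the -band list includes the template whose flag is combined with other bits, the -eq list does not.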
Thank you for using ❤ Locksmith ❤
Published by TrimarcJake 11 months ago
October 2023 was super-hectic for the Locksmith core team, so we decided to skip the October release.
That little break was so worth it because it gave @SamErde some time to finalize a new Locksmith feature: a -Scans
parameter which can be used to specify exactly which misconfigurations Locksmith should search for. By default, all scan types will run, but if you want to search only for templates that match the definition of ESC1 and ESC3, try Invoke-Locksmith -Scans ESC1,ESC3!
Unsure which scan(s) you want to run? Try Invoke-Locksmith -Scans PromptMe! If you're running Windows PowerShell or PowerShell Core with Microsoft.PowerShell.ConsoleGuiTools installed, running Invoke-Locksmith -Scans PromptMe will give you a GridView window that you can use to select one or more scan types:
Powering the selection window is a dictionary class containing important info about each issue such as name, summary, links, finding code, and fixing code. As Locksmith moves forward, this dictionary will be a vital piece of improving Locksmith's usability.
- -Scans parameter with updated comment-based help explaining its use.
Published by TrimarcJake about 1 year ago
This month's Locksmith release finally introduces full ESC3 detections. Insecure Enrollment Agent templates and Client Authentication templates requiring signing by a single Enrollment Agent certificate will now be flagged. This closes the door on a pretty large hole in Locksmith's detections.
This release also marks a change in my (@TrimarcJake) role in Locksmith. I am refocusing my development time toward a new tool for finding and fixing issues in Active Directory-integrated DNS called BlueTuxedo. Until BlueTuxedo is released and gets stable, I will not be writing any new code for Locksmith.
But as you can see by this month's contributions, @techspence and @SamErde are more than capable of running the show for a while. :D
PK's PSPublishModule has been invaluable for speeding up development in Locksmith. He'll continue to get mentioned for quite some time.
Published by TrimarcJake about 1 year ago
Shortly after the 2023.07 release of Locksmith, I (@TrimarcJake) was contacted by PowerShell OG @PrzemyslawKlys (PK) about modernizing and improving the usability of Locksmith via his building and publishing tool PSPublishModule. PK split Locksmith into Public and Private functions, each in their own .ps1 file. The functions get tested, formatted, and combined into module files which can be easily published by the Locksmith team and easily installed by end-users.
Unexpectedly (not really), separating functions into individual .ps1 files makes development much smoother. Did you know scrolling through a multi-hundred-line script to find things gets confusing?
This month was mostly spent testing this new process, but we also took some time to add a few goodies including a script that will COMPLETELY AND UTTERLY DESTROY the security of an AD CS environment if you really want to test your tools. DO NOT USE IN PRODUCTION.
I hope you enjoy!
- Locksmith is now packaged as a module: load it with Import-Module .\Locksmith.psd1 or (once it's been published) install it from the PSGallery with Install-Module Locksmith. The addition of PSGallery support should make Locksmith a cinch to use. (@PrzemyslawKlys)
Published by TrimarcJake over 1 year ago
The Locksmith core team (@samerde, @techspence, @TrimarcJake) has settled on a monthly release cadence. New releases should come out during the first weekend of every month and will include any work performed during the preceding month. If you have any feature requests, please raise an Issue! At this point, we are accepting almost every request, no matter how wild!