TrimarcJake / Locksmith

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.

Home Page: https://github.com/TrimarcJake/Locksmith


False Positives in ESC4 from Incomplete Filtering

TrimarcJake opened this issue

Description: Locksmith is alerting on safe objects.

Example: CN=Machine,CN=Certificate Templates... has the following set of rights:

```
ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight
InheritanceType       : None
ObjectType            : 0e10c968-78fb-11d2-90d4-00c04f79dc55
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : MARVEL\Domain Computers
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
```

This is safe because WriteProperty only applies to the 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Enroll) right.

Expected Result: No alert on this template.

Actual Result: Locksmith marks this as ESC4.

Proposed Solution: ESC4 check should filter out anything to do with ObjectType 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Enroll) and a05b8cc2-17bc-4802-a710-e7c15ab866a2 (AutoEnroll).

Special thanks to Thomas Andresen for bringing this to my attention!

Resolved in #56
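The filtering proposed in this issue, written out as an added PowerShell example (this is not Locksmith's own code and not the fix in the referenced PR): an ACE is an ESC4 candidate only when it is an Allow entry carrying a template-rewriting right, and an object-specific ACE whose ObjectType is the Enroll or AutoEnroll extended-right GUID is skipped, because its WriteProperty bit is scoped to that extended right rather than to the template's attributes. The function name `Test-Esc4Ace`, the `$DangerousRights` list and the sample ACEs are assumptions constructed for the example; the two GUIDs are the ones quoted in the issue.

```powershell
# Added example, not Locksmith's code: decide whether a single ACE on a
# certificate template should be reported as ESC4 (template is writable
# by the principal), while ignoring ACEs scoped to Enroll/AutoEnroll.

# Extended-right GUIDs named in the issue.
$EnrollGuid      = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid  = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$SafeObjectTypes = @($EnrollGuid, $AutoEnrollGuid)

# Rights that let a principal rewrite the template (assumed ESC4 condition).
$DangerousRights = @('GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty')

function Test-Esc4Ace {
    param([Parameter(Mandatory)] $Ace)

    # Deny entries never grant anything.
    if ($Ace.AccessControlType.ToString() -ne 'Allow') { return $false }

    # Enum ToString() yields "ReadProperty, WriteProperty, ExtendedRight".
    $rights = $Ace.ActiveDirectoryRights.ToString() -split ',\s*'
    $hasDangerous = $rights | Where-Object { $DangerousRights -contains $_ }
    if (-not $hasDangerous) { return $false }

    # Object-specific ACE limited to Enroll/AutoEnroll: safe, as the issue explains.
    $objectSpecific = $Ace.ObjectFlags.ToString() -match 'ObjectAceTypePresent'
    if ($objectSpecific -and ($SafeObjectTypes -contains $Ace.ObjectType.ToString())) {
        return $false
    }

    return $true
}

# Constructed sample ACEs modelled on the issue's Get-Acl output (not real data).
$SampleAces = @(
    [pscustomobject]@{   # the false positive from the issue: scoped to Enroll
        ActiveDirectoryRights = 'ReadProperty, WriteProperty, ExtendedRight'
        ObjectType            = $EnrollGuid
        ObjectFlags           = 'ObjectAceTypePresent'
        AccessControlType     = 'Allow'
        IdentityReference     = 'MARVEL\Domain Computers'
    },
    [pscustomobject]@{   # constructed true positive: unscoped WriteProperty
        ActiveDirectoryRights = 'WriteProperty'
        ObjectType            = '00000000-0000-0000-0000-000000000000'
        ObjectFlags           = 'None'
        AccessControlType     = 'Allow'
        IdentityReference     = 'MARVEL\Domain Users'
    }
)

$SampleAces | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference
        Rights   = $_.ActiveDirectoryRights
        ESC4     = Test-Esc4Ace -Ace $_
    }
} | Format-Table -AutoSize
# First row reports ESC4 = False, second row ESC4 = True.

# Against a real template (ActiveDirectory module, AD: drive), replace the placeholder DN:
# (Get-Acl 'AD:\<template DN>').Access | Where-Object { Test-Esc4Ace -Ace $_ }
```

The check deliberately stops at the ACE level: deciding whether `IdentityReference` is a privileged principal that is allowed to hold these rights is a separate filter, and a full ESC4 check would also have to consider the ExtendedRight bit with an all-zero ObjectType, which covers every extended right rather than just enrollment.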