-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create Get-PublishedTemplates #161
Create Get-PublishedTemplates #161
Conversation
Get-PublishedTemplates pulls a list of published templates with their name, OID, flags, enrollment flag, last modified date, revision, and minor revision. This should help us check if vulnerable templates are published and also ultimately check if the vulnerable version is in use by issued certificate requests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Big comment in code. Feel free to hit me up for more details.
Get-PublishedTemplates | ||
|
||
.NOTES | ||
If either of these flags are set, the template is considered published: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your logic doesn't seem consistent with what's actually published, but it's very possible I'm missing something.
Your code returns this from my lab CA:
But the Certificate Templates list on my lab CA looks like this:
Which matches CA's object's cetificateTemplates
attribute expanded:
Note: The Certificate Templates pane shows the templates displayName
attribute while the expanded certificateTemplates
list shows the name
attribute.
This function should be rewritten to see if the template name exists within the certificateTemplates
attribute on any pKIEnrollmentService
object. We already collect the required attribute in Get-ADCSObject
, so I think you could:
- Collect all the published template
name
s from all the CA objects - De-duplicate the list and store it as
$PublishedTemplates
- Loop through the templates to see if
$PublishedTemplates -contains $TemplateName
- Return
$true
or$false
to enrich the template object as a custom attribute.
Or whatever you want to do. You probably have a more elegant way of doing it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking about de-duplicating the list and the possibility of different versions of a template being published on different CAs. Is that possible, and if so: does a published template on multiple CAs have the same OID for each instance, or a unique one per CA?
EDIT: I think I found that the answer is no to both questions. One version across all CAs and the same OID for the template on all CAs.
@SamErde what's the status on this? The current version seems to return no result. |
Will try to find time to revive and resolve this week. |
@SamErde and I chatted. We're gonna go a different route. Thanks for playing along at home, everyone! |
Get-PublishedTemplates pulls a list of published templates with their name, OID, flags, enrollment flag, whenModified, revision, and minor revision. This should help us check if vulnerable templates are published and also ultimately check if the vulnerable version is in use by issued certificate requests.
Please review the bitwise checks for the template's
flags
andmspki-enrollment-flag
properties to see if the logic is correct and returns all published templates in your test environments.Contributes to #87.