#certificateservices — Public Fediverse posts

An interesting post around #ADCS #ActiveDirectory #CertificateServices validation and concerns around it https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-nightmare-of-validating-certificate-requests/ba-p/3743769

The Locksmith Active Directory (AD) Certificate Services (CS) remediation tool has been updated: https://github.com/TrimarcJake/Locksmith

New features:
- Support for Restricted Admin Mode. If RAM is detected, Locksmith will ask to be re-run using the -Credential switch.
- If the AD Powershell module is not installed on Win 10/11, Locksmith will attempt to install it for you.
Note: previously only available on server-class OSes.
- New functions for checking user type and elevation status.
- Auto-generated snippets for ownership issues (a subset of ESC4/ESC5).
- Support for non-English Active Directory environments!

Next planned updates:
- Add individual CA Hosts to $SafeUsers using SIDs.
- Perform additional environment checks before attempting to run.
- Rename modes to something that makes sense.

#IAM #IdentitySecurity #CertificateServices #ActiveDirectory #ActiveDirectoryCertificateServices #ADCS #PKI #Locksmith #OpenSource #DefensiveSecurity #DefensiveSecurityTooling #Pizza

Locksmith has been updated: https://github.com/TrimarcJake/Locksmith

New features:
- Improved on-screen explanation of what the script is doing
- Improved output formatting
- Confirmation now required before the AD CS environment is changed
- If Locksmith changes your environment, a script is created to easily revert those changes.
- Less false positives
- If Active Directory module is not installed, Locksmith will attempt to install it for you.

Next planned updates:
- Strict Mode support
- RDP Restricted Admin support

#IAM #IdentitySecurity #CertificateServices #ActiveDirectory #ActiveDirectoryCertificateServices #ADCS #Locksmith #OpenSource #DefensiveSecurity #DefensiveSecurityTooling #Pizza