Active Directory Certificate Services (AD CS) Analyzer
<# .SYNOPSIS Active Directory Certificate Services (AD CS) Analyzer .DESCRIPTION This script analyzes the configuration and health of Active Directory Certificate Services, providing detailed information about Certificate Authorities, templates, and potential issues. .NOTES File Name : ADCSAnalyzer.ps1 Author : [Your Name] Prerequisite : PowerShell V5.1 or later, PSPKI module, and appropriate AD CS permissions Version : 1.0 Date : [Current Date] .EXAMPLE .\ADCSAnalyzer.ps1 #> # Check if PSPKI module is installed, if not, attempt to install it if (-not (Get-Module -ListAvailable -Name PSPKI)) { Write-Host "PSPKI module not found. Attempting to install..." -ForegroundColor Yellow try { Install-Module -Name PSPKI -Force -AllowClobber } catch { Write-Host "Failed to install PSPKI module. Please install it manually." -ForegroundColor Red exit } } # Import required modules Import-Module PSPKI # Global variables $global:reportPath = "$env:USERPROFILE\Desktop\ADCS_Analysis_Report_$(Get-Date -Format 'yyyyMMdd_HHmmss').html" <# .SYNOPSIS Displays the main menu of the tool. #> function Show-Menu { Clear-Host Write-Host "=== Active Directory Certificate Services Analyzer ===" -ForegroundColor Cyan Write-Host "1. Analyze Certificate Authorities" Write-Host "2. Review Certificate Templates" Write-Host "3. Check CA Health Status" Write-Host "4. Analyze Certificate Revocation Lists (CRLs)" Write-Host "5. Review CA Security Permissions" Write-Host "6. Analyze Certificate Issuance Policies" Write-Host "7. Check for Vulnerable Certificate Templates" Write-Host "8. Generate Comprehensive HTML Report" Write-Host "9. Exit" } <# .SYNOPSIS Analyzes Certificate Authorities in the environment. .OUTPUTS Array of PSObjects containing CA details. #> function Analyze-CertificateAuthorities { Write-Host "`nAnalyzing Certificate Authorities..." -ForegroundColor Yellow $cas = Get-CertificationAuthority $caDetails = @() foreach ($ca in $cas) { $caDetails += [PSCustomObject]@{ Name = $ca.Name Status = $ca.Status Type = $ca.Type Version = $ca.Version KeyLength = $ca.KeyLength HashAlgorithm = $ca.HashAlgorithm ValidityPeriod = $ca.ValidityPeriod } } $caDetails | Format-Table -AutoSize return $caDetails } <# .SYNOPSIS Reviews Certificate Templates. .OUTPUTS Array of PSObjects containing template details. #> function Review-CertificateTemplates { Write-Host "`nReviewing Certificate Templates..." -ForegroundColor Yellow $templates = Get-CertificateTemplate $templateDetails = @() foreach ($template in $templates) { $templateDetails += [PSCustomObject]@{ Name = $template.Name DisplayName = $template.DisplayName SchemaVersion = $template.SchemaVersion ValidityPeriod = $template.ValidityPeriod RenewalPeriod = $template.RenewalPeriod AuthorizedSignatures = $template.AuthorizedSignatures EnrollmentFlags = $template.EnrollmentFlags } } $templateDetails | Format-Table -AutoSize return $templateDetails } <# .SYNOPSIS Checks the health status of Certificate Authorities. .OUTPUTS Array of PSObjects containing CA health status. #> function Check-CAHealthStatus { Write-Host "`nChecking CA Health Status..." -ForegroundColor Yellow $cas = Get-CertificationAuthority $healthStatus = @() foreach ($ca in $cas) { $status = Test-CertificationAuthority -CertificationAuthority $ca.Name $healthStatus += [PSCustomObject]@{ CAName = $ca.Name IsAccessible = $status.IsAccessible IsCaAccessible = $status.IsCaAccessible IsRoleAccessible = $status.IsRoleAccessible IsWebEnrollmentAccessible = $status.IsWebEnrollmentAccessible } } $healthStatus | Format-Table -AutoSize return $healthStatus } <# .SYNOPSIS Analyzes Certificate Revocation Lists (CRLs). .OUTPUTS Array of PSObjects containing CRL details. #> function Analyze-CRLs { Write-Host "`nAnalyzing Certificate Revocation Lists..." -ForegroundColor Yellow $cas = Get-CertificationAuthority $crlDetails = @() foreach ($ca in $cas) { $crl = Get-CACrlDistributionPoint -CertificationAuthority $ca.Name foreach ($point in $crl) { $crlDetails += [PSCustomObject]@{ CAName = $ca.Name URI = $point.URI PublishToServer = $point.PublishToServer PublishToDeltaServer = $point.PublishToDeltaServer PublishToDS = $point.PublishToDS } } } $crlDetails | Format-Table -AutoSize return $crlDetails } <# .SYNOPSIS Reviews CA Security Permissions. .OUTPUTS Array of PSObjects containing CA security permission details. #> function Review-CASecurityPermissions { Write-Host "`nReviewing CA Security Permissions..." -ForegroundColor Yellow $cas = Get-CertificationAuthority $securityPermissions = @() foreach ($ca in $cas) { $permissions = Get-CASecurityDescriptor -CertificationAuthority $ca.Name foreach ($ace in $permissions.Access) { $securityPermissions += [PSCustomObject]@{ CAName = $ca.Name IdentityReference = $ace.IdentityReference AccessControlType = $ace.AccessControlType Rights = $ace.Rights } } } $securityPermissions | Format-Table -AutoSize return $securityPermissions } <# .SYNOPSIS Analyzes Certificate Issuance Policies. .OUTPUTS Array of PSObjects containing issuance policy details. #> function Analyze-CertificateIssuancePolicies { Write-Host "`nAnalyzing Certificate Issuance Policies..." -ForegroundColor Yellow $cas = Get-CertificationAuthority $issuancePolicies = @() foreach ($ca in $cas) { $policies = Get-CAPolicy -CertificationAuthority $ca.Name foreach ($policy in $policies) { $issuancePolicies += [PSCustomObject]@{ CAName = $ca.Name PolicyName = $policy.Name OID = $policy.OID Enabled = $policy.Enabled } } } $issuancePolicies | Format-Table -AutoSize return $issuancePolicies } <# .SYNOPSIS Checks for potentially vulnerable certificate templates. .OUTPUTS Array of PSObjects containing vulnerable template details. #> function Check-VulnerableCertificateTemplates { Write-Host "`nChecking for Vulnerable Certificate Templates..." -ForegroundColor Yellow $templates = Get-CertificateTemplate $vulnerableTemplates = @() foreach ($template in $templates) { $isVulnerable = $false $vulnerabilities = @() if ($template.EnrollmentFlags -band 0x00000008) { $isVulnerable = $true $vulnerabilities += "No CA signature required" } if ($template.AuthorizedSignatures -eq 0) { $isVulnerable = $true $vulnerabilities += "No authorized signatures required" } if ($template.PrivateKeyFlags -band 0x00000001) { $isVulnerable = $true $vulnerabilities += "Exportable private key" } if ($isVulnerable) { $vulnerableTemplates += [PSCustomObject]@{ TemplateName = $template.Name Vulnerabilities = $vulnerabilities -join ", " } } } $vulnerableTemplates | Format-Table -AutoSize return $vulnerableTemplates } <# .SYNOPSIS Generates a comprehensive HTML report of all analyses. .PARAMETER AllResults Hashtable containing all analysis results. .OUTPUTS Saves an HTML report to the desktop. #> function Generate-HTMLReport { param([hashtable]$AllResults) Write-Host "`nGenerating Comprehensive HTML Report..." -ForegroundColor Yellow $reportContent = @" <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>AD CS Analysis Report</title> <style> body { font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 1200px; margin: 0 auto; padding: 20px; } h1, h2, h3 { color: #0078D4; } table { border-collapse: collapse; width: 100%; margin-bottom: 20px; } th, td { border: 1px solid #ddd; padding: 8px; text-align: left; } th { background-color: #f2f2f2; } </style> </head> <body> <h1>Active Directory Certificate Services Analysis Report</h1> <p>Generated on: $(Get-Date)</p> <h2>Certificate Authorities</h2> $($AllResults.CertificateAuthorities | ConvertTo-Html -Fragment) <h2>Certificate Templates</h2> $($AllResults.CertificateTemplates | ConvertTo-Html -Fragment) <h2>CA Health Status</h2> $($AllResults.CAHealthStatus | ConvertTo-Html -Fragment) <h2>Certificate Revocation Lists (CRLs)</h2> $($AllResults.CRLs | ConvertTo-Html -Fragment) <h2>CA Security Permissions</h2> $($AllResults.SecurityPermissions | ConvertTo-Html -Fragment) <h2>Certificate Issuance Policies</h2> $($AllResults.IssuancePolicies | ConvertTo-Html -Fragment) <h2>Vulnerable Certificate Templates</h2> $($AllResults.VulnerableTemplates | ConvertTo-Html -Fragment) </body> </html> "@ $reportContent | Out-File -FilePath $global:reportPath Write-Host "Report generated and saved to: $global:reportPath" -ForegroundColor Green } # Main program loop $allResults = @{} do { Show-Menu $choice = Read-Host "`nEnter your choice (1-9)" switch ($choice) { "1" { $allResults.CertificateAuthorities = Analyze-CertificateAuthorities } "2" { $allResults.CertificateTemplates = Review-CertificateTemplates } "3" { $allResults.CAHealthStatus = Check-CAHealthStatus } "4" { $allResults.CRLs = Analyze-CRLs } "5" { $allResults.SecurityPermissions = Review-CASecurityPermissions } "6" { $allResults.IssuancePolicies = Analyze-CertificateIssuancePolicies } "7" { $allResults.VulnerableTemplates = Check-VulnerableCertificateTemplates } "8" { Generate-HTMLReport -AllResults $allResults } "9" { Write-Host "Exiting program..." -ForegroundColor Yellow; break } default { Write-Host "Invalid choice. Please try again." -ForegroundColor Red } } if ($choice -ne "9") { Read-Host "`nPress Enter to continue..." } } while ($choice -ne "9")
This Active Directory Certificate Services Analyzer includes:
- A menu-driven interface for easy navigation.
- Functions to analyze various aspects of AD CS:
- Certificate Authorities analysis
- Certificate Templates review
- CA Health Status check
- Certificate Revocation Lists (CRLs) analysis
- CA Security Permissions review
- Certificate Issuance Policies analysis
- Vulnerable Certificate Templates check
- Comprehensive error handling for each analysis function.
- A function to generate an HTML report of all collected data.
Key features:
- Detailed analysis of CA configurations and health
- Review of certificate templates and their settings
- Analysis of CRL distribution points
- Security permissions review for CAs
- Identification of potentially vulnerable certificate templates
- Comprehensive HTML report generation
This tool is particularly useful for:
- PKI administrators managing AD CS environments
- Security auditors reviewing certificate services configurations
- IT professionals troubleshooting PKI issues in an AD environment
To use this script effectively:
- Run PowerShell as an administrator
- Ensure you have the necessary permissions to query AD CS in your domain
- Have the PSPKI PowerShell module installed (the script attempts to install it if not present)
This script provides a comprehensive overview of the AD CS configuration in an Active Directory environment, making it easier to identify issues, security concerns, or misconfigurations related to your PKI infrastructure. It can significantly streamline the process of auditing and maintaining AD CS in large or complex environments.
Leave a Reply
Want to join the discussion?Feel free to contribute!