Src/Private/Get-AbrADCARoot.ps1
|
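function Get-AbrADCARoot {
    <#
    .SYNOPSIS
        Used by As Built Report to retrieve Microsoft Active Directory Root Certification Authority information.
    .DESCRIPTION
        Emits an 'Enterprise Root Certificate Authority' report section containing one list table per
        entry in $CAs whose IsRoot property is like 'True'. For each such CA the function opens (or
        reuses) a PowerShell remoting session to the CA host and reads the 'AuditFilter' value under
        HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA display name>\, then reports
        it next to the CA name, server, type, config string, operating system, certificate and
        service status.

        The function takes no parameters. It reads $CAs, $DCStatus, $PSSTable, $HealthCheck,
        $ForestInfo and $Report from the calling scope.
    .NOTES
        Version:        0.9.11
        Author:         Jonathan Colon
        Twitter:        @jcolonfzenpr
        Github:         rebelinux
    .EXAMPLE
        Get-AbrADCARoot
    .LINK
    #>
    [CmdletBinding()]
    param (
    )

    begin {
        Write-PScriboMessage -Message 'Collecting AD Certification Authority Per Domain information.'
        Show-AbrDebugExecutionTime -Start -TitleMessage 'AD Certification Authority Per Domain'
    }

    process {
        try {
            # Only emit the section when at least one root CA was discovered.
            if ($CAs | Where-Object { $_.IsRoot -like 'True' }) {
                Section -Style Heading2 'Enterprise Root Certificate Authority' {
                    Paragraph 'The following section provides detailed information about the Enterprise Root Certificate Authority (CA) configuration and operational status.'
                    BlankLine
                    foreach ($CA in ($CAs | Where-Object { $_.IsRoot -like 'True' })) {
                        # A CA whose host fails the WinRM check, or for which no session can be
                        # obtained, is skipped without any entry in the report.
                        if (Get-DCWinRMState -ComputerName $CA.ComputerName -DCStatus ([ref]$DCStatus)) {
                            $DCPssSession = Get-ValidPSSession -ComputerName $CA.ComputerName -SessionName $($CA.ComputerName) -PSSTable ([ref]$PSSTable)
                            if ($DCPssSession) {
                                $OutObj = [System.Collections.ArrayList]::new()

                                # AuditFilter is read on the CA host itself through the remoting session.
                                $AuditingIssue = Invoke-CommandWithTimeout -Session $DCPssSession -ScriptBlock { Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$($using:CA.DisplayName)\" -Name 'AuditFilter' }

                                $inObj = [ordered] @{
                                    'CA Name' = $CA.DisplayName
                                    'Server Name' = $CA.ComputerName.ToString().ToUpper().Split('.')[0]
                                    'Type' = $CA.Type
                                    'Config String' = $CA.ConfigString
                                    'Operating System' = $CA.OperatingSystem
                                    'Certificate' = $CA.Certificate
                                    # AuditFilter is a bit mask: each value below is one audit
                                    # category and 127 is all seven combined. Any other combination
                                    # (for example 3 = 1 + 2) still falls through to 'Unknown' and is
                                    # flagged by the health check as not fully enabled.
                                    'Auditing' = switch ($AuditingIssue) {
                                        $Null { 'Not Configured' }
                                        0 { 'Not Configured' }
                                        1 { 'Start and stop Active Directory® Certificate Services (1)' }
                                        2 { 'Back up and restore the CA database (2)' }
                                        4 { 'Issue and manage certificate requests (4)' }
                                        8 { 'Revoke certificates and publish CRLs (8)' }
                                        16 { 'Change CA security settings (16)' }
                                        # Bit 32 is the key-archival category; the previous label
                                        # duplicated the text used for 16.
                                        32 { 'Store and retrieve archived keys (32)' }
                                        64 { 'Change CA configuration (64)' }
                                        127 { 'Auditing is fully enabled (127)' }
                                        default { 'Unknown' }
                                    }
                                    'Status' = $CA.ServiceStatus
                                }
                                $OutObj.Add([pscustomobject](ConvertTo-HashToYN $inObj)) | Out-Null

                                if ($HealthCheck.CA.Status) {
                                    # The row's key is 'Status'. Filtering on the non-existent
                                    # 'Service Status' property meant the service-state highlight
                                    # could never target a real column.
                                    $OutObj | Where-Object { $_.'Status' -notlike 'Running' } | Set-Style -Style Critical -Property 'Status'
                                    $OutObj | Where-Object { $_.'Auditing' -notlike 'Auditing is fully enabled (127)' } | Set-Style -Style Critical -Property 'Auditing'
                                }

                                $TableParams = @{
                                    Name = "Enterprise Root CA - $($ForestInfo.ToString().ToUpper())"
                                    List = $true
                                    ColumnWidths = 40, 60
                                }
                                if ($Report.ShowTableCaptions) {
                                    $TableParams['Caption'] = "- $($TableParams.Name)"
                                }
                                $OutObj | Table @TableParams

                                # NOTE(review): this finding is written whenever auditing is not fully
                                # enabled, even if $HealthCheck.CA.Status is off (only the highlighting
                                # above is gated) - confirm that is intended.
                                if ( $OutObj | Where-Object { $_.'Auditing' -notlike 'Auditing is fully enabled (127)' } ) {
                                    Paragraph 'Health Check:' -Bold -Underline
                                    BlankLine
                                    Paragraph {
                                        Text 'Security Best Practice:' -Bold
                                        Text 'Auditing should be fully enabled for the Certification Authority to ensure that all relevant events are logged for security monitoring and incident response purposes. This includes events related to certificate issuance, revocation, and changes to CA configuration.'
                                    }
                                }
                            }
                        }
                    }
                }
            }
        } catch {
            # Any failure, including a failed registry read, is reported as a warning and ends
            # processing of the remaining CAs instead of terminating the report run.
            Write-PScriboMessage -IsWarning $_.Exception.Message
        }
    }

    end {
        Show-AbrDebugExecutionTime -End -TitleMessage 'AD Certification Authority Per Domain'
    }
}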