PingCastle 3.0.0.4

Author: vletoux

Data/HealthcheckData.cs

@@ -1170,6 +1170,7 @@ public void SetIntegrity()
         {
             Trace.WriteLine("SetIntegrity called");
             IntegrityRules = ComputeIntegrity();
+            IntegrityVerified = true;
         }
 
         public void CheckIntegrity()

Healthcheck/HealthcheckAnalyzer.cs

@@ -2327,7 +2327,7 @@ private void GenerateADCSEnrollmentServerTests(ADWebService adws, string dnsHost
             byte[] certificate;
             var protocols = new List<string>();
             Trace.WriteLine("[" + DateTime.Now + "] Test for " + dnsHostName + " 1 starts");
-            GenerateTLSInfo(uri.Host, uri.Port, protocols, out certificate);
+            GenerateTLSInfo(uri.Host, uri.Port, protocols, out certificate, "[" + DateTime.Now + "] ");
             Trace.WriteLine("[" + DateTime.Now + "] Test for " + dnsHostName + " 2 done for TLS");
 
             enrollmentServer.SSLProtocol = protocols;
@@ -2340,7 +2340,7 @@ private void GenerateADCSEnrollmentServerTests(ADWebService adws, string dnsHost
             // web enrollment
             // https access
             // channel binding
-            var result = ConnectionTester.TestExtendedAuthentication(uri, adws.Credential);
+            var result = ConnectionTester.TestExtendedAuthentication(uri, adws.Credential, "[" + DateTime.Now + "] Test for " + dnsHostName + " ");
             Trace.WriteLine("[" + DateTime.Now + "] Test for " + dnsHostName + " 3 done for TestExtendedAuthentication");
             if (result == ConnectionTesterStatus.ChannelBindingDisabled)
             {
@@ -2353,7 +2353,7 @@ private void GenerateADCSEnrollmentServerTests(ADWebService adws, string dnsHost
             }
             // http access
             uri = new Uri("http://" + dnsHostName + "/certsrv/certrqxt.asp");
-            result = ConnectionTester.TestConnection(uri, adws.Credential);
+            result = ConnectionTester.TestConnection(uri, adws.Credential, "[" + DateTime.Now + "] Test for " + dnsHostName + " ");
             Trace.WriteLine("[" + DateTime.Now + "] Test for " + dnsHostName + " 4 done for TestConnection");
             if (result == ConnectionTesterStatus.AuthenticationSuccessfull)
             {
@@ -2365,7 +2365,7 @@ private void GenerateADCSEnrollmentServerTests(ADWebService adws, string dnsHost
             // channel binding
             uri = new Uri("https://" + dnsHostName + "/" + System.Net.WebUtility.UrlEncode(CAName) + "_CES_Kerberos/service.svc");
 
-            result = ConnectionTester.TestExtendedAuthentication(uri, adws.Credential);
+            result = ConnectionTester.TestExtendedAuthentication(uri, adws.Credential, "[" + DateTime.Now + "] Test for " + dnsHostName + " ");
             Trace.WriteLine("[" + DateTime.Now + "] Test for " + dnsHostName + " 5 done for TestExtendedAuthentication");
             if (result == ConnectionTesterStatus.ChannelBindingDisabled)
             {
@@ -2379,7 +2379,7 @@ private void GenerateADCSEnrollmentServerTests(ADWebService adws, string dnsHost
 
             // http access
             uri = new Uri("http://" + dnsHostName + "/" + System.Net.WebUtility.UrlEncode(CAName) + "_CES_Kerberos/service.svc");
-            result = ConnectionTester.TestConnection(uri, adws.Credential);
+            result = ConnectionTester.TestConnection(uri, adws.Credential, "[" + DateTime.Now + "] Test for " + dnsHostName + " ");
             Trace.WriteLine("[" + DateTime.Now + "] Test for " + dnsHostName + " 6 done for TestConnection");
             if (result == ConnectionTesterStatus.AuthenticationSuccessfull)
             {
@@ -3129,7 +3129,7 @@ private void GenerateWSUSData(ADDomainInfo domainInfo, ADWebService adws)
                             {
                                 byte[] certificate;
                                 var protocols = new List<string>();
-                                GenerateTLSInfo(uri.Host, uri.Port, protocols, out certificate);
+                                GenerateTLSInfo(uri.Host, uri.Port, protocols, out certificate, "[" + DateTime.Now + "] ");
                                 cache[key] = new KeyValuePair<List<string>, byte[]>(protocols, certificate);
                             }
                             gpo.WSUSserverSSLProtocol = cache[key].Key;
@@ -3149,7 +3149,7 @@ private void GenerateWSUSData(ADDomainInfo domainInfo, ADWebService adws)
                             {
                                 byte[] certificate;
                                 var protocols = new List<string>();
-                                GenerateTLSInfo(uri.Host, uri.Port, protocols, out certificate);
+                                GenerateTLSInfo(uri.Host, uri.Port, protocols, out certificate, "[" + DateTime.Now + "] ");
                                 cache[key] = new KeyValuePair<List<string>, byte[]>(protocols, certificate);
                             }
                             gpo.WSUSserverAlternateSSLProtocol = cache[key].Key;
@@ -4962,12 +4962,12 @@ private void GenerateDomainControllerData(ADDomainInfo domainInfo, ADWebService
                         }
                         Trace.WriteLine("[" + threadId + "] Working on smb support " + dns);
                         SMBSecurityModeEnum securityMode;
-                        if (SmbScanner.SupportSMB1(dns, out securityMode))
+                        if (SmbScanner.SupportSMB1(dns, out securityMode, "[" + threadId + "] "))
                         {
                             DC.SupportSMB1 = true;
                         }
                         DC.SMB1SecurityMode = securityMode;
-                        if (SmbScanner.SupportSMB2And3(dns, out securityMode))
+                        if (SmbScanner.SupportSMB2And3(dns, out securityMode, "[" + threadId + "] "))
                         {
                             DC.SupportSMB2OrSMB3 = true;
                         }
@@ -4979,15 +4979,15 @@ private void GenerateDomainControllerData(ADDomainInfo domainInfo, ADWebService
                         }
                         if (DC.SMB1SecurityMode != SMBSecurityModeEnum.NotTested && DC.SMB2SecurityMode != SMBSecurityModeEnum.NotTested)
                         {
-                            if (NamedPipeTester.IsRemotePipeAccessible(dns, NamedPipeTester.WebClientPipeName))
+                            if (NamedPipeTester.IsRemotePipeAccessible(dns, NamedPipeTester.WebClientPipeName, "[" + threadId + "] "))
                             {
                                 DC.WebClientEnabled = true;
                             }
                         }
                         Trace.WriteLine("[" + threadId + "] Working on ldap ssl " + dns);
-                        GenerateTLSConnectionInfo(dns, DC, adws.Credential);
+                        GenerateTLSConnectionInfo(dns, DC, adws.Credential, threadId);
                         Trace.WriteLine("[" + threadId + "] Working on ldap signing requirements " + dns);
-                        GenerateLDAPSigningRequirementInfo(dns, DC, adws.Credential);
+                        GenerateLDAPSigningRequirementInfo(dns, DC, adws.Credential, threadId);
                         Trace.WriteLine("[" + threadId + "] Done for " + dns);
                     }
                 };
@@ -5042,36 +5042,40 @@ private void GenerateDomainControllerData(ADDomainInfo domainInfo, ADWebService
             }
         }
 
-        private void GenerateTLSConnectionInfo(string dns, HealthcheckDomainController DC, NetworkCredential credentials)
+        private void GenerateTLSConnectionInfo(string dns, HealthcheckDomainController DC, NetworkCredential credentials, int threadId)
         {
             DC.LDAPSProtocols = new List<string>();
             byte[] certificate;
-            GenerateTLSInfo(dns, 636, DC.LDAPSProtocols, out certificate);
+            Trace.WriteLine("[" + threadId + "] GenerateTLSInfo");
+            GenerateTLSInfo(dns, 636, DC.LDAPSProtocols, out certificate, "[" + threadId + "] ");
             DC.LDAPCertificate = certificate;
             if (DC.LDAPSProtocols.Count > 0)
             {
                 if (DoesComputerMatchDns(dns))
                 {
-                    Trace.WriteLine("Test ignored because tested on the DC itself");
+                    Trace.WriteLine("[" + threadId + "] Test ignored because tested on the DC itself");
                     return;
                 }
-
-                var result = ConnectionTester.TestExtendedAuthentication(new Uri("ldaps://" + dns), credentials);
+                Trace.WriteLine("[" + threadId + "] TestExtendedAuthentication");
+                var result = ConnectionTester.TestExtendedAuthentication(new Uri("ldaps://" + dns), credentials, "[" + threadId + "] ");
+                Trace.WriteLine("[" + threadId + "] Result:" + result);
                 if (result == ConnectionTesterStatus.ChannelBindingDisabled)
                 {
                     DC.ChannelBindingDisabled = true;
                 }
             }
         }
 
-        private void GenerateLDAPSigningRequirementInfo(string dns, HealthcheckDomainController DC, NetworkCredential credentials)
+        private void GenerateLDAPSigningRequirementInfo(string dns, HealthcheckDomainController DC, NetworkCredential credentials, int threadId)
         {
             if (DoesComputerMatchDns(dns))
             {
-                Trace.WriteLine("Test ignored because tested on the DC itself");
+                Trace.WriteLine("[" + threadId + "] Test ignored because tested on the DC itself");
                 return;
             }
-            var result = ConnectionTester.TestSignatureRequiredEnabled(new Uri("ldap://" + dns), credentials);
+            Trace.WriteLine("[" + threadId + "] TestSignatureRequiredEnabled");
+            var result = ConnectionTester.TestSignatureRequiredEnabled(new Uri("ldap://" + dns), credentials, "[" + threadId + "] ");
+            Trace.WriteLine("[" + threadId + "] Result:" + result);
             if (result == ConnectionTesterStatus.SignatureNotRequired)
             {
                 DC.LdapServerSigningRequirementDisabled = true;
@@ -5084,72 +5088,44 @@ bool DoesComputerMatchDns(string Dns)
             return string.Equals(hostName, Dns, StringComparison.OrdinalIgnoreCase);
         }
 
-        private void GenerateTLSInfo(string dns, int port, List<string> protocols, out byte[] certificate)
+        private void GenerateTLSInfo(string dns, int port, List<string> protocols, out byte[] certificate, string logPrefix)
         {
             certificate = null;
             foreach (SslProtocols protocol in Enum.GetValues(typeof(SslProtocols)))
             {
-                if (protocol == SslProtocols.None)
-                    continue;
                 if (protocol == SslProtocols.Default)
-                {
-                    try
-                    {
-                        byte[] c = null;
-                        using (TcpClient client = new TcpClient(dns, port))
-                        {
-                            client.ReceiveTimeout = 1000;
-                            client.SendTimeout = 1000;
-                            using (SslStream sslstream = new SslStream(client.GetStream(), false,
-                                (object sender, X509Certificate CACert, X509Chain CAChain, SslPolicyErrors sslPolicyErrors)
-                                    =>
-                                { c = CACert.GetRawCertData(); return true; }
-                                    , null))
-                            {
-                                Trace.WriteLine("normal auth for " + dns);
-                                sslstream.AuthenticateAsClient(dns, null, protocol, false);
-                                Trace.WriteLine("normal auth supported for " + dns);
-                                certificate = c;
-                            }
-                        }
-                    }
-                    catch (SocketException)
-                    {
-                        Trace.WriteLine("SSL not supported for " + dns);
-                        return;
-                    }
-                    catch (Exception)
-                    {
-                    }
                     continue;
-                }
+                if (protocol == SslProtocols.None)
+                    continue;
                 try
                 {
+                    byte[] c = null;
                     using (TcpClient client = new TcpClient(dns, port))
                     {
                         client.ReceiveTimeout = 1000;
                         client.SendTimeout = 1000;
                         using (SslStream sslstream = new SslStream(client.GetStream(), false,
                                 (object sender, X509Certificate CACert, X509Chain CAChain, SslPolicyErrors sslPolicyErrors)
                                     =>
-                                { return true; }
+                                { c = CACert.GetRawCertData(); return true; }
                                      , null))
                         {
-                            Trace.WriteLine(protocol + " before auth for " + dns);
+                            Trace.WriteLine(logPrefix + protocol + " before auth for " + dns);
                             sslstream.AuthenticateAsClient(dns, null, protocol, false);
-                            Trace.WriteLine(protocol + " supported for " + dns);
+                            Trace.WriteLine(logPrefix + protocol + " supported for " + dns);
+                            certificate = c;
                             protocols.Add(protocol.ToString());
                         }
                     }
                 }
                 catch (SocketException)
                 {
-                    Trace.WriteLine("SSL not supported for " + dns);
+                    Trace.WriteLine(logPrefix + "SSL not supported for " + dns);
                     return;
                 }
                 catch (Exception ex)
                 {
-                    Trace.WriteLine(protocol + " not supported for " + dns + ":" + port + " (" + ex.Message + (ex.InnerException == null ? null : " - " + ex.InnerException.Message) + ")");
+                    Trace.WriteLine(logPrefix + protocol + " not supported for " + dns + ":" + port + " (" + ex.Message + (ex.InnerException == null ? null : " - " + ex.InnerException.Message) + ")");
                 }
             }
         }

Properties/AssemblyInfo.cs

@@ -28,5 +28,5 @@
 //      Numéro de build
 //      Révision
 //
-[assembly: AssemblyVersion("3.0.0.3")]
-[assembly: AssemblyFileVersion("3.0.0.3")]
+[assembly: AssemblyVersion("3.0.0.4")]
+[assembly: AssemblyFileVersion("3.0.0.4")]

Report/ReportBase.cs

@@ -946,14 +946,19 @@ protected void GenerateAccordionDetail(string id, string dataParent, string titl
   </div>");
         }
 
-        private static string GenerateId(string title)
+        protected static string GenerateId(string title)
         {
             return "section" + title.Replace(" ", "");
         }
 
         protected void GenerateTabHeader(string title, string selectedTab, bool defaultIfTabEmpty = false)
         {
             string id = GenerateId(title);
+            GenerateTabHeader(title, id, selectedTab, defaultIfTabEmpty);
+        }
+
+        protected void GenerateTabHeader(string title, string id, string selectedTab, bool defaultIfTabEmpty = false)
+        {
             bool isActive = (String.IsNullOrEmpty(selectedTab) ? defaultIfTabEmpty : selectedTab == id);
             Add(@"<li class=""nav-item""><a href=""#");
             Add(id);
@@ -1393,6 +1398,8 @@ protected void AddLsaSettingsValue(string property, int value)
                 case "srvsvcsessioninfo":
                 case "enablemodulelogging":
                 case "enablescriptblocklogging":
+                case "enablecbacandarmor":
+                case "cbacandarmorlevel":
                     if (value == 0)
                     {
                         Add(@"<span class=""unticked"">Disabled</span>");

Report/ReportHealthCheckConsolidation.cs

@@ -531,7 +531,7 @@ private void GenerateDCInformation()
                         AddCellText(dc.OperatingSystem);
                         AddCellText((dc.CreationDate == DateTime.MinValue ? "Unknown" : dc.CreationDate.ToString("u")));
                         AddCellText((dc.StartupTime == DateTime.MinValue ? (dc.LastComputerLogonDate.AddDays(60) < DateTime.Now ? "Inactive?" : "Unknown") : (dc.StartupTime.AddMonths(6) < DateTime.Now ? /*"<span class='unticked'>" +*/ dc.StartupTime.ToString("u")/* + "</span>" */: dc.StartupTime.ToString("u"))));
-                        AddCellText((dc.StartupTime == DateTime.MinValue ? "" : (DateTime.Now.Subtract(dc.StartupTime)).Days + " days"));
+                        AddCellText((dc.StartupTime == DateTime.MinValue ? "" : (DateTime.Now.Subtract(dc.StartupTime)).Days.ToString("D3") + " days"));
                         AddCellText((String.IsNullOrEmpty(dc.OwnerName) ? dc.OwnerSID : dc.OwnerName));
                         AddCellText((dc.HasNullSession ? "YES" : "NO"), true, !dc.HasNullSession);
                         AddCellText((dc.SupportSMB1 ? "YES" : "NO"), true, !dc.SupportSMB1);

Report/ReportHealthCheckSingle.cs

@@ -1559,7 +1559,7 @@ private void GenerateDCInformation()
                                 AddCellText(dc.OperatingSystem);
                                 AddCellText((dc.CreationDate == DateTime.MinValue ? "Unknown" : dc.CreationDate.ToString("u")));
                                 AddCellText((dc.StartupTime == DateTime.MinValue ? (dc.LastComputerLogonDate.AddDays(60) < DateTime.Now ? "Inactive?" : "Unknown") : (dc.StartupTime.AddMonths(6) < DateTime.Now ? /*"<span class='unticked'>" + */dc.StartupTime.ToString("u")/* + "</span>"*/ : dc.StartupTime.ToString("u"))));
-                                AddCellText((dc.StartupTime == DateTime.MinValue ? "" : (DateTime.Now.Subtract(dc.StartupTime)).Days + " days"));
+                                AddCellText((dc.StartupTime == DateTime.MinValue ? "" : (DateTime.Now.Subtract(dc.StartupTime)).Days.ToString("D3") + " days"));
                                 AddCellText((String.IsNullOrEmpty(dc.OwnerName) ? dc.OwnerSID : dc.OwnerName));
                                 AddCellText((dc.HasNullSession ? "YES" : "NO"), true, !dc.HasNullSession);
                                 AddCellText((dc.SupportSMB1 ? "YES" : "NO"), true, !dc.SupportSMB1);

Rules/RuleBase.cs

@@ -83,9 +83,14 @@ protected RuleBase()
             {
                 throw new NotImplementedException();
             }
+            ReloadResource();
+        }
+
+        public void ReloadResource()
+        {
             string resourceKey;
             resourceKey = RiskId.Replace('-', '_').Replace('$', '_');
-
+            
             Title = ResourceManager.GetString(resourceKey + "_Title");
             Description = ResourceManager.GetString(resourceKey + "_Description");
             TechnicalExplanation = ResourceManager.GetString(resourceKey + "_TechnicalExplanation");