2.8.0.0 * reworked the way third party components are included in reports for better html auditing (aka Content Security Policy) * added the rule P-DNSDelegation to check delegation on the MS DNS server which can be used to take control of the domain * show healthcheck rule detail in a table if possible * remove the "network configuration operators" group from privileged groups as it has no impact on the domain by itself * split the allow login / deny login settings from privileges and from DC to another dedicated section * added the rule P-TrustedCredManAccessPrivilege to match STIG rule V-63843 * added Auto logon info if found in the GPO passwords section * added the rule P-LogonDenied to check for tiers isolation. Only in application if more than 200 users & 200 computers * be resilient if a new rule category is added in the future so future reports can be read by this PingCastle version * fix a problem when control character is found in data (loginscript for example) and cannot be serialized in xml * added an experimental bluekeep scanner. To avoid AV detection, the code is commented. Decomment and recompile to use it. * added SeSecurityPrivilege (access to the security event log) in the list of privileges to monitor. * merged the permission report and the healthcheck report * added the rule P-ControlPathIndirectEveryone and P-ControlPathIndirectMany for control path analysis * added the rule A-AuditDC for audit policy * update to bootstrap 4.4.1 * change the algorithm to locate the server. Faster and compatible with kerberos only domains. * added the rule A-DCLdapsProtocol looking for SSLv2 and SSLv3 active on DC * added the rule A-AuditPowershell to check for powershell auditing (informative) * added the rule S-OS-Vista to check for Vista presence (which is not supported anymore). Windows 7 & 2008 added after extended support stops. * added honey pot setting to avoid honey pot accounts to be in error 2.7.1.0 * update the TGT delegation algorithm after the July update (new flag CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION) 2.7.0.0 * added a network map inspired from hilbert curves * fix a bug when doing a map with very complicated data * adjust the krbtgt last password change when a replication set it to "not set" * added the rule P-ExchangePrivEsc to check for Exchange misconfiguration at install * added the rule P-LoginDCEveryone to check if everybody can logon to a DC * added the rule P-RecycleBin to check for the Recycle Bin feature (at forest level) * added the rule P-DsHeuristicsAdminSDExMask to check if AdminSDHolder has been disabled for some critical groups * added the rule P-DsHeuristicsDoListObject to check if the feature DoListObject has been enabled (informative only) * added the rule P-RecoveryModeUnprotected to check if any user can go into recovery mode without being admin * added the rule A-LDAPSigningDisabled to check if the LDAP signing mode has been set to None * added the rule A-DCRefuseComputerPwdChange to check that Domain Controllers don't deny the change of computers account password * added the rule P-DelegationFileDeployed to check for deployed file via GPO (msi, file copied, ...) * added the rule T-FileDeployedOutOfDomain to check for deployed file via GPO (msi, file copied, ...) from outside this domain * added the rule A-NoGPOLLMNR which checks if LLMNR can be used to steal credentials * added the rule T-TGTDelegation to check for TGT delegation on forest trusts * added the rule P-Kerberoasting to check for keberoasting (SPN for admin account). A mitigation via a regular password change is allowed. * update the score produced by the rule S-SMB-v1 from 1 to 10 * fix the scanner command line when targeting multiple computer (single and multiple were inverted) * added the scanner antivirus * added the scanner laps_bitlocker * fix a bug in the graph report when multiple files were examinated in parallele * add a transition msDS-AllowedToActOnBehalfOfOtherIdentity to the graph report * fix a bug when computing msDS-Lockout* in PSO (time were divided by 5) * fix rule A-LMHashAuthorized which were not triggering due to a bug and improved its documentation * improve the healtcheck report and added a comment to locate the NTLMstore (certificate section) * fix GPP Password for scheduled task - only 1 out of 4 kind of scheduled tasks were checked * fix support for missing well known sid S-1-5-32-545 for rules * fix a tedious bug when using LDAP and when requesting the property Objectclass - it is not available in the result using the native API * fix a tedious bug when reading SMB2 data (input was inverted with output) which gave inaccurate results regarding signature * PingCastle does now have a default license and can be run without the .config file In this case, the compatibility shims are removed and forced under .Net 2 engine. To run under .Net 4, a recompile is needed. 2.6.0.0 * fix a problem for early version of LDAP undetected : in ms-*-AdmPwd, MCS was replaced by company name * integrate many hidden functions into the "scanner mode" to be more easy to use * removing the ms17-010 scanner from the source because antivirus are so stupid that they cannot make the difference between a vulnerability scanner & an exploitation kit * added many scanners (aclscanner, ...) * breaking change: admin accounts where checks for lock, smart card, ... even if the account is disabled. This is not the case anymore. * tuned S-DC-SubnetMissing to avoid dealing with local ipv6 loopback address (::1) * added the rule A-DC-Spooler and the spooler scanner to check for print spooler accessible remotely (used to collect computer credentials via unconstrained delegation) * added the rule A-NotEnoughDC to check domains have at least 2 DC * added the rule P-UnconstrainedDelegation to check for unconstrained delegation in kerberos (the data was already reported) * in relation with P-UnconstrainedDelegation, change the way accounts "trusted for delegation" are selected. Change useraccountcontrol flag from 0x01000000 to 0x80000 * fix in healthcheck report: the reversible password detail section was only displayed if there was unconstrained delegation in the domain * added the rule P-ExchangeAdminSDHolder to check for the Exchange modification of the AdminSDHolder object * added the rule P-DelegationKeyAdmin to check for boggus Windows 2016 installation * added the (informative) rule P-OperatorsEmpty to check the recommandation to have the account and server operators empty * added the rule P-DelegationGPOData to check for too large permissions granted to GPO items * added the rule P-PrivilegeEveryone to check for too large GPO assigned privileges * adjust the Domain Controller selection for tests (aka: number of DC in a domain & checks performed on them) * remove the --split-OU technique which was not used and add an automatic protocol fallback in case of failure (ADWS then LDAP for example) * allow the use of LDAPS via the --port 636 command switch * fix a couple of problem in PingCastleReporting (incorrect numbers, wrong label, inability to load some configuration) * Migrate from Bootstrap 3 to Bootstrap 4 * fix some mono incompatibility * fix crash when analysing gpo where scheduled task password is being stored * fix A-NoServicePolicy which was triggered when i shouldn't and vice versa * add support for Windows 2019 * fix DnsAdminGroup not found when moved in another OU * fix rootDse listing when using credential & required bind * extended the rule S-DesEnabled to check also computers account * add to the report a link in rules to sections of the report to get more insight 2.5.2.0 * fix a problem when a dc has been removed but not its computer account but its dns record * fix a problem when for the rule A-SmartCardRequired which was triggered each time a "smart card required" account was found * fix: the decryption process was broken as successful descryption always triggered a failure * fix S-DC-SubnetMissing when subnet are duplicated (contains CNF and generated from replication problem) * fix NT4 mismatch if the year was not present and include the word "dataceNTer" * add a check for "smart card required" for administrator accounts * reworked the menu to be more interactive 2.5.0.0 * rewrote all rules description / rationale / etc * added start and end date for exception * breaking: change the date at which the exception / migration is evaluated from current date to report generation date * new rules: A-SMB2SignatureNotEnabled A-SMB2SignatureNotRequired S-DC-SubnetMissing P-DelegationLoginScript * added an experimental scanner for replication usn check * allows DNS Admin group to be moved to another OU than CN=Users (as a reminder, the group is selected based on its description) * fix logon logoff script label inverted * allow users to be in the guest group for their primary group (was Domain Users only before) * record more details about the operating systems (and adapt the reload of previous reports) * the rule A-LAPS-Not-Installed, previously informative, now scores 15 points. If the local admin password is set at install, the rule should be put in exception. * many adaptation to be used with Ping Castle Enterprise 2.4.3.1 * add schemainfo checks * rework the way replication metadata is collected 2.4.3.0 * fix compatibility problem with windows 2000 * fix bugs relative to --no-enum-limit, adminsdholder check, sidhistory without whencreated, reloading without threat model * add check related to replication metadata (dsasignature, KrbtgtLastVersion) * minor changes in the powerpoint reporting (more detail on the reporting frequency) * new rule for mandatory AD backup (microsoft procedure) * minor change in reporting (alphabetically order for risk model, ...) 2.4.2.0 * risk model in the healthcheck report * checking for LAPS install * scanner for ms17-010 (not in healthcheck) * small report improvements * small bug fixing (ex: if AdminSDHolder denied to authentiated users) 2.4.1.1 * better Samba compatibility (linux DC) * added smb check functionalities & scanner for workstation * added support for PSO * rewrote "scanner" functionalities to be more user friendly * adding dnsadmins as privileged group following https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 2.4.1.0 * modified the healthcheck report and consolidation to be responsive * added in PingCastleReporting the risk map (link between BU & entities) * added in PingCastleReporting the Rules report (matched and explanation) and removed --export-hc-rule in PingCastle * reworked the report to add a DC view (last startup - for patches, creation date, if presence of null session) * add an alert for MS14-068 via startuptime * changed P-AdminNum to be less strict (especially for forest root) and A-Krbtgt to be less agressive * improve the explanation of some rules * various bug fixes in PingCastleReporting 2.4.0.1 * modified some KPI in PingCastleReporting overview * added the flag --smtptls * modified the score computation algorithm to take part of migration information in the past (showing evolution of score) * modify the bad primary group count by excluding members of guests group 2.4.0.0 * program rebranded to PingCastle * added PingCastleReporting for management reports (powerpoint, history, ...) * reworked the advanced module - added the live mode for advanced report * handle many domains with the same FQDN (but different sid) * rewrote the "Unknown domain" algorithm in xls which is reusing the graph made at consolidation * add option to set an exception for all domains (set domain as "*" in the xls file) * add all --explore options * rules A-LoginScript, P-Disabled and S-PwdNeverExpires disabled * added the rule P-DCOwner to check for DC ownership * lowering the points to 0 for P-ServiceDomainAdmin if the passwords are changed regulary * add netbios / sid information for forest of domains found indirectly (for matching existing domains) * modify the simple node graph to add intermediate score and BU/Entity information when available * added mail notification option if mail is read & smtp credential on command line * added "details" for rules which are difficult to understand without specifics * added the domain root for the delegation check * disabled the check on dangerous permissions for migration sid history and unexpire password (too much false positives) * added sidhistory information for groups to the sidhistory user information (to not forget to remove sidhistory for groups) 2.3.0.1 (cert-ist forum version) * add the reachable mode (disabled by default, enabled by default if domain=* and used in interactive mode) This mode scans for domains outside trusts. Discover new domains when run on trusted domains. * Reworked the domain maps for visualization and inclusing of the reachable mode data. * Add Netbios information in the trust information to be able to match some reachable mode data. * Remove the requirement for ADWS. LDAP is used if ADWS is not available (LDAP is far more slower than ADWS) 2.2.1.5 fix a problem when a distinguished name of an admin contain LDAP request char 2.2.1.4 fix a problem in the consolidation fix a problem if a login script is invalid and cannot be parsed as a url 2.2.1.3 bug fixing (null session enabled on forest side, PreWin2000 group empty) Simplify full graph with bidirectional nodes & red color for unprotected trusts add a simplified graph