Locksmith
Locksmith is a PowerShell tool designed to identify and remediate common misconfigurations within Active Directory Certificate Services (AD CS). It helps administrators and security professionals ensure the security and integrity of their PKI infrastructure.
Key Features:
- Comprehensive Scanning: Identifies a wide range of AD CS vulnerabilities, including those related to ESC1, ESC2, ESC3, ESC4, ESC5, ESC6, ESC8, ESC11, ESC13, and ESC15.
- Multiple Modes of Operation:
- Mode 0 (Default): Identifies issues and outputs them to the console.
- Mode 1: Identifies issues and suggests fixes, outputting both to the console.
- Mode 2: Identifies issues and exports them to a CSV file.
- Mode 3: Identifies issues and suggests fixes, exporting both to a CSV file.
- Mode 4: Attempts to automatically fix all identified issues with user confirmation.
- Selective Scans: Allows users to specify which scans to run using the
-Scans
parameter, offering flexibility and targeted assessments. - Easy Installation: Can be installed directly from the PowerShell Gallery or downloaded as a standalone script.
- Detailed Reporting: Provides clear and concise output, making it easy to understand the identified issues and their potential impact.
Use Cases:
- Security Audits: Regularly scan AD CS environments to identify and address potential vulnerabilities.
- Incident Response: Quickly identify misconfigurations that may have been exploited during a security incident.
- Pre-Deployment Checks: Ensure that AD CS is properly configured before deploying new applications or services.
- Remediation: Automatically fix identified issues to improve the security posture of the AD CS environment.
Target Users:
- System Administrators
- Security Engineers
- Red Teamers
- Penetration Testers