Closed debold closed 10 months ago
I need to update this issue. I missed the fact that in my test environment the policies are also set in the path tested in the HealthCheckerAnalyzer.cs (I just overlooked them yesterday), but still the rule gets a match even though the settings are applied correctly.
Wow6432Node is for 32-bit programs on 64-bit systems. But Kerberos settings are read by lsass.exe, a native program (64-bit on 64-bit systems). Are you sure this registry setting is correct?
Hi,
I just updated the issue. I overlooked the setting yesterday and yes, it is also present in the path you check. But: even the beta version you shared with Andy still shows that Kerberos armoring is not configured correctly. I checked the registry settings on both DCs and on some clients and they are correct (not localized).
May I ask where you retrieve the information about the GPO being applied? Do you check the settings from GPOs or do you check the registry of systems to find out whether the policy was applied?
Another thing (I'm not really into C#): is the query I mentioned in the issue correct? In particular the ... > 1?
Would happily share any info to help get this resolved 👍🏻
Can you just share with me the GPO content (all the files where the GPO is defined) and a screenshot of the GPO being set? That's how I'll determine how this setting is set and in which files.
For us this happens:
When server armoring is enabled in GPO, the PingcastleReport shows "enabled" in RED instead of GREEN...
When it's disabled, the report shows "disabled" also in RED.
I don't understand. Did you try the version I published yesterday? If this is a UI issue, please print a screenshot.
Same for me here, it seems that now Kerb Armoring is read properly, but the report shows it in RED. This is happening with the version you just published yesterday. A big thank you for this wonderful tool, Vincent.
In case a screenshot might help, here it is:
It's a simple fix to do. Will upgrade it for the next version.
Scans for the KDC armoring settings do not include the WOW6432Node path for the policy templates and therefore sometimes do not recognize the correctly configured GPOs:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Issue encountered on a fresh Windows Server 2022 based domain (DFL/FFL 2016) localized in German.
https://github.com/vletoux/pingcastle/blob/b099a83a1bfa9ef7d5ac0c58405296e9c66f8f51/Healthcheck/HealthcheckAnalyzer.cs#L2759