public SectionDetails GetScore()
{
SectionDetails details = new SectionDetails(0, new List <string>(), this);
SecurityPolicyManager.GetAuditPolicy();
// Loop over every audit configuration
foreach (KeyValuePair <string, ScoredItem <EAuditSettings> > config in ConfigPolicy.HeaderSettingPairs)
{
// If not scored, skip
if (!config.Value.IsScored)
{
continue;
}
// Loop over every system audit setting
foreach (KeyValuePair <string, POLICY_AUDIT_EVENT> systemSetting in SystemPolicy.HeaderSettingPairs)
{
// Check if config and system setting are of the same policy
if (config.Key == systemSetting.Key)
{
// Check if integer casted values are equal
if ((int)config.Value.Value == (int)systemSetting.Value)
{
// Setting is properly configured
details.Points++;
details.Output.Add(ConfigurationManager.Translate("AuditPolicy", config.Key, AuditSettingFormat[config.Value.Value]));
}
}
}
}
return(details);
}
public SectionDetails GetScore()
{
SectionDetails details = new SectionDetails(0, new List <string>(), this);
SecurityPolicyManager.GetLockoutPolicy();
if (ConfigPolicy.AccountLockoutDuration.IsScored &&
ConfigPolicy.AccountLockoutDuration.Value.WithinBounds(SystemPolicy.AccountLockoutDuration))
{
details.Points++;
details.Output.Add(TranslationManager.Translate("AccountLockoutDuration", SystemPolicy.AccountLockoutDuration));
}
if (ConfigPolicy.AccountLockoutThreshold.IsScored &&
ConfigPolicy.AccountLockoutThreshold.Value.WithinBounds(SystemPolicy.AccountLockoutThreshold))
{
details.Points++;
details.Output.Add(TranslationManager.Translate("AccountLockoutThreshold", SystemPolicy.AccountLockoutThreshold));
}
if (ConfigPolicy.ResetLockoutCounterAfter.IsScored &&
ConfigPolicy.ResetLockoutCounterAfter.Value.WithinBounds(SystemPolicy.ResetLockoutCounterAfter))
{
details.Points++;
details.Output.Add(TranslationManager.Translate("ResetLockoutCounterAfter", SystemPolicy.ResetLockoutCounterAfter));
}
return(details);
}
public static List <SectionDetails> CheckScores()
{
List <SectionDetails> details = new List <SectionDetails>();
// Get information we use from secedit for use in sections
SecurityPolicyManager.GetSeceditInfo();
// Reset max score
MaxScore = 0;
// Enumerate all scoring sections
foreach (ISection section in ScoringSections)
{
// Get max score
int maxScore = section.MaxScore();
// Optimization: Check if anything is scored, skip if not
if (maxScore == 0)
{
continue;
}
// Increment total max score by section's
MaxScore += maxScore;
// Get scoring details for specific section
SectionDetails sectionScore = section.GetScore();
// Add details to list
details.Add(sectionScore);
}
return(details);
}
public SectionDetails GetScore()
{
SectionDetails details = new SectionDetails(0, new List <string>(), this);
SecurityPolicyManager.GetPasswordPolicy();
if (ConfigPolicy.EnforcePasswordHistory.IsScored &&
ConfigPolicy.EnforcePasswordHistory.Value.WithinBounds(SystemPolicy.EnforcePasswordHistory))
{
details.Points++;
details.Output.Add(TranslationManager.Translate("EnforcePasswordHistory", SystemPolicy.EnforcePasswordHistory));
}
if (ConfigPolicy.MaxPasswordAge.IsScored &&
ConfigPolicy.MaxPasswordAge.Value.WithinBounds(SystemPolicy.MaximumPasswordAge))
{
details.Points++;
details.Output.Add(TranslationManager.Translate("MaxPasswordAge", SystemPolicy.MaximumPasswordAge));
}
if (ConfigPolicy.MinPasswordAge.IsScored &&
ConfigPolicy.MinPasswordAge.Value.WithinBounds(SystemPolicy.MinimumPasswordAge))
{
details.Points++;
details.Output.Add(TranslationManager.Translate("MinPasswordAge", SystemPolicy.MinimumPasswordAge));
}
if (ConfigPolicy.MinPasswordLength.IsScored &&
ConfigPolicy.MinPasswordLength.Value.WithinBounds(SystemPolicy.MinimumPasswordLength))
{
details.Points++;
details.Output.Add(TranslationManager.Translate("MinPasswordLength", SystemPolicy.MinimumPasswordLength));
}
string[] readableNames = new string[]
{
TranslationManager.Translate("Disabled"),
TranslationManager.Translate("Enabled")
};
if (ConfigPolicy.PasswordComplexity.IsScored && ConfigPolicy.PasswordComplexity.Value == SystemPolicy.PasswordComplexity)
{
details.Points++;
details.Output.Add(TranslationManager.Translate("PasswordComplexity", readableNames[SystemPolicy.PasswordComplexity]));
}
if (ConfigPolicy.ReversibleEncryption.IsScored && ConfigPolicy.ReversibleEncryption.Value == SystemPolicy.ReversibleEncryption)
{
details.Points++;
details.Output.Add(TranslationManager.Translate("ReversibleEncryption", readableNames[SystemPolicy.ReversibleEncryption]));
}
return(details);
}
public static List <SectionDetails> CheckScores()
{
List <SectionDetails> details = new List <SectionDetails>();
// Get information we use from secedit for use in sections
SecurityPolicyManager.GetSeceditInfo();
// Reset max score
MaxScore = 0;
// Enumerate all scoring sections
foreach (ISection section in ScoringSections)
{
// Get max score
int maxScore = section.MaxScore();
// Optimization: Check if anything is scored, skip if not
if (maxScore == 0)
{
continue;
}
// Increment total max score by section's
MaxScore += maxScore;
try
{
// Get scoring details for specific section
SectionDetails sectionScore = section.GetScore();
// Add details to list
details.Add(sectionScore);
}
catch (Exception ex)
{
EventLog.WriteEntry(".NET Runtime", ex.ToString(), EventLogEntryType.Error, 1026);
}
}
return(details);
}
public static WSSecurityPolicy GetSecurityPolicyDriver(MessageSecurityVersion version)
{
SecurityPolicyManager policyManager = new SecurityPolicyManager();
return policyManager.GetSecurityPolicyDriver(version);
}
public static bool TryGetSecurityPolicyDriver(ICollection<XmlElement> assertions, out WSSecurityPolicy securityPolicy)
{
SecurityPolicyManager policyManager = new SecurityPolicyManager();
return policyManager.TryGetSecurityPolicyDriver(assertions, out securityPolicy);
}
public SectionDetails GetScore()
{
SectionDetails details = new SectionDetails(0, new List <string>(), this);
SecurityPolicyManager.GetUserRightsAssignment();
// For each config definition
foreach (UserRightsDefinition definition in UserRightsDefinitions)
{
// Create copy of dictionary. Uses more memory but optimizes
// checking as we can remove user rights after checking them
Dictionary <string, List <SecurityIdentifier> > tempDict =
new Dictionary <string, List <SecurityIdentifier> >(SystemPolicy.UserRightsSetting);
string foundUserRights = null;
bool configCorrect = true;
// For each retrieved system user rights definition
foreach (KeyValuePair <string, List <SecurityIdentifier> > userRights in tempDict)
{
// Check if config and system define the same user rights
if (definition.ConstantName != userRights.Key)
{
continue;
}
foundUserRights = definition.ConstantName;
// If config and user rights identifiers count do not match,
// it is incorrectly configured. Break the loop and set as incorrect
if (definition.Identifiers.Count != userRights.Value.Count)
{
configCorrect = false;
break;
}
// Loop over sids first so we're not converting
// identifiers to usernames multiple times for each
foreach (SecurityIdentifier identifier in userRights.Value)
{
// Cache name to be compared with later checked identifiers
string name = null;
bool foundIdentifier = false;
foreach (UserRightsIdentifier cfgId in definition.Identifiers)
{
switch (cfgId.Type)
{
case EUserRightsIdentifierType.Name:
// If name has not been found yet, retrieve it
if (name == null)
{
name = GetNameFromSID(identifier);
}
// If name and config name match, match is found
if (name == cfgId.Identifier)
{
foundIdentifier = true;
// Save name for possible output
cfgId.Name = name;
}
break;
case EUserRightsIdentifierType.SecurityID:
// If Security IDs match, match is found
if (identifier.MatchesConfig(cfgId.Identifier))
{
foundIdentifier = true;
// If name has not been found yet, retrieve it
if (name == null)
{
name = GetNameFromSID(identifier);
}
// Save name for possible output
cfgId.Name = name;
}
break;
}
// If we found the match, break the loop
// as there is no need to keep searching
if (foundIdentifier)
{
break;
}
}
// If no match was found, the config and
// system config do not match, break the loop
if (!foundIdentifier)
{
configCorrect = false;
break;
}
}
// If process got here,
// break the loop as a match was found
break;
}
// If user rights was found
if (foundUserRights != null)
{
// If configured correctly, increment points and give output
if (configCorrect)
{
// Create list for every name, used to give user the proper output
IEnumerable <string> names = definition.Identifiers.Select(x => x.Name);
details.Points++;
details.Output.Add(TranslationManager.Translate("UserRights", definition.Setting,
string.Join(TranslationManager.Translate("Delimiter"), names)));
}
tempDict.Remove(foundUserRights);
}
}
return(details);
}
