Add special rule A-PreWin2000AuthenticatedUsers for the printnightmare vulnerability

Author: vletoux

Data/HealthcheckData.cs

@@ -958,6 +958,9 @@ public Dictionary<string, GPOInfo> GPOInfoDic
         public bool ShouldSerializePreWindows2000NoDefault() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
         public bool PreWindows2000NoDefault { get; set; }
 
+        public bool ShouldSerializePreWindows2000AuthenticatedUsers() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
+        public bool PreWindows2000AuthenticatedUsers { get; set; }
+
         public bool ShouldSerializeDsHeuristicsAnonymousAccess() { return (int)Level <= (int)PingCastleReportDataExportLevel.Normal; }
         public bool DsHeuristicsAnonymousAccess { get; set; }
 

Healthcheck/HealthcheckAnalyzer.cs

@@ -3509,6 +3509,10 @@ private void GenerateAnomalies(ADDomainInfo domainInfo, ADWebService adws)
                                 healthcheckData.PreWindows2000AnonymousAccess = true;
                                 continue;
                             }
+                            if (member.Contains("S-1-5-11"))
+                            {
+                                healthcheckData.PreWindows2000AuthenticatedUsers = true;
+                            }
                             if (!member.StartsWith("CN=S-"))
                             {
                                 healthcheckData.PreWindows2000NoDefault = true;

Healthcheck/Rules/HeatlcheckRuleAnomalyPreWin2000AuthenticatedUsers.cs

@@ -0,0 +1,26 @@
+//
+// Copyright (c) Ping Castle. All rights reserved.
+// https://www.pingcastle.com
+//
+// Licensed under the Non-Profit OSL. See LICENSE file in the project root for full license information.
+//
+using PingCastle.Rules;
+
+namespace PingCastle.Healthcheck.Rules
+{
+    [RuleModel("A-PreWin2000AuthenticatedUsers", RiskRuleCategory.Anomalies, RiskModelCategory.Reconnaissance)]
+    [RuleComputation(RuleComputationType.TriggerOnPresence, 0)]
+    //[RuleBSI("M 2.412")]
+    [RuleMaturityLevel(5)]
+    public class HeatlcheckRuleAnomalyPreWin2000AuthenticatedUsers : RuleBase<HealthcheckData>
+    {
+        protected override int? AnalyzeDataNew(HealthcheckData healthcheckData)
+        {
+            if (healthcheckData.PreWindows2000AuthenticatedUsers)
+            {
+                return 1;
+            }
+            return 0;
+        }
+    }
+}

Healthcheck/Rules/RuleDescription.resx

@@ -3778,4 +3778,28 @@ If the script is detected, Windows 7 is considered as supported and this rule is
   <data name="S_OS_Win7_Title" xml:space="preserve">
     <value>Obsolete OS (Windows 7)</value>
   </data>
+  <data name="A_PreWin2000AuthenticatedUsers_Description" xml:space="preserve">
+    <value>The purpose is check if the "Pre-Windows 2000 Compatible Access" group contains authenticated users</value>
+  </data>
+  <data name="A_PreWin2000AuthenticatedUsers_Documentation" xml:space="preserve">
+    <value>https://msdn.microsoft.com/en-us/library/cc223672.aspx</value>
+  </data>
+  <data name="A_PreWin2000AuthenticatedUsers_Rationale" xml:space="preserve">
+    <value>The PreWin2000 compatible group contains "authenticated users"</value>
+  </data>
+  <data name="A_PreWin2000AuthenticatedUsers_Solution" xml:space="preserve">
+    <value>Remove "authenticated users" from the PreWin2000 group.</value>
+  </data>
+  <data name="A_PreWin2000AuthenticatedUsers_TechnicalExplanation" xml:space="preserve">
+    <value>The pre-Windows 2000 compatible access group grants access to some RPC calls.
+    Its default and secure value is the "Authenticated Users" group which allows users to perform group look up using legacy protocols.
+    
+  If this group contains "Authenticated Users", it increases the impact on the exploitation vulnerability on legacy protocols such as the printer spooler.
+    Indeed, in the #PrintNightmare attack, it enables a patch bypass on domain controllers because the property Elevated Token is on when establishing a session to the DC.
+    Removing the group can have side impacts and as a consequence, this is reported here as a special hardening measure.
+  </value>
+  </data>
+  <data name="A_PreWin2000AuthenticatedUsers_Title" xml:space="preserve">
+    <value>Check that the "Pre-Windows 2000 Compatible Access" group does not contain "Authenticated Users"</value>
+  </data>
 </root>

PingCastle.csproj

@@ -123,6 +123,7 @@
     <Compile Include="Data\HealthCheckBUEntityData.cs" />
     <Compile Include="Data\CompromiseGraphData.cs" />
     <Compile Include="Healthcheck\HoneyPotSettings.cs" />
+    <Compile Include="Healthcheck\Rules\HeatlcheckRuleAnomalyPreWin2000AuthenticatedUsers.cs" />
     <Compile Include="Healthcheck\Rules\HeatlcheckRuleStaledObsoleteWin7.cs" />
     <Compile Include="Healthcheck\Rules\HeatlcheckRuleTrustAzureADSSO.cs" />
     <Compile Include="Healthcheck\Rules\HeatlcheckRuleAnomalyUnixPassword.cs" />

Properties/AssemblyInfo.cs

@@ -9,7 +9,7 @@
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("Ping Castle")]
 [assembly: AssemblyProduct("Ping Castle")]
-[assembly: AssemblyCopyright("Copyright ©  2019 Ping Castle")]
+[assembly: AssemblyCopyright("Copyright ©  2015-2021 Ping Castle")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 
@@ -28,5 +28,5 @@
 //      Numéro de build
 //      Révision
 //
-[assembly: AssemblyVersion("2.9.2.0")]
-[assembly: AssemblyFileVersion("2.9.2.0")]
+[assembly: AssemblyVersion("2.9.2.1")]
+[assembly: AssemblyFileVersion("2.9.2.1")]