diff --git a/src/CommonLib/OutputTypes/CARegistryData.cs b/src/CommonLib/OutputTypes/CARegistryData.cs
index ece3e1b73..d176aadeb 100644
--- a/src/CommonLib/OutputTypes/CARegistryData.cs
+++ b/src/CommonLib/OutputTypes/CARegistryData.cs
@@ -8,5 +8,6 @@ public class CARegistryData
 public EnrollmentAgentRegistryAPIResult EnrollmentAgentRestrictions { get; set; }
 public BoolRegistryAPIResult IsUserSpecifiesSanEnabled { get; set; }
 public BoolRegistryAPIResult RoleSeparationEnabled { get; set; }
+ public BoolRegistryAPIResult RPCEncryptionEnforced { get; set; }
 }
 }
\ No newline at end of file
diff --git a/src/CommonLib/Processors/CertAbuseProcessor.cs b/src/CommonLib/Processors/CertAbuseProcessor.cs
index 4da05f191..5cb9bb213 100644
--- a/src/CommonLib/Processors/CertAbuseProcessor.cs
+++ b/src/CommonLib/Processors/CertAbuseProcessor.cs
@@ -277,6 +277,33 @@ public BoolRegistryAPIResult IsUserSpecifiesSanEnabled(string target, string caN
 return ret;
 }
+ [ExcludeFromCodeCoverage]
+ public BoolRegistryAPIResult RPCEncryptionEnforced(string target, string caName)
+ {
+ var ret = new BoolRegistryAPIResult();
+ var subKey =
+ $"SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\{caName}";
+ const string subValue = "InterfaceFlags";
+ var data = Helpers.GetRegistryKeyData(target, subKey, subValue, _log);
+
+ ret.Collected = data.Collected;
+ if (!data.Collected)
+ {
+ ret.FailureReason = data.FailureReason;
+ return ret;
+ }
+
+ if (data.Value == null)
+ {
+ return ret;
+ }
+
+ var interfaceFlags = (int)data.Value;
+ ret.Value = (interfaceFlags & 0x00000200) == 0x00000200;
+
+ return ret;
+ }
+
 ///
 /// This function checks a registry setting on the target host for the specified CA to see if role seperation is enabled.
 /// If enabled, you cannot perform any CA actions if you have both ManageCA and ManageCertificates permissions. Only CA admins can modify the setting.
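Review bot: The unboxing cast `(int)data.Value` in RPCEncryptionEnforced throws InvalidCastException when the registry helper returns anything other than a boxed int; the type of `data.Value` is not visible in this hunk, so confirm it, but an InterfaceFlags value stored with a different registry type on the target would abort collection for that CA. A type pattern keeps the failure local, `if (!(data.Value is int interfaceFlags)) { ret.FailureReason = "InterfaceFlags is not a DWORD"; return ret; }`. The `data.Value == null` branch returns with Collected copied from the helper and Value untouched, so if BoolRegistryAPIResult.Value defaults to false a missing value is reported as encryption not enforced; recording a FailureReason there would let consumers tell absent from disabled. The bit `0x00000200` should be a named constant (it is IF_ENFORCEENCRYPTICERTREQUEST), and the method needs an XML summary like the role-separation method documented just below it, stating that it reads InterfaceFlags for the CA and reports whether encrypted RPC certificate requests are required.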