ESC8 Identification is Incomplete #125
Comments
I've confirmed this! And I see what's causing it. Dang regex.
Hi, @Adonist I just pushed changes to the
I'll check it tomorrow and let you know. Thank you for the quick action on this! Thanks
No, thank you for testing and reporting! It helps to get reports from real users. Lab tests only go so far.
I would love that. Feel free to submit a PR, or we can chat about it in a different space. Totally up to you. |
First: thank you for confirming the change now properly identifies the HTTPS endpoints as HTTPS! As for the rest of your comment: we generally approach things from a defender's standpoint. The mitigations you listed reduce or eliminate the risk of NTLM relay if fully implemented, but in our opinion, the best solution is eliminating the endpoint altogether. That's why this is a VERY basic check. If you find an HTTPS enrollment endpoint, it's low risk, but it's still a risk. But we are aware of the limitations of this approach and have started discussing methods for improving this test. Assessing the actual risk of the HTTPS finding is simply impossible with the data we gather at the moment, so step one will be gathering additional data. If you'd like to help build this check, we'd gladly accept a PR! You can even post PoC code in this Issue, and I'll keep it open until you're satisfied. :D
Hi,
It seems that ESC8 identification is not accurate.
In my case, I can confirm web enrollment is not installed and Windows authentication for CEP and CES is set to: Negotiate:Kerberos and Extended Protection is Required.
Still, running Locksmith comes up with "HTTP enrollment is enabled."