@@ -255,6 +255,40 @@ public BoolRegistryAPIResult IsUserSpecifiesSanEnabled(string target, string caN
255255 return ret ;
256256 }
257257
258+ /// <summary>
259+ /// This function checks a registry setting on the target host for the specified CA to see if role seperation is enabled.
260+ /// If enabled, you cannot perform any CA actions if you have both ManageCA and ManageCertificates permissions. Only CA admins can modify the setting.
261+ /// </summary>
262+ /// <remarks>https://www.itprotoday.com/security/q-how-can-i-make-sure-given-windows-account-assigned-only-single-certification-authority-ca</remarks>
263+ /// <param name="target"></param>
264+ /// <param name="caName"></param>
265+ /// <returns></returns>
266+ /// <exception cref="Exception"></exception>
267+ [ ExcludeFromCodeCoverage ]
268+ public BoolRegistryAPIResult RoleSeparationEnabled ( string target , string caName )
269+ {
270+ var ret = new BoolRegistryAPIResult ( ) ;
271+ var regSubKey = $ "SYSTEM\\ CurrentControlSet\\ Services\\ CertSvc\\ Configuration\\ { caName } ";
272+ const string regValue = "RoleSeparationEnabled" ;
273+ var data = Helpers . GetRegistryKeyData ( target , regSubKey , regValue , _log ) ;
274+
275+ ret . Collected = data . Collected ;
276+ if ( ! data . Collected )
277+ {
278+ ret . FailureReason = data . FailureReason ;
279+ return ret ;
280+ }
281+
282+ if ( data . Value == null )
283+ {
284+ return ret ;
285+ }
286+
287+ ret . Value = ( int ) data . Value == 1 ;
288+
289+ return ret ;
290+ }
291+
258292 public TypedPrincipal GetRegistryPrincipal ( SecurityIdentifier sid , string computerDomain , string computerName , bool isDomainController , string computerObjectId , SecurityIdentifier machineSid )
259293 {
260294 _log . LogTrace ( "Got principal with sid {SID} on computer {ComputerName}" , sid . Value , computerName ) ;
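Review bot: The unbox on the `ret . Value = ( int ) data . Value == 1 ;` line throws InvalidCastException when the registry value is anything other than a 32-bit DWORD (assuming the helper hands back the raw `RegistryKey.GetValue` object, a REG_QWORD arrives boxed as `long` and a REG_SZ as `string`), and nothing in the method catches it, so a mistyped value surfaces as an exception instead of as a `FailureReason` the way the `! data . Collected` branch above reports. A pattern match keeps the result object as the only failure channel: `if (data.Value is not int flag) { ret.Collected = false; ret.FailureReason = $"Unexpected registry value type {data.Value.GetType().Name} for {regValue}"; return ret; }` followed by `ret.Value = flag == 1;`. The XML doc should then either drop `<exception cref="Exception">` or name the exception that can actually escape, and the empty `<param>`/`<returns>` tags and the "seperation" typo in the summary are worth fixing in the same pass. Whether `Helpers . GetRegistryKeyData` can itself throw is not visible in the hunk.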