Deploy
Many strategies exist to deploy PingCastle and collect its reports.
Monitoring domains from a bastion can be easy, but domains with no network connection can be difficult. PingCastle offers several deployment strategies to cover both cases.
Prerequisites
Management support
Active Directory may be regarded locally as a critical component, or it may be located in an entity over which you do not have full technical control.
Scheduler
We recommend collecting reports on a weekly basis in order to catch non-validated trusts.
Coordinator
This is the person who will receive all the reports.
1. Get reports
1.1. Option 1: PingCastle is run on each domain
PingCastle can be run on every domain of a company using the command:
PingCastle --healthcheck
1.2. Option 2: PingCastle is run at a key location
PingCastle can be run on a Bastion Active Directory, generally used to perform administration tasks. In this case, all the domains will be scanned:
PingCastle --healthcheck --server *
The program can be run on every forest root and be limited to that perimeter:
PingCastle --healthcheck --server *.forest.root
The tool can be run on every forest child and explore the child and its trusted domains. In this case the forest root is excluded:
PingCastle --healthcheck --explore-trust --server child.forest.root
PingCastle can explore all the domains of all the trusted forests from another forest. This is useful when the root and the child don't share the same name:
PingCastle --healthcheck --explore-forest-trust --server anotherforest.root
If needed, exceptions can be set so that some domains are not scanned, for example to avoid scanning the Bastion domain multiple times. In this case use the option --explore-exception <domains>, where <domains> is a comma-separated list of domain names.
2. Schedule
Even if the management reporting is done on a monthly basis, we recommend setting up a scheduled task on a weekly basis.
This frequency is justified to:
- See the improvement almost in real time and avoid the tunnel effect
- Detect newly created trusts and be able to remove them if needed with a limited business impact.
Daily scans are not recommended as the additional energy needed to follow up will not provide any additional benefits.
3. Collect the reports
3.1. Encryption to use unsafe channels
Sometimes domains are not connected, or the scheduled tasks cannot centralize all the reports in a single share. To deal with this case, PingCastle can encrypt the reports so that they can be sent over an unsafe channel.
An RSA key pair needs to be generated and the public key shared with all the instances of the program. When producing risk reports and generating the .xml files, add the flag --encrypt to perform the encryption.
You can generate a key pair using the following command and copy the public key into the .config file to be deployed.
PingCastle.exe --generate-key
Starting the task: Generate Key
Public Key (used on the encryption side):
<encryptionSettings encryptionKey="default">
<RSAKeys>
<!-- encryption key -->
<KeySettings name="default" publicKey="&lt;RSAKeyValue&gt;&lt;Modulus&gt;h4smrLAZZ30QwWXHcT1oNz3hH3Ax2R9T75DlioGFCIdLb0QhUn3N8NWgJ2ZgyUNXn4qU1b0DslOIhK+CqoqCPvXuHjK6TGrMyphtcbZvvgbLxfyalJemczx1+pOuBlqqVdalE94rnnnBr761WIJJnkJdZ0rzYsebnDwGuk9kiw8=&lt;/Modulus&gt;&lt;Exponent&gt;AQAB&lt;/Exponent&gt;&lt;/RSAKeyValue&gt;"/>
<!-- end -->
</RSAKeys>
</encryptionSettings>
Private Key (used on the decryption side):
<encryptionSettings encryptionKey="default">
<RSAKeys>
<!-- decryption key -->
<KeySettings name="39b5d076-17be-4999-b43e-b894a55446a1" privateKey="&lt;RSAKeyValue&gt;&lt;Modulus&gt;h4smrLAZZ30QwWXHcT1oNz3hH3Ax2R9T75DlioGFCIdLb0QhUn3N8NWgJ2ZgyUNXn4qU1b0DslOIhK+CqoqCPvXuHjK6TGrMyphtcbZvvgbLxfyalJemczx1+pOuBlqqVdalE94rnnnBr761WIJJnkJdZ0rzYsebnDwGuk9kiw8=&lt;/Modulus&gt;&lt;Exponent&gt;AQAB&lt;/Exponent&gt;&lt;P&gt;uwgX794pe7O3vIiQR5v03WK3Ug5LUAbXpPF6Xq4qGb3TGprZaJQq5rZ2uJ4qwRanOa5pI/zv7RhG/4ItesBuAw==&lt;/P&gt;&lt;Q&gt;uYaNLEp9Vh8F29tSH+M4z+OjxPl+ULLRjLrssFLTTNsdnrHgAtdJ1lxfIm/gTUa0qPLa9Y/xkUb1khK/+tV3BQ==&lt;/Q&gt;&lt;DP&gt;FdfeI8+IfMACh2xTnWljca+jxVuSBCioasUhC4m/tP3sd8D5/zK+x+8rcmhWifKBWUU7Vk6mHsSlFhY4BYwPzQ==&lt;/DP&gt;&lt;DQ&gt;gzfwh8AT0CLXEP6ZomYi257lST8xoUAoyEG5gKjEPJrJ42Fp0HiXB9+Dhibc3atBwjEqvv5VXGx06iEK2g27RQ==&lt;/DQ&gt;&lt;InverseQ&gt;HRKFjYwrXqgO4v8Q+JSOqR6lSvQ15Z6V4AE23i4xfeuIYWwVf0t8AwgkDfFRQnEyh24byuh5PPzUbDOsUY+eYg==&lt;/InverseQ&gt;&lt;D&gt;QQ6pIXnkt6dvw2P2toOi4eDxjQVs56oBv5rske5YzB8kNeOdmtqHXnEqzb519iQ8incZuP1gKNevTwBu1yxkFuFh0dzjS3iBjHvYGtDo5mARiZ1nN8QNI2zKE+Q6qXF8Z+wN3Fv3oBDQXATI6IQbgkAxLTMo4CUmtUQ6GvjwFwE=&lt;/D&gt;&lt;/RSAKeyValue&gt;"/>
<!-- end -->
</RSAKeys>
</encryptionSettings>
Done
Task Generate Key completed
Then copy the private key section into the PingCastle and PingCastleReporting configuration files (.config) used to consolidate the results. PingCastle will perform the decryption automatically.
The program can generate an encrypted copy of a report (public key needed) and a decrypted copy of a report (private key needed) using the following commands:
PingCastle --reload-report report.xml --encrypt
PingCastle --reload-report encrypted-report.xml
Note: Only one key can be specified for encryption but multiple keys can be used for decryption. Their selection is automatic.
3.2. Email
If an SMTP server is specified, PingCastle can send the reports by email. If encryption is configured, the program will encrypt the reports. Use --sendXmlTo <email> to send only the xml report, --sendHtmlTo <email> to send only the html report, and --sendAllTo <email> to send both the html and the xml report. Email addresses are comma separated, and these flags can be combined.
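The deployment steps above (deploy a .config carrying only the public key, schedule a weekly scan, encrypt and mail the reports) put together as an added PowerShell example. This is not PingCastle's own code or documentation. It assumes an install directory of C:\PingCastle, that the configuration file beside the executable is named PingCastle.exe.config, a group managed service account CORP\svc-pingcastle$ for the task, a recipient address, and that the SMTP settings are already present in the .config file; all of these are placeholders.

```powershell
# Added example (not part of PingCastle): check a PingCastle.exe.config before
# it is deployed to a scanning host, then register the weekly scheduled task
# recommended in section 2. Paths, account and recipient below are placeholders.

function Test-PingCastleScannerConfig {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$config = Get-Content -Path $Path -Raw
    $keys = $config.SelectNodes('//encryptionSettings/RSAKeys/KeySettings')
    if ($keys.Count -eq 0) {
        throw "No KeySettings element in $Path; --encrypt has nothing to encrypt with."
    }

    foreach ($k in $keys) {
        $name = $k.GetAttribute('name')
        # A scanning host only needs the public key. A privateKey attribute here
        # means the decryption key was shipped to a host that does not need it.
        if ($k.HasAttribute('privateKey')) {
            throw "KeySettings '$name' in $Path carries a privateKey; keep that on the consolidation host only."
        }
        if (-not $k.HasAttribute('publicKey')) {
            throw "KeySettings '$name' in $Path has neither publicKey nor privateKey."
        }
        # The attribute holds the XML-escaped <RSAKeyValue> blob; the [xml]
        # parser has already unescaped it, so it loads directly.
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
        try {
            $rsa.FromXmlString($k.GetAttribute('publicKey'))
            if ($rsa.KeySize -lt 2048) {
                Write-Warning "KeySettings '$name' uses a $($rsa.KeySize)-bit RSA key; consider 2048 bits or more."
            }
        } finally {
            $rsa.Dispose()
        }
    }
    return $true
}

function Register-PingCastleWeeklyScan {
    param(
        [string]$InstallDir     = 'C:\PingCastle',               # assumption
        [string]$ServiceAccount = 'CORP\svc-pingcastle$',        # placeholder gMSA
        [string]$Recipients     = 'ad-coordinator@example.com'   # placeholder
    )

    $exe = Join-Path $InstallDir 'PingCastle.exe'
    Test-PingCastleScannerConfig -Path "$exe.config" | Out-Null

    # Same command line as in sections 1 to 3: scan every domain reachable from
    # this host, encrypt the xml with the deployed public key, mail both reports.
    $action = New-ScheduledTaskAction -Execute $exe `
        -Argument "--healthcheck --server * --encrypt --sendAllTo $Recipients" `
        -WorkingDirectory $InstallDir

    # Weekly, as recommended in section 2; daily would only add follow-up effort.
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '03:00'

    # A gMSA has no stored password; -LogonType Password is how Task Scheduler
    # accepts it. Limited run level: the health check does not need elevation.
    $principal = New-ScheduledTaskPrincipal -UserId $ServiceAccount -LogonType Password -RunLevel Limited

    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
        -ExecutionTimeLimit (New-TimeSpan -Hours 4)

    Register-ScheduledTask -TaskName 'PingCastle weekly healthcheck' `
        -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
}

# Usage (placeholder recipient):
# Register-PingCastleWeeklyScan -Recipients 'coordinator@corp.example'
```

The configuration check is the part worth keeping even if you schedule the task some other way: the .config that travels to scanners must only ever contain the publicKey attribute, while the KeySettings entry with privateKey stays on the host that consolidates the reports. The check also loads the public key and reports its size, so an undersized key is noticed before it is distributed to every domain.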