SQLCheck updates

Annotated TSL Cipher Suites.
Fixed 32-bit SQL Aliases.
Identify Java apps and Microsoft.Data.SqlClient.dll apps.
Fixed default LanmanCompatibilityMode.
Fixed null TLS Policy list.
Remove space error in formatting suggested SPNs.
Show ForceStrict setting.

Author: Malcolm-Stewart

SQLCheck/.vs/SQLCheck/v15/Server/sqlite3/storage.ide

@@ -699,11 +699,18 @@ public static void CollectSecurity(DataSet ds)
             // Lanman compatibility Level - affects NTLM connections but not Kerberos connections
             //
 
-            string lanmanCompatibilityLevel = Utility.GetRegistryValueAsString(@"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "LMCompatibilityLevel", RegistryValueKind.DWord, 0);
-            string lanmanDesc = Utility.LanmanNames(lanmanCompatibilityLevel);
-            Security["LanmanCompatibilityLevel"] = lanmanDesc == "" ? lanmanCompatibilityLevel : $"{lanmanCompatibilityLevel} ({lanmanDesc})";
-            Security.CheckRange("LanmanCompatibilityLevel", lanmanCompatibilityLevel, 0, 7);
-            if (lanmanCompatibilityLevel.CompareTo("3") < 0) Security.LogWarning("LanmanCompatibilityLevel: The setting may be too low.");
+            string lanmanCompatibilityLevel = Utility.GetRegistryValueAsString(@"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "LMCompatibilityLevel", RegistryValueKind.DWord, "");
+            if (lanmanCompatibilityLevel == "")
+            {
+                Security["LanmanCompatibilityLevel"] = $"Not specified - default: 5 ({Utility.LanmanNames("5")})";
+            }
+            else
+            {
+                string lanmanDesc = Utility.LanmanNames(lanmanCompatibilityLevel);
+                Security["LanmanCompatibilityLevel"] = lanmanDesc == "" ? lanmanCompatibilityLevel : $"{lanmanCompatibilityLevel} ({lanmanDesc})";
+                Security.CheckRange("LanmanCompatibilityLevel", lanmanCompatibilityLevel, 0, 7);
+                if (lanmanCompatibilityLevel.CompareTo("3") < 0) Security.LogWarning("LanmanCompatibilityLevel: The setting may be too low.");
+            }
 
 
             //
@@ -926,13 +933,31 @@ public static void CollectProtocolOrder(DataSet ds)
             if (prot != null)
             {
                 string[] po = (string[])prot;
+                // RegStrings is before the annotation
                 ProtocolOrder["RegistryList"] = string.Join(",", po);
             }
 
             // From HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 ! Functions REG_SZ, comma-delimited
 
-            ProtocolOrder["PolicyList"] = Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002", "Functions", null);
+            prot = Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002", "Functions", null);
 
+            if (prot != null)
+            {
+                string[] po = (string[])prot;
+                // RegStrings is before the annotation
+                ProtocolOrder["PolicyList"] = string.Join(",", po);
+
+                // Warn if the Protocol List has entries that arent in the ReistryList
+                if (po.Length > 0)
+                {
+                    string[] RegStrings = ProtocolOrder.GetString("RegistryList").Trim().Split(',');
+                    string[] PolStrings = ProtocolOrder.GetString("PolicyList").Trim().Split(',');
+                    var comp = new StringIgnoreCaseComparer();
+                    var ExtraStrings = PolStrings.Except(RegStrings, comp);
+                    ExtraStrings.ToList().ForEach(s => ProtocolOrder.LogWarning($"Cipher Suite '{s}' appears in the Protocol List but not in the Registry List."));
+                }
+            }
+            
             // Warn if the Protocol List has entries that arent in the ReistryList
             if (ProtocolOrder.GetString("PolicyList").Trim().Length > 0)
             {
@@ -1750,7 +1775,8 @@ public static void CollectProcessDrivers(DataSet ds)
                                                "msodbcsql11.dll",  "msodbcsql13.dll", "msodbcsql17.dll", "msoledbsql.dll",         "sqlnclirda11.dll",
                                                // some non SQL driver DLLs
                                                "aceodbc.dll",      "aceoledb.dll",    "msolap.dll",      "activeds.dll",           "odbcjt32.dll",
-                                               "msjetoledb40.dll", "ibmdadb2.dll",    "ibmdadb264.dll",  "system.data.entity.dll", "system.data.oracleclient.dll"
+                                               "msjetoledb40.dll", "ibmdadb2.dll",    "ibmdadb264.dll",  "system.data.entity.dll", "system.data.oracleclient.dll",
+                                               "microsoft.data.sqlclient.dll",        "java.exe",        "jvm.dll",                "javaw.exe"
                                                };
 
             // get command results - output the data in CSV format, 3 columns; the last has sub-columns in it
@@ -1859,7 +1885,7 @@ public static void CollectSQLAlias(DataSet ds)
             RegistryKey aliasKey = null;
             string[] aliases = null, parts = null;
             bool is64bit = Computer["CPU64Bit"].ToBoolean();
-            string[] regPath = new string[] { @"SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo", @"SOFTWARE\WOW6432Node\MSSQLServer\Client\ConnectTo" };
+            string[] regPath = new string[] { @"SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo", @"SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo" };
             int loopCount = is64bit ? 2 : 1; // only look to Wow64 registry path if on a 64-bit system
             string redirectsTo = "";
 
@@ -2271,7 +2297,7 @@ public static void CollectSPNAccount(DataSet ds)
             int NOT_DELEGATED = 1048576;                     //  0x00100000
             int USE_DES_KEY_ONLY = 2097152;                  //  0x00200000
             int PASSWORD_EXPIRED = 8388608;                  //  0x00800000
-            int TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216;   //  0x01000000   
+            int TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216;   //  0x01000000   allow protocol transition - we aren't distinguishing this right now
 
             DataRow Computer = ds.Tables["Computer"].Rows[0];
             DataRow SPNAccount = null;
@@ -2401,7 +2427,7 @@ public static void CollectSPNAccount(DataSet ds)
                             CollectSPN(ds, SPNAccount, entry.Path);
 
                             // Get constrained delegation SPNs for this account
-                            bool constrained = entry.Properties["msDS-AllowedToDelegateTo"].Count > 0;
+                            bool constrained = (entry.Properties["msDS-AllowedToDelegateTo"].Count > 0);
                             SPNAccount["ConstrainedDelegationEnabled"] = constrained;
                             if (constrained) // get SPNs for constrained delegation
                             {
@@ -3191,14 +3217,14 @@ public static void ProcessSQLPathAndSPNs(DataSet ds, DataRow SQLInstance, DataRo
                                     SuggestedSPN = dtSuggestedSPN.NewRow();
                                     dtSuggestedSPN.Rows.Add(SuggestedSPN);
                                     SuggestedSPN["ParentID"] = SQLServer["ID"];
-                                    suggestedSPN = $@"{spnPrefixF}:{portNumber}";  // FQDN
+                                    suggestedSPN = $@"{spnPrefixF}:{portNumber.Trim()}";  // FQDN
                                     SuggestedSPN["SPNNAme"] = suggestedSPN;
                                     CheckSPN(ds, SQLServer, SuggestedSPN, suggestedSPN, SPNServiceAccount);
 
                                     SuggestedSPN = dtSuggestedSPN.NewRow();
                                     dtSuggestedSPN.Rows.Add(SuggestedSPN);
                                     SuggestedSPN["ParentID"] = SQLServer["ID"];
-                                    suggestedSPN = $@"{spnPrefixN}:{portNumber}";  // NETBIOS name
+                                    suggestedSPN = $@"{spnPrefixN}:{portNumber}.Trim()";  // NETBIOS name
                                     SuggestedSPN["SPNNAme"] = suggestedSPN;
                                     CheckSPN(ds, SQLServer, SuggestedSPN, suggestedSPN, SPNServiceAccount);
                                 }

SQLCheck/SQLCheck/Collectors.cs

@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.1286.0")]
-[assembly: AssemblyFileVersion("1.0.1286.0")]
+[assembly: AssemblyVersion("1.0.1305.0")]
+[assembly: AssemblyFileVersion("1.0.1305.0")]

SQLCheck/SQLCheck/Properties/AssemblyInfo.cs

@@ -43,6 +43,10 @@ public static TLSInfo GetTLSInfo(DataRow Computer)
             //
             // https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
             //
+            // Confirmed with the SCHANNEL team that TLS 1.3 is not supported by any version of Windows 10 or 2019.
+            // Some TLS 1.3 cipher suites may appear in the list on Windows 10 and 2019, but that was for TLS 1.3 proofing before releasing Windows 11 and 2022.
+            // There is no actual support for TLS 1.3 before Windows 11 or 2022.
+            //
             // Windows Version                                 Version #   Build #  SSL 2 Client  SSL 2 Server  SSL3        TLS 1.0     TLS 1.1     TLS 1.2     TLS 1.3
             // ----------------------------------------------  ----------  -------  ------------  ------------  ----------  ----------  ----------  ----------  ----------
             // Windows Vista / Windows Server 2008             NT 6.0        older  Disabled      Enabled       Enabled     Enabled     Not Supp    Not Supp    Not SUpp
@@ -57,10 +61,10 @@ public static TLSInfo GetTLSInfo(DataRow Computer)
             //
             // Windows 10, version 1607 / Windows Server 2016  10.0          14393  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Not Supp      Change
             // Windows 10, version 1809 / Windows Server 2019  10.0          17763  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Not Supp
-            // Windows 10, version 20H2 / Windows Server 2019  10.0          19042  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Enabled       Change
-            // Windows 10, version 21H1 / Windows Server 2019  10.0          19043  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Enabled
+            // Windows 10, version 20H2 / Windows Server 2019  10.0          19042  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Not Supp
+            // Windows 10, version 21H1 / Windows Server 2019  10.0          19043  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Not Supp
             //
-            // Windows 11, version 21H2                        10.0          22000  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Enabled
+            // Windows 11, version 21H2                        10.0          22000  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Enabled       Change
             // Windows Server 2022, wersion 21H2               10.0          20348  Not Supp      Not Supp      Disabled    Enabled     Enabled     Enabled     Enabled
 
 
@@ -69,12 +73,12 @@ public static TLSInfo GetTLSInfo(DataRow Computer)
             string WindowsBuild = Computer.GetString("WindowsBuild");
             string WindowsName = Computer.GetString("WindowsName");
 
-            // Windows 11, Windows 2022, Windows 10 versions 19042 and greater - Windows 2019 is in there somewhere, as well
-            if (Utility.CompareVersion(WindowsVersion, "10.0.19041") == ">") // Windows 11, Windows 2022, Windows 10/2019 versions 19042 and greater
+            // Windows 11, Windows 2022 and above
+            if (Utility.CompareVersion(WindowsVersion, "10.0.20000") == ">") // Windows 11, Windows 2022, Windows 10/2019 versions 19042 and greater
             {
                 return new TLSInfo("Not Supported", "Not Supported", "Disabled", "Enabled", "Enabled", "Enabled", "Enabled");
             }
-            // Windows 2016 / Windows 10 Build 1607
+            // Windows 2016, 2019 / Windows 10 Build 1607 and above
             else if (Utility.CompareVersion(WindowsVersion, "10.0.14392") == ">")  // starts with 10.0.14393
             {
                 return new TLSInfo("Not Supported", "Not Supported", "Disabled", "Enabled", "Enabled", "Enabled", "Not Supported");

SQLCheck/SQLCheck/TLSInfo.cs

@@ -508,10 +508,11 @@ static void ReportSecurity(DataSet ds, TextWriter s)  // outputs computer and do
                 }
                 rf = new ReportFormatter();
                 rf.SetColumnNames("Registry List:L", "Policy List:L");
+                
                 for (int i = 0; i < Math.Max(registryList.Length, policyList.Length); i++)  // loop for the longest array
                 {
-                    rf.SetcolumnData(i < registryList.Length ? registryList[i] : "",
-                                     i < policyList.Length ? policyList[i] : "");
+                    rf.SetcolumnData(i < registryList.Length ? Utility.AnnotateCipherSuite(registryList[i]) : "",
+                                     i < policyList.Length ? Utility.AnnotateCipherSuite(policyList[i]) : "");
                 }
                 s.WriteLine(rf.GetHeaderText());
                 s.WriteLine(rf.GetSeparatorText());