Various app updates

SQLNAUI - added "auto" filter Preference
SQLNA - added auto filter string mode
SQLNA - suppress some false positives in the login failure report
SQLCheck - Fit-and-finish improvements
SQLCheck - Made the TLS report better

Author: Malcolm-Stewart

SQLCheck/.vs/SQLCheck/v15/Server/sqlite3/storage.ide

@@ -465,27 +465,67 @@ public static void CollectSecurity(DataSet ds)
 
         public static void CollectTLS(DataSet ds)
         {
+            DataRow Computer = ds.Tables["Computer"].Rows[0];
             string[] TLSVersions = new string[] { "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2" };
             string[] ClientServer = new string[] { "Client", "Server" };
-            string[] ValueNames = new string[] { "DisabledByDefault", "Enabled" };  // DWORD
             object temp = null;
+            string defVal = "", enVal = "", disVal = "", effVal = "";
+            TLSInfo tlsInfo = TLSInfo.GetTLSInfo(Computer);
 
             foreach (string cs in ClientServer)
             {
                 foreach (string tlsVersion in TLSVersions)
                 {
-                    foreach (string valueName in ValueNames)
+                    DataRow TLS = ds.Tables["TLS"].NewRow();
+                    ds.Tables["TLS"].Rows.Add(TLS);
+                    defVal = "";
+                    enVal = "";
+                    disVal = "";
+                    effVal = "";
+                    TLS["ClientOrServer"] = cs;
+                    TLS["TLSVersion"] = tlsVersion;
+                    defVal = tlsInfo.GetComputerDefault(tlsVersion);
+                    TLS["Defaultvalue"] = defVal;
+                    temp = Registry.GetValue($@"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{tlsVersion}\{cs}", "Enabled", "");
+                    enVal = temp == null ? "" : ((temp.ToInt() != 0) ? $"True " : "False") + $" (0x{temp.ToInt().ToString("X8")})" + CheckTLS(tlsVersion, "Enabled", temp.ToInt());
+                    TLS["EnabledValue"] = enVal;
+                    temp = Registry.GetValue($@"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{tlsVersion}\{cs}", "DisabledByDefault", "");
+                    disVal = temp == null ? "" : ((temp.ToInt() != 0) ? $"True " : "False") + $" (0x{temp.ToInt().ToString("X8")})" + CheckTLS(tlsVersion, "DisabledByDefault", temp.ToInt());
+                    TLS["DisabledByDefaultValue"] = disVal;
+
+                    //
+                    // Calculate the effective Value
+                    //
+                    switch (defVal)
                     {
-                        DataRow TLS = ds.Tables["TLS"].NewRow();
-                        ds.Tables["TLS"].Rows.Add(TLS);
-                        TLS["ClientOrServer"] = cs;
-                        TLS["TLSVersion"] = tlsVersion;
-                        TLS["ValueName"] = valueName;
-                        TLS["Defaultvalue"] = "TODO";              // TODO
-                        temp = Registry.GetValue($@"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{tlsVersion}\{cs}", valueName, "");
-                        TLS["RegistryValue"] = temp == null ? "" : ((temp.ToInt() != 0) ? $"True " : "False") + $" (0x{temp.ToInt().ToString("X8")})" + CheckTLS(tlsVersion, valueName, temp.ToInt());
-                        TLS["PolicyValue"] = "TODO";               // TODO
+                        case "Not Supported":
+                            effVal = "Not Supported";
+                            break;
+                        case "Disabled":
+                            if (enVal == "" || enVal.StartsWith("False"))
+                            {
+                                effVal = "Disabled";
+                            }
+                            else // enVal = true
+                            {
+                                effVal = disVal.StartsWith("False") ? "Enabled" : "Disabled";  // disVal = "" (not specified) -> Disabled
+                            }
+                            break;
+                        case "Enabled":
+                            if (enVal.StartsWith("False"))
+                            {
+                                effVal = "Disabled";
+                            }
+                            else  // enVal = True or blank (not specified)
+                            {
+                                effVal = disVal.StartsWith("False") ? "Enabled" : "Disabled";  // disVal = "" (not specified) -> Disabled
+                            }
+                            break;
+                        default:
+                            effVal = "";
+                            break;
                     }
+                    TLS["EffectiveValue"] = effVal;
                 }
             }
         }
@@ -1619,7 +1659,7 @@ public static void CollectSPNAccount(DataSet ds)
                                     PropertyValueCollection props = entry.Properties["msDS-AllowedToDelegateTo"];
                                     foreach (object prop in props)
                                     {
-                                        Console.WriteLine($"Constrained target SPN for {tempAccount}: {prop.ToString()}");
+                                        //Console.WriteLine($"Constrained target SPN for {tempAccount}: {prop.ToString()}");  // debug trace
                                         // add constrained SPN records here
                                         DataRow ConstrainedDelegationSPN = ds.Tables["ConstrainedDelegationSPN"].NewRow();
                                         ds.Tables["ConstrainedDelegationSPN"].Rows.Add(ConstrainedDelegationSPN);
@@ -2047,7 +2087,7 @@ public static void ProcessMSSQLServer(DataSet ds, DataRow SQLInstance, DataRow S
                             {
                                 string msg = "";
                                 line = SmartString.GetBetween(line, @"[", @"]", false, true);  // auto trim the result
-                                DataRow[] Certificates = ds.Tables["Certificate"].Select($"ThumbPrint='{line}'");
+                                DataRow[] Certificates = ds.Tables["Certificate"].Select($@"ThumbPrint Like 'Cert Hash(*) ""{line}""'");
                                 if (Certificates.Length == 0)
                                 {
                                     msg = " (no certs match the thumbprint)";

SQLCheck/.vs/SQLCheck/v15/Server/sqlite3/storage.ide-shm

@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.0.1088")]
-[assembly: AssemblyFileVersion("1.0.0.1088")]
+[assembly: AssemblyVersion("1.0.0.1095")]
+[assembly: AssemblyFileVersion("1.0.0.1095")]

SQLCheck/.vs/SQLCheck/v15/Server/sqlite3/storage.ide-wal

@@ -70,6 +70,7 @@
     <Compile Include="SmartString.cs" />
     <Compile Include="Storage.cs" />
     <Compile Include="TextReport.cs" />
+    <Compile Include="TLSInfo.cs" />
     <Compile Include="Utility.cs" />
     <EmbeddedResource Include="SQLCheck.resx">
       <DependentUpon>SQLCheck.cs</DependentUpon>

SQLCheck/SQLCheck/Collectors.cs

@@ -130,12 +130,12 @@ public static DataSet CreateDataSet(String ComputerName)
             dt.AddColumn("ID", "Integer");
             dt.Columns["ID"].AutoIncrement = true;
             dt.AddColumn("ParentID", "Integer");
-            dt.AddColumn("TLSVersion", "String");     // SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
-            dt.AddColumn("ClientOrServer", "String"); // Client or Server
-            dt.AddColumn("ValueName", "String");      // DisabledByDefault or Enabled
-            dt.AddColumn("DefaultValue", "String");   // got from OS version mapping table, any non-zero setting is "True", preserve blanks for missing entries
-            dt.AddColumn("RegistryValue", "String");  // under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
-            dt.AddColumn("PolicyValue", "String");    // under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies ... somewhere - none on my system
+            dt.AddColumn("TLSVersion", "String");                // SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
+            dt.AddColumn("ClientOrServer", "String");            // Client or Server
+            dt.AddColumn("DefaultValue", "String");              // got from OS version mapping table: Not Supported, Disabled, Enabled
+            dt.AddColumn("EnabledValue", "String");              // under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
+            dt.AddColumn("DisabledByDefaultValue", "String");    // under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
+            dt.AddColumn("EffectiveValue", "String");            // 
             ds.Tables.Add(dt);
 
             //

SQLCheck/SQLCheck/Properties/AssemblyInfo.cs

@@ -0,0 +1,68 @@
+using System;
+using System.Data;
+
+namespace SQLCheck
+{
+    class TLSInfo
+    {
+        public string SSL20 = "";
+        public string SSL30 = "";
+        public string TLS10 = "";
+        public string TLS11 = "";
+        public string TLS12 = "";
+        public string TLS13 = "";
+
+        public TLSInfo(string ssl20, string ssl30, string tls10, string tls11, string tls12, string tls13)
+        {
+            SSL20 = ssl20;
+            SSL30 = ssl30;
+            TLS10 = tls10;
+            TLS11 = tls11;
+            TLS12 = tls12;
+            TLS13 = tls13;
+        }
+
+        public string GetComputerDefault(string TLSVersion)
+        {
+            switch (TLSVersion)
+            {
+                case "SSL 2.0": return SSL20;
+                case "SSL 3.0": return SSL30;
+                case "TLS 1.0": return TLS10;
+                case "TLS 1.1": return TLS11;
+                case "TLS 1.2": return TLS12;
+                case "TLS 1.3": return TLS13;
+                default: return $"Unknown TLS version: {TLSVersion}.";
+            }
+        }
+
+        public static TLSInfo GetTLSInfo(DataRow Computer)
+        {
+            string WindowsVersion = Computer.GetString("WindowsVersion");
+            string WindowsReleaseID = Computer.GetString("WindowsReleaseID");
+            string WindowsBuild = Computer.GetString("WindowsBuild");
+            string WindowsName = Computer.GetString("WindowsName");
+
+            if (Utility.CompareVersion(WindowsVersion, "10.0") == "=" && WindowsReleaseID.StartsWith("22"))  // Windows 22
+            {
+                return new TLSInfo("Enabled", "Enabled", "Enabled", "Enabled", "Enabled", "Enabled");
+            }
+            else if (Utility.CompareVersion(WindowsVersion, "10.0") == "=" ||   // Windows 10   and Windows 2016 and Windows 2019
+                     WindowsVersion.Contains("NT 6.2.") ||                      // Windows 8    and Windows Server 2012
+                     WindowsVersion.Contains("NT 6.3."))                        // Windows 8.1  and Windows Server 2012 R2
+            {
+                return new TLSInfo("Enabled", "Enabled", "Enabled", "Enabled", "Enabled", "Not Supported");
+            }
+            else if (WindowsVersion.Contains("NT 6.1.") ||                      // Windows 7 and Windows 2008 R2
+                    (WindowsVersion.Contains("NT 6.0.") && WindowsBuild == "6002" && WindowsName.Contains("Server")))        // Windows Server 2008 SP2 (not Vista SP2)
+            {
+                // if version = Windows 2008 SP2, Windows 2008 R2, Windows 7
+                return new TLSInfo("Enabled",  "Disabled", "Disabled", "Disabled", "Disabled", "Not Supported");
+            }
+            else // anything older
+            {
+                return new TLSInfo("Enabled", "Not Supported", "Not Supported", "Not Supported", "Not Supported", "Not Supported");
+            }
+        }
+    }
+}

SQLCheck/SQLCheck/SQLCheck.csproj

@@ -285,15 +285,15 @@ static void ReportSecurity(DataSet ds, TextWriter s)  // outputs computer and do
             DataTable dtTLS = ds.Tables["TLS"];
             ReportFormatter rf = new ReportFormatter();
             // rf.SetColumnNames("Client/Server:L", "TLS Version:L", "Setting:L", "Default:L", "Registry:L", "Policy:L");  // we don't collect all these columns, yet
-            rf.SetColumnNames("Client/Server:L", "TLS Version:L", "Setting:L", "Registry:L");
+            rf.SetColumnNames("Client/Server:L", "TLS Version:L", "Default:L", "Enabled in Reg:L", "Disabled By Default:L", "Effective Value:L");
             foreach (DataRow TLS in dtTLS.Rows)
             {
                 rf.SetcolumnData(TLS["ClientOrServer"].ToString(),
                                  TLS["TLSVersion"].ToString(),
-                                 TLS["ValueName"].ToString(),
-                                 //    TLS["DefaultValue"].ToString(),
-                                 TLS["RegistryValue"].ToString());
-                                 //    TLS["PolicyValue"].ToString());
+                                 TLS.GetString("DefaultValue"),
+                                 TLS.GetString("EnabledValue"),
+                                 TLS.GetString("DisabledByDefaultValue"),
+                                 TLS.GetString("EffectiveValue"));
             }
             s.WriteLine(rf.GetHeaderText());
             s.WriteLine(rf.GetSeparatorText());