Vulnerabilities in Windows Server

What is a Vulnerability?

In computer security, a vulnerability is a weakness that can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can reach the weakness. The set of weaknesses that can be reached in this way is also called the attack surface.

Some common findings from vulnerability assessment (VA) scans of Windows Server, and their fixes, are given below:

To apply from Group Policy:

CIFS Account Lockout Policy Allows Password Brute Forcing

Solution- Open gpedit.msc and follow the steps below.

Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. Set the policy as per the VA report.

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to 3 or fewer invalid logon attempts (not "0", which turns lockout off). Set "Account lockout duration" and "Reset account lockout counter after" in the same folder as well: the threshold alone does not slow a brute-force attempt if the counter resets after a few seconds. A low threshold also lets anyone who can reach the SMB port lock accounts out on purpose, so watch for lockout events once it is in place. On a domain-joined server the account policies come from the Default Domain Policy GPO, which overrides anything set in the local gpedit.msc.


Untrusted TLS/SSL server X.509 certificate:

This finding is usually raised against the RDP listener (port 3389), whose default certificate is self-signed. Before changing any RDP setting, make sure you can open the server's virtual console from the cloud dashboard, so that you still have a way in if RDP stops accepting connections. Then do the following on the server.

a) Open the Local Group Policy Editor (gpedit.msc), go to "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security", open "Require use of specific security layer for remote (RDP) connections", select "Enabled" and choose "RDP" from the drop-down menu.

b) Go to System Properties, click Remote settings and uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication".

Note that this makes the finding go away by taking TLS out of the RDP handshake altogether (legacy RDP security layer, no NLA), which is weaker than the self-signed certificate the scanner complained about. The fix that keeps TLS is to bind a certificate issued by a CA the scanner trusts to the RDP listener and leave the security layer on "Negotiate" or "SSL".

Self-signed TLS/SSL certificate:

Open IIS Manager, go to Server Certificates and remove every self-signed or expired certificate, and then

Run mmc.exe. File > Add/Remove Snap-in -> Certificates -> Computer account -> Local computer -> Finish.

Expand Certificates -> Remote Desktop -> Certificates and delete the self-signed certificate issued to the server's hostname.

Removing the certificate behind an IIS HTTPS binding takes that site down until a replacement is bound, and the Remote Desktop store is repopulated with a fresh self-signed certificate the next time the Remote Desktop Services service starts unless a CA-issued certificate has been assigned to the listener.
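The checks and the certificate-based fix for the two findings above, as an added PowerShell example. This is not code from the original post; the thumbprint placeholder, and the assumption that a certificate from a CA the scanner trusts is already imported into the machine store, are mine.

```powershell
# Added example (not from the original post). Run in an elevated Windows
# PowerShell session on the server, with the cloud console open as a fallback.
# Assumption: $Thumbprint is the SHA-1 thumbprint of a CA-issued certificate
# already present in Cert:\LocalMachine\My whose private key NETWORK SERVICE
# can read (the RDP listener runs as that account).
$Thumbprint = 'PUT-CA-ISSUED-THUMBPRINT-HERE'

# 1. Self-signed or expired certificates in the machine store and in the store
#    the Remote Desktop listener uses. Self-signed = subject equals issuer.
$stores   = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop'
$findings = $stores | ForEach-Object {
    $store = $_
    Get-ChildItem $store | ForEach-Object {
        $selfSigned = ($_.Subject -eq $_.Issuer)
        $expired    = ($_.NotAfter -lt (Get-Date))
        if ($selfSigned -or $expired) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                SelfSigned = $selfSigned
                Expired    = $expired
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 2. What the RDP listener is doing now. SecurityLayer: 0 = legacy RDP,
#    1 = Negotiate, 2 = TLS. UserAuthentication: 1 = NLA required.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Get-ItemProperty -Path $rdpKey -Name SecurityLayer, UserAuthentication

# 3. Bind the CA-issued certificate to the listener instead of dropping TLS.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$ts   = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Confirm the listener now presents the new certificate.
(Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
```

New RDP connections use the bound certificate straight away; if an old session still shows the self-signed one, restart the Remote Desktop Services service from the virtual console rather than over RDP. Step 1 is also the list to work through in IIS Manager: anything it reports from the My store that is still attached to an HTTPS binding needs a replacement before it is deleted.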


CIFS Account Password Never Expires

Solution- Open gpedit.msc and follow the steps below.

Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. Set the policy as per the VA report.

Configure the policy values under Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy:

Double-click "Maximum password age" and enter 90 days.

Double-click "Minimum password age" and enter 42 days (the value must be lower than the maximum; common baselines use 1 day, which is enough to stop a user cycling straight back to the old password).

The policy is ignored for accounts that have the "Password never expires" flag set, so now go to Computer Management > Local Users and Groups and click Users.

Select the Administrator account, right-click it, click Properties, uncheck "Password never expires" and close.

Repeat the step above for every other enabled account.
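The lockout and password-age settings from the two CIFS findings above, applied and verified from PowerShell, plus the "Password never expires" clean-up done for every enabled local account at once. This is an added example, not code from the original post; the threshold, durations and ages are assumptions to be replaced by the numbers in the VA report.

```powershell
# Added example (not from the original post). Run elevated on the server.
# Assumed values: threshold 3, lockout 30 min, counter reset 30 min,
# maximum age 90 days, minimum age 1 day. Get-LocalUser / Set-LocalUser need
# Windows Server 2016+ or WMF 5.1 on 2012 R2.

# Current local policy. On a domain member add /domain: the domain policy
# overrides the local one for domain accounts, and must be changed in the
# Default Domain Policy GPO instead.
net accounts

# Lockout. Windows rejects a reset window longer than the lockout duration.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30

# Password age. The minimum must be lower than the maximum or the command fails.
net accounts /maxpwage:90 /minpwage:1

# Enabled accounts whose password never expires: Get-LocalUser reports an
# empty PasswordExpires for them.
$never = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires }
$never | Select-Object Name, PasswordLastSet, PasswordExpires

# Clear the flag. The current password is kept and ages out under the policy.
foreach ($u in $never) {
    Set-LocalUser -Name $u.Name -PasswordNeverExpires $false
}

# Verify: every enabled account now shows a real expiry date.
Get-LocalUser | Where-Object Enabled | Select-Object Name, PasswordExpires
```

The built-in Administrator account (RID 500) is exempt from the lockout policy on older Windows Server builds, so the threshold does nothing for it; rename it and block its network logon rather than relying on lockout. Service accounts that are found by the "never expires" query need a rotation procedure before the flag is cleared, or the service stops when the password expires.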


How to Remove the OPTIONS Method in IIS 8.5

Open IIS Manager and click the top node in the server tree. If you only want to disable the OPTIONS method for a single site, do the same steps starting from that site's home screen.

Locate the IIS feature section and click the Request Filtering icon.

Click "Deny Verb" in the Actions list on the right side.

You can now specify the verb you do not want to allow (in this case OPTIONS).

When you click OK, the dialog closes and you see that OPTIONS is now disabled (Allowed = False). IIS answers a denied verb with HTTP 404 (sub-status 404.6 in the IIS log), not 405. Check first that nothing hosted on the server needs OPTIONS: browsers send it as the CORS preflight request and WebDAV clients use it too.
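The same change made from PowerShell with the WebAdministration module, followed by a request that proves the verb is denied. This is an added example, not code from the original post; it assumes the site answers on http://localhost/ and that no application on it relies on OPTIONS.

```powershell
# Added example (not from the original post). Run elevated on the IIS host.
Import-Module WebAdministration

# Server-wide: the entry is written to applicationHost.config. To limit it to
# one site, use -PSPath 'IIS:\Sites\Default Web Site' (the site's web.config).
$psPath = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.webServer/security/requestFiltering/verbs'

# Is OPTIONS already in the verbs collection?
$existing = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name Collection |
    Where-Object { $_.verb -eq 'OPTIONS' }

if (-not $existing) {
    # Equivalent appcmd form:
    #   appcmd set config /section:requestFiltering /+verbs.[verb='OPTIONS',allowed='false']
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ verb = 'OPTIONS'; allowed = 'false' }
}

# Read back what request filtering will enforce.
Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name Collection |
    Select-Object verb, allowed

# Verify from the outside. Request filtering rejects a denied verb with
# HTTP 404 (404.6 in the IIS log); a 200 here means the rule is not applied.
try {
    $r = Invoke-WebRequest -Uri 'http://localhost/' -Method Options -UseBasicParsing
    "OPTIONS still allowed: HTTP $($r.StatusCode)"
} catch {
    "OPTIONS denied: HTTP $([int]$_.Exception.Response.StatusCode)"
}
```

The same check against the public hostname from another machine is what the scanner sees; a reverse proxy or load balancer in front of IIS may answer OPTIONS itself and keep the finding alive even though IIS denies it.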


For Disabling SMBv1

Open Windows PowerShell as administrator and run the commands below. The server-side change takes effect without a reboot; the last command only shows how to re-enable it.

Detect:  Get-SmbServerConfiguration | Select EnableSMB1Protocol

Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false

Enable:  Set-SmbServerConfiguration -EnableSMB1Protocol $true


Vulnerabilities fixed by updating registry settings:

SMBv2 signing not required

Recommended vulnerability solution: Require SMB signing (SMBv2).

Actual solution: add these registry values.

Open Run, type regedit, press Enter, and add the following values (DWORD, value 1):

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (DWORD: 1)

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (DWORD: 1)

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature (DWORD: 1)

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature (DWORD: 1)

For SMBv2 and SMBv3 only RequireSecuritySignature matters: signing is always available for those dialects and EnableSecuritySignature is ignored, so the scanner looks for the Require value. These are the same values written by the Group Policy settings "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)", and a GPO that sets them to 0 will undo a manual registry edit at the next policy refresh. Clients that cannot sign (very old devices) will no longer be able to connect once Require is set on the server.
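The SMB hardening from the two sections above (disable SMBv1, require signing) done and verified in one PowerShell pass, with the check a practitioner wants before switching SMBv1 off: whether anything still uses it. This is an added example, not code from the original post; the SMB cmdlets write the same LanmanServer and LanmanWorkstation registry values listed above.

```powershell
# Added example (not from the original post). Run elevated on the server.

# 1. Who still speaks SMBv1? Legacy scanners, printers and NAS boxes will
#    break once it is off, so find them first. Dialect 1.x in the session
#    list means SMBv1; the audit log (Server 2016+) records every SMBv1 access
#    as event 3000 once auditing is switched on.
Get-SmbSession | Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 2. Current state, all three settings at once.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSecuritySignature, RequireSecuritySignature

# 3. SMBv1 off at the server, signing required on both roles. -Force skips
#    the confirmation prompt so this can run unattended.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 4. Remove the SMBv1 binaries (Server 2012 R2 and later) so a later
#    configuration change cannot bring the protocol back. Reboot to finish.
if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1
}

# 5. Read the registry back: this is what a VA scanner checks.
foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" |
        Select-Object @{ n = 'Service'; e = { $svc } },
                      EnableSecuritySignature, RequireSecuritySignature
}
```

Step 3 is the point of no return for unsigned clients, so leave the audit in step 1 running for a few days on a busy file server before applying it. The client-side Require setting is what stops the server's own outbound connections from being downgraded by a rogue SMB server; it is the half that is most often forgotten.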


"TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)" and "TLS/SSL Server Supports 3DES Cipher Suite"

Recommended vulnerability solution: "Disable TLS/SSL support for the 3DES cipher suite."

Actual solution: add these registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\

Right-click Ciphers, select New > Key and name it RC4 128/128.

Right-click Ciphers again, select New > Key and name it Triple DES 168.

Now go to RC4 128/128, right-click it, select New > DWORD (32-bit) Value, name it Enabled and, after double-clicking it, set the value to 0.

Repeat this step for Triple DES 168. (To remove RC4 entirely, the keys RC4 64/128, RC4 56/128 and RC4 40/128 need the same Enabled = 0 value; the scanner's RC4 finding lists which ones it negotiated.)

Now close the registry editor and restart the computer; SCHANNEL reads these keys at start-up.


For the Diffie-Hellman ciphers issue

Follow the steps below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\

(KeyExchangeAlgorithms sits directly under SCHANNEL, next to Ciphers, not inside it.)

Right-click KeyExchangeAlgorithms, select New > Key and name it Diffie-Hellman.

Now right-click Diffie-Hellman, select New > DWORD (32-bit) Value, name it Enabled, double-click it and set the value to 0.

Now restart the computer.

This switches finite-field Diffie-Hellman key exchange (the DHE cipher suites) off completely. If the finding is about a weak DH group rather than DH itself, the alternative is to leave Enabled alone and create a DWORD named ServerMinKeyBitLength under the same Diffie-Hellman key with the value 2048 (0x800), which keeps DHE and its forward secrecy but refuses the 1024-bit group. ECDHE suites are governed by the separate ECDH key under KeyExchangeAlgorithms and are not affected either way.


Microsoft CVE-2017-5754 (Meltdown) and Microsoft CVE-2017-5715 (Spectre variant 2)

Solution- Open the server registry (Run > regedit). First of all make sure you have a server and registry backup. Then go to the path below in regedit.

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management": click Memory Management and in the right pane create a new DWORD (32-bit) Value named "FeatureSettingsOverride", double-click it and give it the value 0.

Follow the same steps again to create a new DWORD (32-bit) Value named "FeatureSettingsOverrideMask" and give it the value 3.

On Windows Server the operating-system mitigations for these two CVEs ship disabled, and this pair of values (0 with mask 3) switches them on; 3 with mask 3 switches them off again. They do nothing until the January 2018 or later cumulative update is installed and the server has been rebooted, and the CVE-2017-5715 mitigation also needs the CPU microcode (firmware) update from the hardware or cloud vendor. Expect some performance cost on I/O-heavy workloads.
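The two values above set from PowerShell, with the extra value a Hyper-V host needs and Microsoft's own check script run afterwards. This is an added example, not code from the original post; it assumes the server can reach the PowerShell Gallery to install the SpeculationControl module.

```powershell
# Added example (not from the original post). Run elevated; reboot after the
# registry changes. The values only have an effect once the January 2018 or
# later cumulative update is installed (and, for CVE-2017-5715, the microcode).
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Override = 0 with Mask = 3 enables both mitigations; Override = 3 with
# Mask = 3 disables them again (useful when measuring the performance cost).
New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null

# A Hyper-V host also needs this so the protection is exposed to its VMs
# (the VMs must be stopped and started, not just rebooted, after the host reboot).
if ((Get-WindowsFeature -Name Hyper-V).Installed) {
    $virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    if (-not (Test-Path $virt)) { New-Item -Path $virt | Out-Null }
    New-ItemProperty -Path $virt -Name MinVmVersionForCpuBasedMitigations `
        -PropertyType String -Value '1.0' -Force | Out-Null
}

# What was written.
Get-ItemProperty -Path $mm -Name FeatureSettingsOverride, FeatureSettingsOverrideMask

# After the reboot: Microsoft's check. "Windows OS support for ... mitigation is
# enabled: True" is the line the scanner is effectively testing for; a False on
# "Hardware support for branch target injection mitigation" means the
# microcode update is still missing.
Install-Module -Name SpeculationControl -Scope CurrentUser -Force
Get-SpeculationControlSettings
```

Run Get-SpeculationControlSettings before the change as well and keep the output; the before/after pair is what an auditor asks for, and it shows at a glance whether a remaining False is a registry problem (fixed here) or a firmware problem (fixed by the vendor).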


TLS/SSL Server Supports the Use of Static Key Ciphers

Recommended vulnerability solution: "Disable TLS/SSL support for static key cipher suites"

Actual solution: add this registry value (create the PKCS key under KeyExchangeAlgorithms if it does not exist):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS\Enabled (DWORD: 0)

PKCS is SCHANNEL's name for RSA key exchange, so this removes every TLS_RSA_* cipher suite. Together with the Diffie-Hellman change above it leaves only ECDHE key exchange, so before rebooting confirm that the server certificate and the expected clients support an ECDHE suite; otherwise HTTPS, RDP over TLS and anything else built on SCHANNEL will refuse connections, and the only way back in is the virtual console.
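The SCHANNEL changes from the SWEET32/3DES, Diffie-Hellman and static-key (PKCS) sections above, made from PowerShell with a read-back. This is an added example, not code from the original post. It goes beyond the page in two places, both assumptions of mine: it disables every RC4 key length, not only RC4 128/128, and it uses ServerMinKeyBitLength = 2048 for the Diffie-Hellman finding instead of disabling DH outright (the page's choice is left in as a commented line).

```powershell
# Added example (not from the original post). Run elevated, then reboot:
# SCHANNEL reads these keys at start-up, so nothing changes until you do.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Key names such as "RC4 128/128" contain a slash, which the registry
# provider treats as a path separator: New-Item 'HKLM:\...\Ciphers\RC4 128/128'
# creates "RC4 128" with a subkey "128". Go through .NET, which takes the
# name literally.
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = $hklm.CreateSubKey("$schannel\$SubKey")   # opens or creates, writable
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# SWEET32: 3DES. RC4 as well, every key length SCHANNEL knows.
$weakCiphers = 'Triple DES 168', 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
foreach ($cipher in $weakCiphers) {
    Set-SchannelDword -SubKey "Ciphers\$cipher" -Name Enabled -Value 0
}

# Diffie-Hellman: keep DHE (forward secrecy) but refuse groups under 2048 bits.
Set-SchannelDword -SubKey 'KeyExchangeAlgorithms\Diffie-Hellman' -Name ServerMinKeyBitLength -Value 2048
# What the page does instead (no DH at all):
# Set-SchannelDword -SubKey 'KeyExchangeAlgorithms\Diffie-Hellman' -Name Enabled -Value 0

# Static RSA key exchange (every TLS_RSA_* suite).
Set-SchannelDword -SubKey 'KeyExchangeAlgorithms\PKCS' -Name Enabled -Value 0

# Read back everything under Ciphers and KeyExchangeAlgorithms. A missing
# value shows as empty, which means "default" (enabled).
function Get-SchannelSettings {
    foreach ($section in 'Ciphers', 'KeyExchangeAlgorithms') {
        $parent = $hklm.OpenSubKey("$schannel\$section")
        if (-not $parent) { continue }
        foreach ($name in $parent.GetSubKeyNames()) {
            $k = $parent.OpenSubKey($name)
            [pscustomobject]@{
                Key                   = "$section\$name"
                Enabled               = $k.GetValue('Enabled')
                ServerMinKeyBitLength = $k.GetValue('ServerMinKeyBitLength')
            }
            $k.Close()
        }
        $parent.Close()
    }
}
Get-SchannelSettings | Format-Table -AutoSize
```

With PKCS off and DH either off or limited, what is left is ECDHE, so run the read-back, make sure the ECDH key has not been disabled by an earlier hardening pass, and confirm the server certificate works with an ECDHE suite before rebooting. After the reboot, the scanner's cipher enumeration (or nmap --script ssl-enum-ciphers -p 443 from another host) is the real test of what SCHANNEL now offers.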


Weak LAN Manager hashing permitted:

To disable this and better secure your servers, follow these steps:

Go to Start | Run, and enter regedit.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

Find the LmCompatibilityLevel value. This is the value behind the Group Policy setting "Network security: LAN Manager authentication level"; a value named "LMCompatibility" belongs to the old Windows 9x directory-services client and is not the one Windows Server reads.

If LmCompatibilityLevel is not found, right-click Lsa, select New > DWORD (32-bit) Value, name it LmCompatibilityLevel and give it the value 5 (send NTLMv2 responses only; refuse LM and NTLM). Level 4 refuses LM only and is the fallback if some client still cannot do NTLMv2.

After that follow the process below in Group Policy.

Press Win+R and type gpedit.msc.

In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and expand Local Policies.

Select Security Options.

Double-click "Network security: Do not store LAN Manager hash value on next password change".

Select Enabled, and click OK. (This writes NoLMHash = 1 under the same Lsa key.) As the name says, it only stops new LM hashes from being stored; any LM hash already in the SAM stays until that account's password is changed, so rotate every local account's password once after enabling it.
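Both LSA settings from this section written and read back from PowerShell, followed by the list of accounts whose passwords still have to be rotated for the NoLMHash change to mean anything. This is an added example, not code from the original post; the level-5 choice is the page's, the rest of the values are the documented registry names for the two policies.

```powershell
# Added example (not from the original post). Run elevated. These are the
# same values the two Group Policy settings write; if a GPO sets them too,
# the GPO wins at the next policy refresh, so change it there as well.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# "Network security: LAN Manager authentication level"
#   0 = send LM & NTLM            3 = send NTLMv2 only
#   1 = LM & NTLM, NTLMv2 session security if negotiated
#   2 = send NTLM only            4 = NTLMv2 only, refuse LM
#                                 5 = NTLMv2 only, refuse LM and NTLM
New-ItemProperty -Path $lsa -Name LmCompatibilityLevel -PropertyType DWord -Value 5 -Force | Out-Null

# "Network security: Do not store LAN Manager hash value on next password change"
New-ItemProperty -Path $lsa -Name NoLMHash -PropertyType DWord -Value 1 -Force | Out-Null

# Read back. Both take effect without a reboot for new logons.
Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel, NoLMHash |
    Select-Object LmCompatibilityLevel, NoLMHash

# NoLMHash only applies to passwords set from now on. Every enabled local
# account whose password predates this moment may still carry an LM hash in
# the SAM and needs a password change to get rid of it.
$applied = Get-Date
Get-LocalUser | Where-Object { $_.Enabled -and $_.PasswordLastSet -lt $applied } |
    Select-Object Name, PasswordLastSet |
    Sort-Object PasswordLastSet
```

Level 5 is the right end state, but it is also the one that breaks old appliances that only know NTLM: set it on the server first and watch the Security log for failed logons (event 4625, status 0xC000006D) from anything that stops working before pushing the same level to the rest of the estate.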


                         
