What is a Vulnerability?
In computer security, a vulnerability is a weakness that can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface.
Some common vulnerabilities and their solutions are given below:
To apply from Group Policy:
CIFS Account Lockout Policy Allows Password Brute Forcing
Solution: Open gpedit.msc and follow the steps below.
Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy. Set the policy as per the VA report.
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> “Account lockout threshold” to “3” or fewer invalid logon attempts (excluding “0”, which disables lockout and is unacceptable).
Untrusted TLS/SSL server X.509 certificate:
First, make sure you can open the server's virtual console from the cloud dashboard, since the RDP change below can interrupt your remote session; then apply the following settings on the server.
a) Open the Local Group Policy Editor (gpedit.msc), go to “Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security”, open “Require use of specific security layer for remote (RDP) connections”, select “Enabled” and choose RDP from the drop-down menu.
b) Go to System Properties, click Remote Settings and uncheck “Allow connection only from computer..”.
Self-signed TLS/SSL certificate:
Open IIS Manager, go to Server Certificates and remove all self-signed or expired certificates. Then:
Run mmc.exe. Add/Remove Snap-in -> Certificates -> Computer Account -> Local Computer -> Finish.
Expand the added Certificates snap-in -> Remote Desktop folder and remove the certificate issued there.
CIFS Account Password Never Expires
Solution: Open gpedit.msc and follow the steps below.
Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy. Set the policy as per the VA report.
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Password Policy >> Maximum password age:
Double-click Maximum password age and enter the value 90 days.
Double-click Minimum password age and enter the value 42 days.
Now go to Computer Management / Local Users and Groups and click Users.
Select the Administrator account, right-click it, click Properties, uncheck “Password never expires” and close.
Repeat the step above for any other account that is active.
How to Remove the OPTIONS Method in IIS 8.5
Open IIS Manager and click the top node in the server tree. If you only want to disable the OPTIONS method for a single site, start the following steps from the home screen of that site instead.
Locate the IIS feature section and click the Request Filtering icon.
Click Deny Verb in the Actions list on the right side.
You can now specify the verb you do not want to allow (in this case OPTIONS).
When you click OK, the dialog closes and you see that OPTIONS is now disabled (Allowed = False).
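The same change made from PowerShell, as an added example that is not part of the original post: it assumes the WebAdministration module on the IIS host and a site bound to http://localhost/ for the final check.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: deny the OPTIONS verb through IIS request
# filtering from PowerShell (the same change the IIS Manager steps above make), then verify it.
Import-Module WebAdministration

$ConfigPath  = 'MACHINE/WEBROOT/APPHOST'   # server level; add -Location 'Default Web Site' to the cmdlets for one site
$VerbsFilter = 'system.webServer/security/requestFiltering/verbs'

function Get-DeniedVerb {
    # Returns the verbs that request filtering currently lists with allowed="false".
    (Get-WebConfiguration -PSPath $ConfigPath -Filter $VerbsFilter).Collection |
        Where-Object { [string]$_.allowed -eq 'False' } | ForEach-Object { $_.verb }
}

function Deny-Verb([string]$Verb) {
    # Idempotent: adds <add verb="OPTIONS" allowed="false" /> only if it is not already present.
    if (@(Get-DeniedVerb) -contains $Verb) { return }
    Add-WebConfigurationProperty -PSPath $ConfigPath -Filter $VerbsFilter -Name '.' -Value @{ verb = $Verb; allowed = 'False' }
}

Deny-Verb 'OPTIONS'
"Denied verbs: $((Get-DeniedVerb) -join ', ')"

# Request filtering answers a denied verb with HTTP 404 (substatus 404.6), so an OPTIONS request
# to a local site should now fail; a 200 here means the verb is still allowed.
try   { Invoke-WebRequest -Uri 'http://localhost/' -Method Options -UseBasicParsing | Out-Null; 'OPTIONS still allowed' }
catch { "OPTIONS request returned HTTP $($_.Exception.Response.StatusCode.value__)" }
```

The resulting entry in applicationHost.config (or the site's web.config when scoped with -Location) is the same <add verb="OPTIONS" allowed="false" /> that the IIS Manager dialog writes.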
Disabling SMBv1
Open Windows PowerShell and run the commands below to detect and disable SMBv1:
Detect: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB1Protocol $true
Removing vulnerabilities by updating registry settings:
SMBv2 signing not required
Recommended vulnerability solution: Enable SMBv2 with signing required.
Actual solution: Add these registry values.
Open Run, type regedit, press Enter, then navigate to the paths below and add the following values:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (DWORD: 1)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (DWORD: 1)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature (DWORD: 1)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature (DWORD: 1)
“TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)” and “TLS/SSL Server Supports 3DES Cipher Suite”
Recommended vulnerability solution: “Disable TLS/SSL support for 3DES cipher suite.”
Actual solution: Add these registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
Right-click Ciphers, select New > Key and name it RC4 128/128.
Right-click Ciphers again, select New > Key and name it Triple DES 168.
Now right-click RC4 128/128, select New > DWORD (32-bit) Value, name it Enabled, double-click it and set the value to 0.
Repeat this step for Triple DES 168.
Now close the registry editor and restart the computer.
For the Diffie-Hellman ciphers issue
Follow the steps below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\KeyExchangeAlgorithms\
Right-click KeyExchangeAlgorithms, select New > Key and name it Diffie-Hellman.
Now right-click Diffie-Hellman, select New > DWORD (32-bit) Value, name it Enabled, double-click it and set the value to zero (0).
Now restart the computer.
Microsoft CVE-2017-5754 and Microsoft CVE-2017-5715
Solution: Open the server registry (Run > regedit). First, make sure that you have a server and registry backup. Go to the path below in regedit.
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management”: click Memory Management and, in the right panel, create a new DWORD (32-bit) Value named “FeatureSettingsOverride”, double-click it and set its value to 0.
Follow the same steps to create a new DWORD (32-bit) Value named “FeatureSettingsOverrideMask” and set its value to 3.
TLS/SSL Server Supports The Use of Static Key Ciphers
Recommended vulnerability solution: “Disable TLS/SSL support for static key cipher suites”
Actual solution: Add this registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS\Enabled (DWORD: 0)
Weak LAN Manager hashing permitted:
To disable this ability and better secure your workstations, follow these steps:
Go to Start | Run, and enter regedit.
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
Find the LMCompatibility and LMCompatibilityLevel values.
If LMCompatibility is not found, right-click LSA, select New > DWORD (32-bit) Value, rename it to LMCompatibility and set its value to 5.
Now create another DWORD (32-bit) Value, rename it to LMCompatibilityLevel and set its value to 5.
After that, follow the process below in Group Policy:
Press Win+R and type gpedit.msc.
In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and expand Local Policies.
Select Security Options.
Double-click Network Security: Do Not Store LAN Manager Hash Value On Next Password Change.
Select Enabled, and click OK.
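A single audit-and-apply script for the registry values set by hand in the SMBv2 signing, SWEET32/3DES, Diffie-Hellman, CVE-2017-5754/CVE-2017-5715, static key cipher and LAN Manager sections above, as an added example that is not part of the original post. It assumes Windows PowerShell run as Administrator; the Diffie-Hellman key is placed under SCHANNEL\KeyExchangeAlgorithms, where Schannel reads it, and NoLMHash is the registry equivalent of the “Do not store LAN Manager hash value” policy in the last section.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: audit (default) or apply (-Apply) the registry
# values the sections above set by hand, and report every value that drifts from what is expected.
# Uses the .NET registry API because the key name "RC4 128/128" contains a slash, which the
# PowerShell registry provider would otherwise treat as a path separator.
param([switch]$Apply)

$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$MemMgmt  = 'SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Lsa      = 'SYSTEM\CurrentControlSet\Control\Lsa'
$Expected = @(
    # SMB signing, client (LanmanWorkstation) and server (LanmanServer) side
    @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnableSecuritySignature';  Value = 1 }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Value = 1 }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'EnableSecuritySignature';  Value = 1 }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Value = 1 }
    # SWEET32 / RC4: disable the 3DES and RC4 Schannel ciphers
    @{ Key = "$Schannel\Ciphers\Triple DES 168"; Name = 'Enabled'; Value = 0 }
    @{ Key = "$Schannel\Ciphers\RC4 128/128";    Name = 'Enabled'; Value = 0 }
    # Key exchange: Schannel reads these under KeyExchangeAlgorithms
    @{ Key = "$Schannel\KeyExchangeAlgorithms\Diffie-Hellman"; Name = 'Enabled'; Value = 0 }
    @{ Key = "$Schannel\KeyExchangeAlgorithms\PKCS";           Name = 'Enabled'; Value = 0 }
    # CVE-2017-5715 / CVE-2017-5754 mitigations enabled
    @{ Key = $MemMgmt; Name = 'FeatureSettingsOverride';     Value = 0 }
    @{ Key = $MemMgmt; Name = 'FeatureSettingsOverrideMask'; Value = 3 }
    # LAN Manager: NTLMv2 only, and stop storing LM hashes (the Group Policy setting above)
    @{ Key = $Lsa; Name = 'LMCompatibilityLevel'; Value = 5 }
    @{ Key = $Lsa; Name = 'NoLMHash';             Value = 1 }
)

function Get-HklmValue([string]$Key, [string]$Name) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Key)
    if ($null -eq $k) { return $null }                  # the key itself is missing
    try { $k.GetValue($Name, $null) } finally { $k.Close() }
}
function Set-HklmDword([string]$Key, [string]$Name, [int]$Value) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($Key)   # creates the key if needed
    try { $k.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) } finally { $k.Close() }
}

$report = foreach ($e in $Expected) {
    $actual = Get-HklmValue $e.Key $e.Name
    $state  = if ($actual -eq $e.Value) { 'OK' } elseif ($null -eq $actual) { 'MISSING' } else { "WRONG ($actual)" }
    if ($Apply -and $state -ne 'OK') { Set-HklmDword $e.Key $e.Name $e.Value; $state += ' -> fixed' }
    [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Expected = $e.Value; State = $state }
}
$report | Format-Table -AutoSize
if ($Apply) { Write-Warning 'Schannel, SMB signing and CPU mitigation changes take effect after a restart.' }
```

Run it without the switch first to see the drift report, and export the affected keys with reg export before running it with -Apply.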