Solutions for server vulnerabilities

Problem: Disable Server Message Block (SMB) Protocol Version 1

Solution: Disable SMBv1 in PowerShell

  • Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

  • Set-SmbServerConfiguration -EnableSMB1Protocol $false

Solution Reference: Detect, enable, and disable SMBv1, SMBv2, and SMBv3 in Windows

Problem: MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)

Solution: Install security update Windows8.1-KB3000483

Solution Reference: Microsoft Security Bulletin MS15-011 - Critical

Problem: WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck)

Solution: Add and enable the registry value EnableCertPaddingCheck:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck

  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck

Solution Reference: WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (...

Problem:

  • SSL Medium Strength Cipher Suites Supported (SWEET32)

  • SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Solution:

  1. Open the GPO settings with gpedit.msc

  2. Enable the setting and remove the medium-strength cipher suites under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings

  3. Keep only AES-GCM ciphers in the GPO setting

Solution Reference:

  • Disabling 3DES and changing cipher suites order.

  • SSL Medium Strength Cipher Suites Supported (SWEET32)

  • How to resolve SSL Medium Strength Cipher Suites Supported SWEET32 vulnerability (Windows)

Problem:

  • SSL Version 2 and 3 Protocol Detection

  • TLS Version 1.0 and 1.1 Protocol Detection

Solution: Disable the registry values for these vulnerable protocols under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

Notes:

  • Changing a registry value requires a computer reboot

  • Check the TLS version offered on a given port using openssl s_client -connect <hostname>:<port>
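
The registry change for the SSL 2 and 3 / TLS 1.0 and 1.1 finding, written out as an added PowerShell example (not part of the original page). The subkey layout `Protocols\<version>\<Server|Client>` and the value names `Enabled` and `DisabledByDefault` are not stated on the page; they are the standard SCHANNEL settings, and disabling both the Server and Client roles is an assumption of this example.

```powershell
# Added example: disable legacy SSL/TLS versions in SCHANNEL and read the result back.
# Run from an elevated PowerShell session; the change takes effect after a reboot.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'   # versions flagged on this page
$roles     = 'Server', 'Client'                           # assumption: disable both roles

foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $key = Join-Path (Join-Path $base $protocol) $role

        # The per-protocol subkeys are usually absent, so create them only if missing
        # (New-Item -Force on an existing key would reset its values).
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        # Enabled = 0 turns the protocol off for this role;
        # DisabledByDefault = 1 stops it from being offered unless explicitly requested.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Read every value back so the final state can be kept as remediation evidence.
$report = foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $key    = Join-Path (Join-Path $base $protocol) $role
        $values = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            Enabled           = $values.Enabled
            DisabledByDefault = $values.DisabledByDefault
        }
    }
}
$report | Format-Table -AutoSize
```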