Solutions for server vulnerabilities

Disable Server Message Block (SMB) Protocol Version 1

Disable SMB v1 on PowerShell

• Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

• Set-SmbServerConfiguration -EnableSMB1Protocol $false

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)

Install security update Windows8.1-KB3000483

https://learn.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-011

WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck)

Add and enable registry value EnableCertPaddingCheck:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck

• HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck

WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (...

• SSL Medium Strength Cipher Suites Supported (SWEET32)

• SSL RC4 Cipher Suites Supported (Bar Mitzvah)

1. Open GPO setting gpedit.msc

2. Enable and remove Medium Strength Cipher Suites in Computer Configuration > Administrative Templates > Network > SSL Configuration Settings

3. Only keep AES-GCM ciphers in GPO setting

Disabling 3DES and changing cipher suites order.

https://social.technet.microsoft.com/Forums/en-US/330c75b3-c7f4-4fd2-9bcc-0b9b4407c9ac/ssl-medium-strength-cipher-suites-supported-sweet32?forum=winserversecurity

How to resolve SSL Medium Strength Cipher Suites Supported SWEET32 vulnerability (Windows)

• SSL Version 2 and 3 Protocol Detection

• TLS Version 1.0 and 1.1 Protocol Detection

Disable registry value for these vulnerable protocols in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\