Solutions for server vulnerabilities

Problem	Solution	Solution Reference

Problem	Solution	Solution Reference
Disable Server Message Block (SMB) Protocol Version 1	Disable SMB v1 on PowerShell `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` `Set-SmbServerConfiguration -EnableSMB1Protocol $false`	https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server
MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)	Install security update `Windows8.1-KB3000483`	https://learn.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-011
WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation (EnableCertPaddingCheck)	Add and enable registry value `EnableCertPaddingCheck`: `HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck` `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck`	https://www.tenable.com/plugins/nessus/166555
SSL Medium Strength Cipher Suites Supported (SWEET32) SSL RC4 Cipher Suites Supported (Bar Mitzvah)	Open GPO setting `gpedit.msc` Enable and remove Medium Strength Cipher Suites in `Computer Configuration > Administrative Templates > Network > SSL Configuration Settings` Only keep AES-GCM ciphers in GPO setting
SSL Version 2 and 3 Protocol Detection TLS Version 1.0 and 1.1 Protocol Detection	Disable registry value for these vulnerable protocols in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\`

Notes:

Changing registry value requires computer reboot
Check TLS version for a certain port using openssl s_client -connect <hostname>:<port>