I really enjoyed this lab; I was able to test and identify vulnerabilities for Windows and Linux systems. Both tools were very easy to use, but getting to MBSA was much easier than accessing
MBSA 2.3 Tool – VM Windows
Microsoft Baseline Security Analyzer (MBSA) is a tool that conducts vulnerability scans on Windows operating systems. This tool is open source and comes installed on the Windows Server 2008 machines we are currently using. After a scan of WINATK01, MBSA found two missing security updates. The Microsoft Visual C++ 2008 Redistributable package was the last to be installed, but the most recent one, 2010, was never completed. These are packages that include fixes for bugs in the operating system and should remain up to date at all times.
Additionally, multiple administrators were found on this particular machine. While this may be common for some organizations, our remote machines should not have more than two administrator accounts on any machine. Furthermore, of the twenty user accounts on this machine, nineteen had non-expiring passwords. This is extremely risky to our network, as it allows users to never cycle their passwords. Because there is no time limit, a compromised password stays valid indefinitely, giving hackers a lasting foothold on our systems. Without the system prompting users to change their passwords periodically, most of them would keep the same one, giving hackers plenty of time to access the system continuously. Sometimes when conducting these scans, false positives arise. In this instance, MBSA detected that at least one account had a weak or blank password. It was determined to be the Guest account, which had already been disabled; disabling it mitigates that risk entirely and was the proper technique.
The firewall on this particular server was turned off, with exceptions configured. The proper method is to always keep the firewall on and manage access through exceptions. When something that needs access is flagged by the firewall, it is imperative that the correct exceptions be made while keeping the firewall deployed, so that actual unwarranted access is still blocked. This should be done immediately.
-Out of date security updates
-Out of date Service Pack
-MS11-025 – Security Updates for Microsoft Visual C++ 2010 (KB2467173)
-MS11-025 – SP1 (KB2538242)
-Security updates by accessing Microsoft Update.
-Obtain and install the latest Update Rollups and Service Packs.
-Local Account Passwords: Administrator, StudentFirst, StudentUser, Triton, nx
-19 out of the 20 accounts have passwords that are set to “Never Expire”
-Review the list of members in the local Administrators and Domain Admins groups to ensure all users with admin access are justified.
-All accounts having passwords that do not expire should be reviewed to determine why the option is set, and whether they should be removed.
-Enable auditing to monitor the event log for unauthorized access.
-Internet Explorer zones have secure settings for all users.
OpenVAS – VM Linux
OpenVAS, like MBSA, is an analytic tool that scans for vulnerabilities. OpenVAS is open source and was used to conduct scans on our Linux systems. The benefit of using this tool is that it not only identifies vulnerabilities in the system but also offers solutions for them. In conducting my research, OpenVAS identified five vulnerabilities along with preventative measures. OpenVAS also detected that the remote SSH server is configured to allow weak encryption algorithms. These algorithms should be disabled to prevent hackers from accessing our system easily. Furthermore, OpenVAS also found that our SSL ciphers are weak. Any cipher of 64 bits or less is considered vulnerable to brute-force attacks and should not be used. Ciphers flagged as weak should be disabled on the system, as should the deprecated protocol versions that rely on them: SSL 2.0, SSL 3.0 (POODLE), and TLS 1.0. Weak ciphers that our systems should not be configured to use are RC4, DES, and 3DES. AES is a commonly used cipher that can be run in Galois/Counter Mode (GCM), which provides 128-bit block ciphering and parallel processing, reducing stalls in transmission and increasing efficiency and performance.
-SSH Weak Encryption Algorithms Supported – The remote SSH server is configured to allow weak encryption algorithms. (4.3 – Medium)
-Disable the weak encryption algorithms.
-Check for SSL Weak Ciphers – This routine searches for weak SSL ciphers offered by a service.
-The configuration of this service should be changed so that it no longer supports the listed weak ciphers.
-Deprecated SSLv2 and SSLv3 Protocol Detection – It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system. (4.3 – Medium)
-It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols.
-This affects all services providing encrypted communication using the SSLv2 and/or SSLv3 protocols.
-POODLE SSLv3 Protocol CBC Ciphers Information Disclosure Vulnerability – This host is installed with OpenSSL and is prone to an information disclosure vulnerability. (4.3 – Medium)
-The vendor released a patch to address this vulnerability; the only way to fix POODLE is to disable SSL v3.0.
-SSH Protocol Version Supported – The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms. (2.6 – Low)
-Disable the weak MAC algorithms.
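As an added example (not part of the original lab write-up or of OpenVAS), the following Python audits an sshd_config for the weak SSH ciphers and MD5/96-bit MACs flagged above and rewrites it to an AES-GCM/CTR and SHA-2 set; the weak and hardened algorithm lists, the directive regex, and the sample config are assumptions constructed for this example.

```python
import re

# Weak algorithm names, constructed from the OpenVAS findings above: RC4 (arcfour),
# 3DES and other 64-bit-block CBC ciphers, plus MD5-based and 96-bit-truncated MACs.
WEAK = {
    "Ciphers": {"arcfour", "arcfour128", "arcfour256", "3des-cbc",
                "blowfish-cbc", "cast128-cbc"},
    "MACs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-md5-etm@openssh.com",
             "hmac-md5-96-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"},
}
# Assumed replacement sets: AES in GCM or CTR mode and SHA-2 MACs only.
HARDENED = {
    "Ciphers": "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr",
    "MACs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com",
}
# An active (uncommented) Ciphers/MACs line; sshd_config keywords are case-insensitive.
DIRECTIVE = re.compile(r"^[ \t]*(ciphers|macs)[ \t=]+(\S+)", re.IGNORECASE | re.MULTILINE)

def _canon(keyword):
    return "Ciphers" if keyword.lower() == "ciphers" else "MACs"

def audit_sshd_config(text):
    """Return {directive: sorted weak algorithms}; an unpinned directive is reported
    as ['<default>'] because the server then falls back to the build's default list,
    which on older OpenSSH releases still contained the weak ones."""
    found = {}
    for m in DIRECTIVE.finditer(text):
        key = _canon(m.group(1))
        algs = [a.strip().lower() for a in m.group(2).split(",") if a.strip()]
        found[key] = sorted(a for a in algs if a in WEAK[key])
    for key in WEAK:
        found.setdefault(key, ["<default>"])
    return found

def harden_sshd_config(text):
    """Replace every active Ciphers/MACs line with the hardened set and append any
    directive that was missing, so nothing is left to the default."""
    seen = set()
    def repl(m):
        key = _canon(m.group(1))
        seen.add(key)
        return f"{key} {HARDENED[key]}"
    out = DIRECTIVE.sub(repl, text)
    for key in WEAK:
        if key not in seen:
            out = out.rstrip("\n") + f"\n{key} {HARDENED[key]}\n"
    return out

# Constructed sshd_config fragment showing the weaknesses OpenVAS reported.
SAMPLE = "Port 22\nCiphers aes128-ctr,arcfour,3des-cbc\nMACs hmac-md5,hmac-sha1-96,hmac-sha2-256\n"
```

Run `audit_sshd_config` on the real file before and after `harden_sshd_config` and restart sshd only once the audit comes back empty for both directives.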