Lab 2

I really enjoyed this lab; I was able to test and identify vulnerabilities for Windows and Linux systems. Both tools were very easy to use, but getting to MBSA was much easier than accessing OpenVAS.
MBSA 2.3 Tool – VM Windows

Microsoft Baseline Security Analyzer (MBSA) is a tool that conducts vulnerability scans on Windows operating systems. This tool is open source and comes installed on the Windows Server 2008 machines we are currently using. After a scan of WINATK01, MBSA found two missing security updates.
The Microsoft Visual C++ 2008 Redistributable package was the last to be installed, but the most recent, 2010, was never completed. These are packages that include fixes for bugs in the operating system and should remain up to date at all times. Additionally, multiple administrators were found on this particular machine. While this may be common for some organizations, our remote machines should not have more than two administrator accounts on any machine. Furthermore, of the twenty user accounts on this machine, nineteen had non-expiring passwords. This can be extremely risky to our network, as it allows users to never cycle passwords.
This could give hackers plenty of foothold in compromising passwords on our systems because they have no time limit. Without the system prompting users to change their passwords every so often, most of them would keep the same one, giving hackers plenty of time to continuously access the system. Sometimes when conducting these scans, false positives arise. In this instance, MBSA detected that at least one account had a weak or blank password. It was determined to be the Guest account, which had already been disabled, mitigating that risk entirely; disabling it was the proper technique.
The firewall on this particular server was turned off with exceptions. The proper method is to always keep the firewall on with exceptions. When something that needs access is flagged by the firewall, it is imperative that the correct exceptions be made while keeping the firewall deployed to prevent actual unwarranted access. This should be done immediately.
MBSA scan results (WINATK01)

Security Updates
  Issues: Out-of-date security updates; out-of-date Service Pack
  Result: MS11-025 – Security Update for Microsoft Visual C++ 2010 (KB2467173); MS11-025 – SP1 (KB2538242)
  Severity: High; High
  Resolution: Complete Microsoft security updates by accessing Microsoft Update. Obtain and install the latest Update Rollups and Service Packs.

Administrative Vulnerabilities
  Issues: Administrator Accounts; Local Account Passwords. No issues: Windows Firewall, Automatic Update, File Systems, Guest Account, Anonymous Access, Incomplete Updates
  Result: Admin accounts: Administrator, StudentFirst, StudentUser, Triton, nx; 19 out of the 20 accounts have passwords that are set to "Never Expire"
  Severity: Warning; Warning
  Resolution: Review the list of members in the local Administrators and Domain Admins groups to ensure all users with admin access are justified. All accounts having passwords that do not expire should be reviewed to determine why the option is set, and whether they should be removed.

Additional System Information
  Issues: Auditing. No issues: Services, Shares, Windows Version Information
  Result: Warning
  Severity: Low
  Resolution: Enable auditing to monitor the event log for unauthorized access.

Internet Information Services
  Issues: N/A; Result: N/A; Severity: N/A; Resolution: N/A

SQL Server
  Issues: N/A; Result: N/A; Severity: N/A; Resolution: N/A

Desktop Application
  Issues: IE Zones; Macro Security
  Result: No issue; No issue
  Severity: NA; NA
  Resolution: Internet Explorer zones have secure settings for all users.

OpenVAS – VM Linux

OpenVAS, like MBSA, is an analytic tool that scans for vulnerabilities.
OpenVAS is open source and was used to conduct scans on our Linux systems. The benefit of using this tool is that it not only identifies vulnerabilities in the system but also offers solutions for them. In conducting my research, OpenVAS identified five vulnerabilities along with preventative measures. OpenVAS also detected that the SSH remote client-server is set to allow weak encryption algorithms. These algorithms should be disabled to prevent hackers from accessing our system easily. Furthermore, OpenVAS also found that our SSL ciphers are weak. Any cipher of 64 bits or less is considered vulnerable to brute-force attacks and should not be used.
Ciphers and protocols flagged as weak should be disabled on the system. These include SSL 2.0, SSL 3.0 (POODLE), and TLS 1.0. Weak ciphers that our systems should not be configured to use are RC4, DES, and 3DES. AES is a commonly used cipher that can be run in Galois/Counter Mode (GCM) to allow 128-bit block ciphering and parallel processing, reducing stalls in transmission and increasing efficiency and performance.

OpenVAS scan results (Linux)

SSH Weak Encryption Algorithms Supported
  Result: The remote SSH server is configured to allow weak encryption algorithms.
  Severity: 4.3 – Medium
  Resolution: Disable the weak encryption algorithms.

Check for SSL Weak Ciphers
  Result: This routine searches for weak SSL ciphers offered by a service.
  Severity: 4.3 – Medium
  Resolution: The configuration of this service should be changed so that it no longer supports the listed weak ciphers.

Deprecated SSLv2 and SSLv3 Protocol Detection
  Result: It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.
  Severity: 4.3 – Medium
  Resolution: It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols. This affects all services providing encrypted communication using the SSLv2 and/or SSLv3 protocols.

POODLE SSLv3 Protocol CBC Ciphers Information Disclosure Vulnerability
  Result: This host is installed with OpenSSL and is prone to an information disclosure vulnerability.
  Severity: 4.3 – Medium
  Resolution: The vendor released a patch to address this vulnerability; the only way to fix POODLE is to disable SSL v3.0.

SSH Protocol Version Supported
  Result: The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.
  Severity: 2.6 – Low
  Resolution: Disable the weak MAC algorithms.
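As an added example (not the lab's or OpenVAS's own code), the Python check below applies the weak-algorithm rules from the SSH findings above (RC4, DES, 3DES; MD5 or 96-bit MACs) to the cipher and MAC lists a server offers, and emits the hardened sshd_config Ciphers/MACs lines that remediate them. The sample algorithm lists are constructed, and treating the 64-bit block ciphers blowfish and cast128 as covered by the "64 bits or less" rule is an assumption.

```python
"""Added example: classify offered SSH algorithms against the weakness rules in
the OpenVAS findings, then build the hardened sshd_config lines that fix them."""
import re

# Weak ciphers named in the write-up: RC4 (OpenSSH spells it arcfour), DES, 3DES.
# Assumption: the 64-bit block ciphers blowfish/cast128 fall under the
# "64 bits or less" rule the write-up states.
WEAK_CIPHER_PATTERNS = [
    re.compile(r"^arcfour"),
    re.compile(r"^3?des-"),
    re.compile(r"^(blowfish|cast128)-"),
]
# Weak MACs named in the write-up: MD5-based, or truncated to a 96-bit tag.
WEAK_MAC_PATTERNS = [
    re.compile(r"md5"),
    re.compile(r"-96(-etm)?(@|$)"),
]

def is_weak_cipher(name):
    return any(p.search(name) for p in WEAK_CIPHER_PATTERNS)

def is_weak_mac(name):
    return any(p.search(name) for p in WEAK_MAC_PATTERNS)

def audit(offered_ciphers, offered_macs):
    """Split offered algorithm lists into the ones to disable and the ones to keep."""
    return {
        "weak_ciphers": [c for c in offered_ciphers if is_weak_cipher(c)],
        "weak_macs": [m for m in offered_macs if is_weak_mac(m)],
        "ciphers": [c for c in offered_ciphers if not is_weak_cipher(c)],
        "macs": [m for m in offered_macs if not is_weak_mac(m)],
    }

def sshd_config_lines(result):
    """Remediation: explicit Ciphers/MACs directives that omit every weak algorithm."""
    return ["Ciphers " + ",".join(result["ciphers"]),
            "MACs " + ",".join(result["macs"])]

# Constructed sample lists, as a legacy server might advertise them.
SAMPLE_CIPHERS = ["aes128-ctr", "aes256-ctr", "aes256-gcm@openssh.com",
                  "arcfour", "3des-cbc", "blowfish-cbc"]
SAMPLE_MACS = ["hmac-sha2-256", "hmac-sha2-512", "hmac-md5",
               "hmac-sha1-96", "hmac-md5-96-etm@openssh.com"]

if __name__ == "__main__":
    findings = audit(SAMPLE_CIPHERS, SAMPLE_MACS)
    print("disable:", findings["weak_ciphers"] + findings["weak_macs"])
    print("\n".join(sshd_config_lines(findings)))
```

Paste the two emitted directives into sshd_config and restart sshd; a rescan should then no longer report the two SSH findings.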