Category Archives: Windows

Verify Permissions on files (Windows)

Objective

  • Changes to the permissions on files could block security settings from being applied.
  • Changes to the permissions on files could leak sensitive information.
  • Changes to the permissions on files could lead to a system compromise.
  • Audit files.

Manual audit with powershell

View the permission on the application log file with powershell

get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx" | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx
Owner : NT AUTHORITY\LOCAL SERVICE
Group : NT AUTHORITY\LOCAL SERVICE
Access : NT SERVICE\EventLog Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:LSG:LSD:AI(A;ID;FA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)(A;ID;FA;;;SY)(A;ID;FA;;;
BA)

Audit with Nessus auditfile

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
 
<file_acl: "ACL_WINEVT_LOGS_application.evtx">
<user: "Administrators">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
 
<user: "System">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
 
<user: "EventLog">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
</acl>
 
<custom_item>
type: FILE_PERMISSIONS
description: "Audit file permissions om %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type: FILE_ACL
value_data: "ACL_WINEVT_LOGS_application.evtx"
file: "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx"
</custom_item>
 
</group_policy>
</check_type>

Error

Running this auditfile with this specific file results into an error because the file has a file lock.

Windows Compliance Checks, version 1.263
 
Which file contains your security policy : SMB login : stty: 'standard input': Inappropriate ioctl for device
SMB password : stty: 'standard input': Inappropriate ioctl for device
 
SMB domain (optional) : "Audit for %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx": [ERROR]
 
FILE_ERROR_FILE_CREATE: the file could not be opened. It could not be found or permissions were insufficient
 
file: C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx

Alternative approach

We can use the powershell command-let get-acl to perform the audit.
We run the command and filter out the known good values.

get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\setup.evtx" | select -ExpandProperty access | select IdentityReference,
FileSystemRights | Where {$_.IdentityReference -ne "NT SERVICE\EventLog" -and $_.IdentityReference -ne "NT AUTHORITY\S
YSTEM" -and $_.IdentityReference -ne "BUILTIN\Administrators" }

New Nessus Auditfile Check

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
 
<custom_item>
type : AUDIT_POWERSHELL
description : "Audit file permissions om %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type : POLICY_TEXT
value_data : ""
powershell_args : 'get-acl \\"C:\\Windows\\SYSTEM32\\WINEVT\\LOGS\\setup.evtx\\" | select -ExpandProperty access | select IdentityReference, FileSystemRights | Where {$_.IdentityReference -ne \\"NT SERVICE\\EventLog\\" -and $_.IdentityReference -ne \\"NT AUTHORITY\\SYSTEM\\" -and $_.IdentityReference -ne \\"BUILTIN\\Administrators\\" }'
check_type : CHECK_EQUAL
powershell_option : CAN_BE_NULL
</custom_item>
 
</group_policy>
</check_type>

References

  • V-63533 – Permissions for the Application event log must prevent access by non-privileged accounts.
  • V-63537 – Permissions for the Security event log must prevent access by non-privileged accounts.
  • V-63541 – Permissions for the System event log must prevent access by non-privileged accounts

MS KB2871997: Update to Improve Credentials Protection and Management

Nessus Output:

Description
The remote host is missing one or more of the following Microsoft updates: KB2871997, KB2973351, KB2975625, KB2982378, KB2984972, KB2984976, KB2984981, KB2973501, or KB3126593. 
These updates are needed to improve the protection against possible credential theft.
- For Windows 7 / 2008 R2 :
KB2984972, KB2871997, KB2982378, and KB2973351 are required; also, KB2984976 (if KB2592687 is installed) or KB2984981 (if KB2830477 is installed).
- For Windows 8 / 2012 :
KB2973501, KB2871997, and KB2973351 are required.
- For Windows 8.1 / 2012 R2 :
KB2973351 (if Update 1 is installed) or KB2975625 (if Update 1 isn't installed).
These updates provide additional protection for the Local Security Authority (LSA), add a restricted administrative mode for Credential Security Support Provider (CredSSP), 
introduce support for the protected account-restricted domain user category, enforce stricter authentication policies, add additional protection for users' credentials, and add a restricted administrative mode for Remote Desktop Connection and Remote Desktop Protocol.
Solution
Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.

Output
A required registry setting is missing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0
More information: https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/

Continue reading

SSL Version 2 and 3 Protocol Detection

Nessus Output:

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. 
An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.
NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, 
any version of SSL will not meet the PCI SSC'S definition of 'strong cryptography'.

Solution
Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.1 (with approved cipher suites) or higher instead.

Continue reading

Server Message Block (SMB) Protocol Version 1 Unspecified RCE

Nessus Output

Description
The remote Windows host supports Server Message Block (SMB) Protocol version 1. 
It is, therefore, affected by an unspecified remote code execution vulnerability that allows an unauthenticated, 
remote attacker to execute arbitrary code.

Note that this vulnerability is one of multiple Equation Group vulnerabilities and 
exploits disclosed by a group known as the Shadow Brokers.

Solution
Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. 
Additionally, block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Continue reading

SSL Medium Strength Cipher Suites Supported

Nessus Output

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption. 
Nessus regards medium strength as any encryption that uses key lengths at least 56 bits and less than 112 bits, or else that uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.

Continue reading

DNS Server Cache Snooping Remote Information Disclosure

Nessus Output

Description
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

Solution
Contact the vendor of the DNS software for a fix.

Continue reading

Link-Local Multicast Name Resolution (LLMNR) Detection

 Nessus Output

Synopsis :

The remote device supports LLMNR.

Description :

The remote device answered to a Link-local Multicast Name Resolution
(LLMNR) request. This protocol provides a name lookup service similar
to NetBIOS or DNS. It is enabled by default on modern Windows
versions.

Reported Risk factor by Nessus: None
In my option the severity should be much higher.

Continue reading

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

Nessus Output

Description

The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.

Continue reading

Install Windows Updates via commandline (servers) interactive

Objective

  • Install windows updates via the commandline.

Solution

A default installation of Windows 2012 Server has this VB script.

c:\windows\System32\en-US\WUA_SearchDownloadInstall.vbs

 

You can copy this script to a Windows 2008 server and run it.
Copy and paste the line below in a cmd box or Powershell window.

Continue reading

Windows 10 Anniversary Update

I’ve noticed a few changes after installing the Windows 10 Anniversary Update that breaks the credentialed scans with Nessus.

  • The local administrator account is disabled (it was enabled before the update).
  • The remote registry service is disabled (it was enabled before the update).

I’ve run a credentialed scan after enabling both settings again.
The anniversary update restored all security modifications to ‘default’.

A critical vulnerability (Microsoft .NET Framework Unsupported) was reported after installing the Anniversary update, this vulnerability was not present before the update.
This was fixed by a plugin modification.

Microsoft Windows SMB Registry : Winlogon Cached Password Weakness

Nessus Description

The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount is non-null. It means that the remote host locally caches the passwords of the users when they log in, in order to continue to allow the users to log in in the case of the failure of the PDC. Continue reading

MS15-124: Cumulative Security Update for Internet Explorer (3116180)

Nessus Output

ASLR hardening settings for Internet Explorer in KB3125869
have not been applied. The following DWORD keys must be
created with a value of 1:
  - HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\iexplore.exe
  - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\iexplore.exe

Continue reading

Check Windows File Integrity with sfc and powershell

Objective

Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered.
Critical Security Control #3: Secure Configurations for Hardware and Software – System 3.5

SFC and Powershell

Windows contains a build-in utility called sfc to verify and fix Windows File Integrity issues.
Lets have a quick look what this utility and some powershell can do for us.
The flags differ on older versions of Windows so check it’s options before running the commands below.

Continue reading

Active Directory

STIGS:

CIS Benchmarks:

CVE Details:

Nessus:

Nessus Plugins for Active Directory