Verify Permissions on files (Windows)

Objective Changes to the permissions on files could block security settings from being applied. Changes to the permissions on files could leak sensitive information. Changes to the permissions on files could lead to a system compromise. Audit files. Manual audit with powershell View the permission on the application log file with powershell get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx" | fl […]Read More »


Objective: Resolved the error “PASSWORD_COMPLEXITY_UNSUPPORTED_ON_AGENT” when running a Windows auditfile via a Nessus Agent.Read More »

MS KB2871997: Update to Improve Credentials Protection and Management

Nessus Output: Description The remote host is missing one or more of the following Microsoft updates: KB2871997, KB2973351, KB2975625, KB2982378, KB2984972, KB2984976, KB2984981, KB2973501, or KB3126593. These updates are needed to improve the protection against possible credential theft. - For Windows 7 / 2008 R2 : KB2984972, KB2871997, KB2982378, and KB2973351 are required; also, KB2984976 […]Read More »

Check Windows Services with Nessus Auditfile

Objective Monitor Windows Services with Nessus via auditfileRead More »

Advanced Audit Policy Configuration Settings (Windows)

Objective: Audit “Advanced Audit Policy Configuration Settings” Hardening / Configuring “Advanced Audit Policy Configuration Settings”Read More »

User Right Assignments (Windows)

Objective: Audit “User Rights Assignment” Hardening / Configuring “User Rights Assignment”Read More »

Disable TSLv1.0 (Windows)

Best practice for systems running IIS, part of Hardening IIS:Read More »

SSL Version 2 and 3 Protocol Detection

Nessus Output: Description The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients. NIST has determined that SSL 3.0 is no longer acceptable […]Read More »

Disable SSLv3 (Windows)

Best practice for systems running IIS, part of Hardening IIS:Read More »

Disable SSLv2 (Windows)

Best practice for systems running IIS, part of Hardening IIS:Read More »

Server Message Block (SMB) Protocol Version 1 Unspecified RCE

Nessus Output Description The remote Windows host supports Server Message Block (SMB) Protocol version 1. It is, therefore, affected by an unspecified remote code execution vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code. Note that this vulnerability is one of multiple Equation Group vulnerabilities and exploits disclosed by a group known as […]Read More »

Distinguished-Name Condition Check for Nessus Audit file

Objective Target your Nessus Auditfile checks to a specific OU or DCRead More »

SSL Weak Cipher Suites Supported

Objective Resolve this findingRead More »

SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Objective Resolve this findingRead More »

Configure the 'SSL Cipher Suite Order' Group Policy Setting

Objective Use only strong SSL Cipher Suites Resolve ‘SSL 64-bit Block Size Cipher Suites Supported (SWEET32)’ Resolve ‘SSL RC4 Cipher Suites Supported (Bar Mitzvah)‘Read More »

Check File integrity with Nessus (on Windows with Get-FileHash and AUDIT_FILEHASH_POWERSHELL)

Objective Monitor file integrity by generating a hash and verify it with NessusRead More »

SSL Medium Strength Cipher Suites Supported

Nessus Output Description The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 56 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength […]Read More »

Monitor account lockout (in Windows Domain)

Objective Account lockouts can happen when you perform a vulnerability scan with credentials. Account lockouts can happen when you perform brute force password guessing. Monitor the lockout status is crucial in these situations.Read More »

DNS Server Cache Snooping Remote Information Disclosure

Nessus Output Description The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in […]Read More »

Audit Domain based Group Policies

Objective Group Policy Objects contain sensitive configuration information which can be viewed by default by at least all members of the Domain. Misconfigurations of Group Policy settings or its content can have a huge impact on the environment. A periodic audit is advised.Read More »

Link-Local Multicast Name Resolution (LLMNR) Detection

 Nessus Output Synopsis : The remote device supports LLMNR. Description : The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions. Reported Risk factor by Nessus: None In my option the severity should […]Read More »

FILE_ERROR_SHARE_CONNECT: an error happened while connecting to the remote share

Objective Resolve errorRead More »

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

Nessus Output Description The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.Read More »

Install Windows Updates via commandline (servers) interactive

Objective Install windows updates via the commandline. Solution A default installation of Windows 2012 Server has this VB script. c:\windows\System32\en-US\WUA_SearchDownloadInstall.vbsc:\windows\System32\en-US\WUA_SearchDownloadInstall.vbs   You can copy this script to a Windows 2008 server and run it. Copy and paste the line below in a cmd box or Powershell window.Read More »

sethc.exe Possible Backdoor

Nessus Output Description The copy of ‘sethc.exe’ in the Windows ‘System32’ directory on the remote host appears to have been modified, perhaps for use as a backdoor. Either or both of the ‘InternalName’ or ‘OriginalFilename’ file attributes no longer match the original file.Read More »

SMB Signing Disabled (Windows)

Nessus Output Description Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.Read More »

Windows 10 Anniversary Update

I’ve noticed a few changes after installing the Windows 10 Anniversary Update that breaks the credentialed scans with Nessus. The local administrator account is disabled (it was enabled before the update). The remote registry service is disabled (it was enabled before the update). I’ve run a credentialed scan after enabling both settings again. The anniversary update restored […]Read More »

POWERSHELL_NO_RESULT: powershell command returned no result

Objective Resolve the error condition “POWERSHELL_NO_RESULT: powershell command returned no result” in the Nessus auditfile for Windows.Read More »

POWERSHELL_REG_FAILURE: Could not determine powershell location in the registry

Objective Resolve the error “POWERSHELL_REG_FAILURE: Could not determine powershell location in the registry” when running a compliance scan on WindowsRead More »

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)

Nessus Output KB 3000483 or a related, subsequent update was successfully installed, but the GPO setting "Hardened UNC Paths" has not been enabled.Read More »

MS15-118: Security Update for .NET Framework to Address Elevation of Privilege (3104507)

Nessus Output On Windows 10 the following output is recorded even if all Windows updates are applied. - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll has not been patched. Remote version : 2.0.50727.8670 Should be : 2.0.50727.8671Read More »

MS KB2719662: Vulnerabilities in Gadgets Could Allow Remote Code Execution

Nessus Output Nessus determined the workaround is not being used because the following registry value does not exist : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebarRead More »

Microsoft Windows SMB Registry : Winlogon Cached Password Weakness

Nessus Description The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount is non-null. It means that the remote host locally caches the passwords of the users when they log in, in order to continue to allow the users to log in in the case of the failure of the PDC.Read More »

MS KB3009008: Vulnerability in SSL 3.0 Could Allow Information Disclosure (POODLE)

Nessus Output The workaround to disable SSL 3.0 for all server software installed on the remote host has not been applied. The workaround to disable SSL 3.0 for all client software installed on the remote host has not been applied.Read More »

MS KB2960358: Update for Disabling RC4 in .NET TLS

Nessus Output The following registry values have not been set to 1 : HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\SchUseStrongCrypto HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\SchUseStrongCryptoRead More »

MS15-124: Cumulative Security Update for Internet Explorer (3116180)

Nessus Output ASLR hardening settings for Internet Explorer in KB3125869 have not been applied. The following DWORD keys must be created with a value of 1: - HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\iexplore.exe - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\iexplore.exeRead More »

Microsoft XML Parser (MSXML) and XML Core Services Unsupported

Nessus Plugin Output The remote host contains one or more unsupported versions of the Microsoft XML Parser (MSXML) or XML Core Services. Downloading and Installing Microsoft Core XML Services (MSXML) 6.0 does not fix this issue.Read More »

MS KB2269637: Insecure Library Loading Could Allow Remote Code Execution

Nessus Output ntdll.dll has been upgraded by KB2264107 or a related, subsequent update, but the following registry entry has not been set : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearchRead More »

Hardening Internet Explorer

Resources used to implement and audit Internet Explorer:Read More »

Check Internet Explorer version

Objective: According to Microsoft announcement: Support for older versions of Internet Explorer ended on January 12th, 2016, you should verify you Windows systems to the latest Microsoft Support Lifecycle statements.Read More »

Check Windows File Integrity with sfc and powershell

Objective Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. Critical Security Control #3: Secure Configurations for Hardware and Software – System 3.5 SFC and Powershell Windows contains a build-in utility called sfc to verify and fix Windows File Integrity […]Read More »

Active Directory

STIGS: Active Directory Domain Security Technical Implementation Guide (STIG) Active Directory Forest Security Technical Implementation Guide (STIG) Active Directory Service 2008 Security Technical Implementation Guide (STIG) Active Directory Service 2003 Security Technical Implementation Guide (STIG) Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide Windows Server 2012 Domain Controller Security Technical Implementation […]Read More »

Disable User Access Control (UAC)

  Powershell: New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -ForceNew-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force Reboot required! Links: What pentesters should know about UAC Bypass UAC on Windows 8.1  Read More »

Downloading files via the commandline (Windows)

Objective Methods to download files via the Windows commandline.Read More »

Disarm Windows Defender

When we try to download a backdoor program Windows Defender will block the file. Invoke-WebRequest -uri "" -OutFile ".\sbd.exe"Invoke-WebRequest -uri "" -OutFile ".\sbd.exe"Read More »

Hardening IIS

Best practices and references used for hardening IIS.Read More »


References used to develop Nessus Auditfiles for Windows :Read More »