![]() Nessus Report. Port (0/tcp)Plugin ID: 1. Microsoft Windows - Users Information : Passwords never expires. Synopsis. At least one user has a password that never expires. List of Hosts. 19. Plugin Output. The following users have passwords that never expire : - Guest- WIN- 8. BPIQBRO0. CX$- EXCHANGE$Note that, in addition to the Administrator, Guest, and Kerberosaccounts, Nessus has enumerated only those domain users with UIDsbetween 1. To use a different range, edit the scan policyand change the 'Start UID' and/or 'End UID' preferences for thisplugin, then re- run the scan. Description. Using the supplied credentials, it is possible to list users whosepasswords never expire. Solution. Allow / require users to change their passwords regularly. Risk Factor. None. Plugin publication date: 2. Plugin last modification date: 2. Port cifs (4. 45/tcp)Plugin ID: 1. Microsoft Windows SMB Shares Enumeration. Synopsis. It is possible to enumerate remote network shares. List of Hosts. 19. Plugin Output. Here are the SMB shares available on the remote host when logged as administrator: - ADMIN$- C$- IPC$- NETLOGON- SYSVOLDescription. By connecting to the remote host, Nessus was able to enumerate the network share names. Solution. N/ARisk Factor. None. Plugin publication date: 2. Plugin last modification date: 2. Port cifs (4. 45/tcp)Plugin ID: 5. MS KB2. 52. 43. 75: Fraudulent Digital Certificates Could Allow Spoofing. Voici le rapport du point 1: ===== RAPPORT D'AD-REMOVER 2.0.0.1,C Bulletin (SB17-079) Vulnerability Summary for the Week of March 13, 2017 Original release date: March 20, 2017. The win.ini file is a Windows system file used with Microsoft Windows 3.x and 9x initialization that loads from the C:\Windows directory and loads settings each time. The Windows Registry is a special place where Windows stores configuration settings for device drivers, applications, system services, the Windows Desktop and the. Synopsis. The remote Windows host has an out- of- date SSL certificate blacklist. List of Hosts. 19. Plugin Output. Nessus was unable to open the following registry key : SOFTWARE\Microsoft\System. Certificates\Disallowed\Certificates\1. A2. AF3. 46. D3. 99. F5. 03. 13. C3. 93. F1. 41. 40. 45. 66. This indicates the update has not been applied. Description. The remote host is missing KB2. ![]() ![]() Bonsoir et merci Frederix de me prendre en charge, le log HijackThis : Logfile of random's system information tool 1.09 (written by random/random). SSLcertificate blacklist. A certificate authority (CA) has revoked a number of fraudulent SSLcertificates for several prominent public websites. If an attacker can trick someone into using the affected browser andvisiting a malicious site using one of the fraudulent certificates, hemay be able to fool that user into believing the site is a legitimateone. If these Active. X controls are ever installed on the remote host,either now or in the future, they would expose it to various securityissues. Solution. Microsoft has released an advisory about this : http: //www. Risk Factor. High/ CVSS Base Score: 9. ![]() CVSS2#AV: N/AC: M/Au: N/C: C/I: C/A: C)CVSS Temporal Score: 7. CVSS2#E: F/RL: OF/RC: C)CVECVE- 2. Bugtraq ID3. 36. 63. Other references. OSVDB: 5. 18. 33. CWE: 1. 19. Plugin publication date: 2. Plugin last modification date: 2. Ease of exploitability: Exploits are available. Exploitable with: Canvas (D2. Exploit. Pack)Port (0/tcp)Plugin ID: 1. Microsoft Windows - Users Information : disabled accounts. Synopsis. At least one user account has been disabled. List of Hosts. 19. Plugin Output. The following user accounts have been disabled : - Guest- krbtgt- 2. E6. E5. E- 0. 2B7- 4. F0- BNote that, in addition to the Administrator, Guest, and Kerberosaccounts, Nessus has enumerated only those domain users with UIDsbetween 1. To use a different range, edit the scan policyand change the 'Start UID' and/or 'End UID' preferences for 'SMB use domain SID to enumerate users' setting, and then re- run the scan. Description. Using the supplied credentials, it is possible to list user accountsthat have been disabled. Solution. Delete accounts that are no longer needed. Risk Factor. None. Plugin publication date: 2. Plugin last modification date: 2. Port cifs (4. 45/tcp)Plugin ID: 1. Microsoft Windows SMB Native. Lan. Manager Remote System Information Disclosure. Synopsis. It is possible to obtain information about the remote operating. List of Hosts. 19. Plugin Output. The remote Operating System is : Windows Server (R) 2. Standard 6. 00. 1 Service Pack 1. The remote native lan manager is : Windows Server (R) 2. Standard 6. 0. The remote SMB Domain Name is : TXDescription. It is possible to get the remote operating system name andversion (Windows and/or Samba) by sending an authenticationrequest to port 1. Solutionn/a. Risk Factor. None. Plugin publication date: 2. Plugin last modification date: 2. Port cifs (4. 45/tcp)Plugin ID: 4. MS0. 9- 0. 38: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (9. Synopsis. Arbitrary code can be executed on the remote host through Windows. Media file processing. List of Hosts. 19. Plugin Output- C: \Windows\System. Avifil. 32. dll has not been patched. Remote version : 6. Should be : 6. 0. Description. The remote Windows host is affected by two vulnerabilities involvingthe way in which AVI headers are processed and AVI data is validatedthat could be abused to execute arbitrary code remotely. If an attacker can trick a user on the affected system into openinga specially crafted AVI file, he may be able to leverage these issuesto execute arbitrary code subject to the user's privileges. Solution. Microsoft has released a set of patches for Windows 2. XP, 2. 00. 3,Vista and 2. Bulletin/MS0. 9- 0. Risk Factor. High/ CVSS Base Score: 9. CVSS2#AV: N/AC: M/Au: N/C: C/I: C/A: C)CVSS Temporal Score: 7. CVSS2#E: POC/RL: OF/RC: C)CVECVE- 2. CVE- 2. 00. 9- 1. Bugtraq ID3. 59. 67. Other references. OSVDB: 5. 69. 08. OSVDB: 5. 69. 09. CWE: 1. 89. MSFT: MS0. Vulnerability publication date: 2. Patch publication date: 2. Plugin publication date: 2. Plugin last modification date: 2. Ease of exploitability: Exploits are available. Port cifs (4. 45/tcp)Plugin ID: 4. MS1. 0- 0. 54: Vulnerabilities in SMB Server Could Allow Remote Code Execution (9. Synopsis. It is possible to execute arbitrary code on the remote Windows host. SMB implementation. List of Hosts. 19. Description. The remote host is affected by several vulnerabilities in the SMBserver that may allow an attacker to execute arbitrary code or performa denial of service against the remote host. To use a different range, edit the scan policyand change the 'Start UID' and/or 'End UID' preferences for 'SMB use domain SID to enumerate users' setting, and then re- run the scan. Description. Using the supplied credentials, it is possible to list users who havenever logged into their accounts. Solution. Delete accounts that are not needed. Risk Factor. None. Plugin publication date: 2. Plugin last modification date: 2. Port (0/tcp)Plugin ID: 1. Microsoft Windows - Local Users Information : Disabled accounts. Synopsis. At least one local user account has been disabled. List of Hosts. 19. Plugin Output. The following local user accounts have been disabled : - Guest- 2. E6. E5. E- 0. 2B7- 4. F0- BNote that, in addition to the Administrator and Guest accounts, Nessushas only checked for local users with UIDs between 1. To use a different range, edit the scan policy and change the 'Start. UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate local users' setting, and then re- run the scan. Description. Using the supplied credentials, it is possible to list local useraccounts that have been disabled. Solution. Delete accounts that are no longer needed. Risk Factor. None. Other references. OSVDB: 7. 52. Vulnerability publication date: 1. Plugin publication date: 2. Plugin last modification date: 2. Port cifs (4. 45/tcp)Plugin ID: 3. MS0. 8- 0. 32: Cumulative Security Update of Active. X Kill Bits (9. 50. Synopsis. The remote Windows host has an Active. X control that is affected by. List of Hosts. 19. Plugin Output. The kill- bit has not been set for the following control . The version of this control installed on the remote host reportedlycontains multiple memory corruption flaws. An attacker, exploiting this flaw, can execute arbitrary commands onthe remote host subject to the privileges of the user opening thefile. Solution. Microsoft has released a set of patches for Windows XP, 2. Vista,2. 00. 8, 7, and 2. R2 : http: //www. Risk Factor. High/ CVSS Base Score: 9. CVSS2#AV: N/AC: M/Au: N/C: C/I: C/A: C)CVSS Temporal Score: 6. CVSS2#E: U/RL: OF/RC: C)CVECVE- 2. Bugtraq ID4. 05. 74. Other references. OSVDB: 6. 52. 19. MSFT: MS1. 0- 0. 83. Plugin last modification date: 2. Ease of exploitability: No known exploits are available. Port cifs (4. 45/tcp)Plugin ID: 3. MS0. 9- 0. 12: Vulnerabilities in Windows Could Allow Elevation of Privilege (9. Synopsis. A local user can elevate his privileges on the remote host. List of Hosts. 19. Plugin Output- C: \Windows\System. Ntoskrnl. exe has not been patched. Remote version : 6. Should be : 6. 0. Description. The version of Windows running on the remote host is affected bypotentially four vulnerabilities involving its MSDTC transactionfacility and/or Windows Service Isolation that may allow a local userto escalate his privileges and take complete control of the affectedsystem. Solution. Microsoft has released a set of patches for Windows 2. XP, 2. 00. 3,Vista and 2. Bulletin/MS0. 9- 0. Risk Factor. High/ CVSS Base Score: 7. CVSS2#AV: L/AC: L/Au: N/C: C/I: C/A: C)CVSS Temporal Score: 5. CVSS2#E: POC/RL: OF/RC: C)CVECVE- 2. CVE- 2. 00. 9- 0. CVE- 2. 00. 9- 0. CVE- 2. 00. 9- 0. Bugtraq ID2. 88. 33. Other references. OSVDB: 4. 45. 80. OSVDB: 5. 36. 66. OSVDB: 5. 36. 67. OSVDB: 5. 36. 68. CWE: 2. 64. MSFT: MS0. Plugin publication date: 2. Plugin last modification date: 2. Ease of exploitability: Exploits are available. Exploitable with: Core Impact. Port cifs (4. 45/tcp)Plugin ID: 5. MS1. 1- 0. 07: Vulnerability in the Open. Type Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2. Synopsis. The remote Windows host contains a font driver that is affected by a. List of Hosts. 19. Plugin Output- C: \Windows\system. Atmfd. dll has not been patched. Remote version : 5. Should be : 5. 1. Description. The remote Windows host contains a version of the Open. Type Compact. Font Format (CFF) Font Driver that fails to properly validate certaindata passed from user mode to kernel mode. Using Software Restriction Policies to Protect Against Unauthorized Software. Published: January 0. This important feature provides administrators with a policy- driven mechanism for identifying software programs running on computers in a domain, and controls the ability of those programs to execute. Software restriction policies can improve system integrity and manageability—which ultimately lowers the cost of owning a computer. On This Page. Introduction. Software Restriction Policies—An Overview. Software Restriction Policy Architecture. Software Restriction Policy Options. Software Restriction Policy Design. Step- by- Step Guide for Designing a Software Restriction Policy. Step- by- Step Guide for Creating Additional Rules. Commonly Overlooked Rules. Scenarios. Deployment Considerations. Troubleshooting Software Restriction Policies. Appendix. Summary. Related Links. Introduction. Software restriction policies are a part of Microsoft's security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers. Software restriction policies are one of many new management features in Windows XP and Windows Server 2. This article provides an in- depth look at how software restriction policies can be used to: Fight viruses. Regulate which Active. X controls can be downloaded. Run only digitally signed scripts. Enforce that only approved software is installed on system computers. Lockdown a machine. Expanded Management Capabilities. Windows 2. 00. 0 brought significant management capabilities to the Windows platform. In Windows 2. 00. Application settings allowed you to customize an application once through Group Policy, and then distribute that customization to all domain users who required it. The Software Installation snap- in provided a means to centrally manage software distribution in your organization. When the user selected an application from the Start menu for the first time, it set up automatically, and then opened. You could also publish applications to groups of users, making the application available for users to install. Security settings defined a security configuration within a Group Policy Object (GPO). Security configuration consisted of settings for: account policies, local policies, event log, registry, file system, public key policies, and other policies. Windows XP and Windows Server 2. Windows 2. 00. 0 by adding the following features: Better diagnostic and planning information through Resultant Set of Policies (RSOP). For more information, see the article Windows 2. Group Policy. Ability to use Windows Management Instrumentation (WMI) filtering. In Windows 2. 00. Active Directory. In Windows XP you can use WMI information to apply group policies to, for example, machines with a certain build or service pack level of Windows. Software restriction policies integrate with the operating system and common scripting runtimes to control the running of software at execution. In Windows 2. 00. Start menu or hiding the Run command. New software restriction policies go beyond this by simply removing the common access points for software. Software Restriction Policies—An Overview. This section discusses the behavior of hostile code and problems associated with unknown code. Hostile Code Has More Ways to Get In. With the increased use of networks and the Internet in daily business computing, the potential for encountering hostile code is higher than ever before. People collaborate in more sophisticated ways by using e- mail, instant messaging, and peer- to- peer applications. As these collaboration opportunities increase, so does the risk of viruses, worms, and other hostile code invading your systems. Remember: e- mail and instant messaging can transport unsolicited hostile code. Hostile code can take many forms. It can range from native Windows executables (. Viruses and worms often use social engineering to trick users into activating them. With the sheer number and variety of forms that code can take, it can be difficult for users to know what is safe to run and what is not. When activated, hostile code can damage content on a hard disk, flood a network with a denial- of- service attack, send confidential information out to the Internet, or compromise the security of a machine. The Problem with Unknown Code. Hostile code is not the only threat—many non- malicious software applications also cause problems. Any software not known and supported by an organization can conflict with other applications or change crucial configuration information. Software restriction policies were designed to help organizations control not just hostile code, but any unknown code—malicious or otherwise. Responding to Unknown Code. Software restriction policies help a business respond to unknown code by: Providing a way to define a list of what is trusted code versus what is not. Providing a flexible, policy- based approach for regulating scripts, executables, and Active. X controls. Enforcing the policy automatically. Software Restriction Policy Architecture. Figure 1 below shows the three components of a software restriction policy: An administrator creates the policy by using the Group Policy Microsoft Management Console (MMC) snap- in for a particular Active Directory container site, domain, or organizational unit. The policy is downloaded and applied to a machine. User policies apply the next time a user logs on. Machine policies apply when a machine starts up. When a user starts a program or script, the operating system or scripting host checks the policy and enforces it. Unrestricted or Disallowed. A software restriction policy is created using the MMC Group Policy snap- in. A policy consists of a default rule about whether programs are allowed to run, and exceptions to that rule. The default rule can be set to Unrestricted or Disallowed—essentially run or don't run. Setting the default rule to Unrestricted allows an administrator to define exceptions; for example, the set of programs that are not allowed to run. A more secure approach is to set the default rule to Disallowed and specify only the programs that are known and trusted to run. Default Security Level. There are two ways to use software restriction policies: If an administrator knows all of the software that should run, then a software restriction policy can be applied to control execution to only this list of trusted applications. If all the applications that users might run are not known, then administrators can step in and disallow undesired applications or file types as needed. Four Rules Identify Software. The purpose of a rule is to identify one or more software applications, and specify whether or not they are allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule. Each rule can include descriptive text to help communicate why the rule was created. A software restriction policy supports the following four ways to identify software: Hash—A cryptographic fingerprint of the file. Certificate—A software publisher certificate used to digitally sign a file. Path—The local or universal naming convention (UNC) path of where the file is stored. Zone—Internet Zone. Hash Rules. A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of where it is accessed or what it is named. An administrator may not want users to run a particular version of a program. This may be the case if the program has security or privacy bugs, or compromises system stability. With a hash rule, software can be renamed or moved into another location on a disk, but it will still match the hash rule because the rule is based on a cryptographic calculation involving file contents. A hash rule consists of three pieces of data, separated by colons: MD5 or SHA- 1 hash value. File length. Hash algorithm IDIt is formatted as follows. Files that are not digitally signed will use an MD5 hash. Example: The following hash rule matches a file with a length of 1. MD5 (denoted by the hash algorithm identifier of 3. Certificate Rules. A certificate rule specifies a code- signing, software publisher certificate. For example, a company can require that all scripts and Active. X controls be signed with a particular set of publisher certificates. Certificates used in a certificate rule can be issued from a commercial certificate authority (CA) such as Veri. Sign, a Windows 2. Windows Server 2. PKI, or a self- signed certificate. A certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of the signed file to match files regardless of name or location. If you wish to make exceptions to a certificate rule, you can use a hash rule to identify the exceptions. Path Rules. A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported. Using Environment Variables in Path Rules. A path rule can use environment variables. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %WINDIR%) allows a rule to adapt to a particular user's environment. Important: Environment variables are not protected by access control lists (ACL). If users can start a command prompt they can redefine an environment variable to a path of their choosing. Using Wildcards in Path Rules. A path rule can incorporate the '?' and '*' wildcards, allowing rules such as . Some examples. Many applications store paths to their installation folders or application directories in the Windows registry. You can create a path rule that looks up these registry keys. For example, some applications can be installed anywhere on the file system. These locations may not be easily identifiable by using specific folder paths, such as C: \Program Files\Microsoft Platform SDK, or environment variables, such as %Program. Files%\Microsoft Platform SDK.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
October 2017
Categories |