Vulnerability issues in windows server 2008r2

Leenas

New Member
Hi Everyone,

In our environment, we run Vulnerability to scan in the servers using the Nessus scanner tool, as a result it throws some Vulnerability issues as listed below:

  1. SMB Signing not required
  2. DNS Server Cache Snooping Remote Information Disclosure
  3. SSL DROWN Attack Vulnerability (Decrypting RSA with Obsolete and Weakened Encryption) (CVE-2014-3566)
  4. SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) (CVE-2016-0800)
  5. SSL Version 2 and 3 Protocol Detection
I need a solution on this issue. kindly help for me.

I appreciate your answers.

Regards,
Leenas
 

Neemobeer

Windows Forum Team
Staff member
A quick google search would give you the answers.

IMPORTANT hopefully you have a change control process, but if not make sure you test on a subset of systems and for the SSL make sure you don't have any systems that rely on it (hopefully not as it's been obsolete for a long time now)

1. This is a GPO change

2. https://support.microsoft.com/en-us/help/2678371/microsoft-dns-server-vulnerability-to-dns-server-cache-snooping-attack

3-5.
The last three can be fixed by disabling SSLv2 and 3. I'd also disable TLS v1.0. For Windows it's a matter of adding some registry keys and rebooting.
 

Attachments

Leenas

New Member
A quick google search would give you the answers.

IMPORTANT hopefully you have a change control process, but if not make sure you test on a subset of systems and for the SSL make sure you don't have any systems that rely on it (hopefully not as it's been obsolete for a long time now)

1. This is a GPO change

2. https://support.microsoft.com/en-us/help/2678371/microsoft-dns-server-vulnerability-to-dns-server-cache-snooping-attack

3-5.
The last three can be fixed by disabling SSLv2 and 3. I'd also disable TLS v1.0. For Windows it's a matter of adding some registry keys and rebooting.

Hi Neemobeer,

Thanks for valuable responses and the solution.

Regards,
Leenas
 

Leenas

New Member
Hi Neemobeer,

I have some queries in the attached SSL Registry keys values kindly give me some solution.

Is it possible to deploy the registry keys changes using group policy?

If we change the registry value in the server it will affect entire domain or it will affect particular server.

How to deploy group policy to disable SSL 2.0,3.0 using registry changes for particular OU.

we have around 400 users.

Regards,
Leenas
 

Attachments

Neemobeer

Windows Forum Team
Staff member
IE should use the system settings, but there are built-in GPO settings for IE.
Chrome removed support for SSL after version 48 and I believe FF is the same way.

You can find premade admx templates here including for Chrome and Firefox
Group Policy Administrative Templates

For GPOs you can target as broad or granular as you want.
 

Leenas

New Member
IE should use the system settings, but there are built-in GPO settings for IE.
Chrome removed support for SSL after version 48 and I believe FF is the same way.

You can find premade admx templates here including for Chrome and Firefox
Group Policy Administrative Templates

For GPOs you can target as broad or granular as you want.
Thank You Neemobeer, the given information is more helpful for me.

Regards,
Leenas
 
Top