WindowsServer 2016 2ND

Uploaded by RV K

Audit Report

Windows Server 2016 New Built VM

Audited on August 11, 2020

Reported on August 11, 2020


Audit Report

1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of
your network. Access to this information by unauthorized personnel may allow them to compromise your network.

Site Name: Windows Server 2016 New Built VM
Start Time: August 11, 2020 08:54 GMT
End Time: August 11, 2020 08:58 GMT
Total Time: 4 minutes
Status: Success
There is not enough historical data to display overall asset trend.

The audit was performed on one system which was found to be active and was scanned.

There were 4 vulnerabilities found during this scan. No critical vulnerabilities were found. Critical vulnerabilities require immediate
attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 4
vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.
There were no moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting
subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

There was 1 occurrence each of the cifs-smb-signing-disabled, cifs-smb-signing-not-required, cifs-smb1-deprecated and
cifs-smb2-signing-not-required vulnerabilities, making them the most common vulnerabilities. There were 4 vulnerability instances in
the CIFS category, making it the most common vulnerability category.

Page 1

The cifs-smb-signing-disabled vulnerability poses the highest risk to the organization with a risk score of 843. Risk scores are based on
the types and numbers of vulnerabilities on affected assets.
One operating system was identified during this scan.
There were 3 services found to be running during this scan.

The CIFS, DCE Endpoint Resolution and DCE RPC services were found on 1 system, making them the most common services.

Page 2

2. Discovered Systems

Node: 10.87.30.10
Operating System: Microsoft Windows
Risk: 3,045
Aliases:
•NJ3VWPRNADI01
•nj3vwprnadi01.prnewswire.local

Page 3

3. Discovered and Potential Vulnerabilities

3.1. Critical Vulnerabilities


No critical vulnerabilities were reported.

3.2. Severe Vulnerabilities

3.2.1. SMB signing disabled (cifs-smb-signing-disabled)

Description:

This system does not allow SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity and helps
prevent man in the middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least secure),
enabled, and required (most secure).

Affected Nodes:         Additional Information:

10.87.30.10:445         SMB signing is disabled

References:

Source   Reference

URL      http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this TechNet article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory

Page 4

3.2.2. SMB signing not required (cifs-smb-signing-not-required)

Description:

This system enables, but does not require SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity
and helps prevent man in the middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least
secure), enabled, and required (most secure).

Affected Nodes:         Additional Information:

10.87.30.10:445         Smb signing is: disabled

References:

Source   Reference

URL      http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this TechNet article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory

3.2.3. SMB: Service supports deprecated SMBv1 protocol (cifs-smb1-deprecated)

Description:

The SMB1 protocol has been deprecated since 2014 and is considered obsolete and insecure.

Affected Nodes:         Additional Information:

10.87.30.10:445         SMB1 is deprecated and should not be used

References:

Source   Reference

URL      https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

Vulnerability Solution:
•Samba
Remove/disable SMB1
For Samba systems on Linux, disabling SMB1 is quite straightforward:
How to configure Samba to use SMBv2 and disable SMBv1 on Linux or Unix

•Microsoft Windows
Remove/disable SMB1
For Windows 8.1 and Windows Server 2012 R2, removing SMB1 is trivial. On older OSes it can't be removed but should be disabled.
This article contains system-specific details:
How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

3.2.4. SMBv2 signing not required (cifs-smb2-signing-not-required)

Description:

This system enables, but does not require SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity
and helps prevent man in the middle attacks against SMB. SMB 2.x signing can be configured in one of two ways: not required (least
secure) and required (most secure).

Affected Nodes:         Additional Information:

10.87.30.10:445         Running CIFS service
                        Configuration item smb2-enabled set to 'true' matched
                        Configuration item smb2-signing set to 'enabled' matched

References:

Source   Reference

URL      https://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this TechNet article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory

3.3. Moderate Vulnerabilities


No moderate vulnerabilities were reported.

Page 7

4. Discovered Services

4.1. CIFS
CIFS, the Common Internet File System, was defined by Microsoft to provide file sharing services over the Internet. CIFS extends the
Server Message Block (SMB) protocol designed by IBM and enhanced by Intel and Microsoft. CIFS provides mechanisms for sharing
resources (files, printers, etc.) and executing remote procedure calls over named pipes.

4.1.1. Discovered Instances of this Service

Device: 10.87.30.10   Protocol: tcp   Port: 445   Vulnerabilities: 2
Additional Information:
•Windows Server 2019 Datacenter 6.3
•domain: PRNEWSWIRE
•password-mode: encrypt
•security-mode: user
•smb-signing: disabled
•smb1-enabled: true
•smb2-enabled: true
•smb2-signing: enabled

4.2. DCE Endpoint Resolution


The DCE Endpoint Resolution service, aka Endpoint Mapper, is used on Microsoft Windows systems by Remote Procedure Call (RPC)
clients to determine the appropriate port number to connect to for a particular RPC service. This is similar to the portmapper service
used on Unix systems.

4.2.1. Discovered Instances of this Service

Device: 10.87.30.10   Protocol: tcp   Port: 135   Vulnerabilities: 0

4.3. DCE RPC

4.3.1. Discovered Instances of this Service

Device: 10.87.30.10   Protocol: tcp   Port: 49664   Vulnerabilities: 0
Additional Information:
•interface-uuid: D95AFE70-A6D5-4259-822E-2C84DA1DDB0D
•interface-version: 1
•name: D95AFE70-A6D5-4259-822E-2C84DA1DDB0D
•object-interface-uuid: 765294BA-60BC-48B8-92E9-89FD77769D91
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[49664]

Device: 10.87.30.10   Protocol: tcp   Port: 49665   Vulnerabilities: 0
Additional Information:
•interface-uuid: F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C
•interface-version: 1
•name: Event log TCPIP
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[49665]

Device: 10.87.30.10   Protocol: tcp   Port: 49666   Vulnerabilities: 0
Additional Information:
•interface-uuid: 3A9EF155-691D-4449-8D05-09AD57031823
•interface-version: 1
•name: 3A9EF155-691D-4449-8D05-09AD57031823
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[49666]

Device: 10.87.30.10   Protocol: tcp   Port: 49906   Vulnerabilities: 0
Additional Information:
•interface-uuid: 12345778-1234-ABCD-EF00-0123456789AC
•interface-version: 1
•name: 12345778-1234-ABCD-EF00-0123456789AC
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[49906]

Device: 10.87.30.10   Protocol: tcp   Port: 54271   Vulnerabilities: 0
Additional Information:
•interface-uuid: 29770A8F-829B-4158-90A2-78CD488501F7
•interface-version: 1
•name: 29770A8F-829B-4158-90A2-78CD488501F7
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[54271]

Device: 10.87.30.10   Protocol: tcp   Port: 60363   Vulnerabilities: 0
Additional Information:
•interface-uuid: 12345778-1234-ABCD-EF00-0123456789AC
•interface-version: 1
•name: 12345778-1234-ABCD-EF00-0123456789AC
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[60363]

Device: 10.87.30.10   Protocol: tcp   Port: 60365   Vulnerabilities: 0
Additional Information:
•interface-uuid: 76F03F96-CDFD-44FC-A22C-64950A001209
•interface-version: 1
•name: 76F03F96-CDFD-44FC-A22C-64950A001209
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[60365]

Device: 10.87.30.10   Protocol: tcp   Port: 60379   Vulnerabilities: 0
Additional Information:
•interface-uuid: 6B5BDD1E-528C-422C-AF8C-A4079BE4FE48
•interface-version: 1
•name: Remote Fw APIs
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[60379]

Device: 10.87.30.10   Protocol: tcp   Port: 61719   Vulnerabilities: 0
Additional Information:
•interface-uuid: 367ABB81-9844-35F1-AD32-98F038001003
•interface-version: 2
•name: 367ABB81-9844-35F1-AD32-98F038001003
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:10.87.30.10[61719]

Page 10

5. Discovered Users and Groups


No user or group information was discovered during the scan.

Page 11

6. Discovered Databases
No database information was discovered during the scan.

Page 12

7. Discovered Files and Directories


No file or directory information was discovered during the scan.

Page 13

8. Policy Evaluations
No policy evaluations were performed.

Page 14

9. Spidered Web Sites


No web sites were spidered during the scan.

Page 15
