Nessus-Vulnerability-Management-

Vulnerability management is crucial for maintaining a strong cybersecurity posture by proactively identifying and addressing potential security weaknesses. By following a systematic approach involving discovery, assessment, remediation, verification, and continuous monitoring, organizations can significantly reduce their risk of cyber threats and enhance their overall security resilience. In this lab I run a credentialed scan on a outdated Windows vm with vulnerabilities. Then I remediate a few of the critical and high vulnerabilites.

Configure host for credentialed scan

We need to allow our scanner to connect to the Windows registry to look for insecure configurations. A Windows registry is a database that stores configuration settings and options for the operating system and installed applications. It includes settings related to system hardware, installed software, user preferences, and other system configurations. For this reason the registry can be a prime target for attackers. Scanning helps identify any vulnerabilities or misconfigurations that could be exploited

Services > Remote Registry > turn on to Automatic

Advanced sharing allows the scan to access and evaluate network shares and file systems that might be exposed over the network. This is important because vulnerabilities can exist in shared resources, and scanning them helps identify potential risks.

Advanced sharing > Enable file and printer sharing

Lowering User Access Control during a vulnerability scan can help ensure that the scan runs smoothly and covers all areas of the system. This reduces the number of prompts or interruptions that could occur during the scan.

User account control : Set to lowest control

The LocalAccountTokenFilterPolicy setting is important when performing vulnerability scans, particularly on Windows environments. This policy affects how tokens for local accounts are handled by the system and can impact the ability of vulnerability scanners to access and evaluate certain aspects of the system. When set to 1, this policy causes the system to filter local account tokens, meaning that remote access requests made with local account credentials will have more restricted permissions.

Registry Edit > Local Machine > Software > Microsoft > Windows > Current Version > Policies > System

Create a DWORD > Name it : LocalAccountTokenFilterPolicy > Set hexidecimal value to 1

Reboot Computer

Go to Nessus > Basic Network Scan > Name : Windows 10 single host > Target : Input host machine IP address

A credentialed vulnerability scan is a type of security scan where Nessus is provided with valid login credentials for the systems being scanned. This approach allows the scan to perform a deeper and more thorough assessment of the system compared to non-credentialed scans.

Select Credential Scan : Input credentials for host > Save

Vulnerablities

As you can see , after running the credentialed scan we have many critical and high vulnerabilites on our host. Lets dive into them and begin remediating the vulnerabilites

From reading the description we can see that the Firefox browser is outdated. Outdated web browsers can create significant vulnerabilities in a system because they may lack crucial security patches, fail to support modern security practices, and be incompatible with contemporary web standards. Keeping browsers up to date is essential to mitigate these risks and protect against potential threats. We can either uninstall or choose to update the browser

Uninstalling Firefox browser

Our next vulnerability is SMB signing. It looks like the signiture is not required on the SMB server. SMB signing (Server Message Block signing) is a security feature used to protect the integrity of data transmitted over the SMB protocol, which is commonly used for file sharing and network communication in Windows environments. When SMB signing is enabled, each SMB packet (message) sent over the network includes a cryptographic signature this validates the integrity of the data and verifies the identity of the sender, making it much harder for an attacker to successfully tamper with or intercept SMB communications.

Local Securtiy Policy > Local Policies > Security Options > Microsoft Network Server Digitally sign communication > Enable

Our next vulnerability is that our SSL certificate cant be trusted. The X.509 certificates are a standard for public key infrastructure (PKI) used to secure communications over networks like the internet. They are often used in SSL/TLS protocols to ensure secure communication between clients and servers. When a server’s X.509 certificate can’t be trusted, it typically indicates that there is a problem with the certificate’s validation, such as issues with the issuing CA, expiration, domain mismatch, or incomplete trust chain. Addressing these issues generally involves updating or replacing the certificate, ensuring the correct CA is used, and properly configuring the certificate chain.

We will need a custom CA to resolve this, in this case we will generate a self-signed SSL certificate and then add it into nessus rules. Follow the below instruction to create self signed certificate for development purpose

Open powershell command as administrator

Run this command in powershell : New-SelfSignedCertificate -DnsName "example.com" -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(1)

-DnsName: Specifies the domain name for which the certificate is issued. Replace "example.com" with your domain or IP address.

-CertStoreLocation: Specifies where to store the certificate. In this case, it stores it in the personal certificate store of the local machine.

-NotAfter: Sets the expiration date for the certificate. This example sets it to one year from the current date.

To see thumbprint : Get-ChildItem -Path Cert:\LocalMachine\My