Microsoft Endpoint Manager – “Defeating Vulnerability Scans”

The Issue

In Operations you may get approached by your Security Team from time to time to help them close new vulnerabilities that were identified after a vulnerability scan was run. The report typically looks like the one below and contains a list of vulnerabilities that need to be addressed.

The Investigation

If you are lucky, the vulnerability scan report provides you with some helpful links and tips on how to secure your infrastructure.

The problem with addressing these vulnerabilities is that they normally affect more than one resource at a time, and the mitigation instructions sometimes refer to a GUI or just point to a random TechNet article.

So, the good news? You can use Microsoft Endpoint Manager Configuration Manager to create Baselines and Configuration Items once, deploy them to a subset of machines to test, and then roll them out to all of your affected machines.

I have created a Baseline containing Configuration Items that address the findings below. (Warning: this is supplied AS IS (Draft Version 1.0); feel free to modify the items to your liking. This is more of a community effort, and your input is always appreciated.)

List of CIs

  • Configure SMB signing for Windows
  • Disable insecure TLS/SSL protocol support
  • Obtain a new certificate from your CA and ensure the server configuration is correct
  • Disable SSLv2, SSLv3, and TLS 1.0. The best solution is to only have TLS 1.2 enabled
  • Disable TLS/SSL support for 3DES cipher suite
  • Disable TLS/SSL support for static key cipher suites
  • Disable TLS/SSL support for RC4 ciphers
  • Remove the default page or stop/disable the IIS server
  • Disable HTTP OPTIONS method
  • Set the password expiration for Windows Vista/2008 and newer
  • Force IIS7 to Display Hostname
  • Disable WebDAV for IIS
  • Stop Using SHA-1
  • Disable HTTP DELETE method
  • Restrict Processing of Recursive Queries
  • Use a Stronger Diffie-Hellman Group
  • Generate random Diffie-Hellman parameters
  • Enable TLS/SSL support for strong ciphers

How did I obtain the registry keys and details for my CIs?

For TLS I used a tool called IISCrypto (Nartac Software – IIS Crypto).

For everything else I followed the vulnerability report and turned its instructions into PowerShell.
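To show what "turning the report into PowerShell" looks like for a Configuration Item, here is an added example (my own, not code from the MEMBaselines repository) of a discovery and remediation script pair that enforces the SCHANNEL protocol registry keys for the "Disable SSLv2, SSLv3, and TLS 1.0" finding. It assumes TLS 1.2 is the only protocol you want left enabled, as the list above states, and that the script runs elevated under the ConfigMgr client.

```powershell
# Added example (not from the MEMBaselines repository): discovery/remediation
# logic for a ConfigMgr CI that disables SSL 2.0/3.0 and TLS 1.0/1.1 through the
# SCHANNEL registry keys. Requires elevation; Windows reads these at boot.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state (assumption: TLS 1.2 is the target, legacy protocols off).
$Desired = @{
    'SSL 2.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Get-SchannelDrift {
    # Returns every protocol/side/value that differs from $Desired.
    # A missing value is treated as drift so the OS default is never relied on.
    $drift = @()
    foreach ($proto in $Desired.Keys) {
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path (Join-Path $Base $proto) $side
            foreach ($name in $Desired[$proto].Keys) {
                $want = $Desired[$proto][$name]
                $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
                if ($have -ne $want) { $drift += "$proto\$side\$name=$have (want $want)" }
            }
        }
    }
    return $drift
}

# Discovery script: ConfigMgr compares this string with the compliance rule.
function Invoke-Discovery {
    if ((Get-SchannelDrift).Count -eq 0) { 'Compliant' } else { 'Non-Compliant' }
}

# Remediation script: create missing keys and write the DWORD values.
function Invoke-Remediation {
    foreach ($proto in $Desired.Keys) {
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path (Join-Path $Base $proto) $side
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            foreach ($name in $Desired[$proto].Keys) {
                New-ItemProperty -Path $path -Name $name -Value $Desired[$proto][$name] `
                    -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

Invoke-Discovery   # the last statement's output is what the CI evaluates
```

In the CI, paste `Get-SchannelDrift` plus `Invoke-Discovery` as the discovery script and `Invoke-Remediation` as the remediation script, with a compliance rule of "value equals Compliant". The Client-side keys also govern outbound connections from the machine, so pilot this on a test collection first, as the post recommends.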

Solution Resource and Contributing

Would you like a copy of the Baseline and all Configuration Items? Head over to

https://github.com/WernerRall147/MEMBaselines

and download the files, fork it, star it, contribute, and together let's secure our infrastructure.

Just want to secure against TLS/SSL attacks? Go download and run IISCrypto!

As always I hope this has been helpful.
