<Healthcare Network> Server Vulnerability Remediation 8-7

Windows Updates/Windows Registry Keys missing

X.X.X.127, X.X.X.128

• Connected to server through RDP
• Checked the internet for Windows updates through control panel
• Ran all required and optional updates
• Stopped the ManageEngine service running through Services.msc to prevent Manage Engine becoming corrupted.
• Restarted server, using the command line ping –t to verify the reboot was successful
• Ran a Qualys scan to verify if the updates had also solved the Registry misconfiguration
• Scan found that the security update vulnerabilities had been successful, but there were vulnerabilities from not having the .NET framework up to date
• This should have installed from the Windows update
• Found and downloaded the individual .NET framework updates for Server 2012
• Quality and security rollup and the individual security updates would not install, saying they are not compatible
• In order to check the .NET Framework version, opened Powershell and ran (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release -ge 528040
• Output returned as true, meaning the most up to date .NET framework is currently installed

• Reran scan, no longer showed .NET Framework vulnerabilities
• Appears to be false positive on the original scan
• Made note of server to recheck on next full network vulnerability scan

Windows Registry Keys missing

X.X.X.127, X.X.X.128

• Connected to server through RDP
• Registry Keys should be updated appropriately through Windows Update
• Ran Windows Update through Control Panel
• Stopped the ManageEngine service running through Services.msc to prevent Manage Engine becoming corrupted.
• Restarted server, using the command line ping –t to verify the reboot was successful
• Ran a Qualys scan, found the missing Registry key vulnerability was still present
• According to Qualys, installing Windows patch KB4601058 adds the necessary Registry keys
• Installed the Windows patch
• Stopped Manage Engine service and restarted the server
• Attempted to run a Qualys scan, which failed saying the host was down
• Reconnected to server to verify it was functioning normally
• Re-ran Qualys scan
• Qualys Scan shows vulnerability is still present
• Made note of server to bring up to <Director>

BEAST/Birthday Attack

X.X.X.189

• Connected to server using RDP
• Checked the server’s connected to the network is normal now, since previously there have been issues
• Attempted to make the necessary changes to the NSClient.ini file and the Registry, denied due to lack of permissions

X.X.X.192

• Attempted to connect through RDP, could not make a connection
• Attempted to connect through vSphere, could not find IP address
• Server does not currently have an associated DNS Hostname

Remote Management Service Accepting Unencrypted Credentials Detected (FTP)

X.X.X.143

• FTP through port 21 allows unencrypted credentials and data to be passed
• For remediation, the service needs to be changed to a more secure protocol, such as SFTP or FTPS
• Change management needs to be completed first, and approval needs to be gained to ensure there is no interruption of service

NotePad++ "SciLexer.dll" denial of service vulnerability

X.X.X.77

• Connected to server using RDP
• Opened NotePad++
• Attempted to download and install update package through the application
• Download timed out and failed
• Attempted to download latest version through the Notepad++ website
• Download timed out
• Application is a non-essential text editor causing vulnerabilities which has previously been uninstalled from oth er servers
• Uninstalled Notepad++
• Server is a Voice Server, so could not be rebooted. Uninstall should have remediated the issue without a reboot