Most of the servers support the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits. This is considerably easier to exploit if the attacker is on the same physical network.
Some of the such weak cipher suits are:
DES-CBC(56)
DES-CBC(40)
RC4(40)
RC2(40)
I was administering set of Windows servers and here are the steps that I followed to disable these weak cipher suits.
To enable/disable Weak Cipher Suites in Windows Server 2003:
Start Registry Editor (Regedt32.exe), and then locate the following registry key:
To enable this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff. Or, change the DWORD value data to 0x0.
If you do not configure the Enabled value, the default is enabled. This
registry key does not apply to an exportable server that does not have
an SGC certificate.
To disable this cipher algorithm, change the DWORD value data of the Enabled value to 0x00000001.
To enable/disable Weak Cipher Suites in Windows Server 2008:
Network Level Authentication completes user authentication before you
establish a remote desktop connection and the logon screen appears. This
is a more secure authentication method that can help protect the remote
computer from malicious users and malicious software. Further this can help provide better security by reducing the risk of denial-of-service attacks.
To use Network Level Authentication, you must meet the following requirements:
The client computer must be using at least Remote Desktop Connection 6.0.
The client computer must be using an
operating system, such as Windows 7, Windows Vista, or Windows XP with
Service Pack 3, that supports the Credential Security Support Provider
(CredSSP) protocol.
The RD Session Host server must be running Windows Server 2008 R2 or Windows Server 2008.
To configure Network Level Authentication for a connection in Windows Server 2008 R2 or Windows Server 2008.
On the RD Session Host server, open Remote Desktop
Session Host Configuration. To open Remote Desktop Session Host
Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
Under Connections, right-click the name of the connection, and then click Properties.
On the General tab, select the Allow connections only from computers running Remote Desktop with Network Level Authentication check box.
Clikc OK
To determine whether a computer is running a version of Remote Desktop
Connection that supports Network Level Authentication, start Remote
Desktop Connection, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. Look for the phrase Network Level Authentication supported in the About Remote Desktop Connection dialog box.
To disable (Alternative method):
If you want, you can disable NLA by running tsconfig.msc on your 2008 R2
server, and deselecting the "Allow connection only from computers
running Remote Desktop with Network Level Authentication" option under
the RDP service. To enable NLA in XP machines; first install XP SP3, then edit the registry settings on the XP client machine to allow NLA
Click Start, click Run, type regedit, and then press ENTER.
In the navigation pane, locate and then click the following registry
subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the details pane, right-click Security Packages, and then click Modify.
In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
In the navigation pane, locate and then click the following registry
subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
In the details pane, right-click SecurityProviders, and then click Modify.
In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
Exit Registry Editor.
Restart the computer.
RDP mechanisms supported on different Server OS versions
Server OS Version
Client OS
Windows Server 2000, 2003
Windows Server 2003 SP1 / R2
Windows Server 2008
Windows XP SP2 and earlier
Network Level Protection or VPN
Pure SSL/TLS
Pure SSL/TLS
Windows XP SP3*, Windows Vista, Windows Vista SP1
Network Level Protection or VPN
Pure SSL/TLS
NLA or
Pure SSL/TLS
Pure SSL/TLS is a standard mechanism that enables clients to authenticate to servers and provides a secure channel by encrypting communications. To use SSL/TLS, you must obtain certificates issued by a trusted Certificate Authority and configure them on each terminal server on which you want to have server authentication.
Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials.
Solution : - Force the use of SSL as a transport layer for this service if supported, or/and - Select the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting if it is available.
This is the most frequent vulnerability which scanners will complain about TRACE method being enabled on the web server tested. When the debuging function is enabled on web servers. TRACE and TRACK methods can be executed. Normally you will have this enabled by default, but if you want to test if it is really enabled on your server you just have to telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.
To see if TRACE is supported by your server, you can use curl $ curl -i -X TRACE http://www.example.com
To disable these methods below steps can be followed.
Apache Server: The complex mechanism involves creating a mod_rewrite rule that will disable http methods, which is also quite popular and works with ANY version of apache that supports mod_rewrite. The directives below would need to be set, which are written assuming that this is the first time use for mod_rewrite.
The first thing to do is make sure that mod_rewrite is loaded. If mod_rewrite.so is missing from your apache configuration but you have it installed, (and your install location is /usr/local/apache), then add the following statement to your httpd.conf:
Then add the following as well to your httpd.conf file: RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F]
Please note that by default, rewrite configurations are not inherited across virtual servers. Add RewriteEngine On to each virtual host.. Restart apache, re-run the steps in the Validation section, and with either method, you should receive an HTTP 405-Method Not Allowed status code back.
For newer versions (1.3.34 or later for the legacy branch, and 2.0.55 or later).
Simplest option is to add the TraceEnable directive into your httpd.conf and set the value to Off. Or else if httpd.conf is not available, Set "TraceEnable off" in /etc/apache2/apache2.conf or (if it is in Debian version) in /etc/apache2/sites-enabled/000-default
Finally restart the apache server.
IIS 6 Server:
The only supported mechanism in place for remediation is by installing URLScan from Microsoft, (version 2.5 and version 3.1 are still available). The urlscan.ini file included as part of URLScan sets by default a configuration setting "UseAllowVerbs=1". In the [AllowVerbs] section of the ini file, http methods GET, HEAD, and POST are the only ones listed, so simply by installing URLScan, you are protected from TRACE or TRACK.
II7 Server:
Refer the article http://www.iis.net/configreference/system.webserver/security/requestfiltering/verbs. This provides a detailed description. Sun GlassFish Enterprise Server: If you are using GlassFish v2, you need to set the property "traceEnabled" to "true" or "false" under . Here is the reference documentation that lists out all the property name for http-service. http://docs.sun.com/app/docs/doc/820-4338/abhcq?a=view
If you are using V3, Using Admin Console: Expand Configuration -> Network Config -> Network Listeners Click the listener name that you want to configure. You can then change the Trace-Enabled checkbox under the HTTP Tab.
Using CLI You need to find out the name of the protocol that your listener is using. The following example shows you how to get the current setting and change it to false. By default, Trace is enabled. You need the protocol name, the example below says "http-listener-1" only because the Name of the protocol is "http-listener-1".
$./asadmin get configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=true Command get executed successfully. $./asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=false configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=false
Command set executed successfully.
Alternative Option ot disable TRACE/TRACK on Sun Servers Change the obj.conf file in the config directory of the web server instance (i.e. not the admin-server config directory) and add the "If" below.
When the installed version of the HP System Management Homepage (SMH) is earlier than 7.0, such systems are reportedly affected by multiple critical security vulnerabilities.
Two possible option to resolve the above vulnerability:
Upgrade to HP System Management Homepage to latest stable version
Disable/Remove HP System Management Homepage
In order to disable HP System Management Homepage in Windows OS, below steps can be followed. To disable this, we need to disable the port 2301-www.
Consider the following before user disables port 2301.
If user disables port 2301 when HP SMH is in autostart URL mode, the start mode automatically changes to start on boot mode.
To disable Port 2301, complete the following steps:
Select Settings from the menu.
In the System Management Homepage box, click the Security link.
Click the Port 2301 link.
In the Configuration box, clear the Enable Port 2301 check box.
Click Apply.
To enable Port 2301, complete the following steps:
Select Settings from the menu.
In the System Management Homepage box, click the Security link.
Click the Port 2301 link.
In the Configuration box, select the Enable Port 2301 check box.
Click Apply.
To Uninstalling HP SMH on a Windows operating system, use the Add/Remove Programs feature in Windows, and complete the following steps to remove HP SMH:
Select Start , Control Panel , Add or Remove Programs.
Select HP System Management Homepage.
Click Remove.
Uninstalling from a Itanium-based Linux, x86 or x86_64 operating system To uninstall HP SMH: Run the following command:
I believe all the listed filters in the below will be usefull for everyone, as it did for me. These are mainly about short listing the number of packets to be looked at during a session of analyzing a packet capture file.
Filter out a given source ip range !(ip.src >= 175.157.7.0 && ip.src <= 175.157.7.255)
Filter out a given destination ip range !(ip.dst >= 175.157.7.0 && ip.dst <= 175.157.7.255)
Filter out both given source and destination ip ranges !(ip.src >= 175.157.7.0 && ip.src <= 175.157.7.255) || !(ip.dst >= 175.157.7.0 && ip.dst <= 175.157.7.255)
Filter out Spanning-tree Protocol messages !stp
Filter out loopback messages !loop
Filter out the below IP range and the Spanning-tree Protocol messages !(ip.src >= 175.157.7.0 && ip.src <= 175.157.7.255) || !(ip.dst >= 175.157.7.0 && ip.dst <= 175.157.7.255) && !stp
The format “ip.addr==175.157.7.0/24″ works now as well. That is a much cleaner solution. !ip.addr==175.157.7.0/24 && !stp