System Security.yml

- cvssv3: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'
  category: System Security
  details:
    - locale: EN
      title: Powershell Configuration
      vulnType: Pentest
      description: >-
        <p>PowerShell is a task automation and configuration management
        framework developed by Microsoft, consisting of a command-line shell and
        associated scripting language built on the .NET framework. It was
        designed to provide a more efficient and effective way for Windows
        administrators to manage and automate various system administration
        tasks, including managing the Windows operating system and other
        Microsoft products such as Exchange, SharePoint, and SQL
        Server.<br><br>PowerShell is often used by adversaries because it
        provides them with a built-in versatile tool for executing malicious
        scripts and commands, bypassing security controls, accessing sensitive
        information, and hiding their actions, making it an attractive tool for
        malicious actors.<br><br>There are several steps that can be taken to
        harden the way PowerShell can act on a system or in specific user
        context:<br></p><ul><li><p>Restrict the Language Mode</p><p>The
        PowerShell language mode determines the syntax, language elements, and
        behavior of PowerShell scripts, with the two main modes being "Full" and
        "Constrained" that can be used to restrict the capabilities of
        PowerShell scripts for security and administrative
        purposes.</p></li><li><p>Set an Execution Policy</p><p>The PowerShell
        execution policy is a security feature that determines what types of
        PowerShell scripts can run on a system and is used to help protect
        against malicious scripts by restricting the execution of scripts from
        unknown or untrusted sources.</p></li><li><p>Uninstall old PowerShell
        versions</p><p>PowerShell version 5 and above has important built-in
        security features that make it safer to use in enterprise environments.
        For example, PowerShell v5 logs every script that is run, making it
        easier to trace the execution of malware. <br>These security features
        are not present in PowerShell v2.0, making it less secure, which at the
        same time makes it a lucrative alternative for
        attackers.</p></li></ul><p></p>
      observation: >-
        <p>Language Mode Failure = Medium<br>Execution Policy =
        Low<br>PowerShell v2 = High</p>
      remediation: >-
        <p>Set the Language Mode to <em>Restricted</em>. This can be activated
        locally:</p><pre><code>[Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘,
        ‘4’, ‘Machine‘)</code></pre><p>Or via Group Policies
        Objects:</p><p><em>Computer Configuration\Preferences\Windows
        Settings\Environment</em><br></p><img class="custom-image"
        src="63e504b947c5530011586cfc" alt="Setting PowerShell Language Mode via
        GPO"><p></p><p>Set the Execution Policy to <em>AllSigned</em>. This can
        be done via GPO here: <em>Computer Configuration &gt; Policies &gt;
        Administrative Templates &gt; Windows Components &gt; Windows
        PowerShell</em><br></p><img class="custom-image"
        src="63e505c447c5530011586cfd" alt="Setting Execution Policy for
        PowerShell via GPO"><p><br><br>Deactivate PowerShell v2.0 via GPO or
        remove it locally via the "Windows Features".</p>
      references:
        - 'https://adsecurity.org/?p=2604'
        - >-
          https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
        - >-
          https://learn.microsoft.com/en-us/powershell/scripting/learn/security-features?view=powershell-7.3
        - >-
          https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.3
      customFields: []
  priority: 2
  remediationComplexity: 1

- cvssv3: 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'
  priority: 2
  remediationComplexity: 2
  details:
    - locale: EN
      title: DMA Attacks
      description: >-
        <p>DMA (Direct Memory Access) attacks are a class of security threats
        that exploit the DMA feature present in many computer systems. DMA
        allows hardware devices, such as network cards or USB controllers, to
        access the system's memory directly without involving the CPU, enabling
        faster data transfers.</p><p>In a DMA attack, an attacker gains physical
        or remote access to a target system and leverages DMA capabilities to
        directly read from or write to the system's memory. This access allows
        the attacker to bypass traditional security measures, such as operating
        system permissions or encryption, and potentially gain unauthorized
        access to sensitive data or compromise the system's
        integrity.</p><p>There are two main types of DMA
        attacks:</p><ol><li><p>DMA Read Attacks: In this type of attack, the
        attacker gains access to the system's memory and can read sensitive
        information stored in the memory, including encryption keys, passwords,
        or confidential data. The attacker can then use this information for
        unauthorized purposes.</p></li><li><p>DMA Write Attacks: In a DMA write
        attack, the attacker injects malicious data or code into the system's
        memory, potentially overwriting critical data or modifying the system's
        behavior. This can lead to unauthorized privilege escalation, injection
        of malware, or modification of system settings.</p></li></ol><p>DMA
        attacks can be executed through various means, including physical access
        to the target system, compromised peripheral devices, or exploiting
        vulnerabilities in system firmware or drivers. Some examples of DMA
        attack vectors include FireWire, Thunderbolt, PCI Express, or PCMCIA
        interfaces.</p>
      remediation: >-
        <p>Apply according counter measures via GPO (please also refer to the
        references):<br><br>Firewire: <br><code>Computer Configuration &gt;
        Administrative Templates &gt; System &gt; Device Installation &gt;
        Device Installation Restrictions &gt; Prevent installation of devices
        using drivers that match these device setup classes</code></p><p>Add the
        following entries:</p><table><tbody><tr><th colspan="1"
        rowspan="1"><p><strong>GUID</strong></p></th></tr><tr><td colspan="1"
        rowspan="1"><p><strong>{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}</strong></p></td></tr><tr><td
        colspan="1"
        rowspan="1"><p><strong>{c06ff265-ae09-48f0-812c-16753d7cba83}</strong></p></td></tr><tr><td
        colspan="1"
        rowspan="1"><p><strong>{d48179be-ec20-11d1-b6b8-00c04fa372a7}</strong></p></td></tr><tr><td
        colspan="1"
        rowspan="1"><p><strong>{6bdd1fc1-810f-11d0-bec7-08002be2092f}</strong></p></td></tr></tbody></table><p></p><p>PCIe:<br><code>Computer
        Configuration &gt; Administrative Templates &gt; Windows Components &gt;
        BitLocker Drive Encryption &gt; Disable new DMA devices when this
        computer is locked</code></p><p>General protection against DMA
        attacks:</p><p><code>Computer Configuration &gt; Administrative
        Templates &gt; System &gt; Device Guard &gt; Turn on Virtualization
        Based Security &gt; Secure Boot with DMA</code></p>
      references:
        - >-
          https://www.synacktiv.com/en/publications/practical-dma-attack-on-windows-10.html
        - 'https://www.scip.ch/?labs.20211209'
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'
  priority: 2
  remediationComplexity: 1
  details:
    - locale: EN
      title: LSA Protection Configuration
      vulnType: Pentest
      description: >-
        <p>LSA Protection, also known as RunAsPPL (Protected Process Light), is
        a security feature introduced in Windows 10 and Windows Server 2016. It
        is designed to protect critical operating system processes by running
        them with an elevated level of protection.</p><p>LSA (Local Security
        Authority) is a subsystem in Windows responsible for security-related
        operations. LSA Protection ensures that certain critical LSA processes
        are isolated and run in a restricted mode called "Protected Process
        Light." This mode provides additional security measures to prevent
        unauthorized access or tampering of these processes.</p><p>Protected
        Process Light (PPL) restricts the interactions and privileges of a
        process, making it more resistant to attacks and unauthorized
        modifications. PPL processes are given a higher integrity level, making
        it difficult for lower-privileged processes or malware to tamper with
        them. This helps protect critical system functions and sensitive
        data.</p><p>By running LSA processes as PPL, Windows enhances the
        overall security of the operating system and helps mitigate various
        attack vectors that target system-level processes.</p>
      observation: <p><br><br></p>
      remediation: >-
        <p>Activate LSA Protection by setting the following registry
        key:<br><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
        RunAsPPL= 1</code></p>
      references:
        - 'https://itm4n.github.io/lsass-runasppl/'
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'
  priority: 2
  remediationComplexity: 1
  details:
    - locale: EN
      title: Disk Encryption Configuration
      vulnType: Pentest
      description: >-
        <p>Disk encryption is a security measure used to protect the data stored
        on a storage device, such as a hard drive or solid-state drive (SSD). It
        ensures that the data remains unreadable and inaccessible to
        unauthorized users even if the device is lost, stolen, or accessed
        without proper authorization.</p><p>The primary purpose of disk
        encryption is to encrypt the entire contents of the disk, including the
        operating system, applications, and user data. It prevents unauthorized
        individuals from accessing or extracting sensitive information from the
        disk by encrypting it using a cryptographic algorithm.</p><p>One method
        to enhance the security of disk encryption is through preboot
        authentication (PBA). PBA adds an additional layer of protection by
        requiring users to provide authentication credentials before the
        operating system boots up. This means that even if someone gains
        physical access to the device, they cannot bypass the encryption without
        providing the correct authentication.</p><p>Preboot authentication
        typically involves a separate login screen or interface that prompts
        users to enter a password or other authentication factors, such as a PIN
        or biometric data (e.g., fingerprint or facial recognition). Only upon
        successful authentication will the device proceed to boot up the
        operating system and decrypt the disk.</p><p>By combining disk
        encryption with preboot authentication, the data on the encrypted disk
        remains secure from unauthorized access. Even if an attacker manages to
        steal or gain physical access to the device, they would need to bypass
        the preboot authentication to gain access to the encrypted
        data.</p><p>It is important to choose strong authentication credentials
        and regularly update them to maintain the security of the disk
        encryption. Additionally, ensuring the device's firmware and software
        are up to date helps protect against known vulnerabilities and ensures
        the effectiveness of the encryption and authentication mechanisms.</p>
      remediation: >-
        <p>If the encryption is meant to protect against sophisticated attacks,
        the TPM only mode for BitLocker is not sufficient. One of the
        alternative solutions with an additional PIN or USB device should be
        taken into consideration[2]. Another idea would be to make use of 3rd
        party applications that will give the user a SSO feeling that integrate
        with BitLocker.</p>
      references:
        - '[1] https://luemmelsec.github.io/Go-away-BitLocker-you-are-drunk/'
        - >-
          [2]
          https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'
  priority: 2
  remediationComplexity: 1
  details:
    - locale: EN
      title: Removal Media Control Settings
      vulnType: Pentest
      description: >-
        <p>Removable media control is a security feature that helps protect
        against various threats related to the use of removable storage devices
        such as USB flash drives, external hard drives, and optical media.
        Here's a brief description of why removable media control is considered
        a security feature and the threats it can help
        mitigate:</p><ol><li><p>Unauthorized data access: Preventing
        unauthorized access to sensitive data on removable
        devices.</p></li><li><p>Malware introduction and spread: Reducing the
        risk of malware infections and the spread of malicious code through
        removable media.</p></li><li><p>"Bad USB" or "Bad Ethernet" devices that
        disguise as legitimate USB devices emulating HIDs like a keyboard or a
        network adapter to execute code or sniff
        credentials.</p></li><li><p>Data loss prevention: Implementing measures
        to prevent accidental data loss or unauthorized copying of sensitive
        information.</p></li><li><p>Unauthorized software or applications:
        Restricting the introduction of unauthorized software onto corporate
        devices through removable media.</p></li><li><p>Compliance and
        regulatory requirements: Enforcing policies to meet industry regulations
        and demonstrate data security compliance.</p></li></ol><p><a
        target="_blank" rel="noopener noreferrer nofollow"
        href="http://compliance.By">By</a> implementing removable media control
        as a security feature, organizations can mitigate the risks associated
        with unauthorized data access, malware infections, data loss,
        unauthorized software execution, and non-compliance with regulations. It
        provides an additional layer of protection to safeguard sensitive
        information and maintain the integrity and security of systems and
        networks.</p>
      remediation: >-
        <p>Implement according countermeasures that prevent attacks over
        removeable media.<br>This can for example be done via
        GPOs:</p><ol><li><p>Device installation restrictions: Group Policy can
        be used to restrict the installation of USB devices on computers. It
        allows administrators to define policies that prevent the installation
        of unrecognized or unauthorized USB devices, thereby mitigating the risk
        of "Bad USB" attacks.</p></li><li><p>USB port disabling: Group Policy
        enables administrators to disable specific USB ports on computers. By
        selectively disabling USB ports, organizations can limit the risk of
        unauthorized USB devices being connected and prevent potential "Bad USB"
        attacks.</p></li><li><p>Windows Defender Application Control: Windows
        Defender Application Control (WDAC) is a security feature available in
        Windows 10 Enterprise and Windows Server editions. It uses Group Policy
        to define policies that allow only trusted applications to run on a
        system. By enforcing strict application control policies, organizations
        can reduce the risk of "Bad USB" attacks by blocking the execution of
        unauthorized or malicious code from USB
        devices.</p></li></ol><p></p><p><br></p>
      references: []
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N'
  priority: 3
  remediationComplexity: 1
  details:
    - locale: EN
      title: Credential Guard Configuration
      vulnType: Pentest
      description: >-
        <p>Credential Guard is a security feature introduced in Windows 10 and
        Windows Server 2016 that helps protect against credential theft and
        unauthorized access to sensitive credentials on a Windows system. It is
        specifically designed to defend against Pass-the-Hash (PtH) and
        Pass-the-Ticket (PtT) attacks.</p><p>Credential theft attacks typically
        target the authentication process by stealing or manipulating user
        credentials, such as usernames and passwords, stored in memory or the
        Local Security Authority (LSA) process. These attacks allow adversaries
        to gain unauthorized access to systems, networks, or sensitive
        resources.</p><p>Credential Guard leverages virtualization-based
        security to isolate and protect these credentials. It utilizes
        virtualization technology, such as Hyper-V, to create a separate
        isolated environment called the "security boundary." Within this
        security boundary, sensitive credentials are stored and processed,
        effectively isolating them from the rest of the system, including the
        operating system and user processes.</p><p>By isolating credentials in a
        protected environment, Credential Guard helps prevent unauthorized
        access or tampering by malicious actors. It ensures that even if an
        attacker gains access to the operating system or compromises the system
        at a lower level, they cannot access or extract sensitive credentials
        stored within Credential Guard.</p><p>Key features and benefits of
        Credential Guard include:</p><ol><li><p>Protection against Pass-the-Hash
        and Pass-the-Ticket attacks.</p></li><li><p>Isolation of credentials in
        a separate security boundary.</p></li><li><p>Use of virtualization-based
        security technology for enhanced
        protection.</p></li><li><p>Compatibility with existing authentication
        methods, such as Kerberos and NTLM.</p></li><li><p>Integration with
        other security technologies, like Windows Hello for Business and Windows
        Defender Credential Guard.</p></li></ol><p>Overall, Credential Guard
        strengthens the security posture of Windows systems by safeguarding
        sensitive credentials and mitigating the risk of credential theft
        attacks.</p>
      remediation: >-
        <p>Follow the steps provided by Microsoft [1] to enabled Credential
        Guard.</p>
      references:
        - >-
          [1]
          https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
        - 'https://blog.nviso.eu/2018/01/09/windows-credential-guard-mimikatz/'
        - >-
          https://blog.netwrix.com/2023/02/06/using-windows-defender-credential-guard-to-protect-privileged-credentials/
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'
  priority: 2
  remediationComplexity: 3
  details:
    - locale: EN
      title: Applocker Configuration
      vulnType: Pentest
      description: >-
        <p>AppLocker is a security feature introduced in Windows 7 and Windows
        Server 2008 R2, and it is available in subsequent versions of Windows.
        It is designed to help organizations enforce application control
        policies by allowing or blocking the execution of specified applications
        and scripts.</p><p>AppLocker enables administrators to define rules that
        determine which applications are allowed to run on a system. These rules
        can be based on various criteria, including file path, file hash,
        publisher, or digital signature. By configuring these rules,
        administrators have granular control over the types of applications that
        can be executed on managed systems.</p><p>Key features and benefits of
        AppLocker include:</p><ol><li><p>Application Whitelisting:
        Administrators can create rules that specify which applications are
        allowed to run, effectively whitelisting approved applications. This
        helps prevent unauthorized or malicious software from running on the
        system.</p></li><li><p>Rule Enforcement: AppLocker enforces the
        configured rules at the operating system level, ensuring that only
        approved applications are allowed to execute. It helps protect against
        unauthorized software installations and execution
        attempts.</p></li><li><p>Flexible Rule Criteria: Rules can be created
        based on various criteria, including file attributes, publisher
        information, digital signatures, and path locations. This flexibility
        allows organizations to define specific policies tailored to their
        needs.</p></li><li><p>Centralized Management: AppLocker can be managed
        through Group Policy, providing a centralized management interface for
        creating, deploying, and maintaining application control policies across
        multiple systems.</p></li><li><p>Auditing and Reporting: AppLocker
        provides auditing capabilities to track and monitor application
        execution attempts. Detailed logs and reports help administrators
        identify and investigate unauthorized or blocked application
        activities.</p></li></ol><p>AppLocker is primarily aimed at
        organizations that require strict control over the software running on
        their systems, such as enterprises, government agencies, and regulated
        industries. It helps enhance security by preventing the execution of
        unauthorized or potentially malicious applications, reducing the attack
        surface and mitigating the risk of malware infections and unauthorized
        software usage.</p>
      remediation: >-
        <p>Where applicable use WDAC (see [1]).</p><p>If not feasible, implement
        Applocker to further harden the system against attacks.</p><p>Follow the
        guidelines referenced from Microsoft [2].</p>
      references:
        - >-
          [1]
          https://learn.microsoft.com/de-de/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview
        - >-
          [2]
          https://learn.microsoft.com/de-de/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'
  priority: 3
  remediationComplexity: 1
  details:
    - locale: EN
      title: DHCPv6 Settings
      vulnType: Pentest
      description: >-
        <p>In DHCPv6, one of the potential attack vectors is related to the
        DHCPv6 offer process, specifically when configuring DNS servers. Here's
        an explanation of DHCPv6 attacks related to setting DNS servers via DHCP
        offers:</p><ol><li><p>Rogue DHCPv6 Server: An attacker can set up a
        rogue DHCPv6 server on the network to offer malicious DNS server
        addresses in the DHCPv6 response. When clients request DHCPv6
        configuration, they may receive a DHCPv6 offer from the rogue server
        with DNS server addresses that the attacker controls. This can redirect
        the client's DNS queries to malicious DNS servers under the attacker's
        control.</p></li><li><p>DNS Spoofing: By providing malicious DNS server
        addresses in the DHCPv6 offer, an attacker can perform DNS spoofing.
        When clients use the offered DNS servers to resolve domain names, the
        attacker's DNS servers respond with false or malicious information. This
        can lead to users being redirected to malicious websites, phishing
        attacks, or manipulation of DNS responses to gain unauthorized access to
        sensitive information.</p></li><li><p>MITM Attacks: DHCPv6 DNS server
        configuration can also be exploited for Man-in-the-Middle (MitM)
        attacks. An attacker may intercept the DHCPv6 offer and modify the DNS
        server addresses to point to their own server. This enables the attacker
        to intercept DNS queries and responses, allowing them to monitor or
        manipulate the communication between the client and legitimate DNS
        servers.</p></li></ol><p>Normally companies have a DHCPv4 server running
        but not one for DHCPv6. Modern Windows versions ship with IPv6 enabled,
        which takes precedence over IPv4. Hence out of the box these systems are
        likely to be vulnerable to the before mentioned attacks.</p>
      remediation: >-
        <p>To mitigate the described attacks, the following measures can be
        implemented:</p><p>Disable IPv6: If IPv6 is not required, it is
        recommended to disable the IPv6 interface on client systems. This can be
        done through network adapter settings or registry
        configurations.</p><p>Prefer IPv4 over IPv6: Network configurations can
        be adjusted to prioritize IPv4 connectivity over IPv6. This can be done
        by modifying network interface settings or network routing
        configurations. In these cases the valid IPv4 configuration for e.g. DNS
        will "overrule" the rouge IPv6 DNS setting.</p><p>Exercise caution in
        disabling IPv6 on Servers: Microsoft advises against disabling IPv6 in
        server environments, as it may cause disruptions to critical
        functionalities such as Exchange or Domain Controllers. Careful
        consideration should be given before disabling IPv6 on
        servers.</p><p>Configure IPS/IDS Rules: Intrusion Prevention Systems
        (IPS) or Intrusion Detection Systems (IDS) can be configured with
        additional rules specifically designed to detect and mitigate DHCPv6
        attacks. These rules should be regularly updated to address emerging
        threats.</p><p>Use Encrypted Connections: To prevent man-in-the-middle
        attacks, it is recommended to utilize encrypted connections wherever
        possible. This includes using secure protocols such as HTTPS for web
        communications and implementing VPNs (Virtual Private Networks) for
        secure remote access.</p><p>Specify Static Gateway and DNS Server: If
        IPv6 is necessary, it is advisable to manually configure and specify the
        gateway and DNS server addresses statically. This reduces the risk of
        DNS-related attacks by eliminating the reliance on DHCPv6 for network
        configuration.</p>
      references:
        - >-
          https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
        - >-
          https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'
  priority: 1
  remediationComplexity: 1
  details:
    - locale: EN
      title: BIOS Hardening
      vulnType: Pentest
      description: >-
        <p>The Basic Input/Output System (BIOS) is a firmware that is embedded
        in a computer's motherboard. It is responsible for initializing hardware
        components during the boot process and providing a basic set of
        instructions for the operating system to interact with the
        hardware.</p><p>Securing the BIOS with a password is important for
        several reasons:</p><ol><li><p>Unauthorized access prevention: Setting a
        BIOS password adds an extra layer of security to your computer system.
        It prevents unauthorized users from accessing and modifying critical
        BIOS settings, such as boot order, hardware configurations, and security
        features.</p></li><li><p>Protection against unauthorized booting: A BIOS
        password helps protect against unauthorized booting of the system from
        external devices, such as USB drives or optical media. It ensures that
        only authorized individuals can boot the system, reducing the risk of
        unauthorized access or malware infections.</p></li><li><p>Data
        protection: By securing the BIOS, you can help protect sensitive data
        stored on your computer. If someone tries to tamper with the BIOS
        settings or remove the hard drive, they will be unable to access the
        data without the BIOS password.</p></li><li><p>Preventing malicious
        firmware modifications: Securing the BIOS helps prevent unauthorized
        modifications to the firmware itself. Malicious actors could potentially
        modify the BIOS to install persistent malware or compromise the system's
        integrity. A BIOS password reduces the risk of such
        tampering.</p></li><li><p>Compliance and regulatory requirements: In
        certain industries or organizations, securing the BIOS with a password
        may be necessary to comply with industry regulations or internal
        security policies. It demonstrates a proactive approach to securing
        computer systems and protecting sensitive
        information.</p></li></ol><p>It's important to note that while a BIOS
        password provides a level of security, it is not foolproof. Advanced
        attackers may still find ways to bypass or reset the BIOS password.
        However, setting a BIOS password is a recommended security practice that
        can help mitigate the risk of unauthorized access and protect system
        integrity.</p>
      remediation: <p>A strong and unique password for each system should be used.</p>
      references: []
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N'
  priority: 2
  remediationComplexity: 2
  details:
    - locale: EN
      title: Writeable SYSTEM Path Folders
      vulnType: Pentest
      description: >-
        <p>Granting low-privileged users write rights over folders that are in
        the SYSTEM Path variable can pose security risks due to the following
        reasons:</p><ul><li><p>Malicious code execution: If low-privileged users
        can write to the folders in the SYSTEM Path variable, they could
        potentially place malicious executables or scripts in those folders.
        This could allow them to execute arbitrary code with elevated
        privileges, bypassing security controls.</p></li><li><p>DLL hijacking:
        By placing a malicious DLL (Dynamic Link Library) with the same name as
        a legitimate DLL used by an application in one of the writable folders,
        low-privileged users can trick the application into loading the
        malicious DLL. This can lead to arbitrary code execution or privilege
        escalation.</p></li><li><p>Path hijacking: If low-privileged users can
        modify the SYSTEM Path variable, they can manipulate the order of folder
        paths. This can result in unintended application behavior, as an
        attacker can substitute a legitimate executable or script with a
        malicious one in a folder they have write access
        to.</p></li><li><p>Privilege escalation: Exploiting write access to
        folders in the SYSTEM Path variable can be used as a stepping stone for
        privilege escalation. By placing a malicious executable in a writable
        folder, an attacker can trick a higher-privileged user or system process
        to execute it, potentially gaining elevated privileges.</p></li></ul>
      remediation: >-
        <p>To mitigate these risks, it is recommended to restrict write access
        to folders in the SYSTEM Path variable to only trusted administrators or
        authorized users. Regular users should not have write permissions on
        these folders to prevent unauthorized modifications and potential
        security breaches.</p>
      references: []
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N'
  details:
    - locale: EN
      title: WDAC Settings
      vulnType: Pentest
      description: >-
        <p>Windows Defender Application Control (WDAC) is a security feature in
        Windows 10 that helps protect systems against malware and unauthorized
        software execution, and is the successor to Applocker. WDAC utilizes
        code integrity policies to enforce strict control over which
        applications and code can run on a device.</p><p>WDAC operates by
        establishing a trusted set of rules that define which applications are
        allowed to execute based on factors such as digital signatures, file
        hashes, and other criteria. These rules create a whitelist of trusted
        applications and prevent the execution of unauthorized or malicious
        code.</p><p>With WDAC, organizations can define and enforce policies
        that specify which software is allowed to run, reducing the risk of
        malware infection and unauthorized software installations. It adds an
        additional layer of protection by verifying the integrity and
        authenticity of applications before they are executed.</p><p>WDAC
        leverages virtualization-based security technologies, such as Virtual
        Secure Mode (VSM) and hardware-based security features, to provide a
        highly secure execution environment. It helps protect against
        kernel-level exploits, code injection attacks, and other advanced
        malware techniques.</p><p>By implementing WDAC, organizations can
        strengthen their security posture, reduce the attack surface, and ensure
        that only trusted and authorized applications can run on their Windows
        10 devices.</p>
      remediation: >-
        <p>Enabling Windows Defender Application Control (WDAC) involves several
        steps and requires specific configurations. Here's a general outline of
        the process:</p><ul><li><p>Verify System Requirements: Ensure that your
        system meets the hardware and software requirements for WDAC. This
        includes having a compatible version of Windows 10 Enterprise or Windows
        Server, a compatible processor with virtualization extensions, and
        Secure Boot enabled.</p></li><li><p>Create Code Integrity Policies: WDAC
        relies on code integrity policies to define the rules for application
        and code execution. You need to create and configure these policies
        based on your organization's requirements. This involves specifying
        trusted sources, file hashes, and other criteria that determine which
        applications are allowed to run.</p></li><li><p>Deploy WDAC Policies:
        Once the code integrity policies are defined, you need to deploy them to
        the target devices. This can be done using Group Policy, Configuration
        Manager, or other deployment tools. Ensure that the policies are
        distributed and applied correctly to the intended
        devices.</p></li><li><p>Test and Validate Policies: It's crucial to
        thoroughly test and validate the WDAC policies to ensure that they
        function as intended. This includes verifying that only trusted
        applications can run while unauthorized or malicious code is blocked.
        Conduct thorough testing to identify any potential conflicts or
        issues.</p></li><li><p>Monitor and Maintain WDAC: After enabling WDAC,
        it's essential to monitor and maintain the policies regularly. Monitor
        system logs and events to identify any policy violations or potential
        threats. Update and maintain the code integrity policies as needed to
        adapt to changes in your environment.</p></li></ul><p>It's important to
        note that the specific steps and configurations for enabling WDAC may
        vary depending on factors such as your organization's security
        requirements, network infrastructure, and device configuration. It's
        recommended to consult Microsoft's official documentation or seek
        guidance from a qualified IT professional for detailed instructions and
        best practices tailored to your specific environment.</p>
      references:
        - >-
          https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'
  priority: 2
  remediationComplexity: 1
  details:
    - locale: EN
      title: Access to System Tools and Settings
      vulnType: Pentest
      description: >-
        <p>System tools on a Windows system refer to built-in utilities and
        applications that provide various functionalities for managing and
        configuring the operating system. These tools are typically designed to
        perform critical system tasks, diagnostics, troubleshooting, system
        configuration, and administration. Some common examples of system tools
        in Windows include Command Prompt (cmd.exe), PowerShell, Task Manager,
        Registry Editor, Event Viewer, Device Manager, and Disk Management,
        among others. Changing settings for things like the system proxy,
        firewall rules and states, network configuration and even installing or
        uninstalling software is referred to as system settings.</p><p>While
        system tools and settings are essential for system administrators and
        power users to effectively manage and maintain the system, granting
        access to these tools to normal users can pose security concerns. Here
        are a few reasons:</p><ul><li><p>Unauthorized System Modifications:
        System tools often have the capability to modify system settings,
        configurations, and critical files. If normal users have access to these
        tools, they may unintentionally or maliciously modify system settings,
        leading to system instability, performance issues, or security
        vulnerabilities.</p></li><li><p>Privilege Escalation: Certain system
        tools can be leveraged to escalate privileges or execute commands with
        elevated permissions. If normal users have access to such tools, they
        may attempt to exploit them to gain unauthorized access or perform
        actions that they should not have privileges
        for.</p></li><li><p>Exposure of Sensitive Information: System tools can
        provide access to sensitive system information, logs, or files that may
        contain confidential data. Allowing normal users to access these tools
        may expose sensitive information or compromise data
        privacy.</p></li><li><p>Malware Execution: Malware often attempts to
        leverage system tools to carry out its malicious activities. Granting
        access to these tools to normal users increases the risk of
        inadvertently executing malware or running malicious
        commands.</p></li></ul><p>To mitigate these security concerns, it is
        generally recommended to restrict access to system tools and settings
        and limit their usage to trusted administrators or privileged accounts.
        User access control, proper permission settings, and implementing the
        principle of least privilege can help minimize the risk associated with
        normal users accessing system tools.</p>
      remediation: >-
        <p>Restrict access to tools that are meant mainly for administrative
        purposes as much as possible.<br>This can be done via GPOs or
        Intune.</p>
      references: []
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'
  priority: 3
  remediationComplexity: 1
  details:
    - locale: EN
      title: NetBIOS Name Resolution / LLMNR / mDNS Settings
      vulnType: Pentest
      description: >-
        <p>NetBIOS Name Resolution, Link-Local Multicast Name Resolution (LLMNR)
        and Multicast DNS (mDNS) are protocols used for name resolution in
        Windows networks. They allow devices on a local network to discover and
        communicate with each other by resolving computer names to IP
        addresses.</p><p>NetBIOS Name Resolution: NetBIOS (Network Basic
        Input/Output System) is a legacy protocol used for communication between
        devices on a local network. NetBIOS Name Resolution translates NetBIOS
        names (computer names) to IP addresses. It relies on broadcast messages
        to resolve names, which can be inefficient and pose security
        risks.</p><p>LLMNR: LLMNR is a modern replacement for NetBIOS Name
        Resolution introduced in Windows Vista and later versions. It performs a
        similar function as NetBIOS Name Resolution but uses multicast messages
        instead of broadcasts. LLMNR is intended to resolve names on local
        networks when DNS name resolution fails.</p><p>mDNS: mDNS (Multicast
        DNS) is a protocol that allows devices on the same local network to
        resolve hostnames without the need for a centralized DNS server. It is
        part of the <strong>Z</strong>ero-Configuration Networking (Zeroconf)
        suite and is widely used for device and service discovery, especially in
        home networks or small office setups.</p><p>Security Concerns: NetBIOS
        Name Resolution, LLMNR and mDNS can introduce security risks,
        particularly when they are enabled on systems connected to untrusted
        networks or outside the local network.</p><ul><li><p>Man-in-the-Middle
        (MitM) Attacks: When NetBIOS Name Resolution, LLMNR or mDNS are enabled,
        an attacker can intercept and respond to name resolution queries, posing
        as the intended device. This allows them to redirect network traffic to
        their own system, enabling potential eavesdropping, data interception,
        or modification of network communications.</p></li><li><p>Name Spoofing
        and Identity Theft: By responding to name resolution queries, an
        attacker can potentially spoof the identity of legitimate devices on the
        network. This can lead to confusion, unauthorized access, or identity
        theft.</p></li><li><p>Information Disclosure: Name resolution requests
        can leak sensitive information, such as computer names and domain
        information, which can be exploited by an attacker for reconnaissance or
        targeted attacks.</p></li></ul><p>To mitigate these security concerns,
        it is generally recommended to disable NetBIOS Name Resolution, LLMNR
        and mDNS, especially on systems connected to untrusted networks or when
        not required for local network functionality. Instead, relying on more
        secure name resolution mechanisms like DNS (Domain Name System) is
        recommended. Disabling these protocols can help reduce the attack
        surface and protect against potential MitM attacks and other security
        vulnerabilities.</p>
      remediation: >-
        <p>NetBIOS should be disabled on all systems that don't need to be
        compatible with Windows 2000 or older OS. It can be disabled via DHCP or
        GPO.<br></p><img class="custom-image" src="64998d53b1221cb2c209eb7d"
        alt="NetBIOS settings in registry"><p></p><p>You can change all adapters
        to 2 like so:</p><p><code>$regkey =
        "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"</code><br><code>Get-ChildItem
        $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)"
        -Name NetbiosOptions -Value 2 -Verbose}</code></p><p>The same applies to
        LLMNR. However, it can only be disabled via GPO or a script.</p><img
        class="custom-image" src="64998dceb1221cb2c209eb83" alt="GPO settings to
        disable LLMNR"><p><code>Computer Configuration -&gt; Administrative
        Templates -&gt; Network -&gt; DNS Client -&gt; Turn off multicast name
        resolution</code></p><p><code>set-ItemProperty -Path
        "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -name
        EnableMulticast -Value 0<br>new-ItemProperty -Path
        "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -name
        "EnableMulticast" -Value 0 -Type DWord</code><br><br>mDNS can be
        disabled via the registry as well:<br><code>Set-ItemProperty
        "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name
        EnableMDNS -Value 0

        New-ItemProperty
        "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\" -Name
        EnableMDNS -Value 0 -Type DWord</code></p>
      references:
        - 'https://luemmelsec.github.io/Relaying-101/'
        - >-
          https://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'
  details:
    - locale: EN
      title: SMB Server Settings
      vulnType: Pentest
      description: >-
        <p>SMB (Server Message Block) is a network protocol used for file and
        printer sharing between computers. There are different versions of the
        SMB protocol, including SMB1 (also known as CIFS - Common Internet File
        System), SMB2, SMB2.1, SMB3, and SMB3.02.</p><p>SMB signing is a
        security feature that helps protect against tampering and unauthorized
        access of SMB traffic. When signing is enabled, the SMB server and
        client sign the SMB packets, providing a way to verify the integrity and
        authenticity of the data exchanged between them.</p><p>Here's an
        overview of SMB protocol versions and their support for
        signing:</p><ol><li><p>SMB1 (CIFS): SMB1 supports SMB message signing.
        It provides a basic level of security, but it is considered outdated and
        less secure compared to newer versions.</p></li><li><p>SMB2 and newer:
        Starting from SMB2, the protocol introduced significant improvements in
        terms of performance and security. SMB2 supports stronger encryption
        algorithms and the ability to negotiate signing as a security
        feature.</p></li></ol><ul><li><p>SMB2.1: This version adds support for
        larger buffer sizes and better performance.</p></li><li><p>SMB3: SMB3
        further enhances security and performance. It introduces features like
        encryption and transparent failover for continuous
        availability.</p></li><li><p>SMB3.02: This version adds improvements for
        SMB Direct, which enables high-speed data transfers using RDMA (Remote
        Direct Memory Access).</p></li></ul><p>Not having SMB signing enabled
        can pose security risks, especially in the context of relay attacks. A
        relay attack involves an attacker intercepting and forwarding SMB
        traffic between a client and a server, potentially tampering with or
        impersonating the communication.</p><p>When SMB signing is disabled, an
        attacker can modify SMB packets in transit without detection,
        potentially injecting malicious code or manipulating data. By enabling
        SMB signing, the server and client can verify the integrity and
        authenticity of the SMB traffic, reducing the risk of unauthorized
        modification or tampering.</p><p>Enabling SMB signing helps protect
        against attacks like Man-in-the-Middle (MitM) attacks, where an attacker
        intercepts SMB traffic and manipulates it to gain unauthorized access or
        extract sensitive information. By ensuring that SMB packets are signed,
        the receiving party can verify the origin and integrity of the data,
        making it harder for an attacker to tamper with the
        communication.</p><p>It is recommended to enable SMB signing for
        improved security, particularly in environments where sensitive data is
        being transmitted over SMB connections.</p>
      remediation: >-
        <p>Activate SMB Signing wherever possible.</p><p>This can be done e.g.
        via GPO:</p><p><code>Computer Configuration -&gt; Policies -&gt; Windows
        Settings -&gt; Security Settings -&gt; Local Policies -&gt; Security
        Options -&gt; "Microsoft network server: Digitally sign communications
        (always)"</code></p><p>It's important to test the changes in a
        controlled environment and verify that SMB signing is working as
        expected before applying the GPO to production systems.</p>
      references: 
        - >-
        'https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-6-–-enforcing-smb-signing/4272168'
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'
  priority: 2
  remediationComplexity: 1
  details:
    - locale: EN
      title: Windows Firewall Settings
      vulnType: Pentest
      description: >-
        <p>The Windows Firewall is a built-in security feature in Windows
        operating systems that helps protect your computer from unauthorized
        network access. It acts as a barrier between your computer and external
        networks, controlling incoming and outgoing network traffic based on
        predefined rules.</p><p>Here are some reasons why the Windows Firewall
        should be turned on:</p><ul><li><p>Network Security: The primary purpose
        of the firewall is to safeguard your computer from malicious network
        activity, such as unauthorized access, hacking attempts, malware, and
        network-based attacks.</p></li><li><p>Blocking Unauthorized Connections:
        The firewall blocks incoming connections that are not explicitly allowed
        by the configured rules. This prevents unauthorized access to your
        computer and helps protect your personal and sensitive
        information.</p></li><li><p>Outbound Traffic Control: The firewall also
        monitors and controls outgoing network traffic. It prevents potentially
        harmful programs or malware from connecting to the internet without your
        knowledge, reducing the risk of data leakage and preventing unauthorized
        communications.</p></li><li><p>Default Protection: Windows Firewall is
        enabled by default on most Windows installations. Keeping it enabled
        ensures that you have a baseline level of protection even if you don't
        have any additional third-party security solutions
        installed.</p></li></ul>
      observation: >-
        <p>Scoring hardly depends on what you found.<br>Disabled Firewall =
        High<br>Enabled Firewall with any-any is the same ^^<br>Enabled firewall
        with bigger security holes might be medium ...</p>
      remediation: >-
        <p>To ensure the effective use of the Windows Firewall, it's important
        to follow these best practices:</p><ul><li><p>Enable the Firewall:
        Always ensure that the Windows Firewall is enabled on your computer to
        provide the first line of defense against unauthorized network
        access.</p></li><li><p>Use Default Firewall Profiles: Windows Firewall
        provides separate profiles for different network locations (Domain,
        Private, Public). Configure the appropriate profile for each network
        connection to apply the necessary rules based on the network's trust
        level.</p></li><li><p>Allow Only Necessary Ports: By default, the
        Windows Firewall blocks all incoming connections. If you need to allow
        specific network services or applications, create custom rules to open
        only the necessary ports in both inbound and outbound directions. This
        reduces the attack surface and minimizes the risk of unwanted
        access.</p></li><li><p>Regularly Update Firewall Rules: Periodically
        review and update your firewall rules to ensure they reflect your
        current network requirements. Remove any unnecessary or obsolete rules
        to maintain an efficient and secure
        configuration.</p></li></ul><p>Overall, enabling and properly
        configuring the Windows Firewall is an essential step in securing your
        computer and protecting it from unauthorized network access and
        potential threats.</p>
      references:
        - >-
          https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring
      customFields: []
  category: System Security

- cvssv3: null
  priority: 3
  remediationComplexity: 1
  details:
    - locale: EN
      title: Antivirus Configuration
      vulnType: Pentest
      description: >-
        <p>Antivirus (AV) software, also known as antivirus or anti-malware
        software, is designed to protect computers and other devices from
        malicious software, such as viruses, worms, Trojans, spyware, adware,
        and other types of malware. Its primary purpose is to detect, prevent,
        and remove malicious programs that can harm your computer system or
        compromise your data.</p><p>Here are some key reasons why it is
        important to have AV software turned on:</p><ul><li><p>Malware
        Protection: AV software scans files, programs, and websites for known
        malware signatures and behavioral patterns, preventing them from
        infecting your system. It helps safeguard your computer against viruses,
        which can cause data loss, system crashes, or unauthorized
        access.</p></li><li><p>Real-Time Protection: AV software provides
        real-time monitoring of files and activities on your computer, detecting
        and blocking malware threats as they occur. This proactive approach
        helps prevent malware from executing and spreading throughout your
        system.</p></li><li><p>Web Protection: Many AV solutions include web
        protection features that help block access to malicious websites or warn
        you about potentially dangerous sites. This protects you from phishing
        attempts, drive-by downloads, and other web-based
        threats.</p></li><li><p>Email Protection: AV software often integrates
        with email clients to scan incoming and outgoing email attachments for
        malware. It helps prevent the spread of infected files through email and
        reduces the risk of falling victim to email-borne threats, such as
        phishing emails or malicious attachments.</p></li><li><p>Vulnerability
        Detection: Some AV software includes vulnerability scanning features
        that identify security weaknesses in your operating system or installed
        applications. By identifying vulnerabilities, you can take necessary
        steps to patch or update software, minimizing the risk of exploitation
        by malware.</p></li><li><p>Data Protection: AV software helps protect
        your personal and sensitive information by preventing unauthorized
        access or theft. It can detect keyloggers, screen capture tools, and
        other types of spyware that aim to collect your private
        data.</p></li><li><p>System Performance: While AV software performs
        resource-intensive tasks like scanning files and monitoring activities,
        modern solutions are designed to minimize impact on system performance.
        They use optimized scanning algorithms and leverage hardware
        acceleration to ensure efficient protection without significantly
        slowing down your computer.</p></li></ul><p>In summary, having AV
        software turned on is crucial for maintaining a secure and safe
        computing environment. It helps protect your system, data, and privacy
        from various malware threats, ensuring a smoother and more secure
        digital experience.</p>
      observation: >-
        <p>Rating hardly depends on what is setup.<br>Is AV on or not?<br>Many
        exclusions that can be reviewed by anyone? Are they lax?<br>All features
        enabled or are crucial ones missing?</p>
      remediation: >-
        <p>An AV solution should be installed and actively running on each
        system.<br>The product itself as well as its patterns should be kept
        up-to-date at any time.<br>Harden the systems as much as possible by
        making use of all features provided by your AV.<br>Ensure that things
        like tamper protection are enabled and can't be disabled by normal users
        - best also not by administrators.<br>Exclusions should be kept to a
        minimum, where possible individually by system. So you should not
        globally exclude path x or application y, just because you need it on
        one system out of hundreds.<br></p>
      references: []
      customFields: []
  category: System Security

- cvssv3: null
  priority: 3
  remediationComplexity: 2
  details:
    - locale: EN
      title: Proxy Settings
      vulnType: Pentest
      description: >-
        <p>A proxy server acts as an intermediary between a client (such as a
        computer or device) and the internet. When a client requests a resource
        from the internet, the request first goes through the proxy server,
        which then forwards the request on behalf of the client. The proxy
        server can provide various functions, including caching, filtering, and
        anonymizing the client's requests.</p><p>The primary reasons for using a
        proxy server are:</p><ul><li><p>Anonymity and Privacy: By using a proxy
        server, the client's IP address and other identifying information can be
        masked. This helps protect the client's privacy and adds a layer of
        anonymity when accessing websites or online
        services.</p></li><li><p>Caching and Performance: Proxy servers can
        store copies of frequently accessed web resources, allowing subsequent
        requests for the same resource to be fulfilled from the cache. This
        reduces bandwidth usage and improves performance by delivering content
        faster to the client.</p></li><li><p>Content Filtering and Access
        Control: Proxy servers can be configured to filter web content based on
        predefined rules. This allows organizations to enforce access policies,
        block malicious websites, or restrict access to certain categories of
        content, enhancing security and productivity.</p></li></ul><p>Now,
        regarding security issues, not using a proxy server when required or
        recommended can pose several risks:</p><ul><li><p>Data Leaks: Without a
        proxy server, client requests are made directly to the destination
        server, potentially revealing the client's IP address and other
        identifying information. This information can be used for tracking,
        targeting, or profiling the client.</p></li><li><p>Bypassing Security
        Controls: Proxy servers can implement security controls such as
        antivirus scanning, intrusion detection, or content filtering. Not using
        a proxy may bypass these controls, increasing the risk of accessing
        malicious or inappropriate content.</p></li><li><p>Exposure to Malicious
        Content: Proxy servers can provide an additional layer of defense by
        scanning and filtering web content for malware or malicious scripts.
        Without a proxy, clients may be more exposed to such
        threats.</p></li><li><p>Limited Access Management: Proxy servers allow
        organizations to enforce access policies, blocking access to
        unauthorized websites or limiting access to specific resources. Not
        using a proxy can make it challenging to manage and control internet
        access, leading to potential security and compliance
        issues.</p></li></ul><p>In summary, using a proxy server offers benefits
        such as privacy, performance, and security controls. Neglecting to use a
        proxy, when necessary or advised, can compromise privacy, expose clients
        to security risks, and make it challenging to enforce access policies
        and protect against malicious content.</p>
      observation: >-
        <p>Rating depends on what you found.<br>No proxy - bad<br>Proxy but it
        doesn't filter - bad<br>Try to download Malware via HTTP, HTTPS, in a
        ZIP file, in an encrypted ZIP file etc.</p>
      remediation: >-
        <p>Use a proxy, either locally or in a central place.<br>Make sure to
        block malicious web traffic.<br>Inspect secured traffic for malware -
        SSL inspection.</p>
      references: []
      customFields: []
  category: System Security

- cvssv3: null
  details:
    - locale: EN
      title: Software Lifecycle Management
      vulnType: Pentest
      description: >-
        <p>Used soft- and firmware as well as operating systems should always be
        kept to the most current versions.</p><p>Using outdated versions poses
        several direct and indirect security risks like:<br>- Security
        vulnerabilities: outdated software may have unpatched security holes
        that can be exploited by attackers.<br>- Compatibility issues: new
        hardware or software may not be compatible with old systems.<br>-
        Performance degradation: outdated software may run slower, become less
        responsive, or crash more often.<br>- Lack of features: newer software
        may have additional features or improvements that are not available in
        older versions.<br>- Compliance problems: outdated software may not meet
        industry regulations or standards.<br><br>So staying up to date is a
        mandatory requirement to a matured security culture and should be part
        of the patch management process.</p>
      observation: >-
        <p>Criticality depending on what could be achieved due to systems and
        software being outdated.</p>
      remediation: >-
        <p>Check if any of the mentioned software components can be upgraded /
        updated and if important security updates are missing.<br>Implement a
        patch management strategy and process that ensures that all your systems
        are up to date and that updates are applied timely according to their
        criticality.<br>Apply workarounds when no patches are available when
        tackling critical flaws.</p>
      references: []
      customFields: []
  category: System Security
  priority: 3
  remediationComplexity: 2

- cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'
  priority: 2
  remediationComplexity: 1
  details:
    - locale: EN
      title: RDP Configuration
      vulnType: Pentest
      description: >-
        <p><br>Remote Desktop Protocol (RDP) is a technology developed by
        Microsoft that allows users to connect to and control a remote computer
        over a network connection. It enables remote access to resources,
        applications, and desktop environments on a remote system.</p><p>RDP can
        be convenient for various purposes, such as remote administration,
        technical support, and remote work scenarios. However, if not properly
        secured, RDP can pose security risks. Some of the potential risks
        include:</p><ul><li><p>Unauthorized access: If RDP is exposed to the
        internet or not adequately protected, it can become a target for
        malicious actors attempting to gain unauthorized access to
        systems.</p></li><li><p>Brute-force attacks: Attackers can launch
        brute-force attacks against RDP sessions, trying various username and
        password combinations to gain access.</p></li><li><p>Vulnerabilities:
        Like any software, RDP implementations can have security vulnerabilities
        that can be exploited by attackers.</p></li></ul><p>Network Level
        Authentication (NLA) is a security feature in RDP that can help mitigate
        some of these risks. NLA requires users to authenticate themselves
        before establishing a remote desktop connection. It adds an extra layer
        of security by verifying the user's credentials before allowing access
        to the remote system. With NLA enabled, the remote system must
        authenticate the user before a full RDP session is initiated, reducing
        the risk of unauthorized access.</p><p>By enabling NLA, potential
        security risks associated with RDP can be mitigated, as it helps ensure
        that only authenticated and authorized users can establish remote
        desktop connections. It is recommended to configure RDP with NLA and
        follow best practices for securing RDP connections, such as using strong
        passwords, enabling network firewalls, keeping the RDP software up to
        date, and restricting access to trusted networks or specific IP
        addresses.</p>
      remediation: >-
        <p>If possible disable RDP completely.<br>If not possible, harden access
        by enforcing NLA. This can be done via GPO or directly via
        registry:<br><code>Computer Configuration -&gt; Administrative Templates
        -&gt; Windows Components -&gt; Remote Desktop Services -&gt; Remote
        Desktop Session Host -&gt; Security -&gt; Require user authentication
        for remote connections by using Network Level
        Authentication</code></p><p><code>Set-ItemProperty -Path
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal
        Server\WinStations\RDP-Tcp' -Name 'UserAuthentication' -Value
        1</code><br></p><p>Ensure strong passwords or even better MFA for
        accounts that can login remotely.</p>
      references: []
      customFields: []
  category: System Security

- cvssv3: null
  priority: 2
  remediationComplexity: 1
  details:
    - locale: EN
      title: WinRM Settings
      vulnType: Pentest
      description: >-
        <p>WinRM (Windows Remote Management) is a Microsoft Windows feature that
        allows for remote management and execution of commands on Windows
        systems over a network. It enables administrators to remotely manage
        Windows computers using PowerShell or other remote management
        tools.</p><p>WinRM relies on a client-server model, where the client
        (usually a remote administrator) communicates with the WinRM service
        running on the target system to perform management tasks. This allows
        administrators to remotely configure settings, execute commands,
        retrieve information, and perform other administrative tasks without
        physically accessing the system.</p><p>In terms of security
        implications, WinRM introduces potential risks if not properly
        configured and secured. Some key considerations
        include:</p><ul><li><p>Authentication and Authorization: WinRM should be
        configured to use strong authentication mechanisms, such as Kerberos or
        SSL/TLS, to prevent unauthorized access. Access controls should be
        defined to limit who can connect and what actions they can
        perform.</p></li><li><p>Encryption: Communication between the WinRM
        client and server should be encrypted using SSL/TLS to protect sensitive
        data and prevent eavesdropping or tampering.</p></li><li><p>Firewall
        Configuration: The necessary firewall rules should be in place to allow
        WinRM traffic only from trusted sources and block unauthorized access
        from the network.</p></li><li><p>Credential Management: Proper
        management of credentials used for WinRM authentication is essential.
        Secure storage and handling of credentials are crucial to prevent
        unauthorized access to sensitive information.</p></li><li><p>Regular
        Updates: Keeping the WinRM service and underlying operating system up to
        date with the latest security patches is important to address any
        vulnerabilities that may be discovered over time.</p></li></ul><p>By
        considering and implementing these security measures, WinRM can be used
        effectively while minimizing the potential risks associated with remote
        management capabilities.</p>
      remediation: >-
        <p>Follow the guidelines outlined in the description to harden
        WinRM.<br>If possible disable WinRM completely.</p>
      references:
        - >-
          https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.3
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'
  priority: 4
  remediationComplexity: 1
  details:
    - locale: EN
      title: Unquoted Service Paths
      vulnType: Pentest
      description: >-
        <p>Windows services normally start executables. The executable path
        allows the OS to find the correct executable to run for each service.
        The following path is an example of a secure service
        path:</p><p><code>"C:\Programs\Test
        Folder\bin\service.exe"</code></p><p>The following path is an example of
        an unsafe service path:</p><p><code>C:\Program Files\Test
        Folder\bin\service.exe</code></p><p>When Windows attempts to read the
        path to this executable, it interprets the space as a kind of terminator
        if the path is not enclosed in <code>"</code>.&nbsp; So it will attempt
        to execute the following (in
        order):</p><p><code>C:\Program.exe</code></p><p><code>C:\Program
        Files\Test.exe</code></p><p><code>C:\Program Files\Test
        Folder\bin\service.exe</code></p><p>If the directories are configured
        with inappropriate permissions, the attacker can place a malicious
        executable file in them. If the service is set to run with
        administrative privileges (e.g. SYSTEM), the attacker can elevate its
        privileges and gain unauthorized administrative access to the system. In
        this case the attacker would want to try to add the first 2 files to the
        filesystem.</p>
      remediation: >-
        <p>The first step would be to ask the vendor of the affected application
        for an updated versions that fixes the misconfiguration.</p><p>A manual
        workaround would be to manually put the binary path into quotes.</p>
      references:
        - >-
          https://www.ired.team/offensive-security/privilege-escalation/unquoted-service-paths
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'
  details:
    - locale: EN
      title: Password Policy
      vulnType: Pentest
      description: >-
        <p>Using weak passwords has several security implications and is posing
        one of the biggest risks in the IT security threat landscape with the
        following impacts:</p><ul><li><p>Easy to guess: Bad passwords are often
        easily predictable, making it easier for hackers to guess or crack
        them.</p></li><li><p>Dictionary attacks: Poor passwords are susceptible
        to dictionary attacks, where a hacker uses a list of commonly used
        passwords to gain access to an account.</p></li><li><p>Brute force
        attacks: In a brute force attack, a hacker tries every possible
        combination of characters to crack a password, making a weak password
        easier to crack.</p></li><li><p>Reuse: People often reuse the same
        password across multiple accounts, putting all their information at risk
        if a single password is compromised.</p></li><li><p>...</p><p></p><p>If
        the passwords used by the users are not complex enough they can easily
        be guessed or the clear text passwords can trivially be recovered if an
        attacker gets access to their hashed values.</p></li></ul>
      remediation: >-
        <p>The following settings and measures can help to harden access to
        users and their credentials:</p><ul><li><p>Implementing multi-factor
        authentication.</p></li><li><p>Implementing a secure domain wide
        password policy in case of Active Directory. At least 12 characters for
        low privileged and 14 characters for high privileged accounts. For
        service accounts at least 20 characters should be
        used.</p></li><li><p>Using a password manager. Best in combination with
        the possibility for fine granular rights management and MFA
        authentication.</p></li><li><p>Password blacklisting. Ban passwords with
        the company name, seasons, passwords on leaked lists
        etc.</p></li><li><p>Implementing password policies based on the access
        rights of the accounts affected.</p></li><li><p>Regular password
        audits.</p></li><li><p>User awareness campaigns. Especially security
        related trainings for technical staff.</p><p></p></li></ul><p>Best
        practices for the Domain Password
        Policy:</p><ul><li><p>ComplexityEnabled =
        True</p></li><li><p>LockoutDuration &gt;= 15
        Minutes</p></li><li><p>LockoutObservationWindow &gt;= 15
        Minutes</p></li><li><p>LockoutThreshold &lt;= 10
        Minutes</p></li><li><p>MinPasswordLength &gt;=
        12</p></li><li><p>ReversibleEncryptionEnabled = False</p></li></ul>
      references: []
      customFields: []
  category: System Security
  priority: 3
  remediationComplexity: 1

- cvssv3: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'
  priority: 3
  remediationComplexity: 1
  details:
    - locale: EN
      title: Co-installer Configuration
      vulnType: Pentest
      description: >-
        <p>The Windows Co-installer [1] feature is a mechanism used in Windows
        operating systems to facilitate the installation and management of
        device drivers. Co-installers are DLL (Dynamic Link Library) files that
        can be included alongside a device driver package. They provide
        additional functionality and instructions to the Windows Installer
        service during the installation or update of a
        driver.</p><p>Co-installers are used to perform various tasks, such as
        configuring hardware settings, updating firmware, handling complex
        driver installations or even installing additional
        software.</p><p>However, the use of Co-installers can have security
        implications for the following reasons:</p><ul><li><p><strong>Privilege
        Escalation</strong>: Co-installers might run with elevated privileges
        during the driver installation process. If a Co-installer has
        vulnerabilities or malicious code, it could potentially be exploited by
        attackers to escalate their privileges and gain control of the
        system.</p></li><li><p><strong>Code Execution</strong>: Co-installers
        execute code as part of the driver installation process. Malicious
        Co-installers could execute harmful code, leading to various security
        issues, such as unauthorized access, data manipulation, or system
        compromise.</p></li><li><p><strong>Driver Tampering</strong>:
        Co-installers can modify driver settings and configurations. If an
        attacker replaces a legitimate Co-installer with a malicious one, they
        could tamper with the driver's behavior, potentially causing system
        instability or security vulnerabilities.</p></li><li><p><strong>Driver
        Signature Bypass</strong>: Co-installers can sometimes be used to bypass
        driver signature enforcement, which is a security feature that ensures
        drivers are digitally signed by trusted entities. This could enable the
        installation of unsigned or malicious drivers, further compromising
        system security.</p></li></ul><p>There are lots of Co-installers known
        to attackers that can be abused for privilege escalation. Amongst the
        most common ones was the one which comes while installing certain Razer
        devices [2].</p>
      remediation: >-
        <p>Disable the ability to install Co-installers by settings the
        following registry
        key:</p><p><code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device
        Installer\DisableCoInstallers = 1</code></p><p>Users will have to
        install the software that comes with the device drivers manual if really
        needed.</p>
      references:
        - >-
          [1]
          https://learn.microsoft.com/en-us/windows-hardware/drivers/install/writing-a-co-installer
        - >-
          [2]
          https://www.bleepingcomputer.com/news/microsoft/how-to-block-windows-plug-and-play-auto-installing-insecure-apps
        - 'https://www.scip.ch/en/?labs.20211209'
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'
  priority: 3
  remediationComplexity: 1
  details:
    - locale: EN
      title: Secure Boot Configuration
      vulnType: Pentest
      description: >-
        <p>Secure Boot is a security feature in Windows (and other operating
        systems) that helps protect the boot process from malware and
        unauthorized modifications. Here's a brief overview:</p><p>Secure Boot
        works by ensuring that only digitally signed and trusted bootloaders and
        operating system components are allowed to run during the startup
        process. This prevents the execution of malicious code or unauthorized
        firmware and driver modifications that could compromise the system's
        integrity.</p><p>Key points about Secure Boot on
        Windows:</p><ul><li><p><strong>UEFI Requirement</strong>: Secure Boot
        relies on the Unified Extensible Firmware Interface (UEFI) in modern
        computers. It's typically enabled or disabled in the UEFI firmware
        settings.</p></li><li><p><strong>Digital Signatures</strong>:
        Bootloaders, kernel files, and drivers must have valid digital
        signatures from trusted Certificate Authorities (CAs) to be loaded
        during the boot process.</p></li><li><p><strong>Enforcement</strong>:
        When Secure Boot is enabled, the UEFI firmware checks the digital
        signatures of boot components and refuses to load them if they're not
        signed or not signed by trusted
        sources.</p></li><li><p><strong>Protection Against Rootkits</strong>:
        Secure Boot helps protect against rootkits and other low-level malware
        that attempt to compromise the boot
        process.</p></li><li><p><strong>Compatibility Mode</strong>: Some UEFI
        systems offer a compatibility mode that allows non-signed or legacy
        bootloaders to run. However, this weakens the security provided by
        Secure Boot.</p></li><li><p><strong>Hardware Requirements</strong>:
        Secure Boot requires hardware support in the form of a UEFI firmware
        with Secure Boot capabilities.</p></li></ul><p>By enforcing the use of
        trusted boot components, Secure Boot helps safeguard the integrity of
        the operating system and protects against certain types of attacks that
        target the boot process. It's an essential security feature for modern
        Windows systems, especially those running Windows 8 and later
        versions.</p><p>If Secure Boot is not enabled on a system, attackers may
        exploit this vulnerability to carry out various malicious activities,
        including:</p><ul><li><p><strong>Bootkit Attacks</strong>: Attackers can
        inject malicious bootloaders or rootkits during the boot process,
        allowing them to gain control of the system and potentially hide their
        presence from antivirus and security
        software.</p></li><li><p><strong>Malware Persistence</strong>: Without
        Secure Boot, malware can persistently infect the system, making it
        difficult for users to remove the malicious software, even after
        traditional disinfection attempts.</p></li><li><p><strong>Unauthorized
        Kernel Modifications</strong>: Attackers can load unsigned or malicious
        kernel modules, giving them control over the operating system and
        potentially compromising its integrity and
        security.</p></li><li><p><strong>Firmware Tampering</strong>: They can
        modify firmware settings and configurations, potentially leading to
        hardware vulnerabilities or backdoors that are difficult to detect and
        remove.</p></li><li><p><strong>Bypassing Security Measures</strong>:
        Secure Boot helps enforce driver and operating system component
        integrity. When it's disabled, attackers can potentially load unsigned
        or tampered components, bypassing security measures and exposing the
        system to a higher risk of exploitation.</p></li></ul><p>In summary, the
        absence of Secure Boot can leave a system more vulnerable to a range of
        attacks that target the boot process and operating system integrity,
        making it easier for attackers to compromise and control the system.</p>
      remediation: >-
        <p>Enable Secure Boot via the following registry
        key:</p><p><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled
        = 1</code></p><p></p>
      references:
        - >-
          https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'
  details:
    - locale: EN
      title: UAC Configuration
      vulnType: Pentest
      description: >-
        <p>Windows UAC (User Account Control) is a security feature in Windows
        operating systems that helps prevent unauthorized changes to your
        computer by requiring administrator-level permission for certain actions
        and system-level tasks. When a user or application attempts to perform
        an action that requires elevated privileges, UAC prompts the user for
        permission or prompts for an administrator's password, depending on the
        UAC settings.</p><p>Security implications of disabling or setting UAC to
        the weakest setting:</p><ul><li><p><strong>Elevated Attack
        Surface</strong>: Disabling UAC or setting it to the lowest level
        reduces the number of prompts for administrator privileges, making it
        easier for malicious software to execute privileged actions without user
        consent. This increases the attack surface and the risk of malware
        infections.</p></li><li><p><strong>Unauthorized System Changes</strong>:
        Without UAC, applications and scripts can make changes to system
        settings, install software, or modify critical files without any user
        intervention. This can lead to unauthorized system changes and
        potentially compromise the system's stability and
        security.</p></li><li><p><strong>Credential Theft</strong>: Weaker UAC
        settings may lead users to enter their administrator credentials more
        frequently, especially when prompted by malicious software. Attackers
        can then capture these credentials and use them for malicious
        purposes.</p></li><li><p><strong>Malware Evasion</strong>: Malware may
        attempt to disable or weaken UAC to operate more stealthily and avoid
        detection. This can make it harder for security software to identify and
        mitigate malware infections.</p></li><li><p><strong>Data Loss</strong>:
        Weaker UAC settings can allow unauthorized applications to access and
        modify sensitive user data, potentially leading to data loss or
        theft.</p></li></ul><p>In summary, UAC is an important security feature
        in Windows that helps prevent unauthorized changes and reduce the risk
        of malware infections. Disabling UAC or setting it to a weak level can
        significantly increase the system's vulnerability to various security
        threats and should be avoided for the sake of system security. It's
        generally recommended to keep UAC at its default or strongest
        setting.</p>
      remediation: >-
        <p>Enable UAC via GPO or registry.</p><p><code>"Computer Configuration"
        &gt; "Windows Settings" &gt; "Security Settings" &gt; "Local Policies"
        &gt; "Security Options."</code></p><ul><li><p>"Enabled" corresponds to
        the highest security level, "Always notify
        me."</p></li><li><p>"Disabled" corresponds to the lowest security level,
        "Never notify."</p></li><li><p>"Not Configured" leaves the UAC settings
        at their
        default.</p></li></ul><p><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</code></p><ul><li><p>Use
        "1" for the highest security level, "Always notify
        me."</p></li><li><p>Use "0" for the lowest security level, "Never
        notify."</p></li></ul><p></p>
      references:
        - >-
          https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works
      customFields: []
  category: System Security
  priority: 2
  remediationComplexity: 1

- cvssv3: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'
  details:
    - locale: EN
      title: WSUS Client Configuration
      vulnType: Pentest
      description: >-
        <p>WSUS (Windows Server Update Services) is a Microsoft tool that allows
        organizations to manage and distribute updates released by Microsoft to
        Windows computers within their network. WSUS client settings refer to
        the configurations on individual Windows machines that determine how
        they interact with a WSUS server to receive and install
        updates.</p><p>Using HTTP for WSUS communication can pose security risks
        for several reasons:</p><ul><li><p><strong>Lack of Encryption</strong>:
        HTTP does not encrypt the data transmitted between the WSUS server and
        clients. This means that update metadata, files, and potentially
        sensitive information are sent in plain text over the network. Attackers
        could intercept and eavesdrop on this traffic, potentially gaining
        insight into the systems being updated and the updates
        themselves.</p></li><li><p><strong>Tampering Risk</strong>: Without
        encryption, there is a risk that malicious actors could tamper with the
        update files or metadata during transit. This could result in
        compromised updates being applied to client systems, potentially
        introducing malware or
        vulnerabilities.</p></li><li><p><strong>Credential Exposure</strong>: If
        WSUS clients are configured to use HTTP and require authentication
        (e.g., for proxy authentication), the credentials used for
        authentication may also be transmitted in plaintext, making them
        susceptible to interception.</p></li><li><p><strong>Man-in-the-Middle
        Attacks</strong>: HTTP traffic is vulnerable to man-in-the-middle (MITM)
        attacks, where an attacker intercepts and potentially modifies the
        communication between the client and server. This could allow an
        attacker to inject malicious updates or steal sensitive
        data.</p></li></ul>
      remediation: >-
        <p>To address these security concerns, it is recommended to use HTTPS
        for WSUS communication. HTTPS provides encryption and authentication,
        ensuring the confidentiality and integrity of update data and reducing
        the risk of tampering, eavesdropping, and MITM attacks.</p>
      references:
        - >-
          https://learn.microsoft.com/en-us/mem/configmgr/sum/get-started/software-update-point-ssl
      customFields: []
  category: System Security

- cvssv3: 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'
  priority: 3
  remediationComplexity: 2
  details:
    - locale: EN
      title: IPv6 Configuration
      vulnType: Pentest
      description: >-
        <p>IPv6 is the latest version of the Internet Protocol, designed to
        replace IPv4, and it significantly expands the address space available
        for devices connected to the internet, allowing for a vastly larger
        number of unique IP addresses.</p><p>Man-in-the-Middle (MitM) attacks
        against IPv6-enabled clients are a common way of abusing IPv6 enabled
        clients.</p><p>IPv6 is enabled by default on all newer Windows versions
        and broadcast requests for DHCPv6 are sent out.<br>An attacker in the
        same network segment can respond to those requests and assign the
        attacked client an IPv6 address within the link-local range. In the
        provided DHCPv6 settings, the attacker sets a rogue DNS server to
        redirect the traffic of the attacked clients. As IPv6 per default takes
        precedence over IPv4 those settings will be honored first.</p><p></p>
      remediation: >-
        <p>If possible, completely disable IPv6 on all the network interfaces.
        But be aware that some internal server functions rely on IPv6 e.g.
        Domain Controllers and Exchange servers. So act carefully on
        servers.</p><p>Alternatively IPv4 can be given precedence over IPv6, so
        that firstly you valid IPv4 configuration will be prioritized.</p><p>If
        IPv6 is really needed, you should specify valid values for stuff like
        DNS server and Gateway.</p><p>Some IDS systems and even AVs are capable
        of detecting such attacks and act on them.</p>
      references:
        - >-
          https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
        - >-
          https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
      customFields: []
  category: System Security