A security scan was run against the W10 staff service and some vulnerabilities were dentified.
The changes are being applied via Group Policy in the following order…
1. 03/12/18 – IT-Depstaff
2. 05/12/18 – FM-Deptstaff
3. 10/12/18 – ProServ Staff
4. 12/12/18 – WS-SchoolStaff
5. Live to Windows 10 Service
The Nessus scan has identified several registry entries that need to be created or changed on the Staff Service.
1. Need to Disable Week Cyphers – https://littlehyenas.wordpress.com/2014/04/12/disable-rc4-cipher-suites-on-remote-desktop/
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client – Enable 0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server – Enable 0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 – Enable 0
2. Fix CVE-2017-8529 – An information disclosure vulnerability exists when affected Microsoft scripting engines do not properly handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user’s computer. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\iexplorer – 1
HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX\iexplorer – 1
3. MS KB2960358: Update for Disabling RC4 in .NET TLS
HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\SchUseStrongCrypto – 1
HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 – 1
4. MSIs can not run from the Downloads folder and need moving to another location to install if trusted.