How to fix the Windows vulnerability reported by the Qualys scanner: "Windows Remote Desktop Protocol Weak Encryption Method Allowed".
After scanning a Windows host with the Qualys tool, I came across the vulnerability "Windows Remote Desktop Protocol Weak Encryption Method Allowed".
First of all, I checked which encryption was active using one of the nmap plugins:
HOST# nmap -p 3389 --script rdp-enum-encryption 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-10 10:26 CEST
Nmap scan report for host.local (192.168.1.1)
Host is up (0.00058s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
| Security layer
| CredSSP: SUCCESS
| Native RDP: SUCCESS
| SSL: SUCCESS
| RDP Encryption level: Unknown
|_ 128-bit RC4: SUCCESS
MAC Address: 00:50:56:A6:07:15 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds
Next, I ran these commands in PowerShell:
PS C:\Users\Administrator> $RDSSettings = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
PS C:\Users\Administrator> $RDSSettings.SetEncryptionLevel(3)
__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ReturnValue :
PSComputerName :
PS C:\Users\Administrator> $RDSSettings.SetSecurityLayer(2)
__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ReturnValue :
PSComputerName :
PS C:\Users\Administrator>
After this, I ran nmap again and saw the following:
HOST# nmap -p 3389 --script rdp-enum-encryption 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-10 10:28 CEST
Nmap scan report for host.local (192.168.1.1)
Host is up (0.00058s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| rdp-enum-encryption:
| Security layer
| CredSSP: SUCCESS
|_ SSL: SUCCESS
MAC Address: 00:50:56:A6:07:15 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.93 seconds
After this, the Qualys scanner no longer reported the vulnerability.
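An added example, not part of the original post: the same two WMI calls wrapped in a check that reads the listener's current values, changes them only if they are weaker than the targets, and then re-reads them to confirm the change took effect. It assumes an elevated Windows PowerShell 5.1 session on the host itself; the variable and function names are hypothetical.

```powershell
# Added example (not the post author's code). Run elevated on the RDP host.
# Target values are the ones used in the post:
#   SetEncryptionLevel(3) -> High encryption level
#   SetSecurityLayer(2)   -> SSL (TLS) security layer
$TargetEncryption = 3
$TargetLayer      = 2

# Hypothetical helper: fetch the RDP-Tcp listener settings object.
function Get-RdpListener {
    Get-WmiObject -Class 'Win32_TSGeneralSetting' `
        -Namespace 'root\cimv2\terminalservices' `
        -Filter "TerminalName='RDP-tcp'"
}

$rdp = Get-RdpListener
if (-not $rdp) { throw 'RDP-Tcp listener not found on this host.' }

'Before: MinEncryptionLevel={0} SecurityLayer={1}' -f `
    $rdp.MinEncryptionLevel, $rdp.SecurityLayer

try {
    # Only raise the settings; never lower a stricter existing value.
    if ($rdp.MinEncryptionLevel -lt $TargetEncryption) {
        [void]$rdp.SetEncryptionLevel($TargetEncryption)
    }
    if ($rdp.SecurityLayer -lt $TargetLayer) {
        [void]$rdp.SetSecurityLayer($TargetLayer)
    }
} catch {
    Write-Warning "WMI call failed: $($_.Exception.Message)"
}

# Do not trust the method output alone: re-read the object and compare.
$after = Get-RdpListener
'After:  MinEncryptionLevel={0} SecurityLayer={1}' -f `
    $after.MinEncryptionLevel, $after.SecurityLayer

if ($after.MinEncryptionLevel -lt $TargetEncryption -or
    $after.SecurityLayer -lt $TargetLayer) {
    Write-Error 'Settings were not applied; check whether a Group Policy enforces these values.'
} else {
    'RDP-Tcp listener meets the target settings; rescan with nmap to confirm.'
}
```

Once the script reports success, the rdp-enum-encryption scan should no longer list "Native RDP" or "128-bit RC4", as in the second nmap output above.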
More information:
https://docs.microsoft.com/es-es/windows/win32/termserv/win32-tsgeneralsetting-setsecuritylayer
https://docs.microsoft.com/es-es/windows/win32/termserv/win32-tsgeneralsetting-setencryptionlevel