Sunday, September 30, 2018

Disabling ARC4 Weak Algorithm (SSH Weak Algorithms Supported)



How to mitigate the SSH weak algorithm finding caused by ARC4

OS: Redhat Linux

Description
Nessus / OpenVAS has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.

Solution:


To disable ARC4, edit /etc/ssh/sshd_config and add the following entry:


# restrict ciphers to exclude arcfour
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc


Now restart sshd:


 service sshd restart

 This should mitigate the identified vulnerability and remove RC4.

You can use the command sshd -T | grep ciphers to check the ciphers currently in effect.
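An added check, not part of the original post: this PowerShell function audits the cipher line that sshd -T reports (run it under pwsh on the RHEL host, or paste the output in from anywhere), flags the arcfour/none ciphers behind this finding, and separately lists the CBC ciphers that scanners usually report as their own finding. The sample sshd -T output is constructed.

```powershell
# Added example (not from the original post): audit the "ciphers" line of
# `sshd -T` output. Arcfour/none are the ciphers this finding is about;
# CBC ciphers are listed too because they trigger a separate scanner finding.
function Test-SshdCipherList {
    param(
        [Parameter(Mandatory)][string]$SshdTOutput   # full text of `sshd -T`
    )
    $line = $SshdTOutput -split "`r?`n" |
            Where-Object { $_ -match '^ciphers\s+' } |
            Select-Object -First 1
    if (-not $line) { throw "No 'ciphers' line found in sshd -T output" }

    $ciphers = ($line -replace '^ciphers\s+', '').Trim() -split ','
    $weak    = @($ciphers | Where-Object { $_ -like 'arcfour*' -or $_ -eq 'none' })
    $cbc     = @($ciphers | Where-Object { $_ -like '*-cbc' })

    [pscustomobject]@{
        Configured = $ciphers
        Arcfour    = $weak      # non-empty => the "SSH Weak Algorithms Supported" finding still applies
        Cbc        = $cbc       # non-empty => expect a separate "CBC Mode Ciphers Enabled" finding
        Pass       = ($weak.Count -eq 0)
    }
}

# Constructed sample of what an unhardened sshd might report.
$sample = @"
port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
macs hmac-sha1,hmac-md5
"@
$result = Test-SshdCipherList -SshdTOutput $sample
$result | Format-List     # Arcfour: arcfour256, arcfour128  Cbc: aes128-cbc, 3des-cbc  Pass: False

# On the host itself, after editing sshd_config and restarting sshd:
# Test-SshdCipherList -SshdTOutput (sshd -T | Out-String)
```

Note that the Ciphers line given above removes arcfour but still contains CBC ciphers, so the Cbc list will not be empty after applying it.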



Thursday, September 20, 2018

KB4088880: Windows Server 2012 March 2018 Security Update



Tenable plugin: #108292


Tenable output

  The following registry keys need to be set to the appropriate values as dictated in ADV180002.
  This is required to enable the fix for CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754:

  SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverride
  SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverrideMask
  SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\MinVmVersionForCpuBasedMitigations

  See KB Article 4072698 for more details.


Mitigation: 

 Mitigating this vulnerability requires changes to the registry, so back up the registry before making any changes. The system must also be restarted for the changes to take effect. Since this is Hyper-V host specific, shut down all virtual machines on the host before the restart. Also, if the Hyper-V host has clustering enabled, live migration of virtual machines from a Hyper-V host with the registry fix to a host without it may fail, so it is recommended to apply the fix simultaneously on all clustered Hyper-V hosts.

To enable the fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
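The same three values applied from PowerShell and then read back, as an added example that is not part of the original post: the read-back shows exactly what the Tenable plugin checks, and a mismatch means the finding will still fire after the reboot.

```powershell
# Added example (not from the original post): set the three registry values
# named in the plugin output and verify each one reads back as required.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$hv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

$wanted = @(
    @{ Path = $mm; Name = 'FeatureSettingsOverride';            Type = 'DWord';  Value = 0     }
    @{ Path = $mm; Name = 'FeatureSettingsOverrideMask';        Type = 'DWord';  Value = 3     }
    @{ Path = $hv; Name = 'MinVmVersionForCpuBasedMitigations'; Type = 'String'; Value = '1.0' }
)

# Apply (equivalent to the reg add lines above; -Force overwrites an existing value).
foreach ($v in $wanted) {
    if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
    New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
}

# Verify: compare what is actually stored against what ADV180002 requires.
$allOk = $true
foreach ($v in $wanted) {
    $actual = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    $state  = if ("$actual" -eq "$($v.Value)") { 'OK' } else { $allOk = $false; 'MISMATCH' }
    '{0,-36} {1,-8} expected={2} actual={3}' -f $v.Name, $state, $v.Value, $actual
}
if ($allOk) {
    'Registry values set. Shut down the VMs and reboot the host to activate the mitigations.'
}
```

The values only take effect after the reboot; Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports whether the mitigations are actually active once the host is back up.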


More details at

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Note:

These posts are focused on being compliant with PCI and various other security scans. Microcode updates are available from the respective chip vendors to mitigate this vulnerability, but that is beyond the scope of this post.


Tuesday, September 11, 2018

Installing CA certificate to Windows Server 2016 for RDP






    As part of PCI compliance we recently had to use Certification Authority SSL certificates for RDP instead of the self-signed certificate we had been using. Note that we did not have the Remote Desktop Gateway role installed on the server.

  

Installing certificates


Follow these steps to install the certificate by using the Microsoft Management Console (MMC) snap-in.

Start > Run > type "MMC", which opens the MMC console.




On the Console menu, click Add/Remove Snap-in.




A dialog asks whether the snap-in should manage certificates for the current user account, a service account, or the computer account. Select Computer account, then Local computer.




Click Certificates in the left panel and click Add.


Click Close in the Add Standalone Snap-in dialog box, then click OK in the Add/Remove Snap-in dialog box.



  • Use the MMC snap-in to install the certificate on the server:

    1. In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), then right-click Personal > All Tasks > Import.

    Click Next, Next, and Finish.
    The certificate has now been imported and appears under the Personal folder.

    By default Windows Server uses the self-signed certificate, so the RDP listener must be configured to use the imported certificate. This can be done in two ways: with a WMI script or via the registry.


    WMI Method




    The RDS listener configuration data is stored in the Win32_TSGeneralSetting class in WMI under the Root\CimV2\TerminalServices namespace. The thumbprint value is unique to each certificate and is referenced by the SSLCertificateSHA1Hash property.



    A simple PowerShell command to list the certificates and their thumbprint values:



    Get-Childitem Cert:\LocalMachine\My


    (The above command only lists the certificate if it has already been imported into the Personal folder using the MMC snap-in.)


         Copy the thumbprint hash value and run the PowerShell commands below in an elevated (admin) session, substituting thumbprintvalue with the thumbprint of the new certificate.


    # Locate the RDP-Tcp listener instance in WMI
    $path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path

    # Point the listener at the imported certificate by its thumbprint
    Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="thumbprintvalue"}



    A successful completion of the command would look something like below.








    Once this has been executed successfully, new RDP connections to the server use the new CA certificate.



    The same can also be achieved by modifying the following registry value:


    Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    Value name:  SSLCertificateSHA1Hash
    Value type:  REG_BINARY
    Value data:  certificate thumbprint
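The WMI method and the registry value above both need the same thumbprint; as an added example that is not part of the original post, the script below picks the certificate from the Local Computer Personal store by subject instead of hand-copying the hash, binds it through WMI, and reads the listener back to confirm. The subject pattern is a constructed placeholder; replace it with your certificate's subject.

```powershell
# Added example (not from the original post): bind the imported CA certificate
# to the RDP-Tcp listener and verify the binding. Run in an elevated session.
$SubjectPattern = 'CN=rdp.example.internal'   # constructed placeholder: your cert's subject

# 1. Select the newest non-expired certificate with a private key that matches the subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectPattern*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate with a private key matching '$SubjectPattern' in Cert:\LocalMachine\My"
}

# 2. Bind it to the listener (the WMI method described in the post).
$ns       = 'root\cimv2\terminalservices'
$listener = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 3. Read the listener back; the stored hash must equal the chosen thumbprint.
$bound = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) {
    throw "Listener still uses $bound, expected $($cert.Thumbprint)"
}
"RDP-Tcp now presents $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
```

If clients still see the self-signed certificate after a successful bind, check that NETWORK SERVICE has read permission on the certificate's private key, since the RDP listener runs under that account.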



    Troubleshooting:
