Nexpose reporting ciphers not present in machine
Stack Exchange Community » Windows Server
by Nico Nico Pizza
1w ago
Nexpose reports the following vulnerability: TLS/SSL Server Supports The Use of Static Key Ciphers.
Negotiated with the following insecure cipher suites:
  TLS 1.2 ciphers:
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
But the Get-TlsCipherSuite command outputs only these ciphers are present in the machine:
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
How can I get rid of the vulnerability ...
Low level privilege assignment using Secedit failed
Stack Exchange Community » Windows Server
by Aryan
1w ago
I, as Administrator, tried to assign Backup privileges to a sample user via secedit command...
    cmd> secedit /export /cfg config.inf
It exported the contents of Local Security Policy (LSP) database to the newly created "config.inf" file. I edited it manually, added my sample username to the respective SeBackupPrivilege & SeRestorePrivilege fields... I saved & applied this updated configuration with these commands...
    cmd> secedit /import /cfg config.inf /db config.sdb
    cmd> secedit /configure /db config.sdb /cfg config.inf
But when viewing privileges after logging in with that ...
Pass-the-hash, why do I get a shell with high integrity?
Stack Exchange Community » Windows Server
by EEVV
2M ago
I am testing the security of a Windows Server 2019 machine and have a question about remote access to the machine. The user on the machine has the permission "SeBackupPrivilege". I can therefore dump the "Administrator" user's SAM and SYSTEM.
    whoami /all
    ...
    SeBackupPrivilege Back up files and directories Disabled
    ...
I then used the Administrator user's NTHash with PsExec to do a pass-the-hash attack. After doing this attack I get a shell with high integrity.
    impacket-psexec -hashes :[NTHASH_HERE] administrator@10.10.10.10
    C:\Windows\system32> whoami ...
How to handle Microsoft FTP server being DDoSed
Stack Exchange Community » Windows Server
by Bose
3M ago
We noticed FTP service going down intermittently in the server and we found an FTP user was used to DDoS the server. Then we deleted the specific user from the server. After that the user "anonymous" was hitting the server with 1000s of connections as seen here: https://prnt.sc/JtCx7n1ok3Xv
Things we have tried so far:
- IIS manager -> FTP site -> FTP authentication and disabled anonymous authentication
- IIS manager -> FTP site -> FTP authorization rule and added a deny rule for "All anonymous users"
- Located the anonymous user MSFTP7_023979 and disabled it
- Removed the user MSFTP7_023 ...
Windows Firewall and IIS Permission
Stack Exchange Community » Windows Server
by Hüseyin Demir
4M ago
I have a website running on IIS. I have set an inbound rule for wp3wp.exe with the any-port option, but the website is not reachable with this rule. When I add a rule with the settings: Program and Services > "All programs that meet the specified conditions" or "This program: System", then IIS works like a rock. These firewall rules contain security vulnerabilities, as I see in the logs. Isn't there a rule to ensure that the Firewall only communicates with IIS? Hopefully, we don't need to check "All programs that meet the specified conditions" or give permission for System. Any suggestion ...
How to protect a local app that acts as a webserver from exploits?
Stack Exchange Community » Windows Server
by Dirk Boer
4M ago
For me, building interfaces through HTML / JS frameworks is by far easier than any other framework I have tried in the past. It's also not that strange, as by far the most UIs are based on the web nowadays, so the tools are superb (to me). Sometimes I need a small tool or app that needs access to "native Windows" stuff - like the file system. So I built a microserver executable. A very lightweight ASP.NET App (Minimal Web API) where I can build my interface in HTML and JS and communicate with XHR calls for things like "ProcessFiles" or read XXX. The user launches the daemon and the interface ca ...
Symantec endpoint protection blocking server backups
Stack Exchange Community » Windows Server
by emgee
8M ago
We are running a Windows server - SSD Cloud 6. It seems some configuration settings of 'Symantec Endpoint Protection' conflict with the cloud backup. We tried creating an exception. This didn't work. Can you suggest steps we should take to correct this? Thank you ...
IIS Sites that use DNN have been Hacked
Stack Exchange Community » Windows Server
by Luis Felipe Posada Londoño
9M ago
I'm sorry if this is not the right place to post this. I administer a Windows Server with IIS that has many DNN sites (the .net CMS) working, and in the past weeks we noticed that the results on Google of these DNN sites show spam, gibberish, weird characters, and when opening the link it doesn't show the site itself, just a blank page; when looking at the page source of this blank page you can clearly see malware in action. Windows Defender on the server detected many threats and eliminated them, but this has happened many times, as if the infection is not solved from its source, I've restore ...
Remote Desktop compromised
Stack Exchange Community » Windows Server
by user213965
9M ago
So roughly 2 weeks ago my Remote Desktop was compromised. Whilst I was actively interacting with my server via RDP, I was prompted with a disconnect status equal to "Another user has connected to remote server", which obviously raised alarms, so I began checking my event logs and found a third party's IP had connected successfully. Shortly after removing all my content from the server, it was then infected with ransomware. I'm still unsure as to what the cause was behind the intrusion, as I was using a randomly generated string of roughly 28 characters for my password, if I remember correctly. The ...
Auditing Sysmon 10 DNS events on Windows 2008 R2
Stack Exchange Community » Windows Server
by JLPH
11M ago
I have installed Sysmon 10 on a Windows 2008 R2 box in the hope of, amongst other things, capturing DNS requests. Sysmon appears to be capturing all other Event IDs except for 22. I have installed this on a 2012 box with the same .xml configuration file and 22 is being happily logged. Has anyone else noticed the same on a Windows 2008 box ...
