Lucene search
+L

Microsoft Windows: Network security: Encryption types allowed for Kerberos

🗓️ 12 Jun 2018 00:00:00Reported by Copyright (C) 2018 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 43 Views

This policy sets encryption types allowed for Kerbero

Refs
Code
# SPDX-FileCopyrightText: 2018 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.109232");
  script_version("2023-08-22T05:06:00+0000");
  script_tag(name:"last_modification", value:"2023-08-22 05:06:00 +0000 (Tue, 22 Aug 2023)");
  script_tag(name:"creation_date", value:"2018-06-12 10:28:28 +0200 (Tue, 12 Jun 2018)");
  script_tag(name:"cvss_base", value:"0.0");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:S/C:N/I:N/A:N");
  script_tag(name:"qod", value:"97");

  script_name("Microsoft Windows: Network security: Encryption types allowed for Kerberos");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2018 Greenbone AG");
  script_family("Policy");
  script_dependencies("compliance_tests.nasl", "smb_reg_service_pack.nasl");
  script_mandatory_keys("Compliance/Launch");

  script_add_preference(name:"DES-CBC-CRC", type:"radio", value:"Disabled;Enabled", id:1);
  script_add_preference(name:"DES-CBC-MD5", type:"radio", value:"Disabled;Enabled", id:2);
  script_add_preference(name:"RC4-HMAC", type:"radio", value:"Disabled;Enabled", id:3);
  script_add_preference(name:"AES128-CTS-HMAC-SHA1-96", type:"radio", value:"Enabled;Disabled", id:4);
  script_add_preference(name:"AES256-CTS-HMAC-SHA1-96", type:"radio", value:"Enabled;Disabled", id:5);
  script_add_preference(name:"Future encryption types", type:"radio", value:"Enabled;Disabled", id:6);

  script_xref(name:"Policy", value:"CIS Microsoft Windows 10 Enterprise (Release 22H2) Benchmark v2.0.0: 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1' 'AES256_HMAC_SHA1' and 'Future encryption types'");
  script_xref(name:"Policy", value:"CIS Microsoft Windows 10 Enterprise (Release 2004) Benchmark v1.9.1: 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1' 'AES256_HMAC_SHA1' and 'Future encryption types'");
  script_xref(name:"Policy", value:"CIS Microsoft Windows Server 2019 RTM (Release 1809) Benchmark v1.1.0: 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1' 'AES256_HMAC_SHA1' and 'Future encryption types'");
  script_xref(name:"Policy", value:"CIS Controls Version 7: 16.4 Encrypt or Hash all Authentication Credentials");
  script_xref(name:"Policy", value:"CIS Controls Version 7: 16.5 Ensure Workstation Screen Locks Are Configured");
  script_xref(name:"URL", value:"https://www.microsoft.com/en-us/download/confirmation.aspx?id=25250");

  script_tag(name:"summary", value:"This policy setting allows you to set the encryption types that
Kerberos is allowed to use.

If not selected, the encryption type will not be allowed. This setting may affect compatibility with
client computers or services and applications. Multiple selections are permitted.

(C) Microsoft Corporation 2015.");

  exit(0);
}

include("smb_nt.inc");
include("policy_functions.inc");
include("host_details.inc");
include("version_func.inc");
include("byte_func.inc");

FutureEncryptionTypes = script_get_preference('Future encryption types');
AES256 = script_get_preference('AES256-CTS-HMAC-SHA1-96');
AES128 = script_get_preference('AES128-CTS-HMAC-SHA1-96');
RC4HMAC = script_get_preference('RC4-HMAC');
MD5 = script_get_preference('DES-CBC-MD5');
CRC = script_get_preference('DES-CBC-CRC');

if(FutureEncryptionTypes == 'Enabled'){
  default += ',Future encryption types';
  bin = '11111111111111111111111111';
}else{
  bin = '0';
}
if(AES256 == 'Enabled'){
  default += ',AES256-CTS-HMAC-SHA1-96';
  bin += '1';
}else{
  bin += '0';
}
if(AES128 == 'Enabled'){
  default += ',AES128-CTS-HMAC-SHA1-96';
  bin += '1';
}else{
  bin += '0';
}
if(RC4HMAC == 'Enabled'){
  default += ',RC4-HMAC';
  bin += '1';
}else{
  bin += '0';
}
if(MD5 == 'Enabled'){
  default += ',ADES-CBC-MD5';
  bin += '1';
}else{
  bin += '0';
}
if(CRC == 'Enabled'){
  default += ',DES-CBC-CRC';
  bin += '1';
}else{
  bin += '0';
}

def = bin2dec(bin:bin);

target_os = "Microsoft Windows 7 or later";
win_min_ver = "6.1";
title = "Network security: Configure encryption types allowed for Kerberos";
solution = "Set following UI path accordingly: Computer Configuration/Windows Settings/Local Policies/Security Options/" + title;
type = "HKLM";
key = "Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters";
item = "SupportedEncryptionTypes";
reg_path = type + "\" + key + "!" + item;
test_type = "RegKey";
default = str_replace(string:default, find:",", replace:"", count:1) + " (" + def + ")";

if(!policy_verify_win_ver(min_ver:win_min_ver))
  results = policy_report_wrong_os(target_os:target_os);
else
  results = policy_match_exact_reg_dword(key:key, item:item, type:type, default:def);

value = results["value"];
comment = results["comment"];
compliant = results["compliant"];

policy_reporting(result:value, default:default, compliant:compliant, fixtext:solution,
  type:test_type, test:reg_path, info:comment);
policy_set_kbs(type:test_type, cmd:reg_path, default:default, solution:solution, title:title,
  value:value, compliant:compliant);

exit(0);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation