Section 9: Windows Server Configuration Changes for MLPS (等保) Evaluation Findings

Table of Contents

1. Server password restrictions

2. Service remote management

3. Turn on the logging function

4. Clear identity authentication information

5. SSL/TLS protocol information leakage

5.1 Tomcat: disable 3DES and DES algorithms

5.2 nginx: disable 3DES and DES algorithms

6. Terminal Services is not using Network Level Authentication (NLA)

7. Microsoft Windows Remote Desktop Protocol service key leakage vulnerability (CVE-2005-1794)

8. Response header security vulnerabilities

8.1 Strict-Transport-Security response header not set

8.2 X-Download-Options response header not set

8.3 X-Permitted-Cross-Domain-Policies response header not set

8.4 Referrer-Policy response header not set

8.5 X-XSS-Protection response header not set

8.6 Clickjacking: X-Frame-Options header not set

8.7 X-Content-Type-Options response header not set

9. Complete nginx.conf file


1. Server password restrictions

Finding from the MLPS evaluation: the complexity of identity authentication information (passwords) is not checked, and regular password changes are not enforced.

Solution:

Press Win + R to open Run, enter secpol.msc to open Local Security Policy, then under Account Policies - Password Policy enable "Password must meet complexity requirements" and set a non-zero "Maximum password age" (and a "Minimum password length").

Open Computer Management: press Win + R (or open a cmd prompt), enter compmgmt.msc, and go to Local Users and Groups - Users.

For each account, open its properties and clear the "Password never expires" checkbox. An account with that box ticked is exempt from the maximum password age set above, so the policy alone does not satisfy the finding.
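The same password policy applied from an elevated PowerShell prompt instead of clicking through secpol.msc and compmgmt.msc. This is an added example, not part of the original page; the numeric values (8 characters, 90 days, 5 remembered passwords) are assumptions and should be replaced by whatever the evaluator requires.

```powershell
# Added example (not from the original page): apply the section 1 password
# policy with secedit and clear "Password never expires" on local accounts.
# Run in an elevated Windows PowerShell session on the server being assessed.
# The values below are assumptions; use the ones your evaluator requires.

$cfg = Join-Path $env:TEMP 'secpol.cfg'
$db  = Join-Path $env:TEMP 'secpol.sdb'

# 1. Export the current local security policy to an .inf file (UTF-16).
secedit /export /cfg $cfg /quiet | Out-Null

# 2. Rewrite the [System Access] password settings in the exported file.
$desired = [ordered]@{
    'PasswordComplexity'    = 1    # "Password must meet complexity requirements" = Enabled
    'MinimumPasswordLength' = 8
    'MaximumPasswordAge'    = 90   # days; 0 or -1 means "never expires" and fails the finding
    'MinimumPasswordAge'    = 1
    'PasswordHistorySize'   = 5
}
$lines = Get-Content $cfg
foreach ($key in $desired.Keys) {
    $pattern = "^\s*$key\s*=.*$"
    if ($lines -match $pattern) {
        $lines = $lines -replace $pattern, "$key = $($desired[$key])"
    } else {
        # Key absent: insert it directly under the [System Access] section header.
        $idx   = [array]::IndexOf($lines, '[System Access]')
        $lines = $lines[0..$idx] + "$key = $($desired[$key])" + $lines[($idx + 1)..($lines.Count - 1)]
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit requires UTF-16

# 3. Import the edited policy. Only the SECURITYPOLICY area is touched.
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 4. Clear "Password never expires" on every enabled local account (the
#    compmgmt.msc step). Set-LocalUser needs Windows 10 / Server 2016 or later.
Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False AND PasswordExpires=False" |
    ForEach-Object {
        Write-Host "Clearing 'Password never expires' on $($_.Name)"
        Set-LocalUser -Name $_.Name -PasswordNeverExpires $false
    }

# 5. Read back the effective policy so it can be pasted into the assessment evidence.
function Get-PasswordPolicyEvidence {
    # 'net accounts' prints the effective policy as "Setting:   value" lines.
    net accounts | ForEach-Object {
        if ($_ -match '^(.+?):\s+(\S.*)$') {
            [PSCustomObject]@{ Setting = $Matches[1].Trim(); Value = $Matches[2].Trim() }
        }
    }
}
Get-PasswordPolicyEvidence | Format-Table -AutoSize
```

The export/edit/import round trip is what the secpol.msc GUI does underneath; editing the .inf rather than writing registry values keeps the policy database consistent, which matters on servers that later receive a domain GPO.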

2. Service remote management

Finding from the MLPS evaluation: the system is managed remotely without secure methods such as encryption.

Solution:

Press Win + R to open Run, enter gpedit.msc to open the Local Group Policy Editor.

[Computer Configuration] - [Administrative Templates] - [Windows Components] - [Remote Desktop Services] - [Remote Desktop Session Host] - [Security]

Double-click "Set client connection encryption level", set it to Enabled, and set the encryption level to "Client Compatible". ("Client Compatible" negotiates the strongest level each client supports; "High" forces 128-bit encryption in both directions and is the stronger choice if every client supports it.)

Double-click "Require use of specific security layer for remote (RDP) connections", set it to Enabled, and set the security layer to "Negotiate". (With "Negotiate" the server still falls back to the legacy RDP security layer for clients that cannot do TLS; "SSL" requires TLS for every connection, which is what removes the hard-coded key behind the CVE-2005-1794 finding in section 7.)

3. Turn on the logging function

Finding from the MLPS evaluation: auditing is not enabled, and audit records are not protected.

Solution:

Press Win + R to open Run, enter secpol.msc to open Local Security Policy, then under Local Policies - Audit Policy enable success and failure auditing for the categories the evaluator requires (typically logon events, account logon events, account management, policy change and privilege use).

Press Win + R to open Run, enter eventvwr to open Event Viewer.

Set the maximum log size and the retention behaviour separately for the Application, Security, Setup and System logs (right-click the log - Properties), so that records are not overwritten before they are collected or backed up.
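The section 3 settings applied from PowerShell with auditpol and wevtutil, plus a read-back of the effective configuration for the assessment evidence. This is an added example, not part of the original page; the audit categories and the 200 MB log size are assumptions to adjust to the evaluator's requirements.

```powershell
# Added example (not from the original page): enable auditing and set event
# log size/retention, equivalent to the secpol.msc and eventvwr steps in
# section 3. Run elevated. Category list and log size are assumptions.

# 1. Audit policy (secpol.msc -> Local Policies -> Audit Policy).
#    auditpol accepts the top-level category names shown in secpol.msc.
$categories = @(
    'Account Logon',
    'Account Management',
    'Logon/Logoff',
    'Policy Change',
    'Privilege Use',
    'System'
)
foreach ($cat in $categories) {
    auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
}

# 2. Event log size and retention (eventvwr -> right-click log -> Properties).
#    /ms = maximum size in bytes; /rt:false = overwrite oldest events as needed.
#    Use /rt:true (do not overwrite) only if something archives the logs first,
#    otherwise the log fills up and new events are lost instead of old ones.
$logs   = 'Application', 'Security', 'Setup', 'System'
$maxMiB = 200
foreach ($log in $logs) {
    wevtutil set-log $log "/ms:$($maxMiB * 1MB)" /rt:false /ab:false | Out-Null
}

# 3. Read back the effective settings for the evidence package.
function Get-AuditEvidence {
    # auditpol /r emits CSV (with a leading blank line); keep enabled subcategories.
    $audit = auditpol /get /category:* /r |
        Where-Object { $_ } |
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'

    $eventLogs = Get-WinEvent -ListLog $logs |
        Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled

    [PSCustomObject]@{
        AuditPolicy = $audit
        EventLogs   = $eventLogs
    }
}
$evidence = Get-AuditEvidence
$evidence.AuditPolicy | Format-Table -AutoSize
$evidence.EventLogs   | Format-Table -AutoSize
```

"Audit records cannot be protected" in the finding is normally satisfied by the combination of a large enough log, a retention mode that does not silently drop events, and forwarding or backing up the Security log; the size and retention part is what this script covers.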

4. Clear identity authentication information

Finding from the MLPS evaluation: identity authentication information is not cleared in a timely manner, or the mechanism for releasing or clearing it poses security risks.

Solution:

Press Win + R to open Run, enter secpol.msc to open Local Security Policy, and configure the corresponding option there.

5. SSL/TLS protocol information leakage

Finding from the MLPS evaluation: SSL/TLS protocol information leakage vulnerability (CVE-2016-2183) [principle-based scan]. This is the "Sweet32" birthday attack on 64-bit block ciphers: the scanner flags any server that still offers a 3DES (or DES) cipher suite, so the fix is the same whatever the TLS stack (Windows Schannel, Tomcat or nginx): stop offering those suites.

Solution (Windows / Schannel):

Press Win + R to open Run, enter gpedit.msc to open the Local Group Policy Editor, and go to [Computer Configuration] - [Administrative Templates] - [Network] - [SSL Configuration Settings] - [SSL Cipher Suite Order]. Set the policy to Enabled and replace the contents of "SSL Cipher Suites" with the list below, as a single comma-separated line with no spaces (the value is limited to 1023 characters). Do not include TLS_RSA_WITH_NULL_SHA or any other NULL suite: such suites provide no encryption at all. On Windows Server 2016 and later the curve suffixes (_P256, _P384, _P521) are not used and the curve order is configured separately under "ECC Curve Order". A reboot is required before the new order takes effect.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA
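The Schannel side of section 5 done from PowerShell: the 64-bit block ciphers are disabled outright in the SCHANNEL\Ciphers keys (which Schannel honours regardless of what the suite order says), and the suite order policy is written with a length check. This is an added example, not part of the original page. It assumes a Windows version that uses the _P256-style suffixed names (Server 2012 R2 and earlier); on Server 2016 and later, drop the suffixes and check names against Get-TlsCipherSuite.

```powershell
# Added example (not from the original page): disable 3DES/DES in Schannel and
# pin the cipher suite order, equivalent to the section 5 GPO steps. Run
# elevated and reboot afterwards (Schannel reads these settings at start-up).
# Suffixed suite names are an assumption (pre-2016 Windows); adjust as needed.

# 1. Hard-disable the weak ciphers. Schannel ignores any suite whose cipher
#    key has Enabled = 0, even if that suite appears in the order list.
#    The .NET registry API is used instead of New-Item because the "/" in
#    "DES 56/56" would otherwise be treated as a path separator.
$base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
foreach ($name in 'Triple DES 168', 'DES 56/56', 'NULL') {
    $k = $base.CreateSubKey($name)
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$base.Close()

# 2. Cipher suite order policy (the "SSL Cipher Suite Order" GPO writes the
#    same REG_SZ value). The list is the page's list without the NULL suite.
$suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
    'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
)
# Refuse anything a scanner would flag before it reaches the registry.
$bad = $suites | Where-Object { $_ -match '3DES|DES_CBC|NULL|RC4|MD5|EXPORT' }
if ($bad) { throw "Weak suites in list: $($bad -join ', ')" }

$value = $suites -join ','
if ($value.Length -gt 1023) {
    throw "Cipher suite list is $($value.Length) characters; the policy value is limited to 1023."
}
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
New-ItemProperty -Path $policy -Name Functions -Value $value -PropertyType String -Force | Out-Null

# 3. After the reboot, confirm nothing weak is still enabled (cmdlet exists on
#    Windows 10 / Server 2016 and later only).
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $weak = Get-TlsCipherSuite | Where-Object { $_.Name -match '3DES|DES_CBC|NULL|RC4' }
    if ($weak) { Write-Warning "Still enabled: $($weak.Name -join ', ')" } else { 'No 3DES/DES/NULL/RC4 suites enabled.' }
}
```

Step 1 is the part that actually clears CVE-2016-2183 on Windows; step 2 only decides the preference order among the suites that remain enabled, and it is the step most often done alone, which is why the finding sometimes survives a "fixed" cipher order.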

5.1 Tomcat: disable 3DES and DES algorithms

Find the HTTPS <Connector> (port) configuration in tomcat/conf/server.xml and add a ciphers="..." attribute (lower-case; on Tomcat 8.5 and later it can also be placed on the <SSLHostConfig> element) listing only the suites to allow. Add only suites the JVM supports: an unsupported name is skipped with a warning on newer versions and prevents the connector from starting on older ones. The names below are JSSE names for the NIO/BIO (JSSE) connector; the APR/OpenSSL connector uses OpenSSL-style names instead. For example:

ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

Restart Tomcat.

5.2 nginx: disable 3DES and DES algorithms

Add the following inside the ssl server block of nginx/conf/nginx.conf, then run nginx -t and reload:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Only allow TLS (SSLv2/SSLv3 are never negotiated). TLS 1.0 and 1.1 are deprecated (RFC 8996) and flagged by many scanners; if that finding appears, reduce this to TLSv1.2 (and TLSv1.3 where the OpenSSL build supports it).

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
# Cipher suites, based on Cloudflare's Internet-facing SSL cipher configuration. The three 3DES suites that configuration contained (ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA) are removed and !3DES is appended: in OpenSSL cipher-list syntax !DES only excludes single DES, so with the 3DES suites listed (or pulled in by HIGH on OpenSSL 1.0.x) the server still offers 3DES and the CVE-2016-2183 finding remains. Pair this with ssl_prefer_server_ciphers on (see section 9) so the server's order wins.
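A verification probe for the Tomcat (5.1) and nginx (5.2) changes above: it opens a TLS session at each protocol version and reports whether the handshake succeeded and which symmetric cipher the server chose. This is an added example, not part of the original page. The host and port are placeholders (assumptions). The probe offers whatever the Windows client's own Schannel configuration allows, so run it from a machine that still has 3DES enabled if the point is to prove the server refuses it; certificate validation is deliberately bypassed because only the negotiated suite is of interest.

```powershell
# Added example (not from the original page): probe a TLS endpoint per protocol
# version and report the negotiated cipher, to check the 5.1/5.2 changes.
# Host/port are placeholder assumptions. Certificate errors are ignored on
# purpose (probe only); never do that in production tooling.

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # Accept any certificate: we only care about what gets negotiated.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

    foreach ($protoName in 'Tls', 'Tls11', 'Tls12') {
        $proto  = [System.Security.Authentication.SslProtocols]$protoName
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            # Force exactly one protocol version so we learn what the server allows.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $cipher = "$($ssl.CipherAlgorithm)"
            [PSCustomObject]@{
                Protocol   = $protoName
                Negotiated = $true
                Cipher     = "$cipher $($ssl.CipherStrength)-bit"
                Hash       = "$($ssl.HashAlgorithm)"
                KeyEx      = "$($ssl.KeyExchangeAlgorithm)"
                # TripleDes/Des here means CVE-2016-2183 is still open on this port.
                Weak       = $cipher -in 'TripleDes', 'Des', 'Rc4', 'Null', 'None'
            }
            $ssl.Dispose()
        } catch {
            # Handshake refused (protocol disabled or no common suite) or connect failed.
            [PSCustomObject]@{
                Protocol   = $protoName
                Negotiated = $false
                Cipher     = $_.Exception.GetBaseException().Message
                Hash       = ''
                KeyEx      = ''
                Weak       = $false
            }
        } finally {
            $client.Dispose()
        }
    }
}

# Placeholder target (assumption): the nginx server from section 9.
Test-TlsEndpoint -HostName 'www.aaa.cn' -Port 8080 | Format-Table -AutoSize
```

A row with Negotiated = True for Tls or Tls11 shows those versions are still accepted; a Weak = True row reproduces the scanner's Sweet32 finding directly. SslStream reports the server's choice under server-preferred ordering, so a False result for Weak does not by itself prove 3DES is disabled unless the client offered nothing else, which is why the note above suggests probing from a client that still offers it.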

6. Terminal Services is not using Network Level Authentication (NLA)

Finding from the MLPS evaluation: Remote Desktop (Terminal Services) accepts connections that do not use Network Level Authentication, so a client reaches the session host's logon screen, and consumes a session, before presenting any credentials.

Solution:

(1) Right-click [This PC] (My Computer), select [Properties] to open the System and Security settings.

(2) Select [Remote settings].

(3) Select [Allow remote connections to this computer] and check [Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)].

7. Microsoft Windows Remote Desktop Protocol service key leakage vulnerability (CVE-2005-1794)

Finding from the MLPS evaluation: the RDP service still allows the legacy RDP security layer, in which the server's key is signed with a hard-coded private key shared by all Windows installations (CVE-2005-1794), so a man-in-the-middle can impersonate the server to the client.

Solution:

(1) Right-click [This PC] (My Computer), select [Properties] to open the System and Security settings.

(2) Open [Advanced system settings] and switch to the [Remote] tab.

(3) Configure it as in section 6 (NLA required). If you have already completed [Remote settings] there, nothing more needs to be done here.

Note that NLA on its own only protects the logon step; what removes the hard-coded key from the handshake is requiring the SSL (TLS) security layer (the section 2 policy set to "SSL" rather than "Negotiate") together with a server certificate issued by a CA the clients trust.
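The RDP settings from sections 2, 6 and 7 applied together from PowerShell and then read back from the RDP listener. This is an added example, not part of the original page. It writes the Group Policy registry values (which take precedence over the per-listener values), and it deliberately chooses SecurityLayer = SSL/TLS and MinEncryptionLevel = High instead of the page's "Negotiate" / "Client Compatible", because those are the values that actually retire the legacy RDP security layer behind CVE-2005-1794; the certificate thumbprint is a placeholder assumption.

```powershell
# Added example (not from the original page): apply the RDP hardening from
# sections 2, 6 and 7 and read back what the listener is using. Run elevated.
# SecurityLayer=2 and MinEncryptionLevel=3 are deliberately stricter than the
# page's GUI choices (see the lead-in). New connections pick the values up;
# reboot if a re-scan still shows the old ones.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

$settings = [ordered]@{
    UserAuthentication = 1   # sections 6/7: require Network Level Authentication
    SecurityLayer      = 2   # section 2: 0 = RDP (legacy), 1 = Negotiate, 2 = SSL (TLS)
    MinEncryptionLevel = 3   # section 2: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $policy -Name $name -Value $settings[$name] -PropertyType DWord -Force | Out-Null
}

# Effective listener state (policy + per-listener keys combined), via the
# Terminal Services WMI provider.
function Get-RdpSecurityState {
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [PSCustomObject]@{
        NlaRequired        = [bool]$ts.UserAuthenticationRequired
        SecurityLayer      = @('RDP', 'Negotiate', 'SSL/TLS')[$ts.SecurityLayer]
        MinEncryptionLevel = @('', 'Low', 'ClientCompatible', 'High', 'FIPS')[$ts.MinEncryptionLevel]
        CertificateSha1    = $ts.SSLCertificateSHA1Hash
        # With SecurityLayer = SSL/TLS the legacy hard-coded key is never used.
        Cve20051794Closed  = ($ts.SecurityLayer -eq 2)
    }
}
Get-RdpSecurityState | Format-List

# Optional: bind a CA-issued certificate from LocalMachine\My so clients do
# not see the self-signed listener certificate. Thumbprint is a placeholder
# assumption; leave $thumb empty to skip.
$thumb = ''
if ($thumb) {
    Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" |
        Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $thumb }
}
```

The read-back function is what to paste into the evidence for sections 2, 6 and 7: a scanner checking CVE-2005-1794 is satisfied when the server no longer negotiates the legacy RDP security layer, which the Cve20051794Closed field reflects.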

8. Response header security vulnerabilities

Findings from the MLPS evaluation:

8.1 Strict-Transport-Security response header not set

8.2 X-Download-Options response header not set

8.3 X-Permitted-Cross-Domain-Policies response header not set

8.4 Referrer-Policy response header not set

8.5 X-XSS-Protection response header not set

8.6 Clickjacking: X-Frame-Options header not set

8.7 X-Content-Type-Options response header not set

Solution:

Add the following to the server block of nginx.conf. Two nginx behaviours matter here: add_header without the always parameter only adds the header to 2xx and 3xx responses, so a scanner that looks at an error page still reports it missing; and an add_header inside a location block replaces all add_header directives inherited from the server block, so either keep the whole set at server level with no add_header in any location (as in section 9) or repeat the full set inside that location.

    # Security headers flagged by the scan
    # Content-Security-Policy was also reported missing. Left disabled: with this policy Cesium stops working.
    #add_header Content-Security-Policy "default-src 'self' http: https://* data: blob: 'unsafe-eval' 'unsafe-inline'; child-src 'none'" always;

    # X-XSS-Protection was missing (kept for the scanner; current browsers ignore this header)
    add_header X-XSS-Protection "1; mode=block" always;
    # Referrer-Policy was missing
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # X-Permitted-Cross-Domain-Policies was missing
    add_header X-Permitted-Cross-Domain-Policies none always;
    # X-Download-Options was missing
    add_header X-Download-Options noopen always;
    # Strict-Transport-Security was missing. includeSubDomains and preload commit every subdomain to HTTPS for two years; only keep them if that is true.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # Clickjacking: X-Frame-Options not configured
    add_header X-Frame-Options SAMEORIGIN always;
    # X-Content-Type-Options was missing. Some third-party banners break with nosniff; our system does not use them, so it is enabled.
    add_header X-Content-Type-Options nosniff always;

After the change, run nginx -t and then reload or restart nginx.

If the site breaks after the change (in our case Cesium would not load, because the policy above blocks scripts it needs), simply do not configure Content-Security-Policy in nginx. CSP is not among the findings listed above, so leaving it out does not affect the vulnerability-scan result. The configuration above already has Content-Security-Policy commented out and can be copied as is.
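A check that the section 8 headers are really present, run the way the scanner sees the site: once against a normal page and once against a URL that returns 404, which catches add_header lines that lack always. This is an added example, not part of the original page. The base URL is a placeholder assumption taken from the section 9 server_name and port, and the expected values mirror the nginx configuration above; certificate validation is bypassed because the test target may use an internal certificate.

```powershell
# Added example (not from the original page): verify the section 8 response
# headers on a success response and on an error response. The base URL is a
# placeholder assumption. Certificate checks are skipped for the probe only.

function Test-SecurityHeaders {
    param([Parameter(Mandatory)][string]$Uri)

    # Header name -> regex the value must match (mirrors the nginx config above;
    # X-XSS-Protection also accepts "0", the value modern guidance prefers).
    $required = [ordered]@{
        'Strict-Transport-Security'         = '^max-age=\d+'
        'X-Frame-Options'                   = '^(SAMEORIGIN|DENY)$'
        'X-Content-Type-Options'            = '^nosniff$'
        'X-XSS-Protection'                  = '^(0|1; mode=block)$'
        'Referrer-Policy'                   = '\S'
        'X-Permitted-Cross-Domain-Policies' = '^none$'
        'X-Download-Options'                = '^noopen$'
    }

    $req = [System.Net.HttpWebRequest]::Create($Uri)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false            # inspect the first response, not a redirect target
    $req.ServerCertificateValidationCallback = { $true }   # probe only
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx responses still carry headers; that is the case we want to see.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    try {
        foreach ($name in $required.Keys) {
            $value = $resp.Headers[$name]
            [PSCustomObject]@{
                Uri     = $Uri
                Status  = [int]$resp.StatusCode
                Header  = $name
                Present = [bool]$value
                Ok      = [bool]$value -and ($value -match $required[$name])
                Value   = $value
            }
        }
    } finally {
        $resp.Close()
    }
}

# Placeholder base URL (assumption): the section 9 server.
$base    = 'https://www.aaa.cn:8080'
$targets = "$base/", "$base/does-not-exist-$(Get-Random)"
$results = $targets | ForEach-Object { Test-SecurityHeaders -Uri $_ }

$results | Format-Table Status, Header, Ok, Value -AutoSize
$results | Where-Object { -not $_.Ok } | ForEach-Object {
    Write-Warning "$($_.Status) $($_.Uri): $($_.Header) missing or unexpected ('$($_.Value)')"
}
```

A header that is Ok on the 200 response but missing on the 404 response is the signature of an add_header without always; a header missing on both, while present in nginx.conf, usually means an add_header inside the matching location block has replaced the inherited set.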

9. Complete nginx.conf file

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    server {
        listen       8080 ssl;
        server_name  www.aaa.cn;

        client_max_body_size 300m;   # limits the size of uploaded request bodies (files)

        ssl_certificate      www.aaa.cn_bundle.pem;
        ssl_certificate_key  www.aaa.cn.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Only allow TLS (SSLv2/SSLv3 are never negotiated). TLS 1.0 and 1.1 are deprecated
        # (RFC 8996) and flagged by many scanners; if that finding appears, reduce this to
        # TLSv1.2 (and TLSv1.3 where the OpenSSL build supports it).

        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
        # Cipher suites based on Cloudflare's Internet-facing SSL cipher configuration, with its
        # 3DES suites removed and !3DES appended (see section 5.2): !DES alone does not exclude 3DES.

        ssl_prefer_server_ciphers on;
        # Let the server's order, not the client's, decide which suite is used

        # Security headers flagged by the scan (section 8). "always" adds them to error responses too.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header X-Permitted-Cross-Domain-Policies none always;
        add_header X-Download-Options noopen always;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;

        # No add_header inside the location blocks: one there would replace every header set above.
        location /ak_hwrl {
            proxy_pass http://192.168.100.10:8012;
        }

        location /sys-api {
            proxy_pass http://192.168.100.10:9999;
        }

        location /manage-api {
            proxy_pass http://192.168.100.10:9999;
        }

        location /hangjingsoft {
            proxy_pass http://192.168.100.10:8012;
        }

        location /excel {
            proxy_pass http://192.168.100.10:8012;
        }

        location /ryjl {
            proxy_pass http://192.168.100.10:8012;
        }

        location /ueditor {
            proxy_pass http://192.168.100.10:8012;
        }

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}