[Security] - List of weak points that need review/consideration to resolve

June 17, 2025 |

This is a list of weaknesses found on Linux and Windows servers. Administrators should review and resolve them.
[Linux Server]
1. Disable Telnet Service in Operation
- We should consider disabling the Telnet service because Telnet is not safe (credentials and the whole session travel in clear text) and carries many serious security risks.

2. System Logging Setting According to Policy
- Check that each log type is written to the correct file.
Here:
auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp and local0 are facilities (operation logs) => write to the operation log

alert, crit, debug, emerg, err, info, notice, warning are message priorities => priority-based logs should be written to the dev/test log.

$ vi /etc/rsyslog.conf
Ex:
*.alert /var/log/syslog.log
=> *.alert /dev/console

Alert: situation that requires immediate action
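To review which facilities and priorities a rsyslog configuration actually routes where, the following added example (not code from the original post) parses the classic "selector action" lines and classifies every facility against the operation-log list above. The config content it reads is a constructed sample written to a temp file; on a real host point it at /etc/rsyslog.conf or the files under /etc/rsyslog.d/. The function and constant names are my own.

```shell
#!/bin/sh
# Added example: parse rsyslog selector lines and classify each facility.
# Sample config is constructed below; it is not copied from any real server.

# Facilities the checklist treats as operation logs.
OPERATION_FACILITIES="auth authpriv cron daemon kern lpr mail news syslog user uucp local0"

# rsyslog_selectors FILE
# Prints one line per (facility, priority) pair:  FACILITY PRIORITY TARGET CLASS
#   CLASS = operation      facility is in OPERATION_FACILITIES
#         = priority-only  facility is "*" (rule keyed on priority alone)
#         = other          any other facility (local1-7, ...)
rsyslog_selectors() {
  file=$1
  set -f    # selectors contain '*'; stop the shell from glob-expanding them
  while IFS= read -r line; do
    # Skip blanks, comments and directives that are not selector lines.
    case $line in ''|'#'*|'$'*|module*|action*|input*|template*|ruleset*) continue ;; esac
    # First field = selector list; remainder (leading whitespace stripped) = action.
    selectors=${line%%[[:space:]]*}
    target=${line#"$selectors"}
    target=${target#"${target%%[![:space:]]*}"}
    [ -n "$target" ] || continue
    # Selectors are ';'-separated; each is facility[,facility].priority
    IFS=';'
    for sel in $selectors; do
      facs=${sel%.*}
      pri=${sel##*.}
      IFS=','
      for fac in $facs; do
        cls=other
        if [ "$fac" = '*' ]; then
          cls=priority-only
        else
          case " $OPERATION_FACILITIES " in *" $fac "*) cls=operation ;; esac
        fi
        printf '%s %s %s %s\n' "$fac" "$pri" "$target" "$cls"
      done
      IFS=';'
    done
    unset IFS
  done < "$file"
  set +f
}

# make_sample_conf: writes a constructed rsyslog.conf fragment to a temp file
# and prints its path.
make_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample rsyslog.conf
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
uucp,news.crit                              /var/log/spooler
*.alert                                     /dev/console
EOF
  printf '%s\n' "$f"
}

# Stand-alone usage:  rsyslog_selectors "$(make_sample_conf)"
```

Lines whose CLASS is priority-only (such as the `*.alert /dev/console` example above) are the ones the policy says belong with the priority-based logging; everything classed as operation should land in the operation log file.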

3. Change Community String of SNMP
$ vi /etc/snmp/snmpd.conf

Change "public" to another secret string.
Before: com2sec notConfigUser default public
After: com2sec notConfigUser default <your secret string>

4. Remote terminal connection timeout setting
Set a timeout for idle terminal sessions
//For a specific user (bash)
$ vi /home/<user>/.bash_profile
TMOUT=900  //seconds
export TMOUT

//For all users (this file applies to csh/tcsh; for bash users put the TMOUT lines above in a .sh file under /etc/profile.d/)
$ vi /etc/profile.d/csh.local
set autologout=15 //minutes

5. Management Crontab Configuration File Permission Is Insufficient
- Remove the read permission for "other" on /etc/at.deny
$ chmod o-r /etc/at.deny
- at.deny controls which users may use the "at" command.

* 'at' is a command that allows users to schedule one-time tasks or recurring jobs at a specific time and date. It is mainly useful for automating system maintenance, backups, software updates, and various administrative tasks. The 'at' command works by queuing the commands to be executed by the system's job scheduler at the specified time.

6. Management C Compiler File Permission Is Insufficient
- Remove execute permission for "other" on the C compiler
$ chmod o-x /usr/bin/gcc /usr/bin/cc
- If the C compiler is not used, it can be removed entirely (note: /usr/bin/cc is usually a symlink to gcc, and removing the compiler's package via the package manager is cleaner than deleting the binaries, which a later update may restore)
$ rm -f /usr/bin/gcc /usr/bin/cc

7. World-writable files in home directories
- Review the permissions of every file in each user's home directory and check for world-writable files.
- World-writable means that any other user can edit the file.

$ chmod o-w <file_name>
$ rm -rf <file_name>  // if the file is not used

8. Insufficient owner or permission for user environment files
- Review the permissions and owner of every user environment file.
$ cd /home/<user_name>
$ ls -al
$ chown <username> <file_name>  // change the file owner if it is incorrect
$ chmod o-r,o-w <file_name>  // remove read/write permission for "other" if set

These user environment files:
-rw-------. 1 hqt  hqt  2008 Jun 18 15:59 .bash_history
-rw-r--r--. 1 hqt  hqt    18 Jan 24  2023 .bash_logout
-rw-r--r--. 1 hqt  hqt   141 Jun 18 16:20 .bash_profile
-rw-r--r--. 1 hqt  hqt   492 Jan 24  2023 .bashrc
-rw-------. 1 hqt  hqt    20 Feb 10 14:15 .lesshst
-rw-------. 1 hqt  hqt  8277 Jun 19 10:20 .viminfo
-rw-r--r--. 1 hqt  hqt   658 May 15  2022 .zshrc

9. Access control and management of system logs
- Review the permissions and owner of all log files
$ cd /var/log
$ ls -al

Review each log file one by one, change the owner to "root", and set the file permission to 644 (rw-r--r--)
$ chown root <log_file>
$ chmod 644 <log_file>
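Reviewing `ls -al` output by hand is error-prone on a host with many users or log files, so here is an added example (my own code, not part of the original post) that performs the checks of items 7, 8 and 9 in one pass: it reports files under a directory that are world-writable, owned by someone other than the expected owner, or more permissive than a given maximum mode (644 for logs). It assumes GNU coreutils (`stat -c`, `find`) on Linux and only reports; the fixes stay the `chmod`/`chown` commands shown above. The sample home directory is constructed in a temp dir.

```shell
#!/bin/sh
# Added example: permission/ownership audit for home directories and /var/log.
# Report only. Assumes GNU stat/find. Paths containing newlines are not handled.

# audit_tree ROOT EXPECTED_OWNER MAX_MODE
# One line per finding, sorted:  KIND PATH DETAIL
#   WRONG_OWNER     owner is not EXPECTED_OWNER        (detail = actual owner)
#   WORLD_WRITABLE  the other-write bit is set         (detail = octal mode)
#   TOO_PERMISSIVE  mode has bits outside MAX_MODE     (detail = octal mode)
audit_tree() {
  local root="$1" owner="$2" maxmode="$3" f mode fowner
  find "$root" -xdev -type f | while IFS= read -r f; do
    mode=$(stat -c %a "$f")
    fowner=$(stat -c %U "$f")
    [ "$fowner" = "$owner" ] || printf 'WRONG_OWNER %s %s\n' "$f" "$fowner"
    # other-write is bit 2 of the last octal digit (leading 0 = octal in $(( )))
    [ $(( 0$mode & 2 )) -eq 0 ] || printf 'WORLD_WRITABLE %s %s\n' "$f" "$mode"
    # any bit set that MAX_MODE does not permit
    [ $(( 0$mode & ~0$maxmode )) -eq 0 ] || printf 'TOO_PERMISSIVE %s %s\n' "$f" "$mode"
  done | sort
}

# make_sample_home: constructs a throwaway "home directory" with a mix of modes
# (sample data, not a real account) and prints its path.
make_sample_home() {
  local d
  d=$(mktemp -d)
  printf 'export PATH=$PATH:~/bin\n' > "$d/.bashrc";   chmod 644 "$d/.bashrc"
  : > "$d/.bash_history";                              chmod 600 "$d/.bash_history"
  printf 'shared notes\n' > "$d/notes.txt";            chmod 666 "$d/notes.txt"
  printf '#!/bin/sh\necho hi\n' > "$d/run.sh";         chmod 755 "$d/run.sh"
  printf '%s\n' "$d"
}

# Real-host usage (run as root):
#   audit_tree /home/<user_name> <user_name> 644   # items 7 and 8
#   audit_tree /var/log          root        644   # item 9
```

Every WORLD_WRITABLE line is a candidate for `chmod o-w`, every WRONG_OWNER line for `chown`, and TOO_PERMISSIVE lines under /var/log are the ones to bring down to 644; the list can be piped straight into those commands once it has been reviewed.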

10. su command usable group restriction
Check the "wheel" group and that only the right users are members of it
$ vi /etc/group

Require a user to be in the "wheel" group before su is allowed. Uncomment the line highlighted in red in the original (the pam_wheel.so entry).
$ vi /etc/pam.d/su


11. Cron service usage account limit
We should check which accounts are allowed to use cron and that their use of cron is legitimate.
$ vi /etc/cron.allow
$ vi /etc/cron.deny
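cron and at share the same allow/deny evaluation order, so one check serves item 5 (/etc/at.allow, /etc/at.deny) and item 11 (/etc/cron.allow, /etc/cron.deny). The added example below (my own code, not from the original post) encodes that order as documented in crontab(1) and at(1) and runs it over a list of accounts; the file paths are parameters, and the sample allow/deny files are constructed in a temp dir.

```shell
#!/bin/sh
# Added example: evaluate cron/at allow and deny files for a set of users.
# Paths are parameters so the same code serves cron.* and at.* files.

# scheduler_access ALLOW_FILE DENY_FILE USER
# Prints one of: allowed | denied | default
#   1. root is always allowed (the superuser is exempt from both files);
#   2. if ALLOW_FILE exists, only users listed in it are allowed;
#   3. otherwise, if DENY_FILE exists, everyone except listed users is allowed;
#   4. if neither file exists the outcome depends on how the distribution built
#      cron/at, so "default" is returned for the administrator to verify.
scheduler_access() {
  local allow="$1" deny="$2" user="$3"
  if [ "$user" = root ]; then
    echo allowed
  elif [ -f "$allow" ]; then
    if grep -qx "$user" "$allow"; then echo allowed; else echo denied; fi
  elif [ -f "$deny" ]; then
    if grep -qx "$user" "$deny"; then echo denied; else echo allowed; fi
  else
    echo default
  fi
}

# audit_scheduler ALLOW_FILE DENY_FILE USER...
# Prints "USER RESULT" per user; feed it every account with a login shell.
audit_scheduler() {
  local allow="$1" deny="$2" u
  shift 2
  for u in "$@"; do
    printf '%s %s\n' "$u" "$(scheduler_access "$allow" "$deny" "$u")"
  done
}

# make_sample_files: constructed allow/deny files in a temp dir; prints the dir.
make_sample_files() {
  local d
  d=$(mktemp -d)
  printf 'alice\nops\n' > "$d/cron.allow"
  printf 'bob\n' > "$d/cron.deny"
  printf '%s\n' "$d"
}

# Real-host usage:
#   audit_scheduler /etc/cron.allow /etc/cron.deny $(cut -d: -f1 /etc/passwd)
#   audit_scheduler /etc/at.allow   /etc/at.deny   $(cut -d: -f1 /etc/passwd)
```

The practical point for the review is step 2: once an allow file exists, the deny file is ignored, so an account added to cron.deny while cron.allow is present is still blocked only if it is absent from cron.allow.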
==================================================================
[Windows server]
1. Set timeout of RDP and Terminal sessions
- Set a timeout for each session when a user connects remotely to the server. Ex: 15-30 min per session

How to config:
- Config RDP Timeout:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits

- Config Terminal Timeout:
The relevant Registry key is typically:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

2. Set a timeout for SMB
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find: Microsoft network server: Amount of idle time required before suspending session
- Set it to between 0 and 15 minutes.

3. Enable restriction of anonymous network access to SAM accounts (Security Account Manager)
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find the items below and change them from Disabled to Enabled:
           Network access: Do not allow anonymous enumeration of SAM accounts
           Network access: Do not allow anonymous enumeration of SAM accounts and shares

4. Check and stop unnecessary running services
- Run > type Services.msc
- Check all running services, review which ones are unnecessary, and disable them

Ex:
- World Wide Web Publishing
- NetBIOS
- FTP
- Alerter
- Automatic Updates
- Clipbook
- Computer Browser
- Cryptographic services
- DHCP Client
- Distributed Link Tracking Client, Server
- DNS Client
- Error reporting services
- Human Interface device access
- IMAPI CD-Burning COM service
- Messenger
- NetMeeting Remote Desktop Sharing
- Portable Media Serial Number
- Print Spooler
- Remote Registry
- Simple TCP/IP services
- Wireless Zero Configuration

5. CGI path permission in IIS
- Go to IIS > Sites > Right Click > Edit Permissions
- Change the permissions of the CGI path
- Remove the Everyone permission; access should be granted only to the Admin/System accounts.

6. Remove Handler Mappings in IIS
- Go to IIS > Sites > Select [Site]
- Select Handler Mappings
- Remove the mappings for the extensions below: .htr (Web-based password reset), .idc (Internet Database Connector), .stm, .shtm, .shtml, .printer (Internet Printing), .htw, .ida, .idq (Index Server)

7. Rename the Administrator account
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find: Accounts: Rename administrator account
=> Set another name that is difficult to guess

8. Disable unnecessary scheduled tasks
- Review Task Scheduler and disable the unnecessary tasks.

9. Don't display last sign-in
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find: Interactive logon: Don't display last signed-in
- Change Disabled => Enabled

10. Set ScreenSaver Display Time
- Should set the time to less than 10 minutes.

11. Insufficient access restrictions for security management network services
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > User Rights Assignment
- Find: Access this computer from the network
- Review the listed users and groups and remove the unnecessary ones.
Ex: Remove the Everyone group.

12. SNMP Service
- Review the SNMP service in services.msc and stop it if it is not used

13. IIS - set error pages
Set a custom error page for each error code: 400, 401, 403, ...
- IIS > Sites > select [site] > Error Pages > set an error page for each status code

14. Allow user authentication: local logon
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > User Rights Assignment
- Find: Allow log on locally
- Check and review every user/group listed other than "Administrator"

15. Security Management System Usage Precautions
- Go to Run > secpol.msc (Local Security Policy) > Local Policies > Security Options
- Find: Interactive logon: Message text for users attempting to log on
- Set a warning message/policy/notice...

This list is still being updated.
