2018-BSG-ART-02

ACTIVITY REPORT
Case No: 22310

CLIENT INFORMATION
Client Name: Manulife Philippines
Site Address: 8th Floor NEX Tower, 6786 Ayala Ave, Makati, 1229
Contact Person: Carlito F. Mamarlao
Contact Number: +639277380754 Email Address: carlito_mamarlao@manulife.com
Reference SAR No.:

PURPOSE
Project Implementation/HAT/
Preventive Maintenance System Health Check
Site Survey
Move, Add & Change Equipment Inventory ON CALL

ENGINEER INFORMATION
Name: Carlo Louie M Ortuoste
Division: BSG Department: SSBSG
Activity Start Date: 30 April 2021 Activity Start Time: 0800H
Activity End Date: 30 April 2021 Activity End Time: 1800H

EQUIPMENT DETAILS
Part/Material Code/Dongle/ System ID Serial Number Remarks
MLISPHSRVR021DC 10.42.80.32

CASE STATUS
(Kindly provide an EXPLANATION of the selected Case Status in the Remarks field below. The explanation should answer WHY or HOW that case status was selected.)
Selected  Case Code  Code Description        Remarks
          CLO        Closed
X         RES        Resolved                The case is for closure
          WIP        Work In Progress
          PWC        Pending with Client
          PAR        Pending With Parts
          PRI        Pending With Principal
          PWR        Pending With Requester

©Copyright 2018, TRENDS

Form Title Version Author Released by Released


October 2018
TRENDS Activity Report 2.0 BSG Customer Services Group
Page 1 of 41

DESCRIPTION OF ACTIVITY
• CVE-2021-1636 patching for SQL Server 2016 version 13.0.5026
• CVE-2020-1455 patching for SQL Server Management Studio to 15.0.1834.0
• OS Hardening via Windows Local Group Policy Editor and Registry Editor

ACTIONS TAKEN
Actions taken during the scheduled activity:

MLISPHSRVR021DC with IP Address of: 10.42.80.32

I. Vulnerability Assessment Remediation

A. CVE-2021-1636 SQL Server 2016 Patching

Double-click on the patch installer to begin

Accept the license terms then click Next


For Select Features, click Select All, then click Next

Wait for the file checking to complete, then click Next


Review the update summary using the scroll bar on the right side, then click Update.

Wait for the patch to finish.


The SQL Server 2016 patch operation was completed. Every feature listed under the patch must show
Succeeded after the installation. Click Close to finish the process.

Open SQL Server Management Studio 18, log in to the server using any authentication
method, open New Query, type “SELECT @@VERSION”, then click Execute.


B. CVE-2020-1455 SQL Server Management Studio (SSMS) Patching


Double-click the setup installer to begin

The installation setup will be displayed, click Next to continue.

Wait for the installation to finish


For the changes from the SSMS patching to take effect, reboot the system. Click Restart.

After the system reboot, open SQL Server Management Studio (SSMS), go to the Help tab,
and select About to display the system version.


II. Windows Server 2016 Operating System Hardening


A. Local Group Policy Editor
On Start Menu, run Command Prompt as Administrator.

Run the command “gpedit” to open the Local Group Policy Editor.

Local Group Policy Editor window will be displayed.


Listed below are the items that were configured using Local Group Policy Editor:
• Interactive logon: message title for users attempting to log on

• Interactive logon: message text for users attempting to log on


• Microsoft network server: Digitally sign communications (always)

• Microsoft network server: Digitally sign communications (if client agrees)


• Network access: Do not allow anonymous enumeration of SAM accounts and shares

• Microsoft network server: Server SPN target name validation level


• Network security: Allow Local System to use computer identity for NTLM

• Network security: Allow LocalSystem NULL session fallback


• Network security: Allow PKU2U authentication requests to this computer to use online identities

• Network security: Configure encryption types allowed for Kerberos


• Network security: LAN Manager authentication level

• Network security: Minimum session security for NTLM SSP based (including secure RPC) servers


• Audit PNP Activity

• Audit Group Membership


• Enable insecure guest logons

• Turn On Virtualization Based Security


• Use enhanced anti-spoofing when available

• Specify the maximum log file size (security)


• Specify the maximum log file size (application)

• Specify the maximum log file size (system)


• Audit Credential Validation

• Audit Kerberos Authentication Service


• Audit Kerberos Service Ticket Operations

• Audit Application Group Management


• Audit Distribution Group Management

• Audit Other Account Management Events


• Audit IPSec Extended Mode

• Audit IPSec Main Mode


• Audit IPSec Quick Mode

• Audit Network Policy Server


• Audit Other Logon/Logoff Events

• Audit User/Device Claims


• Audit Application Generated

• Audit Central Access Policy Staging


• Audit Certification Services

• Audit SAM


• Audit Authorization Policy Change

• Audit MPSSVC Rule-Level Policy Change


• Audit Filtering Platform Change

• Audit Non-Sensitive Privilege Use


• Audit Other Privilege Use

• Audit Sensitive Privilege Use


• Disallow Autoplay for Non-Volume Devices

• Set the default behavior for autorun


• Remote Desktop Connection Client > Do not Allow Passwords to be saved

• Search > Allow indexing for encrypted files


• WINRM Client > Allow Basic Authentication

• WINRM > Allow unencrypted traffic


• WINRM Service > Allow Basic Authentication

• Devices: Allowed to format and eject removable media


• Audit Registry (SACL)

• Audit Other Object Access Events


• Audit Kernel Object

• Audit Handle Manipulation


• Audit File System

• Audit File Share


• Turn Off Multicast Name Resolution
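
The "Audit ..." items in the list above can be read back from the server after configuration. The script below is an added example, not part of the original report: it queries the effective advanced audit policy with auditpol.exe and saves the result as evidence. The subcategory list (a subset of the report's items, assuming English names as printed by auditpol) and the output file name are assumptions.

```powershell
# Added example (not from the original report): read back the effective
# advanced audit policy for subcategories named in the list above.
# Run from an elevated PowerShell prompt; the query itself is read-only.

# Assumption: English subcategory names as printed by auditpol.exe.
# This is a subset of the report's "Audit ..." items; extend as needed.
$Subcategories = @(
    'Credential Validation', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'SAM', 'Registry',
    'Kernel Object', 'Handle Manipulation', 'File System', 'File Share'
)

function Get-AuditSubcategoryState {
    param([Parameter(Mandatory)][string[]]$Name)

    # /r emits CSV; drop blank lines before parsing.
    $rows = auditpol.exe /get /category:* /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    if (-not $rows) { throw 'auditpol returned no data (is the prompt elevated?)' }

    foreach ($n in $Name) {
        $row = $rows | Where-Object { $_.Subcategory -eq $n } | Select-Object -First 1
        [pscustomobject]@{
            Subcategory = $n
            # Success, Failure, Success and Failure, or No Auditing
            Setting     = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND (check name)' }
        }
    }
}

$state = Get-AuditSubcategoryState -Name $Subcategories
$state | Format-Table -AutoSize

# Keep the read-back with the activity report as a record of what was applied.
# The file name is hypothetical.
$state | Export-Csv -Path ".\audit-policy-${env:COMPUTERNAME}.csv" -NoTypeInformation
```

A subcategory reported as No Auditing after the Group Policy change points to a setting that did not apply or was overridden.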

B. Registry Editor
On Start Menu, type Run


On Run, type “regedit.exe” to open the Registry Editor

To back up the current registry configuration, right-click Computer, then select Export.

Input the file name for the registry back-up and then click Save.


Below is the image of the completed registry keys created under the SCHANNEL / Ciphers directory for
the MLISPHSRVR021DC server:

For SSL 3.0

For TLS 1.2
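
The registry backup and the SCHANNEL keys described above can also be captured as text. The script below is an added example, not part of the original report: it exports the SCHANNEL subtree to a .reg file and lists the Enabled and DisabledByDefault values for SSL 3.0, TLS 1.2 and every key under Ciphers. The function names and the backup file name are hypothetical.

```powershell
# Added example (not from the original report). Read-only apart from the
# .reg export file it writes; run from an elevated PowerShell prompt.
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Export-SchannelBackup {
    param([string]$File = '.\schannel-backup.reg')   # hypothetical file name
    & reg.exe export "HKLM\$SchannelPath" $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with code $LASTEXITCODE" }
    Get-Item $File
}

function Get-SchannelSetting {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelPath)
    if ($null -eq $root) { throw 'SCHANNEL key not found' }

    $paths = @('Protocols\SSL 3.0\Server', 'Protocols\SSL 3.0\Client',
               'Protocols\TLS 1.2\Server', 'Protocols\TLS 1.2\Client')

    # Cipher key names such as "RC4 128/128" contain "/", which the PowerShell
    # registry provider treats as a path separator; the .NET API does not.
    $ciphers = $root.OpenSubKey('Ciphers')
    if ($ciphers) {
        $paths += @($ciphers.GetSubKeyNames() | ForEach-Object { "Ciphers\$_" })
    }

    foreach ($p in $paths) {
        $k = $root.OpenSubKey($p)
        [pscustomobject]@{
            Key               = $p
            Present           = [bool]$k   # absent key: the OS default applies
            # DWORD values; 0xFFFFFFFF is returned as -1 by the .NET API
            Enabled           = if ($k) { $k.GetValue('Enabled') } else { $null }
            DisabledByDefault = if ($k) { $k.GetValue('DisabledByDefault') } else { $null }
        }
    }
}

Export-SchannelBackup
Get-SchannelSetting | Format-Table -AutoSize
```

SCHANNEL reads these values at startup, so the listing reflects what will be in effect after the next reboot.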


Disable SMBv1 Protocol to avoid possible ransomware attacks

• On the Start Menu, type “windows powershell”, then run it as Administrator.

• The Windows PowerShell window will be displayed. Enter the command
“Get-WindowsOptionalFeature -Online -FeatureName smb1protocol” to determine the status of the
said protocol.

• If it is enabled by default, it must be disabled. Enter the command
“Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol”, then type “Y” (Yes) to
reboot the system.


The image below will also be shown while smb1protocol is being disabled:

• After the system boots, repeat the same procedure to check the status of smb1protocol.

The result should be shown as Disabled for smb1protocol.
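
The post-reboot check above can be scripted. The script below is an added example, not part of the original report: it combines the feature state from the command used above with the SMB server configuration and any logged SMBv1 access attempts. The function name Get-Smb1Status is hypothetical, and the event count is only meaningful if SMB1 auditing was switched on beforehand.

```powershell
# Added example (not from the original report); run elevated. Read-only.
function Get-Smb1Status {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
    $server  = Get-SmbServerConfiguration

    # SMB1 access attempts are logged as event 3000 only while auditing is on
    # (Set-SmbServerConfiguration -AuditSmb1Access $true).
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
    } -MaxEvents 50 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        FeatureState      = [string]$feature.State
        # DisablePending / EnablePending mean the reboot has not happened yet
        RebootOutstanding = ([string]$feature.State) -like '*Pending'
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        Smb1AuditEnabled  = $server.AuditSmb1Access
        RecentSmb1Events  = $events.Count
    }
}

$s = Get-Smb1Status
$s | Format-List
if ($s.FeatureState -ne 'Disabled' -or $s.ServerSmb1Enabled) {
    Write-Warning 'SMBv1 is not fully disabled yet (see state above); reboot or re-check.'
}
```

A nonzero RecentSmb1Events count identifies clients that were still negotiating SMBv1 and will lose access once the protocol is off.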

FINDINGS
• NOTE: Some items listed in the OS Hardening spreadsheet file were not configured, as verified with
the client during the said activity. These mostly pertain to password policies and remote desktop connection
configurations, both of which seemed vital given the current work-from-home situation, in which the
said server is accessed remotely.
• NOTE: On the other hand, for the Vulnerability Assessment remediation, only CVE-2021-1636 and CVE-2020-1455
were accommodated and patched, because the client’s Windows Server 2016 is currently updated to the latest
version. Further attempts to install other vulnerability patches resulted in several “patch is not applicable”
messages because, as stated previously, the system is up to date.

RECOMMENDATIONS
N/A
