Azure Vulnerability Management Lab: Assessing and Remediating Security Risks with OpenVAS


Introduction:

In this lab, I will go through the process of setting up a vulnerability management environment in Azure. My goal is to learn how to configure and use OpenVAS, a vulnerability scanner, to identify and assess security vulnerabilities in a Windows virtual machine (VM). I will perform both uncredentialed and credentialed scans, apply remediations, and verify the effectiveness of the remediation measures.

Prerequisites:

  • Computer with Internet access
  • Azure Account (Free subscription may be sufficient)
  • Access to Azure Portal
    • Sign up: https://azure.microsoft.com/en-us/free/
    • Login: https://portal.azure.com

Lab Steps:

Task 1: Prepare the Vulnerability Management Scanner

  • Access the Azure Portal and navigate to the Marketplace.
  • Search for "OpenVAS secured and supported by HOSSTED" and select it.
  • Choose a pre-set configuration and create the VM with the specified settings (choose a General Purpose virtual machine).
  • Virtual Machine Settings:

| Setting | Value |
| --- | --- |
| Resource Group | Vulnerability-Management |
| VM Name | OpenVAS |
| Region | East US (take note of the region and Vnet; the client VM must use the same ones later) |
| Authentication | Password (provide a username/password) |

    (Screenshot: Open VAS VM Basic Settings)

  • On the Disks, Networking, Management, and Advanced tabs, leave the default settings.

  • On the Monitoring tab, disable boot diagnostics, as it will not be needed in the lab. You can learn more about boot diagnostics here.
    (Screenshot: Open VAS VM Monitoring Settings)

  • Review Create → Create

  • Connect to the OpenVAS VM via SSH using PowerShell (Windows) or Terminal (macOS).

  • Wait until the OpenVAS deployment completes, then access the web app URL (for this example: https://172.190.177.16.c.hossted.com).

    (Screenshot: SSH Login to OpenVAS VM)

  • Log in with the provided credentials, or try admin/admin if needed (admin/admin was used below).

    (Screenshot: Open VAS Login (admin))

  • Reset the admin password to a password of your choosing; in this example I use "incorrect".

    • To change the password, click the person icon at the top right of the page, then select the pencil/note icon near the top left of the page. A pop-up lets you replace the old password with the new one.
      (Screenshot: Change Open VAS Password)

    • If for some reason no default value is shown for rows per page, enter 10 and click Save. If that doesn't work and it still doesn't accept your input, try a different browser with the web app URL to change the password.

Task 2: Create a Client Virtual Machine and Make it Vulnerable

  • Create a new Virtual Machine in the Azure Portal with the following settings:

| Setting | Value |
| --- | --- |
| Resource Group | Vulnerability-Management (same as previous) |
| VM Name | Win10-Vulnerable |
| Region | Same as the OpenVAS VM (East US) |
| Virtual Network | Same as OpenVAS (this is important) |
| Image | Windows 10 Pro |
| Size | Any size with 2 vCPUs |
| Username / Password | Labuser / incorrect! (whichever you prefer and can easily remember) |
| Networking | Same Vnet as OpenVAS |

  • The other VM tabs were left at their defaults; no additional changes were made.

  • Review Create → Create the VM

    • Ensure you can RDP into the VM after it's created.
    • While inside the vulnerable VM, disable the Windows Firewall and install the outdated software (be sure this is done inside the virtual machine).
    • Install each program with the defaults; no changes or adjustments are needed here.
    • Restart the VM and leave it for now.

Task 3: Configure OpenVAS for Unauthenticated Scan against Vulnerable VM

  • Log in to OpenVAS and add the Client VM's (Win-10 Vulnerable) private IP address as a new host.
    • Hover over Assets → Host → New Host Icon at the top left.
  • Create a new target named "Azure Vulnerable VMs" using the host information.

(Screenshot: Create a new target from the host)

Note: As you scroll down the page, take note of the credentials section and leave it at the defaults. We will add SMB credentials later.
(Screenshot: New target azure vulnerable vms)

  • Create a new task named "Scan - Azure Vulnerable VMs" with the target.

    • Hover over Scans → Task → New Task icon at the top left.
    • Scan Targets → "Azure Vulnerable VMs" (the target we created previously).
      (Screenshot: Create a new scan task)
  • Start the scan and review the results once it's completed.

    • The status will change from Requested → Queued → percentage complete → Done.
      (Screenshot: Start uncredentialed vulnerability scan)
    • After pressing the ▶️ button, the status shows the scan loading.
      (Screenshot: Uncredentialed scan status loading)
    • Once the status is Done, select the report to review the vulnerabilities found by the uncredentialed scan.
      (Screenshot: Uncredentialed scan done)
  • To remove the report's default filter, select the X near the top of the page; more vulnerabilities will be displayed.

    Note: Once the filter is removed, the report also shows findings with a severity of 0.0.
    (Screenshot: Filtered results of non-credentialed scan)

Task 4: Configure Credentialed Scans within VM and OpenVAS

Make necessary configurations within the vulnerable VM (Windows settings).

  • Disable Firewall (done in Task 2 if you happen to have missed it there)

  • Disable User Account Control
    (Screenshot: disable user account control)

  • Enable Remote Registry

    • Search for Services.msc at the bottom left of the Windows machine.
    • Scroll down to Remote Registry → double-click (to open it) → set Startup Type to Automatic → Start → Apply → OK.
    (Screenshot: Enable remote registry)
  • Set Registry Key

    • Launch Registry Editor (regedit.exe) in "Run as administrator" mode and grant Admin Approval, if requested.
    • Navigate to the HKEY_LOCAL_MACHINE hive.
    • Open the SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key.
    • Create a new DWORD (32-bit) value with the following properties:
      (Screenshot: create secret key)
      • Name: LocalAccountTokenFilterPolicy (after DWORD (32-bit) is selected, enter LocalAccountTokenFilterPolicy with no spaces).
      • Value: 1 (double-click LocalAccountTokenFilterPolicy → change the value from 0 to 1 → OK).
        (Screenshot: Edit dword value 1)
    • Close Registry Editor.
    • Restart the VM.
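The Windows-side prerequisites for the SMB credentialed scan (Remote Registry running, LocalAccountTokenFilterPolicy set to 1) can also be applied and checked from an elevated PowerShell prompt inside the client VM. The script below is an added example written for this write-up, not part of the original lab; it assumes a Windows 10 Pro lab VM, an administrator session, and the function names are its own. It also includes a revert function, since both settings widen the VM's remote attack surface and are only needed while the scanner runs.

```powershell
# Added example (not from the lab): apply and verify the Task 4 prerequisites for a
# credentialed OpenVAS scan. Assumes an elevated session on the Win10-Vulnerable VM.
#Requires -RunAsAdministrator

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Enable-LabCredentialedScan {
    # Remote Registry: startup type Automatic, then start it (same as the Services.msc steps)
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry

    # LocalAccountTokenFilterPolicy = 1 lets the local account used by the scanner keep a
    # full administrative token over the network, which the SMB-based checks require
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-LabCredentialedScan {
    # Returns an ordered hashtable describing whether each prerequisite is in place
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $val = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    $fw  = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }
    [ordered]@{
        RemoteRegistryRunning  = ($svc -and $svc.Status -eq 'Running')
        TokenFilterPolicyIsOne = ($val -eq 1)
        FirewallProfilesOn     = @($fw).Name   # empty when the firewall was disabled in Task 2
    }
}

function Disable-LabCredentialedScan {
    # Revert after the lab: remove the policy value and stop/disable Remote Registry so the
    # settings do not outlive the scan window
    Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    Set-Service -Name RemoteRegistry -StartupType Disabled
}

Enable-LabCredentialedScan
Test-LabCredentialedScan
```

Test-LabCredentialedScan is the useful part to keep around: run it before starting the credentialed task in OpenVAS, and if RemoteRegistryRunning or TokenFilterPolicyIsOne comes back False the scanner will log in but fall back to largely uncredentialed results. Run Disable-LabCredentialedScan once Task 7 is done.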

Make corresponding configurations in OpenVAS for credentialed scans.

  • Go to Configuration → Credentials → New Credential
  • Name / Comment → "Azure VM Credentials"

| Setting | Value |
| --- | --- |
| Allow Insecure Use | Yes |
| Username | azureuser |
| Password | password (same password as the vulnerable VM) |

  • Save
    (Screenshot: create new credentials openvas)

  • Go to Configuration → Targets → CLONE the target we made before
    (Screenshot: Clone Targets)

  • NEW Name / Comment: "Azure Vulnerable VMs - Credentialed Scan"

  • Ensure the private IP is still accurate

  • Credentials → SMB → select the credentials we just made: Azure VM Credentials
    (Screenshot: New Name for Target Credentialed Scan)

  • Save

Task 5: Execute Credentialed Scan against Vulnerable VM

Clone the previous scan task and edit it for credentialed scanning.

  • CLONE the “Scan - Azure Vulnerable VMs” Task, then Edit it:

  • Name / Comment → “Scan - Azure Vulnerable VMs - Credentialed”

  • Targets: Azure Vulnerable VMs - Credentialed Scan
    (Screenshot: Create New Name for Credentialed Scan Clone)

  • Save

  • Click the ▶️ button to launch the new credentialed scan, and wait for it to finish.
    (Screenshot: Start Credentialed Scan)

    Note: Since this is a credentialed scan, it will take longer than the last one.
    (Screenshot: Wait for it to finish)

Once the credentialed scan finishes, observe the differences in findings compared to the unauthenticated scan.
(Screenshot: completed credentialed scan)

Results of the credentialed scan:
(Screenshot: credentialed scan results)

Task 6: Remediate Vulnerabilities

Log back into the Win10-Vulnerable VM and uninstall outdated software.

  • Search Control Panel → Uninstall Programs → select each of the outdated programs (VLC media player 1.1.7, Mozilla Firefox (x64 en-US), Adobe Reader X) and uninstall it.
    (Screenshot: Uninstall Programs)
  • Restart the VM to apply the changes.
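The same inventory that Control Panel shows (and that the credentialed scan reads over SMB) lives in the registry Uninstall keys, so the removal step can be scripted and checked from inside the VM. The script below is an added example for this write-up, not the lab's own procedure; it assumes an elevated PowerShell session on Win10-Vulnerable, that the three programs are registered under the display names the lab lists, and that the non-MSI uninstallers accept the usual /S silent switch (an assumption, as is every function name here).

```powershell
# Added example (not from the lab): list and remove the outdated programs from Task 6,
# then list again so the before/after state matches what the Task 7 re-scan will see.
# Assumes an elevated session on the Win10-Vulnerable VM.
#Requires -RunAsAdministrator

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    # Same registry data Control Panel's "Uninstall a program" view is built from
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, UninstallString, QuietUninstallString
}

function Find-LabOutdatedProgram {
    # Patterns default to the three packages the lab installed on purpose
    param([string[]]$Patterns = @('VLC media player', 'Mozilla Firefox', 'Adobe Reader'))
    Get-InstalledProgram | Where-Object {
        $name = $_.DisplayName
        $Patterns | Where-Object { $name -like "*$_*" }
    }
}

function Remove-LabOutdatedProgram {
    # Uses each vendor's registered uninstaller, preferring the quiet variant when present
    foreach ($p in Find-LabOutdatedProgram) {
        $cmd = if ($p.QuietUninstallString) { $p.QuietUninstallString } else { $p.UninstallString }
        if (-not $cmd) { Write-Warning "No uninstall string for $($p.DisplayName)"; continue }
        Write-Host "Uninstalling $($p.DisplayName) $($p.DisplayVersion)"
        if ($cmd -match '^MsiExec\.exe\s+/[IX](\{[^}]+\})') {
            # MSI-based entries (Adobe Reader) register msiexec with a product GUID; run a silent removal
            Start-Process msiexec.exe -ArgumentList "/x $($Matches[1]) /qn /norestart" -Wait
        } else {
            # Assumption: NSIS-style uninstallers (VLC, Firefox helper) honour /S for silent mode
            Start-Process cmd.exe -ArgumentList "/c `"$cmd /S`"" -Wait
        }
    }
}

Find-LabOutdatedProgram | Format-Table DisplayName, DisplayVersion
Remove-LabOutdatedProgram
Find-LabOutdatedProgram | Format-Table DisplayName, DisplayVersion
```

The second Find-LabOutdatedProgram call should print nothing; anything still listed there is exactly what the credentialed re-scan in Task 7 will keep flagging, so it is a quicker check than waiting for the scan to run.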

Task 7: Verify Remediations

Re-initiate the credentialed scan (“Scan - Azure Vulnerable VMs - Credentialed") and observe the updated results.

Note: In the Trend column, we can see a downward trend now that we have removed the outdated programs.
(Screenshot: Credentialed scan results (removed outdated programs))

  • The vulnerabilities for Firefox, VLC Player, and Adobe Reader are no longer present. Additionally, we can drill down into the report results to view the impact of the remaining vulnerabilities and the available solutions.
    (Screenshot: expanded result of windows iexpress)

Clean Up Resources

  • Upon completion of the lab, the resources can now be deleted. The easiest way to do this is to delete the resource group, as it contains all of the resources.
    (Screenshot: Delete resource group)

Reflection:

This lab provided hands-on experience in setting up and using a vulnerability management scanner with Azure and OpenVAS. It highlighted the importance of proactive vulnerability management and the impact of misconfigurations and outdated software on system security.

Configuring OpenVAS for unauthenticated scans and performing the scans allowed me to identify vulnerabilities and understand the need for regular scanning to detect security risks.

Implementing credentialed scans and comparing the results with unauthenticated scans demonstrated the value of using proper credentials for accurate vulnerability identification.

Remediating vulnerabilities by uninstalling outdated software and verifying the changes through subsequent scans reinforced the importance of timely actions to reduce the attack surface.

Conclusion:

This lab enhanced my understanding of vulnerability management and the continuous effort required for maintaining a secure environment. It emphasized the significance of proactive security practices, timely remediation, and the value of comprehensive scanning approaches.

I now possess practical knowledge and skills in vulnerability management using Azure and OpenVAS, ready to apply them in real-world scenarios and contribute to effective system protection.