This page details remediations for some common penetration test findings...
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\"RC4*" -Name "Enabled"
The value of Enabled should be 0.
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\"RC4*" -Name "Enabled" -Value 0
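The wildcard commands above only touch RC4 subkeys that already exist and already carry an Enabled value. The script below is an added example, not part of the original page: it reports every RC4 subkey, including ones that are missing or have no explicit setting, and writes Enabled = 0 when run with -Fix. The -Fix switch and the variable names are assumptions made for this example; the four subkey names are the RC4 entries Microsoft documents for SCHANNEL.

```powershell
# Added example, not from the original page. Uses the .NET registry API because
# the RC4 subkey names contain "/", which the PowerShell registry provider
# treats as a path separator when creating keys.
param([switch]$Fix)   # hypothetical switch: without it the script only reports

$ciphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
# RC4 subkey names documented by Microsoft for SCHANNEL
$rc4Keys = 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$results = foreach ($name in $rc4Keys) {
    # Open read-only for an audit, writable when remediating
    $key = $hklm.OpenSubKey("$ciphers\$name", [bool]$Fix)
    if (-not $key -and $Fix) {
        # Subkey absent: create it so an explicit setting can be written
        $parent = $hklm.OpenSubKey($ciphers, $true)
        $key = $parent.CreateSubKey($name)
        $parent.Close()
    }

    $value = $null
    if ($key) { $value = $key.GetValue('Enabled', $null) }

    if ($Fix -and $value -ne 0) {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $value = $key.GetValue('Enabled', $null)
    }
    if ($key) { $key.Close() }

    # Only an explicit 0 counts as disabled; a missing value leaves the OS default in force
    if ($null -eq $value) { $status = 'No explicit setting (OS default applies)' }
    elseif ($value -eq 0)  { $status = 'Disabled' }
    else                   { $status = 'Enabled' }

    [pscustomobject]@{
        Cipher = $name
        Value  = $value
        Status = $status
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code when any RC4 subkey is not explicitly disabled
if ($results | Where-Object Status -ne 'Disabled') { exit 1 }
```

Run it from an elevated session; without -Fix it makes no changes and can be used as a compliance check.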
USE [master]
GO
SELECT name,
issuer_name,
start_date,
expiry_date
FROM sys.certificates
An alternate check is to create a Policy via SSMS.
Server principals with names enclosed by double hash marks (##) are for internal system use only. The following principals are created from certificates when SQL Server is installed, and should not be deleted.
##MS_SQLResourceSigningCertificate##
##MS_SQLReplicationSigningCertificate##
##MS_SQLAuthenticatorCertificate##
##MS_AgentSigningCertificate##
##MS_PolicyEventProcessingLogin##
##MS_PolicySigningCertificate##
##MS_PolicyTsqlExecutionLogin##
These principal accounts do not have passwords that can be changed by administrators as they are based on certificates issued to Microsoft. (1)
These certificates are generated when SQL Server is installed and are used internally by SQL Server. You cannot modify or alter these certificates. (2)
The method below works in:
SQL2016 SP1+
SQL2014 SP3+
SQL2012 SP4+
CREATE EVENT SESSION [tls] ON SERVER
ADD EVENT sqlsni.trace(
WHERE (([sqlserver].[like_i_sql_unicode_string]([text],N'%Handshake%'))))
ALTER EVENT SESSION [tls] ON SERVER
ADD TARGET package0.ring_buffer(SET max_events_limit=(100000),max_memory=(10240))
WITH (MAX_MEMORY=10240 KB,STARTUP_STATE=ON)
GO
ALTER EVENT SESSION [tls] ON SERVER STATE = START;
ALTER EVENT SESSION [tls] ON SERVER STATE = STOP;