Verifying if VA scan's vulnerabilities are false positives

We ran our McAfee Vulnerability Mgr scan against a Windows 2012 R2 server & the report
indicated it's Win 2016 (I don't know why the wrong OS is given) & it gives the 3
vulnerabilities below (which my Wintel colleague says are not applicable to Win 2012
R2), which I'm trying to verify as false positives.

Without installing any tool on the server, how can I verify if they're false +ves :

1) SSLv3 Information Disclosure Vulnerability [FID 17281]
2) TLS/SSL RC4 Cipher Suites Information Disclosure Vulnerability [FID 18179]
3) SSL/TLS Protocol Triple-DES Information Disclosure Vulnerability [FID 20465]

I have the openssl client on my laptop but I can't run it against that server as the
firewall blocks tcp443 from my laptop to that server:
   openssl s_client -connect that_server_IP:443

I'm not allowed to install any tool on other servers in the same subnet as that server
either; so is there any native (ie built-in) way to check?
sunhux asked:
masnrock commented:
One thing you could do is have your Wintel person verify what versions of SSL and TLS are enabled on the servers in question. We're basically at a point where enough bugs have been shown in the protocols (this has no tie to a given OS) that older secure protocols should be getting disabled. Ideally you want to have everything only using TLS 1.2, but if you have to keep anything older enabled for some reason, then it should be documented (along with having a process for someone signing off on accepting the risk). And obviously, you don't want to be using RC4 ciphers.

Chances are these are true positives, and the admin just doesn't want to have to fix it for whatever reason.

Can you connect to any of these servers? You could possibly do tests that way with a browser (which follows the rules because you didn't add tools!). Otherwise, you can load a tool like MS Baseline Analyzer (you can do remote scans) or OpenVAS on a workstation. Nmap would also help you out here: https://danielmiessler.com/blog/check-logjam-nmap/#gs.dzgSAn4
0
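As an added example (not part of masnrock's reply or anything McAfee or Microsoft ship), the "test from a workstation that can reach the port" idea above can be done with nothing but Windows PowerShell and the .NET classes it already has: offer the server one protocol version at a time and record whether the handshake completes and which cipher gets negotiated. The host name `server.example.internal` is a placeholder for the scanned server.

```powershell
# Added example, not from the thread. Probes which SSL/TLS protocol versions a
# server accepts and which cipher it picks, using only .NET classes that ship
# with Windows PowerShell 5.1 / .NET Framework 4.x. Nothing is installed.
$Target = 'server.example.internal'   # placeholder: the server the VA scan flagged
$Port   = 443

# Accept any certificate: we are testing protocol support, not trust.
$trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

function Test-TlsHandshake {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        # Offer exactly one protocol version; failure means this client/server
        # pair could not agree on it.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            # Rc4 or TripleDes here corresponds to FID 18179 / FID 20465
            Cipher     = $ssl.CipherAlgorithm
        }
    } catch {
        [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null; Cipher = $null }
    } finally {
        $tcp.Close()
    }
}

# Ssl3 accepted = FID 17281 is a true positive for this server.
$protocols = @(
    [System.Security.Authentication.SslProtocols]::Ssl3,
    [System.Security.Authentication.SslProtocols]::Tls,
    [System.Security.Authentication.SslProtocols]::Tls11,
    [System.Security.Authentication.SslProtocols]::Tls12
)
$protocols |
    ForEach-Object { Test-TlsHandshake -HostName $Target -Port $Port -Protocol $_ } |
    Format-Table -AutoSize
```

Two caveats when reading the output. A row with `Accepted = True` is conclusive: the server really does speak that version. A `False` row is only conclusive if the workstation's own Schannel policy still allows that version, because a client with SSL 3.0 disabled will fail the `Ssl3` handshake no matter what the server does. Likewise the `Cipher` column shows the suite this client and server agreed on, so seeing AES there does not prove RC4 or 3DES are disabled server-side; that is what the registry check on the server itself answers.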

btan, Exec Consultant, commented:
Check the policy setting:
 Computer Configuration > Administrative Templates > Network > SSL Configuration Settings
Or from the registry at OS level:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
https://support.microsoft.com/en-za/help/187498/how-to-disable-pct-1.0,-ssl-2.0,-ssl-3.0,-or-tls-1.0-in-internet-information-services
0
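To turn btan's pointers into a repeatable read-only check, here is an added example (not from the thread, not a Microsoft tool) that reads the SCHANNEL registry values governing each of the three findings, plus the cipher-suite-order policy value that the Group Policy setting above writes. It only reads HKLM, so it satisfies the "nothing installed on the server" constraint when run locally or over an existing remoting session. The key and value names are the documented SCHANNEL ones; which ones exist on a given server depends on what an admin has explicitly configured.

```powershell
# Added example, not from the thread. Reads the SCHANNEL registry settings
# behind FID 17281 (SSLv3), FID 18179 (RC4) and FID 20465 (3DES). Read-only.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    # .NET registry API rather than the HKLM: drive: cipher key names such as
    # "RC4 128/128" contain a slash that the PowerShell provider would treat as
    # a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Describe-Setting {
    param([string]$Name, $Value)
    if ($null -eq $Value) { return 'not set (OS default applies)' }
    # A DWORD of 0xFFFFFFFF is returned as Int32 -1, so test for zero only.
    $isZero = ([int]$Value -eq 0)
    if ($Name -eq 'DisabledByDefault') {
        if ($isZero) { return 'protocol on by default' }
        return 'protocol off unless an application opts in'
    }
    if ($isZero) { return 'explicitly disabled' }
    return 'explicitly enabled'
}

$checks = @(
    @{ Finding = 'FID 17281 SSLv3'; SubKey = 'Protocols\SSL 3.0\Server'; Name = 'Enabled' },
    @{ Finding = 'FID 17281 SSLv3'; SubKey = 'Protocols\SSL 3.0\Server'; Name = 'DisabledByDefault' },
    @{ Finding = 'FID 18179 RC4';   SubKey = 'Ciphers\RC4 128/128';      Name = 'Enabled' },
    @{ Finding = 'FID 18179 RC4';   SubKey = 'Ciphers\RC4 64/128';       Name = 'Enabled' },
    @{ Finding = 'FID 18179 RC4';   SubKey = 'Ciphers\RC4 56/128';       Name = 'Enabled' },
    @{ Finding = 'FID 18179 RC4';   SubKey = 'Ciphers\RC4 40/128';       Name = 'Enabled' },
    @{ Finding = 'FID 20465 3DES';  SubKey = 'Ciphers\Triple DES 168';   Name = 'Enabled' }
)

$checks | ForEach-Object {
    $value = Get-SchannelValue -SubKey $_.SubKey -Name $_.Name
    $state = Describe-Setting -Name $_.Name -Value $value
    [pscustomobject]@{ Finding = $_.Finding; Key = $_.SubKey; Value = $_.Name; State = $state }
} | Format-Table -AutoSize

# The GPO "SSL Cipher Suite Order" setting lands here as a comma-separated
# list; RC4 or 3DES suites appearing in it means the policy still offers them.
$policyKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
if ($null -eq $policyKey) {
    'Cipher suite order policy: not configured (OS default order applies)'
} else {
    try {
        $suites = ($policyKey.GetValue('Functions') -split ',') | Where-Object { $_ }
        $weak = $suites | Where-Object { $_ -match 'RC4|3DES' }
        "Cipher suite order policy: $($suites.Count) suites, $($weak.Count) using RC4/3DES"
        $weak
    } finally { $policyKey.Close() }
}
```

The important reading rule is that "not set (OS default applies)" is not evidence of a false positive: on Windows Server 2012 R2 the OS default for SSL 3.0, RC4 and 3DES depends on which updates are installed, so an empty key means the server is running whatever that default is. Only an explicit `Enabled = 0` (or `DisabledByDefault = 1` for the protocol) on the server, or a failed handshake from a client known to still offer that version, actually clears the finding. `Get-TlsCipherSuite` would give the effective list directly, but that cmdlet only ships with Windows Server 2016 and later, which is why this example reads the registry instead.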
Rajul Raj, Information Security Officer, commented:
Use Nexpose for performing VA.
0