Author: Michael Mensah
Platform: Microsoft Azure
Scanner: Tenable Vulnerability Management (Tenable.io)
Status: Windows Lab ✅ Complete | Ubuntu Lab ✅ Complete
This repository documents an end-to-end vulnerability management lab simulating the workflow of a real-world VM analyst. Two Azure-hosted virtual machines — a Windows 11 Pro workstation and an Ubuntu 24.04 LTS server — are assessed across multiple scan cycles covering the full vulnerability management lifecycle: asset discovery, credentialed scanning, intentional misconfiguration, prioritized remediation, validation scanning, and formal risk documentation.
The goal is not simply to run scans and fix findings — it is to demonstrate the analytical thinking, prioritization decisions, and documentation practices that define a mature vulnerability management program.
Vulnerability management is one of the most operationally critical functions in a security program. Organizations face a constant backlog of findings across hundreds or thousands of assets, and the difference between a well-run VM program and a reactive one comes down to process — how findings are discovered, assessed, prioritized, remediated, and tracked.
This lab recreates that process from scratch on two platforms that represent the most common asset types in enterprise environments: a Windows workstation and a Linux server. By working through both, this project demonstrates the ability to manage vulnerabilities across heterogeneous environments — a core expectation for SOC analysts, vulnerability management engineers, and incident responders.
```
Microsoft Azure
│
├── Windows 11 Pro VM (mike-vm-lab)
│   ├── Tenable unauthenticated scan (external perspective)
│   ├── Tenable credentialed scan — clean baseline
│   ├── Intentional vulnerabilities introduced
│   ├── Tenable credentialed scan — vulnerable state
│   ├── Full remediation performed
│   └── Tenable credentialed scan — post-remediation validation
│
└── Ubuntu 24.04 LTS VM (mike-vm-lab-ubuntu)
    ├── Tenable unauthenticated scan (external perspective)
    ├── Tenable credentialed SSH scan — clean baseline
    ├── Intentional vulnerabilities introduced
    ├── Tenable credentialed SSH scan — vulnerable state
    ├── Full remediation performed
    └── Tenable credentialed SSH scan — post-remediation validation
```
Each lab follows a consistent four-scan structure designed to tell a complete risk story.
1. Unauthenticated scan (external perspective): Simulates an external attacker's view — what is visible from the internet without credentials. This scan reveals open ports, exposed services, and network-layer issues. It intentionally cannot see inside the operating system.
2. Credentialed scan, clean baseline: Authenticates to the asset and inspects it from the inside — reading registry keys or installed packages, checking patch levels, and auditing configurations. This establishes the true starting risk posture before any changes are made. On Windows, Tenable authenticates via SMB. On Linux, Tenable authenticates via SSH.
3. Credentialed scan, vulnerable state: Performed after deliberately introducing misconfigurations and insecure software to simulate a neglected or improperly managed asset. This scan demonstrates how quickly risk accumulates when patch management and configuration hardening are neglected.
4. Credentialed scan, post-remediation validation: Performed after all findings have been addressed. This is the validation scan — it proves that remediation was successful and serves as the new clean baseline.
One of the central demonstrations of this lab is the difference between unauthenticated and credentialed scan results on the same asset, shown here for both platforms.
Windows:
| Severity | Unauthenticated Scan | Credentialed Baseline Scan |
|---|---|---|
| Critical | 0 | 0 |
| High | 0 | 5 |
| Medium | 4 | 2 |
| Low | 1 | 2 |
| Info | 31 | 127 |
| Total | 36 | 136 |
Ubuntu:
| Severity | Unauthenticated Scan | Credentialed Baseline Scan |
|---|---|---|
| Critical | 0 | 2 |
| High | 0 | 4 |
| Medium | 0 | 7 |
| Low | 1 | 2 |
| Info | 22 | 61 |
| Total | 23 | 76 |
On both platforms, the unauthenticated scan found zero Critical or High severity findings. The credentialed scans on the same machines surfaced findings that were completely invisible without authentication. Organizations that rely only on network-layer scanning are missing the majority of their actual risk exposure. Credentialed scanning is the standard for any mature enterprise VM program.
| Metric | Value |
|---|---|
| Cloud Platform | Microsoft Azure |
| OS | Windows 11 Pro |
| Scan Tool | Tenable Vulnerability Management |
| Peak Risk Score | 778 (52 Critical, 27 High) |
| Final Risk Score | 13 (0 Critical, 0 High) |
| Risk Reduction | 98.3% |
| Criticals Eliminated | 52 of 52 (100%) |
| Highs Eliminated | 27 of 27 (100%) |
Vulnerabilities introduced:
- Mozilla Firefox 110.0b5 (outdated browser — 30+ versions behind)
- Oracle Java JRE 8u202 (2019 runtime — 7 years of unpatched CVEs)
- Wireshark 2.2.1 (end-of-life, unsupported since 2017)
- MSXML 4.0 (end-of-life Microsoft XML library)
- SMBv1 enabled (legacy protocol behind EternalBlue/WannaCry)
- Windows Firewall disabled
Remediation highlights:
- Software upgraded or removed across all four insecure applications
- SMBv1 disabled via PowerShell
- Windows Update applied for Outlook, Notepad, Teams, and Defender patches
- CVE-2013-3900 resolved via manual registry fix — a configuration-based remediation that Windows Update cannot address
📂 View Scan Reports | 📄 View Risk Management Report
| Metric | Value |
|---|---|
| Cloud Platform | Microsoft Azure |
| OS | Ubuntu 24.04 LTS |
| Scan Tool | Tenable Vulnerability Management |
| Peak Risk Score | 71 (2 Critical, 4 High) |
| Final Risk Score | 16 (0 Critical, 1 High) |
| Risk Reduction | 77.5% |
| Criticals Eliminated | 2 of 2 (100%) |
| Highs Eliminated | 3 of 4 (75%) |
Vulnerabilities introduced:
- vsftpd FTP server (unencrypted file transfer — credentials transmitted in plaintext)
- telnetd (unencrypted remote access — superseded by SSH)
- Samba (SMB file sharing — introduced SMB Signing Not Required finding)
- UFW firewall disabled
- Root password set to "root" (trivially guessable credential)
- PermitRootLogin enabled (bypasses least-privilege, removes accountability)
Remediation highlights:
- Full system update via `apt update && apt upgrade` resolved all USN-based findings
- vsftpd, telnetd, and Samba removed — attack surface reduced
- UFW re-enabled with default-deny policy
- SSH hardened — root login disabled
- Remaining Vim findings formally accepted via Ubuntu backporting risk acceptance
📂 View Scan Reports | 📄 View Risk Management Report
While both labs follow the same four-scan structure and vulnerability management lifecycle, they highlight fundamentally different aspects of enterprise VM practice. Understanding these differences is essential for analysts managing mixed environments.
| Aspect | Windows 11 Pro | Ubuntu 24.04 LTS |
|---|---|---|
| Credentialed Auth Method | SMB (Windows credentials) | SSH (username/password or key) |
| Patch Management | Windows Update + Microsoft Store | apt package manager |
| Vulnerability Source | Outdated third-party software (Firefox, Java, Wireshark) | System library vulnerabilities (curl, glibc, libpng) |
| Risk Spike | Dramatic — 778 peak score (52 Criticals from old software) | Moderate — 71 peak score (system-level findings) |
| Remediation Approach | Mix of patch-based and configuration-based (registry fix) | Primarily package-based (apt upgrade) |
| Unique Challenge | CVE-2013-3900 requires manual registry fix — Windows Update cannot resolve it | Vim findings persist due to Ubuntu backporting — version number alone cannot determine patch status |
| Protocol Risk | SMBv1 enabled — directly tied to EternalBlue/WannaCry | SMB Signing not required — enables relay attacks |
| Firewall | Windows Defender Firewall disabled | UFW disabled |
| Residual Risk | 4 Medium findings (libcurl, SSL certificate) — system component limitations | 4 Vim findings (1 High, 3 Medium) — Ubuntu backporting false positives |
| Key Lesson | Not all remediation is patching — some fixes require manual configuration changes | Version-based detection is insufficient for Ubuntu — USN database must be cross-referenced |
Running the same vulnerability management lifecycle on both platforms in the same project demonstrates something that a single-platform lab cannot — the ability to adapt tools, techniques, and remediation approaches to the environment you are working in. Windows and Linux require different scan configurations, different authentication methods, different patch workflows, and different approaches to interpreting findings. Enterprise environments are almost always mixed, and a VM analyst who only understands one platform has a significant blind spot.
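The backporting caveat in the comparison above (a Vim version string that looks vulnerable upstream but already carries the Ubuntu fix) is the kind of check an analyst can automate. The following Python is an added example, not code from this repository: it implements dpkg's version ordering and classifies constructed sample findings against a small USN fixed-version map; the package versions, finding ids and the `USN_FIXED` entries are assumed sample values, not real notices.

```python
import re

# Added example (not the lab's code): is an Ubuntu version-based finding a backporting
# false positive? Compare the installed version with the one the Ubuntu Security
# Notice (USN) names as fixed, using dpkg ordering (epoch, upstream, revision; '~' first).

def _cmp_nondigit(a, b):  # dpkg weights: '~' < end of string (0) < letters < others
    w = lambda c: -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    n = max(len(a), len(b))  # pad with 0 so a trailing '~' sorts before end of string
    ka = [w(c) for c in a] + [0] * (n - len(a))
    kb = [w(c) for c in b] + [0] * (n - len(b))
    return (ka > kb) - (ka < kb)

def _cmp_segment(a, b):  # alternate non-digit runs (lexical) and digit runs (numeric)
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        if r := _cmp_nondigit(sa, sb):
            return r
        a, b = a[len(sa):], b[len(sb):]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if r := int(na or 0) - int(nb or 0):
            return r
        a, b = a[len(na):], b[len(nb):]
    return 0

def parse_version(v):  # split '[epoch:]upstream[-revision]' the way dpkg does
    epoch, v = (int(v.split(":", 1)[0]), v.split(":", 1)[1]) if ":" in v else (0, v)
    upstream, sep, revision = v.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, v, "")

def compare_versions(a, b):  # -1, 0 or 1, same ordering as `dpkg --compare-versions`
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    r = (ea > eb) - (ea < eb) or _cmp_segment(ua, ub) or _cmp_segment(ra, rb)
    return (r > 0) - (r < 0)

def verdict(installed, fixed):  # one finding: accept (backported), patch, or escalate
    if fixed is None:
        return "escalate: no USN entry, verify manually"
    if compare_versions(installed, fixed) >= 0:
        return "accept: fix backported in " + installed
    return "patch: apt upgrade to " + fixed

def triage(findings, usn_fixed):
    return [(fid, verdict(inst, usn_fixed.get(pkg))) for pkg, inst, fid in findings]

# Constructed sample input: scanner findings as (package, installed version,
# finding id) and USN fixed versions for the release; the ids are placeholders.
FINDINGS = [("vim", "2:9.1.0016-1ubuntu7.8", "F-1"), ("curl", "8.5.0-2ubuntu10.3", "F-2"),
            ("libpng16-16t64", "1.6.43-5build1", "F-3")]
USN_FIXED = {"vim": "2:9.1.0016-1ubuntu7.6", "curl": "8.5.0-2ubuntu10.5"}
```

The three verdicts map onto the lab's own outcomes: accept feeds the risk acceptance log, patch is an `apt upgrade` work item, and escalate means the USN database must be checked by hand before the finding is closed or accepted.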
```
Vulnerability-Management-Lab/
│
├── README.md                            ← You are here
├── vulnerability-management-policy.md   ← Org-wide VM policy governing both labs
│
├── windows/
│   ├── README.md                        ← Full Windows lab writeup
│   ├── risk-management-report.md        ← Risk register, risk scoring, and risk acceptance log
│   └── scans/
│       ├── 1-noncredentialed-scan.pdf
│       ├── 2-credentialed-baseline.pdf
│       ├── 3-credentialed-vulnerable.pdf
│       └── 4-credentialed-remediated.pdf
│
└── ubuntu/
    ├── README.md                        ← Full Ubuntu lab writeup
    ├── risk-management-report.md        ← Risk register, risk scoring, and risk acceptance log
    └── scans/
        ├── 1-noncredentialed-scan.pdf
        ├── 2-credentialed-baseline.pdf
        ├── 3-credentialed-vulnerable.pdf
        └── 4-credentialed-remediated.pdf
```
| Tool | Purpose |
|---|---|
| Microsoft Azure | VM provisioning and cloud hosting |
| Tenable Vulnerability Management | Vulnerability scanning and reporting |
| PowerShell | Remediation scripting, Windows Update automation, SMBv1 remediation |
| Windows Settings / Microsoft Store | Patch management for built-in Windows applications |
| Bash / apt | Ubuntu package management, service removal, SSH hardening |
| UFW | Linux host-based firewall management |
- Unauthenticated vs. credentialed vulnerability scanning and understanding why both matter
- Vulnerability lifecycle management: discovery → assessment → remediation → validation
- Risk prioritization using CVSS scoring and likelihood/impact analysis
- Cross-platform vulnerability management across Windows and Linux environments
- Credentialed scanning via SMB (Windows) and SSH (Linux)
- Patch-based vs. configuration-based remediation techniques
- Formal risk documentation: risk register, risk scoring, and risk acceptance
- SMBv1 identification and remediation — including its relationship to EternalBlue/WannaCry
- Ubuntu backporting — understanding when version-based findings are false positives due to distro-level patch backporting
- Attack surface reduction through unnecessary service removal
- SSH hardening — disabling root login, enforcing least privilege
- Vulnerability management policy development covering scope, SLAs, risk acceptance, and change control
This lab was completed as part of Josh Madakor's Cyber Range — a hands-on cybersecurity training community that provides members with access to real enterprise security tools and guided project frameworks.
Through the Cyber Range community, I was able to:
- Access a Tenable Vulnerability Management license for professional-grade vulnerability scanning
- Provision and configure Azure virtual machines following real-world enterprise practices
- Work through a structured vulnerability management workflow that mirrors how security teams operate in production environments
- NIST SP 800-40 Rev. 4 — Guide to Enterprise Patch Management
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments
- Microsoft Security Advisory CVE-2013-3900
- Microsoft SMBv1 Deprecation Guidance
- EternalBlue / WannaCry Background — CISA
- Ubuntu Security Notices
- Ubuntu Backporting Security Fixes
- Tenable Vulnerability Management Documentation