Catalog of automation scripts used to remediate vulnerabilities identified by Tenable / Nessus scanners in Windows environments.
This repository serves as a catalog of remediation scripts used during a full vulnerability management program implementation.
The scripts demonstrate how security teams can automate vulnerability remediation and configuration hardening across Windows environments.
Each remediation includes a script reference and the script’s author.
This repository is part of a larger vulnerability management project demonstrating the full remediation lifecycle.
| Repository | Purpose |
|---|---|
| vulnerability-management-program | End-to-end implementation of a vulnerability management program including policy creation, scanning, remediation, and validation. |
| programmatic-vulnerability-remediation (this repository) | Catalog of remediation scripts used during the vulnerability remediation process. |
| cve-2013-3900-winverifytrust-mitigation | Script-based remediation for CVE-2013-3900. |
| nessus-57608-smb-signing-required | Script enforcing SMB signing. |
| nessus-10114-icmp-timestamp-mitigation | Script mitigating ICMP timestamp disclosure. |
Together, these repositories demonstrate how vulnerabilities can be identified, prioritized, remediated programmatically, and validated within a structured vulnerability management lifecycle.
The following remediations are listed in the order they were implemented during the vulnerability remediation lifecycle.
| Order | Vulnerability | Severity | Type | Plugin ID | Script Source | Remediation Repo | Author |
|---|---|---|---|---|---|---|---|
| 1 | Outdated Wireshark Installation | 🔴 Critical / High | Software | Multiple | Script | — | Josh Madakor |
| 2 | Deprecated TLS Protocols Enabled | 🟠 Medium | Configuration | Various | Script | — | Josh Madakor |
| 3 | Weak Cipher Suites Enabled | 🟠 Medium | Configuration | Various | Script | — | Josh Madakor |
| 4 | Guest Account in Administrators Group | 🟠 Medium | Configuration | Google Tenable Plugin DB | Script | — | Josh Madakor |
| 5 | WinVerifyTrust CVE-2013-3900 | 🔴 High | Configuration | 166555 | — | Repo | Sun Dimitri NFANDA |
| 6 | SMB Signing Not Required | 🟠 Medium | Configuration | 57608 | — | Repo | Sun Dimitri NFANDA |
| 7 | ICMP Timestamp Disclosure | 🟡 Low | Network | 10114 | — | Repo | Sun Dimitri NFANDA |
These remediations demonstrate how security teams can implement programmatic vulnerability remediation as part of an enterprise vulnerability management program.
The process includes:
- Vulnerability discovery via authenticated scans
- Risk prioritization
- Script-based remediation
- Change management approval
- Validation via follow-up scans
This approach enables organizations to automate configuration hardening and reduce vulnerability exposure efficiently.
Tools and platforms:
- PowerShell
- Windows Server / Windows 10
- Tenable Vulnerability Management
- Nessus Plugin Database
Full vulnerability management program implementation:
https://github.com/SDimitri05/vulnerability-management-program
MIT License