Pentest Remediation Playbook

Step-by-step fixes for the 30 most common internal penetration testing findings. Copy-paste ready for PowerShell, Group Policy, and network devices.

Published: April 2026
Version: 1.0
Author: Louis Sanchez

30 findings across 5 categories, 19 of them rated High or Critical

This playbook provides step-by-step remediation guidance for the 30 most common findings from internal penetration tests. Each finding includes the risk rating, implementation effort, exact commands and configurations, real-world gotchas, and verification steps. It is designed for IT administrators, system engineers, and security teams responsible for implementing fixes after a pentest.

5 Categories of Findings Covered

Organized by domain so you can assign the right team to the right fixes.

Network Protocols (6 findings)

LLMNR/NBT-NS poisoning, SMB signing, IPv6 DNS takeover, WPAD abuse, SNMP defaults, and cleartext protocol usage.

Active Directory (12 findings)

Kerberoasting, AS-REP roasting, unconstrained delegation, NTLM relay, Print Spooler, LAPS, password policy, GPP passwords, LDAP signing, and more.

Credential Management (4 findings)

Default credentials, cleartext passwords in shares, WDigest authentication, and LSASS protection with Credential Guard.

Host Security (6 findings)

Local admin password reuse, RDP without NLA, PowerShell v2, Windows Firewall, end-of-life operating systems, and unrestricted outbound access.

SSL/TLS and Web (2 findings)

Weak SSL/TLS configurations and default web application pages and headers that leak technology stack information.

What's Inside Each Finding

Everything your team needs to fix the issue and verify it stays fixed.

Risk Rating and Effort Level

Critical, High, Medium, or Low severity paired with implementation effort so you can prioritize maximum impact for minimum work.

Copy-Paste Remediation Steps

Exact PowerShell commands, GPO paths, registry keys, and network device configurations. No guesswork required.

Real-World Gotchas

Warnings about what may break when you implement the fix. Legacy printers, VoIP phones, application dependencies — things that catch teams off guard.

Verification Commands

Commands to confirm the remediation was applied successfully. Run these after every change to validate before your retest.

About the Author

Louis Sanchez, founder of Voke Cyber and OSCP-certified penetration tester

Louis is a penetration tester and the founder of Voke Cyber. He built this playbook from the remediation guidance he provides to clients after every internal pentest — the same step-by-step fixes his team walks customers through during retesting.

Five Sample Findings With Remediation Patterns

A preview of the level of detail every finding in the playbook includes.

LLMNR and NetBIOS-NS poisoning — Critical, Low Effort

Windows hosts fall back to LLMNR (multicast) and NetBIOS-NS (broadcast) name resolution when DNS cannot answer a query, for example when a user mistypes a share name. An attacker on the same broadcast domain answers those queries, the victim host authenticates to the attacker's machine, and the attacker captures the NTLMv2 challenge-response to crack offline or relays it to another host (a relay to a domain controller or file server only succeeds where SMB or LDAP signing is not enforced there). Fix: disable LLMNR via Group Policy (Computer Configuration → Policies → Administrative Templates → Network → DNS Client → Turn Off Multicast Name Resolution = Enabled; the policy writes EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) and disable NetBIOS over TCP/IP either through DHCP (vendor class "Microsoft Windows 2000 Options", option 001 Microsoft Disable Netbios Option = 0x2) or a scripted registry change setting NetbiosOptions = 2 under each HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_* key. Gotcha: some printers and legacy applications still depend on NetBIOS name resolution, and the DHCP option only reaches DHCP clients, so statically addressed servers need the registry change. Test in a pilot OU before broad rollout.
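The following is an added example, not code from the playbook or from Voke Cyber. It applies the two settings above on a single host with the same registry values the GPO and the DHCP option produce (useful for a pilot host or a startup script on statically addressed servers), then reports the resulting state. It assumes an elevated PowerShell session on a domain-joined Windows 10/11 or Server 2016+ host; the function name Test-LlmnrNbtDisabled is the author's own.

```powershell
# Added example (not the playbook's code): disable LLMNR and NetBIOS over TCP/IP on the
# local host and verify. Run elevated. NetBIOS changes need a reboot (or interface reset).

# LLMNR: same value the "Turn Off Multicast Name Resolution" policy writes (0 = off)
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord

# NetBIOS over TCP/IP, per interface: NetbiosOptions 0 = follow DHCP, 1 = enabled, 2 = disabled.
# Value 2 here is what DHCP option 001 "Microsoft Disable Netbios Option" = 0x2 also yields.
$nbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $nbtIfaces |
    Where-Object { $_.PSChildName -like 'Tcpip_*' } |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord }

# Verification: registry state plus a live check that nothing is bound to the NBT-NS port
function Test-LlmnrNbtDisabled {
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue).EnableMulticast
    $nbt   = Get-ChildItem -Path $nbtIfaces |
             Where-Object { $_.PSChildName -like 'Tcpip_*' } |
             ForEach-Object { (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        LlmnrDisabled   = ($llmnr -eq 0)
        NbtAllDisabled  = (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0)
        # After the reboot, UDP 137 (NetBIOS name service) should no longer be bound
        Udp137Listening = [bool](Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue)
    }
}

Test-LlmnrNbtDisabled
```

Run the function again after the reboot: LlmnrDisabled and NbtAllDisabled should be True and Udp137Listening False. The same function is a reasonable post-GPO check across the pilot OU via Invoke-Command.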

Kerberoasting — High, Medium Effort

Any authenticated domain user can request a service ticket for any account that has an SPN. The ticket is encrypted with the service account's key, so the attacker takes it offline and brute-forces the password; RC4 (etype 23) tickets crack orders of magnitude faster than AES ones. The fix is not disabling Kerberos, it is making the tickets uncrackable. Fix: migrate services to Group Managed Service Accounts (gMSA) where possible; AD then maintains a 240-byte random password and rotates it automatically (every 30 days by default), so there is nothing human-readable to crack or hard-code. Where a gMSA is not an option, set a random password of 25+ characters, rotate it on a schedule, and restrict the account to AES via msDS-SupportedEncryptionTypes (AES keys are only derived when the password is next set, so rotate after changing that attribute). Audit existing SPNs with Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName and migrate the highest-privilege accounts (Domain Admins, AdminCount = 1) first. Gotcha: some legacy applications hard-code service account credentials, so coordinate with app owners before rotating.
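The following is an added example, not code from the playbook or from Voke Cyber. It ranks Kerberoastable accounts for remediation, applies the interim hardening (AES only plus a fresh random password) to one account, and replaces it with a gMSA. It assumes the RSAT ActiveDirectory module, rights to create service accounts, and that the KDS root key already exists in the forest; the names svc-legacy-sql, gMSA-sql01, SQL01 and corp.example are placeholders, and Get-KerberoastableAccount is the author's own function.

```powershell
# Added example (not the playbook's code): audit, harden, and migrate a Kerberoastable account.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags: 0x01 DES-CRC, 0x02 DES-MD5, 0x04 RC4, 0x08 AES128, 0x10 AES256.
# No AES bit set (or attribute unset) means the KDC issues RC4 tickets.
$Legacy = 0x07
$AES    = 0x08 -bor 0x10

function Get-KerberoastableAccount {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, AdminCount, 'msDS-SupportedEncryptionTypes' |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $etypes = if ($null -ne $_.'msDS-SupportedEncryptionTypes') { [int]$_.'msDS-SupportedEncryptionTypes' } else { 0 }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Privileged      = ($_.AdminCount -eq 1)   # member of a protected group (AdminSDHolder)
                PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                AesOnly         = (($etypes -band $AES) -ne 0) -and (($etypes -band $Legacy) -eq 0)
                SPNs            = ($_.ServicePrincipalName -join '; ')
            }
        } |
        # Privileged accounts with the oldest passwords are the first to fix
        Sort-Object -Property @{Expression = 'Privileged'; Descending = $true},
                              @{Expression = 'PasswordAgeDays'; Descending = $true}
}
Get-KerberoastableAccount | Format-Table -AutoSize

# Interim hardening for an account that cannot move to a gMSA yet: AES only, then a new
# CSPRNG-backed password (AES keys are only derived when the password is set, so this order matters).
Set-ADUser -Identity 'svc-legacy-sql' -KerberosEncryptionType AES128, AES256
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)   # 44 printable characters
Set-ADAccountPassword -Identity 'svc-legacy-sql' -Reset `
    -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)

# Preferred: replace the account with a gMSA (240-byte password, rotated by AD every 30 days).
# Do this in a maintenance window: an SPN must be unique, so it moves off the old account first.
$spn = 'MSSQLSvc/sql01.corp.example:1433'
Set-ADUser -Identity 'svc-legacy-sql' -ServicePrincipalNames @{Remove = $spn}
New-ADServiceAccount -Name 'gMSA-sql01' -DNSHostName 'gMSA-sql01.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL01$' `
    -ServicePrincipalNames $spn -KerberosEncryptionType AES128, AES256
# On SQL01, once it has refreshed its computer ticket (reboot, or: klist purge -li 0x3e7):
#   Install-ADServiceAccount -Identity 'gMSA-sql01'
#   Test-ADServiceAccount -Identity 'gMSA-sql01'    # expected: True
# then run the service as CORP\gMSA-sql01$ with an empty password and disable svc-legacy-sql.
```

Re-run Get-KerberoastableAccount after the change: the legacy account should show AesOnly = True with a PasswordAgeDays of 0, and the SPN should no longer appear against it.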

SMB signing not enforced — Critical, Low Effort

Without SMB signing required on the target, an attacker who captures an NTLM authentication (typically via LLMNR/NBT-NS poisoning) can relay it to that target and obtain an authenticated SMB session without ever knowing the password; tools such as ntlmrelayx make this routine. Domain controllers require signing by default, but member servers and workstations only sign "if the other side agrees", which is not enforcement. Fix: set Microsoft network server: Digitally sign communications (always) = Enabled (Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options) on every domain-joined Windows host, and the matching Microsoft network client policy for the client side. Validate with Get-SmbServerConfiguration | Select RequireSecuritySignature and Get-SmbClientConfiguration | Select RequireSecuritySignature. Gotcha: older NAS appliances and some Linux Samba shares may need configuration or firmware updates before they can sign, and signing adds some CPU overhead on heavily loaded file servers. Inventory first.
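The following is an added example, not code from the playbook or from Voke Cyber. It enforces signing for both SMB roles on a host using the same settings the two GPO entries write, then checks the effective state across a list of hosts. It assumes WinRM is enabled for the fleet check and that the host names (DC01, FS01, WS-PILOT-01) are placeholders; Set-SmbSigningRequired and Get-SmbSigningStatus are the author's own function names.

```powershell
# Added example (not the playbook's code): require SMB signing on a host and audit a fleet.

function Set-SmbSigningRequired {
    # Server role: this is the setting that actually blocks relayed NTLM sessions against
    # this host, because the relaying attacker cannot produce the session key to sign.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    # Client role: this host refuses unsigned sessions with any server. It protects data in
    # transit, but it does not by itself stop this host's credentials from being relayed to a
    # third server that accepts unsigned sessions; only the server-side setting on every
    # target does that.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
}

function Get-SmbSigningStatus {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $s = Get-SmbServerConfiguration
        $c = Get-SmbClientConfiguration
        [pscustomobject]@{
            ServerRequires = $s.RequireSecuritySignature
            ClientRequires = $c.RequireSecuritySignature
            # SMB1 signing uses MD5 and the protocol should be retired outright; flag it here
            Smb1Enabled    = $s.EnableSMB1Protocol
        }
    } | Select-Object PSComputerName, ServerRequires, ClientRequires, Smb1Enabled
}

Set-SmbSigningRequired
Get-SmbSigningStatus -ComputerName 'DC01', 'FS01', 'WS-PILOT-01' | Format-Table -AutoSize

# Live check from any client with an open session: every row should show Signed = True
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
```

Hosts where ServerRequires is False after the GPO refresh are the ones still relayable; a NAS or Samba share does not appear in this output and has to be checked from its own configuration or with a retest.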

LAPS not deployed — High, Medium Effort

If every workstation shares the same local administrator password, one compromised host gives the attacker administrative access to every host with that password. Local Administrator Password Solution (LAPS) generates a unique random password per host, rotates it on a schedule, and stores it in Active Directory where an ACL limits who can read it. Fix: deploy Windows LAPS, which is built into Windows 10, Windows 11, Windows Server 2019 and later from the April 2023 cumulative update onward (it replaces the legacy Microsoft LAPS MSI); extend the schema with Update-LapsADSchema, configure password length, complexity and rotation interval via GPO (Computer Configuration → Policies → Administrative Templates → System → LAPS), enable encrypted storage of the password in AD where the domain functional level is 2016 or higher, and restrict who can read passwords to the helpdesk and admin groups that need them. Gotcha: LAPS manages exactly one local account per host, the built-in Administrator by default or a single named account set through the Administrator account name policy. If your team created additional custom local admin accounts, those need separate handling.
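The following is an added example, not code from the playbook or from Voke Cyber. It prepares an OU for Windows LAPS, sets the policy values on a pilot host, and audits both coverage and read access. It assumes the LAPS PowerShell module (present on Windows with the April 2023 update or later), the RSAT ActiveDirectory module, Schema Admin rights for the one-time schema step, and a 2016 domain functional level for encrypted storage; the OU, group and host names are placeholders, and Get-LapsCoverage is the author's own function.

```powershell
# Added example (not the playbook's code): Windows LAPS preparation, pilot policy, and audit.
Import-Module LAPS
Import-Module ActiveDirectory
$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'

# 1) One-time, as Schema Admin: adds the msLAPS-* attributes
# Update-LapsADSchema

# 2) Computers in the OU may write their own password and expiry (SELF), and only the
#    helpdesk group may read or force a reset
Set-LapsADComputerSelfPermission  -Identity $WorkstationOU
Set-LapsADReadPasswordPermission  -Identity $WorkstationOU -AllowedPrincipals 'CORP\Helpdesk-Tier1'
Set-LapsADResetPasswordPermission -Identity $WorkstationOU -AllowedPrincipals 'CORP\Helpdesk-Tier1'

# 3) Policy values the LAPS GPO writes; set directly here on a pilot host only, via GPO in production
$lapsPol = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (-not (Test-Path $lapsPol)) { New-Item -Path $lapsPol -Force | Out-Null }
Set-ItemProperty $lapsPol -Name BackupDirectory              -Value 2  -Type DWord  # 2 = Active Directory
Set-ItemProperty $lapsPol -Name PasswordLength               -Value 24 -Type DWord
Set-ItemProperty $lapsPol -Name PasswordComplexity           -Value 4  -Type DWord  # upper, lower, digits, specials
Set-ItemProperty $lapsPol -Name PasswordAgeDays              -Value 30 -Type DWord
Set-ItemProperty $lapsPol -Name ADPasswordEncryptionEnabled  -Value 1  -Type DWord  # needs 2016 DFL
Set-ItemProperty $lapsPol -Name PostAuthenticationResetDelay -Value 8  -Type DWord  # hours after the account is used
Set-ItemProperty $lapsPol -Name PostAuthenticationActions    -Value 3  -Type DWord  # 3 = reset password and log off
# To manage a custom-named local admin instead of the built-in one, also set AdministratorAccountName.
Invoke-LapsPolicyProcessing   # apply immediately instead of waiting for the next cycle

# 4) Coverage: computers in the OU that have (or do not have) a LAPS-managed password
function Get-LapsCoverage {
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'msLAPS-PasswordExpirationTime', OperatingSystem |
        ForEach-Object {
            $exp = $_.'msLAPS-PasswordExpirationTime'   # FILETIME, absent until the host has backed up a password
            [pscustomobject]@{
                Name    = $_.Name
                OS      = $_.OperatingSystem
                Managed = ($null -ne $exp)
                Expires = if ($exp) { [datetime]::FromFileTime([int64]$exp) } else { $null }
            }
        }
}
Get-LapsCoverage -SearchBase $WorkstationOU | Where-Object { -not $_.Managed }   # gaps to chase

# 5) Who can read passwords in this OU: expect only the helpdesk group and domain admins
Find-LapsADExtendedRights -Identity $WorkstationOU

# 6) End-to-end check from a helpdesk account
# Get-LapsADPassword -Identity 'WS-PILOT-01' -AsPlainText
```

The coverage list is the verification for this finding: every in-scope host should be Managed with an Expires date in the future, and the extended-rights output should contain no group you did not intend.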

SSL/TLS legacy protocols and cipher suites — Medium, Low Effort

SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are deprecated, and weak cipher suites (RC4, 3DES, export-grade RSA/DH, NULL, MD5-based MACs) need to go too. Fix: on Windows servers, use IIS Crypto or set Enabled = 0 and DisabledByDefault = 1 for each legacy protocol under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<protocol>\Server (a reboot is required), and remove the weak suites from the cipher-suite order. On Linux, set the minimum protocol and cipher list in the serving application (nginx ssl_protocols, Apache SSLProtocol) or in the system-wide crypto policy or openssl.cnf. Validate with testssl.sh for internal hosts or Qualys SSL Labs for internet-facing ones. Gotcha: some older API clients (POS terminals, embedded devices) still negotiate TLS 1.0; inventory before disabling, consider a phased deprecation with logging, and remember that disabling a protocol on the Client side of the Schannel key also breaks this host's outbound connections to legacy endpoints.
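The following is an added example, not code from the playbook or from Voke Cyber. It disables the legacy Schannel protocols and weak cipher suites on a Windows server, and provides a probe that reports which TLS versions a listener still accepts. It assumes an elevated session on Server 2016 or later for the cipher-suite cmdlets, and that the probe is run from a host whose own client-side protocols have not yet been disabled (otherwise every version reports as refused); intranet.corp.example is a placeholder, and Set-SchannelProtocol and Test-TlsVersions are the author's own functions.

```powershell
# Added example (not the playbook's code): Schannel hardening plus a protocol probe.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Both roles are set here; drop 'Client' from the list if this host must still reach
    # legacy endpoints (outbound TLS 1.0/1.1) while you inventory them.
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $schannel "$Name\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enabled)        -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -Type DWord
    }
}

# Disable the deprecated set and state TLS 1.2 explicitly (TLS 1.3 is on by default from Server 2022)
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Remove weak suites from the Schannel cipher-suite order
Get-TlsCipherSuite |
    Where-Object { $_.Name -match 'RC4|3DES|NULL|EXPORT|MD5' } |
    ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
# Schannel reads these at boot: reboot before verifying.

# Probe: attempt a handshake with each protocol version pinned; the server's answer shows
# what it still accepts. Certificate validation is deliberately bypassed (we test negotiation, not trust).
function Test-TlsVersions {
    param([string]$HostName, [int]$Port = 443)
    $results = [ordered]@{}
    foreach ($proto in 'Ssl3', 'Tls', 'Tls11', 'Tls12', 'Tls13') {
        $client = $null; $ssl = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]$proto, $false)
            $results[$proto] = "accepted ($($ssl.CipherAlgorithm), $($ssl.CipherStrength)-bit)"
        } catch {
            # Also lands here if the probing host's own .NET/Schannel cannot offer that version
            $results[$proto] = 'refused'
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
    }
    [pscustomobject]$results
}

Test-TlsVersions -HostName 'intranet.corp.example' -Port 443
```

After the reboot, the probe should show Ssl3, Tls and Tls11 as refused and Tls12 (and Tls13 where supported) as accepted. Because the probe can only offer what the probing host itself supports, confirm with testssl.sh before the retest.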

How to Use This Playbook

Recommended workflow for a successful remediation cycle.

  1. Triage findings against your pentest report. Cross-reference each finding in your pentest report against the playbook. Group fixes by category so the right team owns the right work.
  2. Pilot in a representative OU before broad rollout. Many fixes (LLMNR disabling, SMB signing, TLS hardening) have edge-case impact on legacy systems. Test in a 5-10 host pilot OU for 1-2 weeks before pushing organization-wide.
  3. Document each change in your change-management system. Auditors and your future self both want to know what was changed, by whom, when, and why. Tie each remediation to its source pentest finding.
  4. Validate with the verification commands. Each finding includes a verification step. Run it after each change to confirm the fix took effect. Don't trust the GPO refresh — trust the validated state.
  5. Schedule the retest before the 30-day window closes. Voke Cyber retesting is included for 30 days after the final report. Reach out to your tester at least 5 business days in advance to schedule.

"A pentest report without clear remediation steps is just a list of problems."

Every Voke Cyber assessment includes detailed remediation guidance and free retesting within 30 days so you can validate that your fixes actually work. This playbook is the public version of the remediation support we provide to every client.

Need Help Remediating Pentest Findings?

Our team provides hands-on remediation support and free retesting to confirm your fixes are effective.