Solved

Windows 2003 R2 SP2 and Weak Cipher

Posted on 2009-05-07
Last Modified: 2012-08-16
I have a Windows 2003 R2 SP2 server in my DMZ. I just ran a network security scan on this server and it detected a weak cipher. SSL is running on this server and I have a 128-bit certificate from VeriSign installed on it. If I follow Microsoft KB article 245030, will this break the certificate that I currently have installed?
Question by:compdigit44
3 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 24332615

Can you name the security scanner that picked this up?

Is the cert used for IIS, or something else? I would make sure that IIS has 'require 128 bit' set; that may be the answer.

If not, I would back up the cert, being sure to also export the private key (I also confirm the backup by installing the cert on my workstation), then back up the registry and use that MS technote to change things if you want (I do not really think you want to do this).

I am sure it may default to a better cryptographic algorithm, but may step down to a lower cryptographic algorithm if the client requests it.

Maybe compare the scanner results against a big website that has SSL and see what the SSL results are there.

Mark
 
LVL 20

Author Comment

by:compdigit44
ID: 24338578
Yes this server is running IIS 6.0...
 
LVL 31

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 24339715
The KB you mentioned is the appropriate resource for definitively removing support for weaker ciphers. Enabling 'require 128 bit' helps, but does not necessarily provide for a stronger crypto method - just that it is using 128 bits.

You might also want to look at http://support.microsoft.com/kb/187498 if you are going for PCI DSS compliance, etc. - you may have a requirement to disable SSL 2.0 at least (this is disabled by default in 2008, but enabled in 2003).  SSL 2.0 was replaced over 10 years ago by SSL v3, which is still considered stable.  Some requirements may still ask you to disable SSL v3 also and only allow for TLS which is based on SSL v3, but was standardized.

The strength of the certificate is misleading: the certificate itself defines the key strength of its own public/private keypair and is used to initiate the SSL handshake, which includes the session crypto algorithm. The highest common algorithm will be used, but to ensure against lesser crypto algorithms, you should disable them in the registry as well as checkmark the 'require 128 bit' box in the site properties - Directory Security - Edit.
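An added example, not from this thread or from Microsoft: a PowerShell script that audits the Schannel registry subkeys described in KB 245030 and KB 187498 and reports which of the weak ciphers and SSL 2.0 are still enabled on the server (with -Apply it writes Enabled=0 for each one). The specific list of subkeys and the use of the .NET registry API are assumptions made here.

```powershell
# Added example (not from this thread): audit the Schannel cipher/protocol keys that
# KB 245030 and KB 187498 describe, and optionally disable the weak ones. Run elevated.
param([switch]$Apply)

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys (relative to SCHANNEL) treated as weak here: 40/56-bit and NULL ciphers
# per KB 245030, plus the SSL 2.0 server side per KB 187498. Assumed list, not exhaustive.
$weakSubkeys = @(
    'Ciphers\NULL', 'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128',
    'Protocols\SSL 2.0\Server'
)

# Use the .NET registry API rather than HKLM:\ paths: the PowerShell registry provider
# treats the '/' in names like 'RC4 40/128' as a separator and would create 'RC4 40\128'.
$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$schannel = $hklm.OpenSubKey($schannelPath, $Apply)
if (-not $schannel) { throw "SCHANNEL key not found under HKLM\$schannelPath" }

foreach ($sub in $weakSubkeys) {
    $key = $schannel.OpenSubKey($sub, $Apply)

    # A missing key, or a key without an 'Enabled' value, means the Schannel
    # default, which is enabled (0xffffffff). Only an explicit 0 disables it.
    $enabled = $null
    if ($key) { $enabled = $key.GetValue('Enabled') }
    $isDisabled = ($null -ne $enabled) -and ([int]$enabled -eq 0)

    $state = 'ENABLED (weak)'
    if ($isDisabled) { $state = 'disabled' }
    '{0,-26} {1}' -f $sub, $state

    if ($Apply -and -not $isDisabled) {
        if (-not $key) { $key = $schannel.CreateSubKey($sub) }
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    if ($key) { $key.Close() }
}
$schannel.Close()
if ($Apply) { 'Schannel reads these keys at startup; reboot for the change to take effect.' }
```

These keys only change which cipher suites and protocols Schannel will negotiate; the installed certificate and its key pair are not touched, which is why following the KB does not break the certificate.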
