Solved

Windows 2003 R2 SP2 and Weak Cipher

Posted on 2009-05-07
1,760 Views
Last Modified: 2012-08-16
I have a Windows 2003 R2 SP2 server in my DMZ. I just ran a network security scan on this server and it did detect a weak cipher???? SSL is running on this server and I do have a 128-bit certificate from VeriSign installed on this server. If I follow Microsoft KB article 245030, will this break the certificate that I currently have installed?
Question by:compdigit44
3 Comments
LVL 15

Expert Comment

by:markpalinux
ID: 24332615

Can you name the security scanner that picked this up?

Is the cert used for IIS, or something else? I would make sure that IIS has "require 128 bit" set; that may be the answer.

If not, I would back up the cert, being sure to also export the private key (I also confirm the backup by installing the cert on my workstation), then back up the registry and use that MS technote to change things if you want (I do not really think you want to do this).

I am sure it may default to using a better cryptographic algorithm, but may step down to a lower cryptographic algorithm if the client requests it.

Maybe compare the scanner results against a big website that has SSL and see what the SSL results are there.

Mark
LVL 20

Author Comment

by:compdigit44
ID: 24338578
Yes this server is running IIS 6.0...
LVL 31

Accepted Solution

by: Paranormastic (earned 2000 total points)
ID: 24339715
The KB you mentioned is the appropriate resource for definitively removing support for weaker ciphers. Enabling the 'require 128 bit' option helps, but does not necessarily provide a stronger crypto method - just that it is using 128 bits.

You might also want to look at http://support.microsoft.com/kb/187498 if you are going for PCI DSS compliance, etc. - you may have a requirement to disable SSL 2.0 at least (this is disabled by default in 2008, but enabled in 2003). SSL 2.0 was replaced over 10 years ago by SSL v3, which is still considered stable. Some requirements may still ask you to disable SSL v3 also and only allow TLS, which is based on SSL v3 but was standardized.

The strength of the certificate is misleading - the certificate itself defines the key strength of its own public/private keypair and is used to initiate the SSL handshake, which includes negotiating the session crypto algorithm. The highest common algorithm will be used, but to guard against lesser crypto algorithms you should disable them in the registry as well as checking the 'require 128 bit' box in the site properties - Directory Security - Edit.
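The registry changes the accepted answer points at (KB 245030 for ciphers, KB 187498 for SSL 2.0) can be verified before and after the reboot. The following audit script is an added example, not code from the thread or from Microsoft; it assumes the Server 2003 key names shown, that a missing key or `Enabled` value means the Server 2003 default (enabled), and that PowerShell 2.0 or later is installed and run elevated so HKLM can be read.

```powershell
# Added audit example (not from this thread): reports whether the SCHANNEL cipher and
# protocol entries named in KB 245030 / KB 187498 are disabled on the local machine.
# Assumptions: a missing key or 'Enabled' value means "default", which on Windows Server
# 2003 is enabled; the key names below are the Server 2003 spellings; PowerShell 2.0+
# is installed and the session is elevated.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher subkeys a typical "weak cipher" scan finding points at (40/56-bit and NULL).
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')
# Server-side protocol subkeys: SSL 2.0 is what KB 187498 turns off; SSL 3.0 is reported for information.
$protocols = @('SSL 2.0', 'SSL 3.0')

function Get-SchannelState {
    param([string]$SubKey)   # path relative to HKLM, e.g. "...\Ciphers\RC4 40/128"
    # The .NET registry API is used deliberately: the HKLM: provider treats the '/' in
    # names like 'RC4 40/128' as a path separator, so Test-Path/Get-ItemProperty miss them.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return 'default (enabled)' }
    try     { $value = $key.GetValue('Enabled') }
    finally { $key.Close() }
    if ($null -eq $value) { return 'default (enabled)' }
    if ($value -eq 0)     { return 'disabled' }      # REG_DWORD 0 = disabled per KB 245030
    return 'enabled'                                 # 0xffffffff (read back as -1) = enabled
}

$report = @()
foreach ($c in $weakCiphers) {
    $report += New-Object PSObject -Property @{
        Item = "Cipher $c"; State = (Get-SchannelState "$schannel\Ciphers\$c") }
}
foreach ($p in $protocols) {
    $report += New-Object PSObject -Property @{
        Item = "Protocol $p (server)"; State = (Get-SchannelState "$schannel\Protocols\$p\Server") }
}

$report | Format-Table Item, State -AutoSize

# Anything not explicitly disabled is still offered to a client that asks for it,
# regardless of the certificate's key size; SSL 3.0 is excluded from the warning count.
$stillOn = @($report | Where-Object { $_.State -ne 'disabled' -and $_.Item -notlike 'Protocol SSL 3.0*' })
if ($stillOn.Count -gt 0) {
    $msg = '{0} weak entries are not disabled; create the key with Enabled = 0 (REG_DWORD) per KB 245030 / KB 187498, then reboot.' -f $stillOn.Count
    Write-Warning $msg
}
```

Run it once before applying the KB changes to record the baseline and again after the reboot; the certificate binding in IIS is untouched by these keys, which only govern what SCHANNEL will negotiate.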