Solved

Windows 2003 R2 SP2 and Weak Cipher

Posted on 2009-05-07
Last Modified: 2012-08-16
I have a Windows 2003 R2 SP2 server in my DMZ. I just ran a network security scan on this server and did detect a weak cipher???? SSL is running on this server and I do have a 128-bit certificate from VeriSign installed on this server. If I follow Microsoft KB article 245030, will this break the certificate that I currently have installed?
Question by:compdigit44
3 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 24332615

Can you name the security scanner that picked this up?

Is the cert used for IIS, or something else? I would make sure that IIS had the require 128 bit, that may be the answer.

If not, I would back up the cert, being sure to also export the private key (I also confirm the backup by installing the cert on my workstation), then back up the registry and use that MS technote to change things if you want (I do not really think you want to do this).

I am sure it may default to using a better cryptographic algorithm, but may step down to a lower cryptographic algorithm if the client requests it.

Maybe compare the scanner results against a big website that has SSL and see what the SSL results are there.

Mark
 
LVL 19

Author Comment

by:compdigit44
ID: 24338578
Yes this server is running IIS 6.0...
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24339715
The KB you mentioned is the appropriate resource for definitively removing support for weaker ciphers.  Enabling the 'require 128 bit' helps, but does not necessarily provide for a stronger crypto method - just that it is using 128 bits.

You might also want to look at http://support.microsoft.com/kb/187498 if you are going for PCI DSS compliance, etc. - you may have a requirement to disable SSL 2.0 at least (this is disabled by default in 2008, but enabled in 2003).  SSL 2.0 was replaced over 10 years ago by SSL v3, which is still considered stable.  Some requirements may still ask you to disable SSL v3 also and only allow for TLS which is based on SSL v3, but was standardized.

The strength of the certificate is misleading - the certificate itself defines the key strength of its own public/private keypair and is used to initiate the SSL handshake which includes session crypto algorithm - the highest common algorithm will be used, but to ensure against lesser crypto algorithms, you should disable them in the registry as well as checkmark the 'require 128 bit' box in the site properties - directory security - edit.
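
One way to check the result of the registry changes described in the accepted solution, as an added example that is not part of the original thread: it parses a text export of the SCHANNEL key and lists the weak ciphers and SSL 2.0 entries that are not explicitly disabled. The subkey names are the ones used by KB 245030 and KB 187498; the choice of which ciphers count as weak, the function names, and the sample export are assumptions made for illustration.

```python
import re

SCHANNEL = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
            r"\SecurityProviders\SCHANNEL")
# Assumption: "weak" means NULL and sub-128-bit ciphers, plus server-side SSL 2.0.
WEAK_KEYS = [
    r"Ciphers\NULL", r"Ciphers\DES 56/56",
    r"Ciphers\RC2 40/128", r"Ciphers\RC4 40/128",
    r"Ciphers\RC2 56/128", r"Ciphers\RC4 56/128", r"Ciphers\RC4 64/128",
    r"Protocols\SSL 2.0\Server",
]
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword|hex):([0-9a-fA-F,]+)$')

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: int}} (names lower-cased).
    Only zero vs. non-zero matters here, so hex byte order is ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).lower()] = int(m.group(2).replace(",", ""), 16)
    return keys

def still_enabled(text):
    """Return weak subkeys whose Enabled value is missing or non-zero.
    Assumption: a missing key or value means the OS default (enabled) applies."""
    keys = parse_reg(text)
    return [sub for sub in WEAK_KEYS
            if keys.get((SCHANNEL + "\\" + sub).lower(), {}).get("enabled") != 0]

# Constructed sample export (not taken from a real server).
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + SCHANNEL + r"\Ciphers\NULL]", "",            # key exists, no value
    "[" + SCHANNEL + r"\Ciphers\DES 56/56]", '"Enabled"=dword:00000000', "",
    "[" + SCHANNEL + r"\Ciphers\RC2 40/128]", '"Enabled"=dword:00000000', "",
    "[" + SCHANNEL + r"\Ciphers\RC4 40/128]", '"Enabled"=dword:00000000', "",
    "[" + SCHANNEL + r"\Ciphers\RC4 56/128]", '"Enabled"=dword:ffffffff', "",
    "[" + SCHANNEL + r"\Protocols\SSL 2.0\Server]", '"Enabled"=hex:00,00,00,00',
])

if __name__ == "__main__":
    for sub in still_enabled(SAMPLE):
        print("not disabled:", sub)
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `still_enabled`.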