Solved

Windows 2003 R2 SP2 and Weak Cipher

Posted on 2009-05-07
1,755 Views
Last Modified: 2012-08-16
I have a Windows 2003 R2 SP2 server in my DMZ. I just ran a network security scan on this server and it detected a weak cipher. SSL is running on this server and I do have a 128-bit certificate from VeriSign installed on this server. If I follow Microsoft KB article 245030, will this break my certificate that I currently have installed?
Question by:compdigit44
3 Comments
 
LVL 15

Expert Comment

by:markpalinux
ID: 24332615

Can you name the security scanner that picked this up.

Is the cert used for IIS, or something else? I would make sure that IIS had 'Require 128-bit' set; that may be the answer.

If not, I would back up the cert, being sure to also export the private key (I also confirm the backup by installing the cert on my workstation), then back up the registry and use that MS technote to change things if you want (I do not really think you want to do this).

I am sure it may default to using a better cryptographic algorithm, but may step down to a lower cryptographic algorithm if the client requests it.

Maybe compare the scanner results against a big website that has SSL and see what the SSL results are there.

Mark
 
LVL 20

Author Comment

by:compdigit44
ID: 24338578
Yes this server is running IIS 6.0...
 
LVL 31

Accepted Solution

by: Paranormastic earned 2000 total points
ID: 24339715
The KB you mentioned is the appropriate resource for definitively removing support for weaker ciphers. Enabling the 'require 128 bit' helps, but does not necessarily provide for a stronger crypto method - just that it is using 128 bits.

You might also want to look at http://support.microsoft.com/kb/187498 if you are going for PCI DSS compliance, etc. - you may have a requirement to disable SSL 2.0 at least (this is disabled by default in 2008, but enabled in 2003).  SSL 2.0 was replaced over 10 years ago by SSL v3, which is still considered stable.  Some requirements may still ask you to disable SSL v3 also and only allow for TLS which is based on SSL v3, but was standardized.

The strength of the certificate is misleading - the certificate itself defines the key strength of its own public/private keypair and is used to initiate the SSL handshake which includes session crypto algorithm - the highest common algorithm will be used, but to ensure against lesser crypto algorithms, you should disable them in the registry as well as checkmark the 'require 128 bit' box in the site properties - directory security - edit.
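Mark's advice above (back up the registry before touching it) and the accepted answer (use KB 245030 to switch off the weak Schannel ciphers and KB 187498 to switch off SSL 2.0 on the server side) can be combined into one audit-and-apply script. This is an added example, not code from the thread or from Microsoft. It assumes PowerShell 2.0 or later on the server (available for Server 2003 SP2 through the Windows Management Framework), an elevated session, and that the cipher and protocol subkey names are the ones listed in those two KB articles. Without `-Apply` it only reports the current state.

```powershell
# Added example (not from the thread): audit and optionally disable the weak
# Schannel ciphers and legacy protocols that a scanner flags on Windows Server 2003,
# using the registry layout described in KB 245030 and KB 187498.
# Assumes PowerShell 2.0+ and an elevated (Administrator) session.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

# Cipher subkeys from KB 245030 that are export-grade, single DES or NULL.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')
# Server-side protocol subkeys from KB 187498 that should be off.
$weakProtocols = @('PCT 1.0', 'SSL 2.0')

function Get-EnabledState([string]$subKey) {
    # Key names such as "RC4 40/128" contain a slash, which the HKLM: provider
    # treats as a path separator, so the .NET registry API is used instead.
    # Schannel treats a missing key or value as "enabled".
    $key = $hklm.OpenSubKey($subKey)
    if ($null -eq $key) { return 'enabled (key absent)' }
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v)  { return 'enabled (value absent)' }
        if ([int]$v -eq 0) { return 'disabled' }
        return 'enabled'
    } finally { $key.Close() }
}

function Disable-SchannelKey([string]$subKey) {
    # CreateSubKey opens the key writable and creates it if it does not exist.
    $key = $hklm.CreateSubKey($subKey)
    try { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

if ($Apply) {
    # Export the SCHANNEL key first so the change can be reverted with "reg.exe import".
    $backup = Join-Path $env:TEMP ('schannel-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export "HKLM\$base" $backup | Out-Null
    Write-Host "Registry backup written to $backup"
}

foreach ($c in $weakCiphers) {
    $subKey = "$base\Ciphers\$c"
    $state  = Get-EnabledState $subKey
    Write-Host ('Cipher   {0,-12} {1}' -f $c, $state)
    if ($Apply -and $state -ne 'disabled') { Disable-SchannelKey $subKey }
}
foreach ($p in $weakProtocols) {
    $subKey = "$base\Protocols\$p\Server"
    $state  = Get-EnabledState $subKey
    Write-Host ('Protocol {0,-12} {1}' -f $p, $state)
    if ($Apply -and $state -ne 'disabled') { Disable-SchannelKey $subKey }
}

if ($Apply) {
    Write-Host 'Changes written. Reboot so Schannel reloads its settings, then re-run the scanner.'
}
```

Run it once without `-Apply` to see which of the flagged suites are actually enabled, then with `-Apply` to disable them and reboot. The 128-bit RC4 and Triple DES suites are deliberately left untouched so that existing clients still have a cipher to negotiate, which is also why the change does not affect the installed certificate: the certificate only carries the key pair used in the handshake, while the cipher list is a separate Schannel setting, as the accepted answer explains.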
