Solved

Windows 2003 R2 SP2 and Weak Cipher

Posted on 2009-05-07
Last Modified: 2012-08-16
I have a Windows 2003 R2 SP2 server in my DMZ. I just ran a network security scan on this server and it did detect a weak cipher???? SSL is running on this server and I do have a 128-bit certificate from VeriSign installed on this server. If I follow Microsoft KB article 245030, will this break my certificate that I currently have installed?
Question by:compdigit44
3 Comments

Expert Comment

by:markpalinux
ID: 24332615

Can you name the security scanner that picked this up?

Is the cert used for IIS, or something else? I would make sure that IIS had the 'require 128 bit' option set; that may be the answer.

If not, I would back up the cert, being sure to also export the private key (I also confirm the backup by installing the cert on my workstation), then back up the registry and use that MS technote to change things if you want (I do not really think you want to do this).

I am sure it may default to a better cryptographic algorithm, but may step down to a lower cryptographic algorithm if the client requests it.

Maybe compare the scanner results against a big website that has SSL and see what the SSL results are there.

Mark

Author Comment

by:compdigit44
ID: 24338578
Yes this server is running IIS 6.0...

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 24339715
The KB you mentioned is the appropriate resource for definitively removing support for weaker ciphers. Enabling the 'require 128 bit' helps, but does not necessarily provide for a stronger crypto method - just that it is using 128 bits.

You might also want to look at http://support.microsoft.com/kb/187498 if you are going for PCI DSS compliance, etc. - you may have a requirement to disable SSL 2.0 at least (this is disabled by default in 2008, but enabled in 2003).  SSL 2.0 was replaced over 10 years ago by SSL v3, which is still considered stable.  Some requirements may still ask you to disable SSL v3 also and only allow for TLS which is based on SSL v3, but was standardized.

The strength of the certificate is misleading - the certificate itself defines the key strength of its own public/private keypair and is used to initiate the SSL handshake which includes session crypto algorithm - the highest common algorithm will be used, but to ensure against lesser crypto algorithms, you should disable them in the registry as well as checkmark the 'require 128 bit' box in the site properties - directory security - edit.
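A check for the registry settings the accepted solution refers to, as an added example that is not part of the original thread: it reads the SCHANNEL cipher keys named in KB245030 and the SSL 2.0 server key from KB187498, reports which are still enabled, and with -Fix sets Enabled=0 on them (the setting that governs cipher negotiation, not the installed certificate). It assumes PowerShell 2.0 or later is installed on the Server 2003 host and that the script runs as an administrator; SCHANNEL only picks the change up after a reboot.

```powershell
# Added example: audit (and with -Fix, disable) the SCHANNEL keys from KB245030/KB187498.
param([switch]$Fix)
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# Cipher subkey names spelled exactly as KB245030 lists them (value = why it is weak).
$weakCiphers = @{
    'NULL'       = 'no encryption'
    'DES 56/56'  = '56-bit DES'
    'RC2 40/128' = '40-bit RC2'
    'RC2 56/128' = '56-bit RC2'
    'RC4 40/128' = '40-bit RC4'
    'RC4 56/128' = '56-bit RC4'
    'RC4 64/128' = '64-bit RC4'
}
function Test-SchannelEnabled([string]$subKey) {
    # SCHANNEL treats a missing key or a missing Enabled value as "enabled".
    $k = $hklm.OpenSubKey("$base\$subKey")
    if ($k -eq $null) { return $true }
    $v = $k.GetValue('Enabled'); $k.Close()
    if ($v -eq $null) { return $true }
    return ($v -ne 0)
}
function Disable-SchannelKey([string]$subKey) {
    # Use the .NET API: names like 'RC4 40/128' contain '/', which the
    # PowerShell registry provider would otherwise split into a subkey path.
    $k = $hklm.CreateSubKey("$base\$subKey")
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$findings = @()
foreach ($name in $weakCiphers.Keys) {
    if (Test-SchannelEnabled "Ciphers\$name") {
        $findings += "cipher '$name' is enabled ($($weakCiphers[$name]))"
        if ($Fix) { Disable-SchannelKey "Ciphers\$name" }
    }
}
if (Test-SchannelEnabled 'Protocols\SSL 2.0\Server') {
    $findings += 'SSL 2.0 is enabled server-side (the Windows 2003 default)'
    if ($Fix) { Disable-SchannelKey 'Protocols\SSL 2.0\Server' }
}
if ($findings.Count -eq 0) { 'No weak SCHANNEL ciphers or SSL 2.0 found enabled.' }
else {
    $findings | ForEach-Object { "WEAK: $_" }
    if ($Fix) { 'Set Enabled=0 on the keys above; reboot for SCHANNEL to apply the change.' }
    else { 'Re-run with -Fix to set Enabled=0 on these keys.' }
}
```

Run it once without -Fix to see what the scanner is likely flagging, back up the registry as suggested above, then run it with -Fix and reboot.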
