Solved

SSLv2 Disable Still Vulnerable

Posted on 2011-09-26
5,346 Views
Last Modified: 2012-05-12
Morning,

I am in the process of disabling SSLv2 and associated protocols for PCI compliance. I have followed all mentioned steps from the following sites:

http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html 
http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://support.microsoft.com/kb/187498
http://www.ehow.com/how_6624580_upgrade-ssl-3_0.html
http://helpdesk.vssbusinesssolutions.com/KB/a50/forcing-iis-to-use-ssl-30-and-not-ssl-20-for-pci-compliance.aspx

We are running in a mixed environment with both Win Server 2003 Ent as well as Win Server 2008 Ent R2 versions on all. I keep failing PCI compliance scan running Qualys.

Scan results are as follows for all servers regardless of OS type:

QID: 38139
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 07/07/2009
User Modified: -
Edited: No
PCI Vuln: Yes
CVSS Base: 4
CVSS Temporal: 3.6

THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.

These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular Web servers, mail servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

The following link provides more information about this vulnerability:
Analysis of the SSL 3.0 Protocol

IMPACT:
An attacker can exploit this vulnerability to read secure communications or maliciously modify messages.

SOLUTION:
Disable SSLv2.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
 SSLProtocol -ALL +SSLv3 +TLSv1
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
 SSLNoV2

How to disable SSLv2 on IIS : Microsoft Knowledge Base Article - 187498
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll : Microsoft Knowledge Base Article - 245030

Ports that are failing are 443 and 4443. Any suggestions? And is there anyone else still failing scans after making the changes to disable it?

Any help would be appreciated!! Thanks in advance!
Question by:brettschwartzunibank
14 Comments
 
LVL 17

Expert Comment

by:Rovastar
ID: 36658072
What do you mean

"We are running in a mixed environment with both Win Server 2003 Ent as well as Win Server 2008 Ent R2 versions on all"

You have windows 2003 and windows 2008r2?

Are these both the web servers?

But http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html should be all you need.

Have you rebooted since this registry change? Removing/disabling the schannel keys removes them from the machine.

Is your security scanner actually returning the SSL2 stuff? Or is it, as some of them do, just seeing Windows 2003/2008 and saying that it is vulnerable?
 
Use something like http://www.serversniff.net/content.php?do=ssl online to be sure.
0
 
LVL 17

Expert Comment

by:Rovastar
ID: 36660445
Also make sure that Windows is handling the SSL traffic and you have not offloaded it to your load balancer.
0
 
LVL 17

Expert Comment

by:Rovastar
ID: 36663531
Also have a look at this thread, as there may be additional steps for 64-bit OSs:
http://forums.iis.net/t/1151822.aspx
0
 
LVL 17

Expert Comment

by:Rovastar
ID: 36665717
and this:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx

from the above thread.

But the reg entry DisabledByDefault from the forums.iis.net link should do the trick.
0
 

Author Comment

by:brettschwartzunibank
ID: 36716708
Sorry for the delay. I apologize again for the run-on; I was in mid stream writing. You are correct, we are running both 2003 Server R2 editions as well as 2008 Server R2 editions, both Enterprise as well. I have made the mentioned changes and in fact rebooted the machines. I even went as far as applying a batch file to make sure I was applying them correctly. A .txt of the batch is attached: SSLv2Disable---Copy.txt.

As for 64-bit, this is not the case in this situation. We do in fact have 64-bit, but the servers in question are 32-bit.

Thanks,
0
 

Author Comment

by:brettschwartzunibank
ID: 36718284
Here is another excerpt from the scan results after changes have been made and a reboot. Following these instructions: http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030
I made changes to explicitly only allow 3DES 168/168. What am I missing here?


CIPHER        KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE

SSLv3 WEAK CIPHERS
DES-CBC-SHA   RSA           RSA             SHA1  DES(56)                   LOW

TLSv1 WEAK CIPHERS
DES-CBC-SHA   RSA           RSA             SHA1  DES(56)                   LOW
0
 

Author Comment

by:brettschwartzunibank
ID: 36718317
Here are the results in JPG file. Easier to read:
ssl-results.JPG
0
 
LVL 17

Expert Comment

by:Rovastar
ID: 36719655
Firstly, Windows 2008 R2 is 64-bit only; there is no 32-bit version of this, so you are dealing with a 64-bit version.

Did you follow:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx

what about:
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

as in the end of
http://forums.iis.net/t/1151822.aspx
0
 

Author Comment

by:brettschwartzunibank
ID: 36719774
You are correct.

Are these both the web servers?

These are web servers in the fact that IIS is installed and being utilized by inside applications, e.g. management consoles etc. The servers are not accessible from the internet. Could this be a port binding issue? For instance, one MMC utilizes http 1083, https 443 and https 4443, all bound to the same IP (or all assigned). Does this make sense? Am I off base? I just don't understand how I can make the changes mentioned for both 2003 and 2008 and still fail the tests, without it being something tied to it???

Thanks,
0
 

Author Comment

by:brettschwartzunibank
ID: 36891539
Hello,

Made the adjustments from your previous post. Still failing on both 2003 and 2008. Here is a snap of the results: Server 2003 Scan results, Server 2003 Cipher Results, Server 2008 Scan results, Server 2008 Cipher Results.
Thanks in advance for all your help on this.
0
 
LVL 17

Expert Comment

by:Rovastar
ID: 36903476
I am confused; this is only about the weak ciphers, not the SSL2 issue.

You initially only mention that the SSL2 part was a problem. Are you happy that is now fixed?
0
 

Author Comment

by:brettschwartzunibank
ID: 36904819
The Qualys scans I am running against the box are stating it is an SSLv2 vulnerability, and the reason behind this is the weak ciphers, as shown above. They are tying together; does this not make sense? The SSLv2 issue is not fixed, as previously stated.

To be clear:
1. I run a scan against the box
2. I look thru the reports and it has vulnerabilities
3. I scroll down to the vulnerabilities and see SSL Server Supports Weak Encryption Vulnerability
4. I hit the arrow next to the vulnerability and the reason behind it is: Disable support for LOW encryption ciphers.

I don't know what else to tell you. I am sorry for the confusion; I thought I was being straightforward.

Thank you again for your time.....
0
 
LVL 17

Accepted Solution

by:
Rovastar earned 2000 total points
ID: 36909609
OK, there are 2 separate things: the SSLv2 and the weak ciphers.

Looking at the screenshot you have given, it appears to be only talking about the weak ciphers in SSLv3 and TLSv1.
I have found this tool

https://www.nartac.com/Products/IISCrypto/Default.aspx

Try that; it sounds like it should do all you need it to.

As always try on your test boxes first.



0
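Added example, not from the thread or from the IIS Crypto tool: the two Schannel registry changes the thread converges on (KB 187498 for the SSL 2.0 server side, KB 245030 for the LOW/export cipher subkeys, including the DES 56/56 suite the Qualys report lists as DES-CBC-SHA) done in one PowerShell script that writes the values and reads them back, so you can confirm what Schannel will load at the next reboot. It assumes it is run as Administrator on the IIS host itself, which is where the thread's advice about load balancers matters; the subkey list is the one from KB 245030.

```powershell
# Added example (not from the thread). Writes the Schannel protocol and cipher
# values from KB 187498 / KB 245030, then reads them back for verification.
# Run elevated on the IIS server. A reboot is still required afterwards.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# SSL 2.0 server side: both Enabled=0 and DisabledByDefault=1, as the thread notes.
$protocols = @{ 'Protocols\SSL 2.0\Server' = @{ Enabled = 0; DisabledByDefault = 1 } }

# LOW/export cipher subkeys named in KB 245030. 'DES 56/56' is the DES-CBC-SHA
# suite the scan graded LOW. The names contain a literal '/'.
$weakCiphers = 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'NULL'

function Set-SchannelDword([string]$subKey, [string]$name, [int]$value) {
    # .NET registry API instead of New-Item so the '/' in cipher names stays literal.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$subKey")
    $key.SetValue($name, $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelDword([string]$subKey, [string]$name) {
    # Returns $null when the key or value is absent, i.e. Schannel uses its default.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$subKey")
    if ($null -eq $key) { return $null }
    $v = $key.GetValue($name)
    $key.Close()
    return $v
}

# Apply.
foreach ($sub in $protocols.Keys) {
    foreach ($n in $protocols[$sub].Keys) { Set-SchannelDword $sub $n $protocols[$sub][$n] }
}
foreach ($c in $weakCiphers) { Set-SchannelDword "Ciphers\$c" 'Enabled' 0 }

# Audit: anything printed as blank is missing and therefore still at its default.
foreach ($sub in $protocols.Keys) {
    foreach ($n in $protocols[$sub].Keys) {
        '{0,-32} {1,-18} {2}' -f $sub, $n, (Get-SchannelDword $sub $n)
    }
}
foreach ($c in $weakCiphers) {
    '{0,-32} {1,-18} {2}' -f "Ciphers\$c", 'Enabled', (Get-SchannelDword "Ciphers\$c" 'Enabled')
}
Write-Host 'Reboot, then re-scan: the scanner tests the live handshake, not the registry.'
```

The registry readback only proves the values were written; on a host where TLS is terminated by a load balancer in front of IIS, the scanner never sees this server's Schannel settings, so re-scan the actual listening endpoint.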
 

Author Comment

by:brettschwartzunibank
ID: 36917929
Exactly what I needed. Sorry for the confusion. Points awarded.
0
