SSLv2 Disable Still Vulnerable

Morning,

I am in the process of disabling SSLv2 and associated protocols for PCI compliance. I have followed all mentioned steps from the following sites:

http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html 
http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://support.microsoft.com/kb/187498
http://www.ehow.com/how_6624580_upgrade-ssl-3_0.html
http://helpdesk.vssbusinesssolutions.com/KB/a50/forcing-iis-to-use-ssl-30-and-not-ssl-20-for-pci-compliance.aspx

We are running in a mixed environment with both Win Server 2003 Ent as well as Win Server 2008 Ent R2 versions on all. I keep failing PCI compliance scan running Qualys.

Scan results are as follows for all servers regardless of OS type:

QID:38139Category:General remote servicesCVE ID:-Vendor Reference-Bugtraq ID:-Service Modified:07/07/2009User Modified:-Edited:NoPCI Vuln:YesCVSS Base:4[1]CVSS Temporal:3.6THREAT:The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
 There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.
 
These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular Web servers, mail servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.
 
The following link provides more information about this vulnerability:
Analysis of the SSL 3.0 Protocol
IMPACT:An attacker can exploit this vulnerability to read secure communications or maliciously modify messages.SOLUTION:Disable SSLv2.
 Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
 SSLProtocol -ALL +SSLv3 +TLSv1
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

 

For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
 SSLNoV2

How to disable SSLv2 on IIS : Microsoft Knowledge Base Article - 187498
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll : Microsoft Knowledge Base Article - 245030

Ports that are failing are 443 and 4443. Any suggestions and is there anyone else still failing scans after making the changes to disable.

Any help would be appreciated!! Thanks in advance!
brettschwartzunibankAsked:
Who is Participating?
 
RovastarConnect With a Mentor Commented:
OK there are 2 seperate things the SSLv2 and weak chipers.

Looking at the screenshot you have given appear to be only talking about the weak ciphers in SSLv3 and TSL1
I have found this tool

https://www.nartac.com/Products/IISCrypto/Default.aspx

Try that it sounds like it should do all you need it too.

As always try on your test boxes first.



0
 
RovastarCommented:
What do you mean

"We are running in a mixed environment with both Win Server 2003 Ent as well as Win Server 2008 Ent R2 versions on all"

You have windows 2003 and windows 2008r2?

Are these both the web servers?

But http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html should be all you need.

Have you rebooted since this registry change? Removing/disabling the schannel keys removes them from the machine.

Is your security scanner actually returning the SSL2 stuff? Or is it as some of them just see Windows 2003/2008 and saying that it is vulnerable?
 
Use something like http://www.serversniff.net/content.php?do=ssl online to be sure.
0
 
RovastarCommented:
Also make sure that Windows is handling the SSL traffic and you have not offloaded it to your load balancer.
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
RovastarCommented:
Also have a look at this thread as there may be additional steps for 64bit OSs
http://forums.iis.net/t/1151822.aspx
0
 
RovastarCommented:
and this:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx

from the above thread.

But the reg entry disablebydefault should do the trick from the forums.iis.net link
0
 
brettschwartzunibankAuthor Commented:
Sorry for the delay. I apologize again for the run on, I was in mid stream writing. You are correct, we are running both 2003 Server R2 editions as well as 2008 Server R2 editions both Enterprise as well. I have made the mentioned changes and in fact rebooted the machines. I even went as far as applying a batch file to make sure I was applying them correctly. .txt of the batch is attached. SSLv2Disable---Copy.txt.

As for 64bit this is not the case in this situation. We do in fact have 64 bit, but the servers in question are 32 bit.

Thanks,
0
 
brettschwartzunibankAuthor Commented:
Here is another excerpt from the scan results after changes have been made and a reboot. Following these instructions: http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030 
Made changes to explicity only allow 3Des 168/168. What am I missing here?


CIPHER

KEY-EXCHANGE

AUTHENTICATION

MAC

ENCRYPTION(KEY-STRENGTH)

GRADE

SSLv3 WEAK CIPHERS

 DES-CBC-SHA

RSA

RSA

SHA1

DES(56)

LOW

TLSv1 WEAK CIPHERS

 DES-CBC-SHA

RSA

RSA

SHA1

DES(56)

 LOW
0
 
brettschwartzunibankAuthor Commented:
Here are the results in JPG file. Easier to read:
ssl-results.JPG
0
 
RovastarCommented:
Firstly Windows 2008 R2 is 64bit only there is no 32 bit version of this so you are dealing with a 64bit version.

Did you follow:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx

what about:
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

as in the end of
http://forums.iis.net/t/1151822.aspx
0
 
brettschwartzunibankAuthor Commented:
You are correct.

Are these both the web servers?

These are web servers in the fact that IIS is installed and being utilized by Inside applications. e.g. Management Consoles etc. The servers are not acceible from the internet. Could this be a port binding issue? For instance one MMC utilizes http 1083, https: 443. https: 4443. All bound to the same ip or (all assigned). Does this make sense? Am I off base? I just don't understand how I can make the changes mentioned for both 2003 and 2008 and still fail the tests, without it being something tied to it???

Thanks,
0
 
brettschwartzunibankAuthor Commented:
Hello,

Made the adjustments from your previous post. Still failing on both 2003 and 2008. Here is a snap of the results.... Server 2003 Scan results Server 2003 Cipher Results Server 2008 Scan results Server 2008 Cipher Results
Thanks in Advance for all you help on this.
0
 
RovastarCommented:
I am confused this is only about the weak chipers not the SSL2 issue.

You initially only mention that the SSL2 part was a problem. Are you happy that is now fixed?
0
 
brettschwartzunibankAuthor Commented:
The qualys scans I am running against the box is stating it is an SSLv2 vulnerability and the reason behind this is the weak ciphers. As shown above. They are tieing together, does this not make sense? The SSLv2 issue is not fixed as previously stated.

To be clear:
1. I run a scan against the box
2. I look thru the reports and it has vulnerabilities
3. I scroll down to the vulnerabilities and see SSL Server Supports Weak Encryption Vulnerability
4. I hit the arrow next to the vulnerability and the reason behind it is: Disable support for LOW encryption ciphers.

I dont know what else to tell you, I am sorry for the confusion, I thought I was being straight forward.

Thank you again for your time.....
0
 
brettschwartzunibankAuthor Commented:
Exactly what I needed. Sorry for the confusion. Points awarded.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.