Solved

SSLv2 Disable Still Vulnerable

Posted on 2011-09-26
Last Modified: 2012-05-12
Morning,

I am in the process of disabling SSLv2 and associated protocols for PCI compliance. I have followed all mentioned steps from the following sites:

http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://support.microsoft.com/kb/187498
http://www.ehow.com/how_6624580_upgrade-ssl-3_0.html
http://helpdesk.vssbusinesssolutions.com/KB/a50/forcing-iis-to-use-ssl-30-and-not-ssl-20-for-pci-compliance.aspx

We are running in a mixed environment with both Win Server 2003 Ent as well as Win Server 2008 Ent R2 versions on all. I keep failing PCI compliance scan running Qualys.

Scan results are as follows for all servers regardless of OS type:

QID: 38139
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 07/07/2009
User Modified: -
Edited: No
PCI Vuln: Yes
CVSS Base: 4
CVSS Temporal: 3.6

THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.

These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular Web servers, mail servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

The following link provides more information about this vulnerability:
Analysis of the SSL 3.0 Protocol

IMPACT:
An attacker can exploit this vulnerability to read secure communications or maliciously modify messages.

SOLUTION:
Disable SSLv2.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
 SSLProtocol -ALL +SSLv3 +TLSv1
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
 SSLNoV2

How to disable SSLv2 on IIS : Microsoft Knowledge Base Article - 187498
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll : Microsoft Knowledge Base Article - 245030

Ports that are failing are 443 and 4443. Any suggestions? Is anyone else still failing scans after making the changes to disable it?

Any help would be appreciated!! Thanks in advance!
Question by:brettschwartzunibank
 
LVL 17

Expert Comment

by:Rovastar
ID: 36658072
What do you mean

"We are running in a mixed environment with both Win Server 2003 Ent as well as Win Server 2008 Ent R2 versions on all"

You have windows 2003 and windows 2008r2?

Are these both the web servers?

But http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html should be all you need.

Have you rebooted since this registry change? Removing/disabling the schannel keys removes them from the machine.

Is your security scanner actually returning the SSL2 stuff? Or is it that some of them just see Windows 2003/2008 and say that it is vulnerable?
 
Use something like http://www.serversniff.net/content.php?do=ssl online to be sure.
 
LVL 17

Expert Comment

by:Rovastar
ID: 36660445
Also make sure that Windows is handling the SSL traffic and you have not offloaded it to your load balancer.
 
LVL 17

Expert Comment

by:Rovastar
ID: 36663531
Also have a look at this thread, as there may be additional steps for 64-bit OSes:
http://forums.iis.net/t/1151822.aspx
 
LVL 17

Expert Comment

by:Rovastar
ID: 36665717
and this:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx

from the above thread.

But the reg entry DisabledByDefault from the forums.iis.net link should do the trick.
 

Author Comment

by:brettschwartzunibank
ID: 36716708
Sorry for the delay. I apologize again for the run-on; I was mid-stream writing. You are correct, we are running both 2003 Server R2 editions as well as 2008 Server R2 editions, both Enterprise as well. I have made the mentioned changes and in fact rebooted the machines. I even went as far as applying a batch file to make sure I was applying them correctly. A .txt of the batch is attached: SSLv2Disable---Copy.txt.

As for 64-bit, this is not the case in this situation. We do in fact have 64-bit, but the servers in question are 32-bit.

Thanks,
 

Author Comment

by:brettschwartzunibank
ID: 36718284
Here is another excerpt from the scan results after changes have been made and a reboot. Following these instructions: http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030
Made changes to explicitly only allow 3Des 168/168. What am I missing here?


CIPHER        KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE

SSLv3 WEAK CIPHERS
DES-CBC-SHA   RSA           RSA             SHA1  DES(56)                   LOW

TLSv1 WEAK CIPHERS
DES-CBC-SHA   RSA           RSA             SHA1  DES(56)                   LOW
 

Author Comment

by:brettschwartzunibank
ID: 36718317
Here are the results in a JPG file. Easier to read:
ssl-results.JPG
 
LVL 17

Expert Comment

by:Rovastar
ID: 36719655
Firstly, Windows 2008 R2 is 64-bit only; there is no 32-bit version of this, so you are dealing with a 64-bit version.

Did you follow:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx

what about:
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

as in the end of
http://forums.iis.net/t/1151822.aspx
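The REG ADD command above and the DES-CBC-SHA rows in the cipher table earlier both come down to Schannel registry values, so here is an added PowerShell audit/remediation script (written for this page; it is not from the thread, the KB articles or IIS Crypto). It assumes the key names given in KB 245030 (the SSL 2.0\Server protocol key and the DES 56/56 cipher key), an elevated prompt, and a reboot afterwards; without -Fix it only reports.

```powershell
# Added example (not from the thread): audit, and with -Fix remediate, the
# Schannel registry values behind the SSLv2 and DES(56) findings on this page.
# Assumed key names follow KB 245030. Run elevated; reboot after changes.
param([switch]$Fix)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired state. A protocol needs both values: Enabled=0 and DisabledByDefault=1.
# A cipher key only needs Enabled=0; a missing key means Schannel's default (on).
$desired = @(
    @{ Key = "$base\Protocols\SSL 2.0\Server"; Name = 'Enabled';           Value = 0 },
    @{ Key = "$base\Protocols\SSL 2.0\Server"; Name = 'DisabledByDefault'; Value = 1 },
    @{ Key = "$base\Ciphers\DES 56/56";         Name = 'Enabled';           Value = 0 }
)

# Use the .NET registry API instead of HKLM:\ provider paths: the provider
# treats the '/' in 'DES 56/56' as a path separator and would create a
# 'DES 56' key holding a '56' subkey, which Schannel never reads.
$hklm = [Microsoft.Win32.Registry]::LocalMachine

foreach ($d in $desired) {
    $sub = $hklm.OpenSubKey($d.Key, [bool]$Fix)   # writable only when fixing
    if ($sub -eq $null) {
        if (-not $Fix) {
            Write-Output ("MISSING  {0} ({1}): Schannel default applies" -f $d.Key, $d.Name)
            continue
        }
        $sub = $hklm.CreateSubKey($d.Key)
    }
    $current = $sub.GetValue($d.Name)             # $null when the value is absent
    if ($current -eq $d.Value) {
        Write-Output ("OK       {0}\{1} = {2}" -f $d.Key, $d.Name, $current)
    } elseif ($Fix) {
        $sub.SetValue($d.Name, [int]$d.Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        Write-Output ("FIXED    {0}\{1} = {2} (was {3})" -f $d.Key, $d.Name, $d.Value, $current)
    } else {
        Write-Output ("WRONG    {0}\{1} = {2} (want {3})" -f $d.Key, $d.Name, $current, $d.Value)
    }
    $sub.Close()
}

if ($Fix) { Write-Output 'Reboot required: Schannel reads these keys at startup.' }
```

Run it once before and once after the reboot; a row still reported MISSING or WRONG after the reboot is what the scanner will keep flagging.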
 

Author Comment

by:brettschwartzunibank
ID: 36719774
You are correct.

Are these both the web servers?

These are web servers in the fact that IIS is installed and being utilized by inside applications, e.g. Management Consoles etc. The servers are not accessible from the internet. Could this be a port binding issue? For instance, one MMC utilizes http 1083, https 443, https 4443, all bound to the same IP (or all assigned). Does this make sense? Am I off base? I just don't understand how I can make the changes mentioned for both 2003 and 2008 and still fail the tests, without it being something tied to it?

Thanks,
 

Author Comment

by:brettschwartzunibank
ID: 36891539
Hello,

Made the adjustments from your previous post. Still failing on both 2003 and 2008. Here is a snap of the results: Server 2003 Scan results, Server 2003 Cipher Results, Server 2008 Scan results, Server 2008 Cipher Results.
Thanks in advance for all your help on this.
 
LVL 17

Expert Comment

by:Rovastar
ID: 36903476
I am confused; this is only about the weak ciphers, not the SSL2 issue.

You initially only mention that the SSL2 part was a problem. Are you happy that is now fixed?
 

Author Comment

by:brettschwartzunibank
ID: 36904819
The Qualys scans I am running against the box are stating it is an SSLv2 vulnerability, and the reason behind this is the weak ciphers, as shown above. They are tying together; does this not make sense? The SSLv2 issue is not fixed, as previously stated.

To be clear:
1. I run a scan against the box
2. I look through the reports and it has vulnerabilities
3. I scroll down to the vulnerabilities and see SSL Server Supports Weak Encryption Vulnerability
4. I hit the arrow next to the vulnerability and the reason behind it is: Disable support for LOW encryption ciphers.

I don't know what else to tell you. I am sorry for the confusion; I thought I was being straightforward.

Thank you again for your time.
 
LVL 17

Accepted Solution

by:Rovastar
ID: 36909609
OK, there are 2 separate things: the SSLv2 and weak ciphers.

Looking at the screenshot you have given, it appears to be only talking about the weak ciphers in SSLv3 and TLS1.
I have found this tool:

https://www.nartac.com/Products/IISCrypto/Default.aspx

Try that; it sounds like it should do all you need it to.

As always, try on your test boxes first.

 

Author Comment

by:brettschwartzunibank
ID: 36917929
Exactly what I needed. Sorry for the confusion. Points awarded.