brettschwartzunibank asked:

SSLv2 Disable Still Vulnerable

Morning,

I am in the process of disabling SSLv2 and associated protocols for PCI compliance. I have followed all mentioned steps from the following sites:

http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html 
http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://support.microsoft.com/kb/187498
http://www.ehow.com/how_6624580_upgrade-ssl-3_0.html
http://helpdesk.vssbusinesssolutions.com/KB/a50/forcing-iis-to-use-ssl-30-and-not-ssl-20-for-pci-compliance.aspx

We are running in a mixed environment with both Win Server 2003 Ent as well as Win Server 2008 Ent R2 versions on all. I keep failing PCI compliance scan running Qualys.

Scan results are as follows for all servers regardless of OS type:

QID: 38139
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 07/07/2009
User Modified: -
Edited: No
PCI Vuln: Yes
CVSS Base: 4[1]
CVSS Temporal: 3.6

THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.

These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular Web servers, mail servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

The following link provides more information about this vulnerability:
Analysis of the SSL 3.0 Protocol

IMPACT:
An attacker can exploit this vulnerability to read secure communications or maliciously modify messages.

SOLUTION:
Disable SSLv2.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
  SSLNoV2

How to disable SSLv2 on IIS : Microsoft Knowledge Base Article - 187498
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll : Microsoft Knowledge Base Article - 245030

Ports that are failing are 443 and 4443. Any suggestions? Is anyone else still failing scans after making the changes to disable it?

Any help would be appreciated!! Thanks in advance!
Rovastar:

What do you mean

"We are running in a mixed environment with both Win Server 2003 Ent as well as Win Server 2008 Ent R2 versions on all"

You have windows 2003 and windows 2008r2?

Are these both the web servers?

But http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html should be all you need.

Have you rebooted since this registry change? Removing/disabling the schannel keys removes them from the machine.

Is your security scanner actually returning the SSL2 stuff? Or is it that some of them just see Windows 2003/2008 and say that it is vulnerable?
 
Use something like http://www.serversniff.net/content.php?do=ssl online to be sure.
Also make sure that Windows is handling the SSL traffic and you have not offloaded it to your load balancer.
Also have a look at this thread as there may be additional steps for 64bit OSs
http://forums.iis.net/t/1151822.aspx
and this:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx

from the above thread.

But the reg entry DisabledByDefault from the forums.iis.net link should do the trick.
brettschwartzunibank (asker):

Sorry for the delay. I apologize again for the run-on; I was in midstream writing. You are correct, we are running both 2003 Server R2 editions as well as 2008 Server R2 editions, both Enterprise as well. I have made the mentioned changes and in fact rebooted the machines. I even went as far as applying a batch file to make sure I was applying them correctly. A .txt of the batch is attached: SSLv2Disable---Copy.txt.

As for 64bit this is not the case in this situation. We do in fact have 64 bit, but the servers in question are 32 bit.

Thanks,
Here is another excerpt from the scan results after changes have been made and a reboot. Following these instructions: http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030
I made changes to explicitly allow only 3DES 168/168. What am I missing here?


CIPHER        KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE

SSLv3 WEAK CIPHERS
DES-CBC-SHA   RSA           RSA             SHA1  DES(56)                   LOW

TLSv1 WEAK CIPHERS
DES-CBC-SHA   RSA           RSA             SHA1  DES(56)                   LOW
Here are the results in JPG file. Easier to read:
ssl-results.JPG
Rovastar:

Firstly, Windows 2008 R2 is 64-bit only; there is no 32-bit version of this, so you are dealing with a 64-bit version.

Did you follow:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx

What about:
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

as at the end of
http://forums.iis.net/t/1151822.aspx
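The thread covers two separate Schannel settings: the SSL 2.0 protocol keys (KB 187498 and the DisabledByDefault entry from the forums.iis.net link) and the per-cipher keys from KB 245030 that govern the DES(56) suite the Qualys table flags. The script below is an added example, not code from the thread, from Microsoft or from Qualys. It audits the current registry state against a desired state and only then applies it, so the administrator can see which entry was actually missing before rebooting. The key paths follow KB 245030; the function names and the drift-report format are this script's own. It deliberately uses the .NET registry API instead of the HKLM: drive, because the PowerShell registry provider treats the "/" in "DES 56/56" as a path separator and would create a nested key with the wrong name.

```powershell
# Added example (not from the thread). Audit and apply the Schannel entries the thread
# turns on. Run from an elevated PowerShell; Schannel reads these keys at boot, so a
# reboot is still required after applying (as Rovastar says above).

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired state: subkey under $SchannelBase -> DWORD values it should hold.
# Enabled = 0 disables the item; DisabledByDefault = 1 applies to protocol keys only (KB 245030).
$Desired = @{
    'Protocols\SSL 2.0\Server' = @{ Enabled = 0; DisabledByDefault = 1 }
    'Protocols\SSL 2.0\Client' = @{ Enabled = 0; DisabledByDefault = 1 }
    'Ciphers\DES 56/56'        = @{ Enabled = 0 }   # the DES(56) suite in the Qualys table
}

function Get-SchannelDrift {
    # Emits one object per (subkey, value) that differs from $Desired. No output = compliant.
    foreach ($sub in $Desired.Keys) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$sub")
        foreach ($name in $Desired[$sub].Keys) {
            $want = $Desired[$sub][$name]
            $have = if ($key) { $key.GetValue($name, $null) } else { $null }
            if ($have -ne $want) {
                [pscustomobject]@{ SubKey = $sub; Value = $name; Current = $have; Desired = $want }
            }
        }
        if ($key) { $key.Close() }
    }
}

function Set-SchannelDesired {
    # Creates any missing subkey and writes each DWORD. CreateSubKey keeps "/" literal,
    # so "DES 56/56" becomes one key, which is what Schannel expects.
    foreach ($sub in $Desired.Keys) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelBase\$sub")
        foreach ($name in $Desired[$sub].Keys) {
            $key.SetValue($name, [int]$Desired[$sub][$name], [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $key.Close()
    }
}

$drift = @(Get-SchannelDrift)
if ($drift.Count -eq 0) {
    Write-Host 'Schannel keys already match the desired state; if the scan still fails, check where TLS is terminated.'
} else {
    Write-Host 'Entries that differ from the desired state:'
    $drift | Format-Table -AutoSize
    Set-SchannelDesired
    Write-Host 'Applied. Reboot this host, then rescan.'
}
```

Running the audit step alone before changing anything is the useful part: if it reports no drift and the scan still fails, the finding is not coming from these keys, and the remaining explanations in the thread (a load balancer or other device terminating TLS in front of the host, or the scanner flagging the OS version rather than the negotiated protocol) are the next things to rule out. Other cipher and hash entries from KB 245030 can be added to the $Desired table in the same form.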
brettschwartzunibank (asker):

You are correct.

Are these both the web servers?

These are web servers in that IIS is installed and being utilized by inside applications, e.g. management consoles etc. The servers are not accessible from the internet. Could this be a port binding issue? For instance, one MMC utilizes http 1083, https 443 and https 4443, all bound to the same IP (or all assigned). Does this make sense? Am I off base? I just don't understand how I can make the changes mentioned for both 2003 and 2008 and still fail the tests, without it being something tied to it???

Thanks,
brettschwartzunibank (asker):

Hello,

Made the adjustments from your previous post. Still failing on both 2003 and 2008. Here is a snap of the results.... [four screenshots attached]
Thanks in advance for all your help on this.
Rovastar:

I am confused; this is only about the weak ciphers, not the SSL2 issue.

You initially only mentioned that the SSL2 part was a problem. Are you happy that is now fixed?
brettschwartzunibank (asker):

The Qualys scans I am running against the box state it is an SSLv2 vulnerability, and the reason behind this is the weak ciphers, as shown above. They are tying together; does this not make sense? The SSLv2 issue is not fixed, as previously stated.

To be clear:
1. I run a scan against the box.
2. I look through the reports and it has vulnerabilities.
3. I scroll down to the vulnerabilities and see "SSL Server Supports Weak Encryption Vulnerability".
4. I hit the arrow next to the vulnerability and the reason behind it is: "Disable support for LOW encryption ciphers."

I don't know what else to tell you. I am sorry for the confusion; I thought I was being straightforward.

Thank you again for your time.....
ASKER CERTIFIED SOLUTION by Rovastar (solution text not shown on this page)
brettschwartzunibank (asker):

Exactly what I needed. Sorry for the confusion. Points awarded.