Aaron Thorn (United States of America) asked:
SSL Server Supports Weak Encryption Vulnerability

We are doing a scan of our network and getting the error in the picture [screenshot]. I did do the following edits to the server:
http://gabriel.rabbaa.net/systems/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel-dll-ciphers-in-windows-2003/

But we are still getting the error.

vinsvin (India) answered:
IIS 6.0 Security Best Practices (IIS 6.0)

General Best Practices

• Log on with the least credentials. Log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator.

• Reduce the attack surface. Disable all services you do not need, including IIS services such as FTP, NNTP or SMTP. If a feature or service is not enabled, then there is no need to secure it.

• Do not download or run programs from untrusted sources. Programs can contain instructions to violate security in a number of ways including data theft, denial of service, and data destruction.

• Keep virus scanners up to date. Virus scanners frequently identify infected files by scanning for a signature that is a known component of a previously identified virus. The scanners keep these virus signatures in a signature file, which is usually stored on the local hard disk. Because new viruses are discovered frequently, this file should also be updated frequently for the virus scanner to easily identify all current viruses.

• Keep current with all software updates. Software updates provide solutions to known security issues. Check software provider Web sites periodically to see if there are new updates available for software used in your organization.

• The new process model in IIS 6.0 includes process recycling, which means an administrator can easily install most IIS updates and most new worker process DLLs without any interruption of service.

• Auto Update version 1.0 provides three options to customers: notify update availability the moment it is available; download the update, and notify that it has been downloaded; and scheduled install. For more information, see "Windows Automatic Updates" in Help and Support Center for Windows Server 2003.

• Use NTFS. The NTFS file system is more secure than the FAT or FAT32 file system.

• Assign strong NTFS permissions for your resources.

• Exercise caution with domain controllers. If you use a domain controller as an application server, be aware that if security is compromised on the domain controller, then security is compromised on the entire domain.

• Restrict write access permissions for the IUSR_computername account. This will help limit the access anonymous users have to your computer.

• Store executable files in a separate directory. This makes it easier to assign access permissions and audit for administrators.

• Create a group for all anonymous user accounts. You can deny access permissions to resources based on this group membership.

• Deny execute permissions for anonymous users to all executables in Windows directories and subdirectories.

• Use IP address restriction if administering IIS remotely. For more information, see Securing Sites with IP Address Restrictions.

• Assign the most restrictive permissions possible. For example, if your Web site is used only for viewing information, assign only Read permissions. If a directory or site contains applications, assign Scripts Only permissions instead of Scripts and Executables permissions. For more information, see Securing Sites with Web Site Permissions.

• Do not assign Write and Script source access permissions or Scripts and Executables permissions. Use this combination with extreme caution. It can allow a user to upload potentially harmful executable files to your server and run them. For more information, see Securing Sites with Web Site Permissions.

• Enable data encryption in all WMI-based remote administration scripts. For more information, see Encrypting Data When Running WMI–Based Remote Administration Scripts.

• Ensure that the VeriSign Intermediate Root CA on your Web server is up to date. Verify the expiration date, and update the Intermediate Root CA if necessary. The new VeriSign Intermediate Root CA has the following properties:

Issued to: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by: Class 3 Public Primary Certification Authority
Valid from: 4/16/97 to 10/24/11
 
Aaron Thorn (asker):
My question is: how do I make the server do this?
Or is this an update I must have (IIS 6.0)?
Does the test actually attempt to negotiate an SSL channel using a weak cipher?  

What criteria determine failure?  Do specific ciphers always fail or only when they are under some minimum key length?  

That screenshot does not provide enough information to let you know what exactly the testing program did that it considers a failure. If a test won't tell you why you failed, it isn't a very useful test.
This is all it will tell me. I can call if this does not help. [screenshot]
It looks like the page has instructions for Apache and Tomcat, but the IIS instructions are cut off at the bottom; is there a page 2?

The test says it considers any key length less than 128 a failure, so, going back to that blog post by Gabriel Rabbaa, I guess I would look at the same registry location and see if there are other ciphers listed with shorter key lengths and, if so, disable those also. The blog doesn't mention if you need to restart IIS for these changes to take effect, but it wouldn't shock me if that was necessary.
Bingo, those at the top of page 2 should be links; if they are not, just type the title into a search engine:

how to restrict the use of certain cryptographic algorithms and protocols in schannel.dll

It says you'll have to restart Windows for it to work, and then that chart at the bottom shows which ones you'll need to disable to pass this test.
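An added example (not from this thread, the Microsoft article or the linked blog post) that audits the SChannel Ciphers registry keys the answer above refers to and disables every entry whose key length is under 128 bits, which is the failure criterion the scanner reported. It assumes PowerShell is installed on the Windows Server 2003 host and uses the cipher key names documented in Microsoft KB245030; run it without -Apply first to see the current state.

```powershell
# Audit / disable weak SChannel ciphers (key length < 128 bits) on Windows Server 2003.
# Run as Administrator. SChannel only reloads this list after a reboot.
# Assumption: PowerShell 2.0 or later is installed on the host.
# The .NET registry classes are used because the key names contain "/" (e.g. "RC4 40/128"),
# which the PowerShell registry provider would otherwise treat as a path separator.
param([switch]$Apply)   # without -Apply the script only reports

$basePath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
# Cipher key names as documented in KB245030; NULL means no encryption at all.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

function Get-EffectiveKeyLength([string]$cipherName) {
    # "RC4 40/128" -> 40 ; "DES 56/56" -> 56 ; "NULL" -> 0
    if ($cipherName -eq 'NULL') { return 0 }
    if ($cipherName -match '\s(\d+)/\d+$') { return [int]$matches[1] }
    return $null   # unknown naming pattern: leave it alone
}

$hklm    = [Microsoft.Win32.Registry]::LocalMachine
$ciphers = $hklm.OpenSubKey($basePath, $true)
if ($ciphers -eq $null) { throw "SCHANNEL\Ciphers key not found under HKLM" }

foreach ($name in $weakCiphers) {
    $bits = Get-EffectiveKeyLength $name
    if ($bits -eq $null -or $bits -ge 128) { continue }
    $sub = $ciphers.OpenSubKey($name, $true)
    # A missing subkey or missing Enabled value means the cipher is still enabled.
    $state = if ($sub -eq $null) { 'missing (defaults to enabled)' }
             elseif ($sub.GetValue('Enabled') -eq 0) { 'disabled' }
             else { 'enabled' }
    Write-Host ("{0,-12} {1,3}-bit  currently {2}" -f $name, $bits, $state)
    if ($Apply) {
        if ($sub -eq $null) { $sub = $ciphers.CreateSubKey($name) }
        # Enabled = 0 disables the cipher; 0xffffffff (the default) enables it.
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    if ($sub -ne $null) { $sub.Close() }
}
$ciphers.Close()
if ($Apply) { Write-Host 'Done. Reboot the server so SChannel reloads the cipher list.' }
```

Re-run the scanner after the reboot; if it still reports weak ciphers, check the SCHANNEL\Protocols keys as well, since SSL 2.0 being enabled is flagged by the same class of test.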

 
Hmmm, I did make all the changes and am still getting the same error.
ASKER CERTIFIED SOLUTION by AlexPace (United States of America)

yep
Never mind, it looks to be OK now. Thanks.